Specifications
Chapter 5. Configuring Software Options 141
ike proposals set dh_group <NONE | 1 | 2 > <ProposalName>
Proposes the Diffie-Hellman (DH) key generation group used (no group or group 1 or 2).
ike proposals set lifetime <seconds> <ProposalName>
Proposes the length of time (in seconds) before the Phase 1 SA expires; the recommended value is 86400
(24 hours). When the time limit expires, IKE renegotiates the connection.
IKE IPSec Proposal Commands
The IKE IPSec proposal commands define the proposals exchanged to set up an IPSec SA, that is, an SA for the
user data transfer.
ike ipsec proposals add <ProposalName>
Defines the name of a new IKE IPSec proposal.
ike ipsec proposals delete <ProposalName>
Deletes an existing IKE IPSec proposal.
ike ipsec proposals list
Lists the IKE IPSec proposals.
The following proposals set commands specify the contents of the proposals exchanged.
Note: The next three commands (set espenc, set espauth, and set ahauth) determine the encapsulation
method (AH or ESP) used and the authentication and/or encryption requested by the proposal.
You cannot request both AH and ESP encapsulation in the same proposal. (It is possible for a connection
to use two proposals, one that requests AH and the other that requests ESP.)
In any one proposal, you can request any one of the following:
• AH authentication
• ESP encryption
• ESP authentication
• ESP encryption and authentication
ike ipsec proposals set espenc <DES | 3DES | NULL | NONE> <ProposalName>
Determines whether ESP encryption is requested and, if it is requested, the encryption method used.
DES Use ESP encapsulation and 56-bit encryption
3DES Use ESP encapsulation and 168-bit encryption (if 3DES is enabled in the router; see Software
Option Keys, page 114.)
NULL No encryption, but use ESP encapsulation. Headers are inserted as though the data was
encrypted. This allows verification of the source, but sends the data in the clear, increasing
throughput.
NONE No encryption and no ESP encapsulation. (If you select this option, the encapsulation method
must be requested by a set espauth or set ahauth command.)
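The following is an added example, not part of the original manual: a Python check that reads a list of proposals set commands and reports proposals that break the AH/ESP rule in the Note above or that request DES or NULL for espenc. The proposal names and sample lines are constructed; the ahauth value MD5 and the treatment of an unset option as NONE are assumptions, since this page does not state them.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not from the manual); names are made up.
# "ahauth MD5" is an assumed value: this page does not list the ahauth options.
SAMPLE = """\
ike ipsec proposals add branch_esp
ike ipsec proposals set espenc 3DES branch_esp
ike ipsec proposals set espauth SHA1 branch_esp
ike ipsec proposals add legacy
ike ipsec proposals set espenc DES legacy
ike ipsec proposals add mixed
ike ipsec proposals set espenc NULL mixed
ike ipsec proposals set ahauth MD5 mixed
ike ipsec proposals add empty
ike ipsec proposals set espenc NONE empty
"""

SET_RE = re.compile(
    r"^ike ipsec proposals set (espenc|espauth|ahauth)\s+(\S+)\s+(\S+)$", re.I)

def parse(text):
    """Return {proposal: {option: VALUE}}; a later set overrides an earlier one."""
    props = defaultdict(dict)
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            option, value, name = m.groups()
            props[name][option.lower()] = value.upper()
    return dict(props)

def audit(text):
    """Return {proposal: [findings]} for every proposal that has set commands."""
    report = {}
    for name, opts in parse(text).items():
        enc = opts.get("espenc", "NONE")  # assumption: unset behaves as NONE
        esp = enc != "NONE" or opts.get("espauth", "NONE") != "NONE"
        ah = opts.get("ahauth", "NONE") != "NONE"
        findings = []
        if ah and esp:
            findings.append("AH and ESP requested in one proposal")
        if not ah and not esp:
            findings.append("no encapsulation requested")
        if enc == "DES":
            findings.append("56-bit DES encryption")
        if enc == "NULL":
            findings.append("ESP NULL: data sent in the clear")
        report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", "; ".join(findings) or "ok")
```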
ike ipsec proposals set espauth <MD5 | SHA1 | NONE> <ProposalName>
Determines whether ESP message authentication is requested and, if it is requested, the hash algorithm
used.
MD5 Use ESP encapsulation and authenticate using hash algorithm Message Digest 5.
SHA1 Use ESP encapsulation and authenticate using hash algorithm Secure Hash Algorithm-1.