Section 35.3.10 – Westermo RedFox Series User Manual

Page 825


Westermo OS Management Guide

Version 4.17.0-0

Usage Set IKE Phase-2 handshake negotiation. Configure what security suite ESP should use to protect the data traffic in the established VPN tunnel. Here the security suite consists of two parameters:

Encryption algorithm: Supported encryption algorithms are 3des, aes128, aes192 and aes256.

Message authentication/integrity: Supported hash algorithms for message authentication are md5 and sha1.

Diffie-Hellman group for PFS: The Diffie-Hellman group can be negotiated automatically, or a preferred group can be selected by hand. Supported Diffie-Hellman groups are 1024 (DH group 2), 1536 (DH group 5), 2048 (DH group 14), 3072 (DH group 15), 4096 (DH group 16), 6144 (DH group 17) and 8192 (DH group 18).

By specifying an ESP suite, e.g., "esp crypto aes256 auth sha1 dh 1024", you will ensure that this suite is used to secure the data traffic in the established IPsec ESP tunnel. As with the IKE phase-1 handshake, if the remote side does not support this suite, the handshake will fail.

Use "no esp" to specify the automatic security suite negotiation. When configured as an initiator, this means that all combinations will be tried. When configured as a responder, any combination of the listed algorithms will be accepted.

Use "show esp" to show the configured ESP cipher suite for this tunnel. "Auto" is shown if the VPN gateway is configured to auto-negotiate which ESP cipher suite to use.

Default values Auto ("no esp")

Note: If aggressive mode is selected for the IKE phase-1 handshake, the default security suite for IKE phase-2 negotiation is set to "AES128-SHA1-AUTO" ("esp crypto aes128 auth sha1 dh auto").
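The following is an added configuration-audit example, not code from the Westermo manual or firmware: it parses the "esp crypto ... auth ... dh ..." statement and "no esp" as described above, maps the DH key size to its group number using the table on this page, and flags the algorithm choices a defender would want to review (the weak-algorithm assessment is ours, not the manual's).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Supported values as listed on this manual page, with DH group numbers.
ENCRYPTION = {"3des", "aes128", "aes192", "aes256"}
AUTH = {"md5", "sha1"}
DH_GROUPS = {"1024": 2, "1536": 5, "2048": 14, "3072": 15,
             "4096": 16, "6144": 17, "8192": 18}

# Defender's assessment (ours, not the manual's): 3DES and HMAC-MD5 are
# deprecated, and a 1024-bit MODP group is below the usual 2048-bit floor.
WEAK = {"3des": "3DES is deprecated (64-bit block size)",
        "md5": "HMAC-MD5 is deprecated for IPsec integrity",
        "1024": "DH group 2 (1024-bit MODP) is below the 2048-bit minimum"}

ESP_RE = re.compile(r"^esp\s+crypto\s+(\S+)\s+auth\s+(\S+)\s+dh\s+(\S+)$")

@dataclass
class EspSuite:
    crypto: Optional[str]    # None when the suite is auto-negotiated
    auth: Optional[str]
    dh_group: Optional[int]  # IANA DH group number, None for "auto"
    warnings: list

def parse_esp(line: str) -> EspSuite:
    """Parse one 'esp ...' or 'no esp' line from an IPsec tunnel context."""
    line = line.strip().lower()
    if line == "no esp":
        # Auto: as initiator all combinations are tried, as responder any
        # combination of the listed algorithms is accepted.
        return EspSuite(None, None, None,
                        ["auto-negotiation may agree on 3des, md5 or dh 1024"])
    m = ESP_RE.match(line)
    if not m:
        raise ValueError(f"not an ESP suite statement: {line!r}")
    crypto, auth, dh = m.groups()
    if crypto not in ENCRYPTION:
        raise ValueError(f"unsupported encryption algorithm: {crypto}")
    if auth not in AUTH:
        raise ValueError(f"unsupported authentication algorithm: {auth}")
    if dh != "auto" and dh not in DH_GROUPS:
        raise ValueError(f"unsupported DH group size: {dh}")
    warnings = [WEAK[v] for v in (crypto, auth, dh) if v in WEAK]
    if dh == "auto":
        warnings.append("PFS group auto-negotiated; dh 1024 may be selected")
    return EspSuite(crypto, auth,
                    None if dh == "auto" else DH_GROUPS[dh], warnings)
```

Running it over a saved "show running-config" lets you list every tunnel whose suite is auto-negotiated or still uses 3des, md5 or dh 1024.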

35.3.10 Select Pre-shared Secret or Certificate based authentication

Syntax [no] method <psk|cert>

Context IPsec Configuration context

© 2015 Westermo Teleindustri AB
