DH algorithm, ISAKMP SA lifetime, Viewing the IKE proposal list – H3C Technologies H3C Intelligent Management Center User Manual

Page 47: Querying IKE proposals

- Pre-shared key—Two IKE peers use the pre-configured shared key for identity authentication.
- CA—Two IKE peers use digital certificates issued by the CA for identity authentication.

DH algorithm

The DH algorithm is a public key algorithm with which two peers can exchange keying material and then use the material to calculate the shared keys. IVM supports the following DH algorithms for ISAKMP SA negotiation:

- DH Group 1—768-bit Diffie-Hellman group.
- DH Group 2—1024-bit Diffie-Hellman group.
- DH Group 5—1536-bit Diffie-Hellman group.
- DH Group 14—2048-bit Diffie-Hellman group.

ISAKMP SA lifetime

The ISAKMP SA has a specified lifetime and is updated periodically. After the ISAKMP SA lifetime expires, the IKE peers use the DH algorithm to calculate a new key. Since the DH computation can be time-consuming for low-end devices, HP recommends that you set the ISAKMP SA lifetime to no less than 600 seconds.

You can query, view, add, modify, and delete IKE proposals.

Viewing the IKE proposal list

1. Click the Service tab.
2. From the navigation tree, select IPsec VPN Manager > Security Proposals > IKE Proposals.
   The IKE Proposal List displays all IKE proposals.

IKE Proposal List contents

- Proposal Name—IKE proposal name. Click the name to view the IKE proposal details.
- IKE Authentication—Authentication method used by IKE peers for identity authentication: Pre-Shared Key or CA Authentication.
- Encryption Algorithm—Encryption algorithm used by IKE peers for key negotiation. Options are DES, 3DES, AES(128), AES(192), AES(256), and None.
- Authentication Algorithm—Authentication algorithm used by IKE peers for key negotiation. Options are MD5 and SHA-1.
- DH Group ID—DH group used by IKE peers for key negotiation. Options are DH Group 1, DH Group 2, DH Group 5, and DH Group 14.
- ISAKMP SA Life Time—ISAKMP SA lifetime in seconds. The value range is 60 to 604800, and the default is 86400.
- Modify—Click the Modify icon to modify settings of the IKE proposal.
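
An added example (not part of the H3C manual or of IVM): a Python audit of entries shaped like rows of the IKE Proposal List above. The option names, DH group sizes and lifetime limits come from this page; the dict keys, the sample proposals and the policy for which options count as weak are assumptions of the example.

```python
# Added example: audit entries shaped like rows of the IKE Proposal List.
# Dict keys and the weak-option policy are assumptions of this example.
DH_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}  # group ID -> modulus size
ENCRYPTION = {"DES", "3DES", "AES(128)", "AES(192)", "AES(256)", "None"}
AUTH_ALGS = {"MD5", "SHA-1"}
LIFETIME_MIN, LIFETIME_MAX, LIFETIME_DEFAULT = 60, 604800, 86400  # seconds
LIFETIME_RECOMMENDED_MIN = 600  # the manual's advice for low-end devices

# Assumed policy: options this audit treats as too weak for new tunnels.
WEAK_ENCRYPTION = {"None": "no confidentiality for the IKE exchange",
                   "DES": "56-bit key", "3DES": "legacy 64-bit block cipher"}
WEAK_AUTH = {"MD5": "collision-broken hash"}
MIN_DH_BITS = 2048


def audit_proposal(p):
    """Return a list of findings for one proposal dict; empty means clean."""
    findings = []
    enc, auth, group = p["encryption"], p["authentication"], p["dh_group"]
    life = p.get("lifetime", LIFETIME_DEFAULT)  # unset -> product default
    if enc not in ENCRYPTION:
        findings.append(f"unknown encryption algorithm {enc!r}")
    elif enc in WEAK_ENCRYPTION:
        findings.append(f"weak encryption {enc}: {WEAK_ENCRYPTION[enc]}")
    if auth not in AUTH_ALGS:
        findings.append(f"unknown authentication algorithm {auth!r}")
    elif auth in WEAK_AUTH:
        findings.append(f"weak authentication {auth}: {WEAK_AUTH[auth]}")
    if group not in DH_BITS:
        findings.append(f"unknown DH group {group!r}")
    elif DH_BITS[group] < MIN_DH_BITS:
        findings.append(f"DH Group {group} is only {DH_BITS[group]}-bit")
    if not LIFETIME_MIN <= life <= LIFETIME_MAX:
        findings.append(f"lifetime {life}s outside {LIFETIME_MIN}-{LIFETIME_MAX}")
    elif life < LIFETIME_RECOMMENDED_MIN:
        findings.append(f"lifetime {life}s below recommended {LIFETIME_RECOMMENDED_MIN}s")
    return findings

# Constructed sample proposals (names and values are illustrative).
SAMPLE = [
    {"name": "legacy-branch", "encryption": "DES", "authentication": "MD5",
     "dh_group": 1, "lifetime": 300},
    {"name": "hq-default", "encryption": "AES(256)", "authentication": "SHA-1",
     "dh_group": 14},
]

if __name__ == "__main__":
    for prop in SAMPLE:
        print(prop["name"], audit_proposal(prop) or "OK")
```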

Querying IKE proposals

1. Click the Service tab.
2. From the navigation tree, select IPsec VPN Manager > Security Proposals > IKE proposals.
   The IKE Proposal List displays all IKE proposals.
3. Enter the IKE proposal name you want to query for. IVM supports fuzzy matching for this field.
