Section 35.3.9 – Westermo RedFox Series User Manual


Westermo OS Management Guide

Version 4.17.0-0

Diffie-Hellman groups: Supported Diffie-Hellman groups are 1024 (DH group 2), 1536 (DH group 5), 2048 (DH group 14), 3072 (DH group 15), 4096 (DH group 16), 6144 (DH group 17) and 8192 (DH group 18).

By specifying an IKE suite, e.g., ”ike crypto aes256 auth sha1 dh 2048”
you will ensure that this suite is used to secure the IKE handshake - if the
remote side does not support this suite, the handshake will fail.

Use ”no ike” to specify automatic security suite negotiation. When configured as an initiator, this means that all combinations will be tried (starting by offering a set of suites with either AES-128 or 3DES for encryption, SHA1 or MD5 for authentication, and DH groups 1024, 1536 and 2048). When configured as a responder, any combination of the listed algorithms will be accepted.

Use ”show ike” to show the configured IKE Cipher suite for this tunnel, i.e.,
encryption algorithm, message authentication algorithm, and Diffie-Hellman
group. ”Auto” is shown if the VPN gateway is configured to auto-negotiate
what IKE cipher suite to use.

Default values Auto (”no ike”)

Note

If aggressive mode is selected for the IKE phase-1 handshake, the default security suite for IKE phase-1 negotiation is set to ”AES128-SHA1-DH1024” (”esp crypto aes128 auth sha1 dh 1024”).

Examples The following example shows the output when AES-128 is used for encryption, SHA-1 for message authentication, and Diffie-Hellman group 1024.

Example

example:/config/tunnel/ipsec-0/#> show ike
AES128-SHA1-1024
example:/config/tunnel/ipsec-0/#>
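
The following Python script is an added example, not part of the Westermo manual: it parses ”ike”/”esp” lines in the syntax described above and flags choices that fall below an assumed audit policy (no 3DES, no MD5, DH of at least 2048 bits). The function name audit_line, the policy constants and the sample lines are assumptions made for illustration.

```python
import re

# DH modulus size in bits -> DH group number, as listed in the manual text above.
DH_GROUPS = {1024: 2, 1536: 5, 2048: 14, 3072: 15, 4096: 16, 6144: 17, 8192: 18}

# Assumed audit policy (not from the manual): adjust to your own baseline.
WEAK_CRYPTO = {"3des"}
WEAK_AUTH = {"md5"}
MIN_DH_BITS = 2048

SUITE_RE = re.compile(r"^(ike|esp)\s+crypto\s+(\S+)\s+auth\s+(\S+)\s+dh\s+(\S+)$")
AUTO_RE = re.compile(r"^no\s+(ike|esp)$")


def audit_line(line, aggressive=False):
    """Return policy findings for one 'ike'/'esp' line of a tunnel configuration."""
    text = " ".join(line.lower().split())
    auto = AUTO_RE.match(text)
    if auto:
        findings = [f"{auto.group(1)}: suite not pinned, peer negotiation decides"]
        if auto.group(1) == "ike" and aggressive:
            # The manual's note: aggressive mode defaults to AES128-SHA1-DH1024.
            findings.append("ike: aggressive-mode default uses DH 1024 (group 2)")
        elif auto.group(1) == "ike":
            # The manual: auto mode offers/accepts 3DES, MD5 and DH 1024 as well.
            findings.append("ike: auto mode can settle on 3DES, MD5 or DH 1024")
        return findings
    suite = SUITE_RE.match(text)
    if not suite:
        return [f"unparsed line: {text}"]
    proto, crypto, auth, dh = suite.groups()
    findings = []
    if crypto in WEAK_CRYPTO:
        findings.append(f"{proto}: weak encryption {crypto}")
    if auth in WEAK_AUTH:
        findings.append(f"{proto}: weak authentication {auth}")
    if dh == "auto":
        findings.append(f"{proto}: DH group not pinned")
    elif not dh.isdigit() or int(dh) not in DH_GROUPS:
        findings.append(f"{proto}: unknown DH size {dh}")
    elif int(dh) < MIN_DH_BITS:
        findings.append(f"{proto}: DH {dh} (group {DH_GROUPS[int(dh)]}) below {MIN_DH_BITS} bits")
    return findings


# Constructed sample lines (not taken from a real device).
SAMPLE = ["ike crypto aes256 auth sha1 dh 2048", "ike crypto 3des auth md5 dh 1024", "no ike"]

if __name__ == "__main__":
    for cfg in SAMPLE:
        print(cfg, "->", audit_line(cfg) or ["ok"])
```

An empty list means the line pins a suite that meets the assumed policy; pass aggressive=True when the tunnel uses aggressive mode for the phase-1 handshake.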

35.3.9 Configure allowed crypto algorithms for ESP

Syntax [no] esp crypto <3des|aes128|...> auth <md5|sha1> dh <auto|...>

Context IPsec Configuration context

© 2015 Westermo Teleindustri AB
