Configuring IKE 591

There are two hashing algorithm options: SHA-1 and MD5. Both provide data origin authentication and integrity protection. Compared with MD5, SHA-1 produces a longer digest (160 bits instead of 128) and is considered more secure, but authentication with it is somewhat slower. A collision attack against MD5 is possible, though difficult; the HMAC construction used by IKE is not affected by that attack.

Perform the following configurations in IKE proposal view.

Table 660 Select Hashing Algorithm

  Operation                                     Command
  Select hashing algorithm                      authentication-algorithm { md5 | sha }
  Set hashing algorithm to the default value    undo authentication-algorithm

By default, the SHA-1 hashing algorithm (parameter sha) is used.

Selecting DH Group ID

There are two DH (Diffie-Hellman) group ID options: the 768-bit Diffie-Hellman group (Group 1) or the 1024-bit Diffie-Hellman group (Group 2). The 1024-bit Diffie-Hellman group (Group 2) takes longer CPU time.

Perform the following configurations in IKE proposal view.

Table 661 Select DH Group ID

  Operation                                 Command
  Select DH group ID                        dh { group1 | group2 }
  Restore the default value of DH group ID  undo dh

By default, 768-bit Diffie-Hellman group is selected.

Setting the Lifetime of IKE Association SA

Lifetime means how long an IKE SA exists before it becomes invalid. When IKE begins SA negotiation, it must first make the security parameters of the two parties consistent. The SA records the agreed parameters at each end, and each end keeps the SA until its lifetime expires. Before the SA becomes invalid, subsequent IKE negotiations can use it again; a new SA is negotiated before the current SA becomes invalid.

A relatively short IKE SA lifetime can be configured to improve the security of IKE negotiation, at the cost of more frequent renegotiation. If the policy lifetimes of the two ends are different, the IKE policy is selected only when the lifetime of the originating end is greater than or equal to that of the peer end; the shorter of the two lifetimes is then used as the IKE SA lifetime.

Perform the following configurations in IKE proposal view.

Table 662 Set Lifetime of IKE Negotiation SA

  Operation                          Command
  Set lifetime of IKE SA             sa duration seconds
  Set lifetime as the default value  undo sa duration
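The following Python model ties together the three proposal parameters described above (hashing algorithm, DH group ID and SA lifetime) and shows how the lifetime rule behaves during negotiation: the hash and DH group must be identical on both ends, the responder accepts only when the initiator's lifetime is greater than or equal to its own, and the shorter lifetime becomes the IKE SA lifetime. This is an added illustration written for this page, not router firmware or 3Com code. The proposal-number ordering (lower number tried first) and the sample proposals are assumptions made for the example; the page does not state a default lifetime, so the model requires it to be given explicitly.

```python
"""Model of IKE proposal matching and IKE SA lifetime selection.

Added example illustrating the rules described on this page; it is not
the router's own implementation. Proposal priority by number is assumed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Legal values of the two commands on this page:
#   authentication-algorithm { md5 | sha }
#   dh { group1 | group2 }
AUTH_ALGS = ("md5", "sha")
DH_GROUPS = ("group1", "group2")


@dataclass(frozen=True)
class IkeProposal:
    """One IKE proposal as configured in IKE proposal view."""
    number: int                 # proposal number; lower = higher priority (assumption)
    sa_duration: int            # sa duration <seconds>; no default given on this page
    auth_alg: str = "sha"       # page default: SHA-1
    dh_group: str = "group1"    # page default: 768-bit group

    def __post_init__(self) -> None:
        if self.auth_alg not in AUTH_ALGS:
            raise ValueError(f"authentication-algorithm must be one of {AUTH_ALGS}")
        if self.dh_group not in DH_GROUPS:
            raise ValueError(f"dh must be one of {DH_GROUPS}")
        if self.sa_duration <= 0:
            raise ValueError("sa duration must be a positive number of seconds")


def acceptable(initiator: IkeProposal, responder: IkeProposal) -> bool:
    """Responder-side acceptance test for one pair of proposals.

    Hash algorithm and DH group must be identical. Lifetimes may differ,
    but the responder accepts only when the initiator's lifetime is
    greater than or equal to its own.
    """
    return (
        initiator.auth_alg == responder.auth_alg
        and initiator.dh_group == responder.dh_group
        and initiator.sa_duration >= responder.sa_duration
    )


def negotiate(
    initiator_proposals: Iterable[IkeProposal],
    responder_proposals: Iterable[IkeProposal],
) -> Optional[Tuple[IkeProposal, IkeProposal, int]]:
    """Walk both proposal lists in priority order and return the first
    acceptable (initiator, responder, negotiated_lifetime) triple, or None.

    The negotiated lifetime is the shorter of the two, which by the
    acceptance rule is always the responder's value.
    """
    for ip in sorted(initiator_proposals, key=lambda p: p.number):
        for rp in sorted(responder_proposals, key=lambda p: p.number):
            if acceptable(ip, rp):
                return ip, rp, min(ip.sa_duration, rp.sa_duration)
    return None


def negotiated_lifetime(
    initiator_proposals: Iterable[IkeProposal],
    responder_proposals: Iterable[IkeProposal],
) -> Optional[int]:
    """Convenience wrapper: just the agreed IKE SA lifetime, or None."""
    result = negotiate(initiator_proposals, responder_proposals)
    return None if result is None else result[2]


if __name__ == "__main__":
    # Constructed sample configuration (not from the page).
    responder = [
        IkeProposal(10, sa_duration=3600, auth_alg="sha", dh_group="group2"),
        IkeProposal(20, sa_duration=86400),  # page defaults: sha, group1
    ]
    # Initiator lifetime longer than the responder's: accepted, shorter wins.
    print(negotiate([IkeProposal(10, 86400, "sha", "group2")], responder))
    # Same parameters, initiator lifetime shorter: rejected (no other match).
    print(negotiate([IkeProposal(10, 1800, "sha", "group2")], responder))
```

The asymmetry is the point worth noticing: swapping which end has the shorter lifetime changes the outcome even though the final lifetime would be the same. When tuning `sa duration` on one end of a tunnel, lower it on the responder first, or the initiator's proposal will stop matching.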
