Encryption algorithm: 3DES

Hash algorithm: MD5

Diffie-Hellman Group: 2

Maximum lifetime: 28,800 seconds (8 hours)

Maximum Quick Modes: 100

You can specify alternative values for the above parameters in the ipsec_config add ike command.

On Windows XP systems with SP2, IP Security policies are pre-configured with four IKE SA proposals. The second IKE proposal matches the default HP-UX IPSec IKE proposal [3], and will be used by the two systems if no changes are made to the default configuration data. If these IKE parameters meet your security requirements, you do not need to modify the IKE parameters and can skip to “Step 10: Assigning the IP Security Policy” (page 30).
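The proposal matching described above can be modelled in a few lines. This is an added example, not code from the HP-UX or Windows products. It assumes the responder takes the first offered proposal whose encryption, hash and Diffie-Hellman group all match its own policy, and it assumes the hash algorithms of the third and fourth Windows proposals, which this page does not state.

```python
from typing import List, NamedTuple, Optional, Tuple

class Proposal(NamedTuple):
    enc: str
    hash_alg: str
    dh_group: int

# Default HP-UX IPSec IKE proposal, as listed on this page.
HPUX_DEFAULT = [Proposal("3DES", "MD5", 2)]

# Windows XP SP2 proposals in preference order. The page gives the first in
# full, says the second matches the HP-UX default, and says the third and
# fourth use DES with group 1; their hash values are assumptions.
WINDOWS_XP = [
    Proposal("3DES", "SHA1", 2),
    Proposal("3DES", "MD5", 2),
    Proposal("DES", "SHA1", 1),  # hash assumed
    Proposal("DES", "MD5", 1),   # hash assumed
]

def select_proposal(offered: List[Proposal],
                    accepted: List[Proposal]) -> Optional[Tuple[int, Proposal]]:
    """Return (1-based position, proposal) of the first offered proposal the
    responder accepts, or None when negotiation would fail."""
    for position, proposal in enumerate(offered, start=1):
        if proposal in accepted:  # all three attributes must match
            return position, proposal
    return None

def weak_fallbacks(offered: List[Proposal]) -> List[Proposal]:
    """Proposals still on offer that use DES or Diffie-Hellman group 1, the
    parameters this page calls weaker."""
    return [p for p in offered if p.enc == "DES" or p.dh_group == 1]

if __name__ == "__main__":
    print("Windows initiates:", select_proposal(WINDOWS_XP, HPUX_DEFAULT))
    print("HP-UX initiates:  ", select_proposal(HPUX_DEFAULT, WINDOWS_XP))
    # Changing only the HP-UX hash to SHA1 moves the match to proposal 1.
    print("HP-UX with SHA1:  ", select_proposal(WINDOWS_XP, [Proposal("3DES", "SHA1", 2)]))
    # A group mismatch alone is enough to leave no common proposal.
    print("HP-UX with group 1:", select_proposal(WINDOWS_XP, [Proposal("3DES", "SHA1", 1)]))
    print("Weaker proposals still offered:", weak_fallbacks(WINDOWS_XP))
```

The last line of output lists the proposals to remove from the Windows policy if only the stronger parameter sets should ever be negotiated with any peer.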

Use the following procedure to modify the Windows IKE SA parameters:

1. From the Policy Properties dialog box, select the General tab. The IP Security configuration utility opens the General dialog box (Figure 13).

Click Advanced [4]. (Ignore the field labeled Check for policy changes. This field is used only when the policy is stored in an Active Directory.)

Figure 13 General Policy Properties Dialog Box

2. The IP Security configuration utility opens the Key Exchange Settings dialog box (Figure 14).

[3] By default, the first Windows XP proposal has the following parameters: Encryption - 3DES; Hash - SHA1; Diffie-Hellman Group - 2. The third and fourth Windows proposals are weaker, and use DES encryption and Diffie-Hellman Group 1. Refer to the Windows documentation for more information.

[4] On Windows 2003 servers, this button is labeled Settings.

Configuring a Windows Host-to-Host Policy 27