Chapter 7 VPN
IKE Proposal Configuration Parameters: Phase 1 and 2
The following table describes the IKE Phase 1 and Phase 2 configuration parameters. To review the parameter descriptions for each set, see the following links:
• “IKE Phase 1 Setup:” on page 202
• “IKE Phase 2 Setup:” on page 205
Table
Parameter | Description |
IKE Phase 1 Setup:
Specify the parameters the X family device uses to negotiate IKE Phase 1 to establish a shared, secure connection. Phase 1 uses Aggressive Mode or Main Mode for packet exchange. The default is Main Mode.
Proposal Name | Specifies a name for the IKE proposal. When you configure an IPSec Security Association, this name is used to select the IKE proposal to be used with the SA.
Encryption & Integrity | Encryption and Integrity work in combination to provide the degree of security required. Recommended combinations for IKE Phase 1 and IKE Phase 2 are listed below in order from least secure to most secure.
•
•
•
•
•
•
DES should only be used if it is supported on the remote device(s).
Note: The strong encryption options are only available if the device is configured with strong encryption. To enable strong encryption functionality (3DES,
Diffie Hellman Group | prevent unauthorized access to the key negotiation. The higher the Diffie-Hellman Group number, the more secure the connection. For interoperability or export restrictions, you may need to select a lower group number. Supported groups are:
• 1 (768 bits) - This setting is not recommended
• 2 (1024 bits)
• 5 (1536 bits) (High encryption device only)
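The Phase 1 guidance above can be checked mechanically before a proposal is entered on the device. The following is an added example, not part of the original guide or the product's own tooling: the dictionary field names, the function names and the sample proposals are assumptions made for illustration, and only the group sizes, the DES caution and the strong-encryption restrictions come from this page.

```python
# Added example: audits IKE Phase 1 proposals against the guidance on this page.
# Field names and sample proposals are constructed for illustration; they are
# not the X family device's configuration syntax.
DH_GROUPS = {1: 768, 2: 1024, 5: 1536}   # group number -> modulus bits (from the page)
STRONG_ONLY_GROUPS = {5}                 # "High encryption device only"
STRONG_ONLY_CIPHERS = {"3DES"}           # named on the page as a strong encryption option


def audit_proposal(p, strong_encryption_enabled):
    """Return (errors, warnings) for one Phase 1 proposal dict."""
    errors, warnings = [], []
    mode = p.get("mode", "main").lower()  # Main Mode is the default
    if mode not in ("main", "aggressive"):
        errors.append(f"unknown exchange mode {mode!r}")
    group = p.get("dh_group")
    if group not in DH_GROUPS:
        errors.append(f"unsupported Diffie-Hellman group {group!r}")
    else:
        if group in STRONG_ONLY_GROUPS and not strong_encryption_enabled:
            errors.append(f"group {group} needs a high encryption device")
        if group == 1:
            warnings.append("group 1 (768 bits) is not recommended")
    cipher = str(p.get("encryption", "")).upper()
    if cipher in STRONG_ONLY_CIPHERS and not strong_encryption_enabled:
        errors.append(f"{cipher} needs strong encryption enabled")
    if cipher == "DES":
        warnings.append("DES should only be used if supported on the remote device")
    return errors, warnings


def strongest_usable(proposals, strong_encryption_enabled):
    """Name of the error-free proposal with the largest DH modulus, or None."""
    usable = [p for p in proposals
              if not audit_proposal(p, strong_encryption_enabled)[0]]
    if not usable:
        return None
    return max(usable, key=lambda p: DH_GROUPS[p["dh_group"]])["name"]


# Constructed sample proposals
SAMPLE = [
    {"name": "legacy", "mode": "aggressive", "encryption": "DES", "dh_group": 1},
    {"name": "branch", "encryption": "DES", "dh_group": 2},
    {"name": "hq", "encryption": "3DES", "dh_group": 5},
]

if __name__ == "__main__":
    for strong in (False, True):
        print("strong encryption:", strong, "->", strongest_usable(SAMPLE, strong))
```

Errors mark a proposal the device cannot offer with its current encryption capability; warnings mark settings the page advises against but still supports.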
202 X Family LSM User’s Guide V 2.5.1