Vyatta Network OS Documentation


Configure an IKE group on EAST

This task creates IKE group IKE-1E on EAST. This IKE group contains two proposals:

  • Proposal 1 uses AES-256 as the encryption cipher and SHA-1 as the hash algorithm.
  • Proposal 2 uses AES-256 with 128-bit GCM as the encryption cipher.

The IKE version is specified as version 2. IKEv2 is required for AES encryption with 128-bit GCM.

The lifetime of a proposal from this IKE group is set to 3600.

Note that these parameters correspond to those set in IKE-1W on WEST. You must ensure, in defining proposals, that the encryption ciphers and hash algorithms are such that the two peers will be able to agree on at least one combination.

To create this IKE group, perform the following steps on EAST in configuration mode.

Table 1. Configuring an IKE group on EAST
Step Command

Create the configuration node for proposal 1 of IKE group IKE-1E.

vyatta@EAST# set security vpn ipsec ike-group IKE-1E proposal 1

Specify the IKE version (v2).

vyatta@EAST# set security vpn ipsec ike-group IKE-1E ike-version 2

Set the encryption cipher for proposal 1.

vyatta@EAST# set security vpn ipsec ike-group IKE-1E proposal 1 encryption aes256

Set the hash algorithm for proposal 1.

vyatta@EAST# set security vpn ipsec ike-group IKE-1E proposal 1 hash sha1

Set the encryption cipher for proposal 2. This also creates the configuration node for proposal 2 of IKE group IKE-1E.

vyatta@EAST# set security vpn ipsec ike-group IKE-1E proposal 2 encryption aes256gcm128

Set the hash algorithm for proposal 2.

vyatta@EAST# set security vpn ipsec ike-group IKE-1E proposal 2 hash null

Set the lifetime for the whole IKE group.

vyatta@EAST# set security vpn ipsec ike-group IKE-1E lifetime 3600

View the configuration for the IKE group. Don't commit yet.

vyatta@EAST# show security vpn ipsec ike-group IKE-1E
    ike-version 2
    proposal 1 {
        encryption aes256
        hash sha1
    }
    proposal 2 {
        encryption aes256gcm128
        hash null
    }
    lifetime 3600
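
Before committing, the two rules stated above (GCM needs IKEv2, and both peers must share at least one encryption/hash combination) can be checked offline against the `show` output of each peer. The following is an added example, not part of the Vyatta documentation or tooling; the function names, the sample text, and the assumption that WEST's IKE-1W mirrors EAST are all constructed for illustration.

```python
import re

# Constructed sample in the layout of the page's show output (EAST, IKE-1E).
EAST_SHOW = """
    ike-version 2
    proposal 1 {
        encryption aes256
        hash sha1
    }
    proposal 2 {
        encryption aes256gcm128
        hash null
    }
    lifetime 3600
"""
# Assumption: WEST's IKE-1W mirrors EAST; BAD_SHOW is a constructed mismatch.
WEST_SHOW = EAST_SHOW
BAD_SHOW = "proposal 1 {\n encryption aes128gcm128\n hash null\n}\nlifetime 3600\n"

def parse_ike_group(text):
    """Parse brace-style 'show ... ike-group' output into a dict."""
    group = {"ike-version": None, "proposals": {}}
    current = None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"proposal (\d+) \{", line)
        if m:
            current = group["proposals"].setdefault(int(m.group(1)), {})
        elif line == "}":
            current = None
        elif line:
            key, _, value = line.partition(" ")
            (group if current is None else current)[key] = value
    return group

def check_peers(local, remote):
    """Return (shared (encryption, hash) pairs, list of problems found)."""
    problems = []
    for name, g in (("local", local), ("remote", remote)):
        for num, p in sorted(g["proposals"].items()):
            if "gcm" in p.get("encryption", "") and g["ike-version"] != "2":
                problems.append(f"{name} proposal {num}: GCM cipher requires ike-version 2")
    def pairs(g):
        return {(p.get("encryption"), p.get("hash")) for p in g["proposals"].values()}
    common = pairs(local) & pairs(remote)
    if not common:
        problems.append("no common encryption/hash combination")
    return common, problems

if __name__ == "__main__":
    print(check_peers(parse_ike_group(EAST_SHOW), parse_ike_group(BAD_SHOW)))
```

An empty problem list with a non-empty set of shared pairs means the peers can agree on a proposal.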