The IKE group allows you to pre-define a set of one or more proposals to be used in IKE Phase 1 negotiation, after which the ISAKMP security association (SA) can be set up. For each proposal in the group, the following information is defined:

• Cipher to encrypt packets during IKE Phase 1
• Hash function to authenticate packets during IKE Phase 1

The IKE group also has a configured lifetime, which is the duration of the ISAKMP SA. When the lifetime of the ISAKMP SA expires, a new Phase 1 negotiation takes place, and new encryption, hash, and keying information is established in a new pair of ISAKMP SAs.

The lifetime is an attribute of the IKE group as a whole. If the IKE group contains multiple proposals, the lifetime applies regardless of which proposal in the group is accepted.

This task creates IKE group IKE-1W on WEST. This IKE group contains two proposals:

• Proposal 1 uses AES-256 as the encryption cipher and SHA-1 as the hash algorithm.
• Proposal 2 uses AES-256 with 128-bit GCM as the encryption cipher.

The IKE version is specified as version 2.

The lifetime of a proposal from this IKE group is set to 3600 seconds.

To create this IKE group, perform the following steps on WEST in configuration mode.

vyatta@WEST# set security vpn ipsec ike-group IKE-1W proposal 1

vyatta@WEST# set security vpn ipsec ike-group IKE-1W ike-version 2

vyatta@WEST# set security vpn ipsec ike-group IKE-1W proposal 1 encryption aes256

vyatta@WEST# set security vpn ipsec ike-group IKE-1W proposal 1 hash sha1

vyatta@WEST# set security vpn ipsec ike-group IKE-1W proposal 2 encryption aes256gcm128

vyatta@WEST# set security vpn ipsec ike-group IKE-1W proposal 2 hash null

vyatta@WEST# set security vpn ipsec ike-group IKE-1W lifetime 3600

vyatta@WEST# show security vpn ipsec ike-group IKE-1W
    ike-version 2
    proposal 1 {
        encryption aes256
        hash sha1
    }
    proposal 2 {
        encryption aes256gcm128
        hash null
    }
    lifetime 3600