Vyatta Network OS Documentation

Configure an IKE group on WEST

The IKE group allows you to pre-define a set of one or more proposals to be used in IKE Phase 1 negotiation, after which the ISAKMP security association (SA) can be set up. For each proposal in the group, the following information is defined:

  • Cipher to encrypt packets during IKE Phase 1
  • Hash function to authenticate (integrity-protect) packets during IKE Phase 1. An AEAD cipher such as AES-GCM carries its own integrity check, so a proposal that uses one sets its hash to null rather than a separate hash algorithm.

The IKE group also has a configured lifetime, which is the duration of the ISAKMP SA. When the lifetime of the ISAKMP SA expires, a new Phase 1 negotiation takes place, and new encryption, hash, and keying information is established in a new ISAKMP SA.

The lifetime is an attribute of the IKE group as a whole. If the IKE group contains multiple proposals, the lifetime applies regardless of which proposal in the group is accepted.

This task creates IKE group IKE-1W on WEST. This IKE group contains two proposals:

  • Proposal 1 uses AES-256 as the encryption cipher and SHA-1 as the hash algorithm. SHA-1 is retained here for interoperability with older peers; for new deployments prefer a SHA-2 hash.
  • Proposal 2 uses AES-256 in GCM mode with a 128-bit integrity check value (aes256gcm128) as the encryption cipher. Because GCM is an AEAD cipher, this proposal has no separate hash algorithm (hash null).

The IKE version is specified as version 2.

The lifetime of the IKE group, and therefore of the ISAKMP SA negotiated from whichever of its proposals is accepted, is set to 3600 seconds.

To create this IKE group, perform the following steps on WEST in configuration mode.

Table 1. Configuring an IKE group on WEST
Step Command

Create the configuration node for proposal 1 of IKE group IKE-1W.

vyatta@WEST# set security vpn ipsec ike-group IKE-1W proposal 1

Specify the IKE version (v2).

vyatta@WEST# set security vpn ipsec ike-group IKE-1W ike-version 2

Set the encryption cipher for proposal 1.

vyatta@WEST# set security vpn ipsec ike-group IKE-1W proposal 1 encryption aes256

Set the hash algorithm for proposal 1.

vyatta@WEST# set security vpn ipsec ike-group IKE-1W proposal 1 hash sha1

Set the encryption cipher for proposal 2. This also creates the configuration node for proposal 2 of IKE group IKE-1W.

vyatta@WEST# set security vpn ipsec ike-group IKE-1W proposal 2 encryption aes256gcm128

Set the hash algorithm for proposal 2 to null. AES-GCM is an AEAD cipher and provides its own integrity check, so no separate hash is used.

vyatta@WEST# set security vpn ipsec ike-group IKE-1W proposal 2 hash null

Set the lifetime for the whole IKE group.

vyatta@WEST# set security vpn ipsec ike-group IKE-1W lifetime 3600

View the configuration for the IKE group. Don't commit yet.

vyatta@WEST# show security vpn ipsec ike-group IKE-1W
    ike-version 2
    proposal 1 {
        encryption aes256
        hash sha1
    }
    proposal 2 {
        encryption aes256gcm128
        hash null
    }
    lifetime 3600
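Before committing, it is worth checking the rendered group against local policy rather than by eye. The following is an added example, not Vyatta's own code: a small Python auditor that parses the brace-delimited output of the show command above and flags an IKE version other than 2, a legacy or broken hash, a non-AEAD cipher with no hash (no integrity protection), an AEAD cipher paired with a redundant hash, and a lifetime over a policy maximum. The policy thresholds, the aesNNNgcmMMM pattern used to recognise AEAD ciphers, and the embedded sample text (copied from the IKE-1W output on this page) are assumptions made for the example.

```python
"""Parse and audit a Vyatta 'show security vpn ipsec ike-group' rendering.

Added example for this page, not Vyatta code. Policy values below are
assumed local policy, not platform defaults.
"""
import re
from typing import Any, Dict, List

# Constructed sample input: the IKE-1W rendering from the page's final step.
SAMPLE_IKE_1W = """\
    ike-version 2
    proposal 1 {
        encryption aes256
        hash sha1
    }
    proposal 2 {
        encryption aes256gcm128
        hash null
    }
    lifetime 3600
"""

# Assumed local policy.
WEAK_HASHES = {"md5"}          # not acceptable for IKE integrity/PRF
LEGACY_HASHES = {"sha1"}       # interoperable, but not for new deployments
MAX_LIFETIME_SECONDS = 86400   # one day
# AEAD ciphers are assumed to follow the aesNNNgcmMMM naming seen on this page.
AEAD_CIPHER = re.compile(r"^aes(128|192|256)gcm\d+$")


def parse_config(text: str) -> Dict[str, Any]:
    """Parse the brace-delimited 'show' output into nested dicts.

    'key value'  -> {key: value}
    'key name {' -> {key: {name: {...}}}  (e.g. 'proposal 1 {')
    '}'          -> closes the innermost block
    """
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}' at top level")
            stack.pop()
        elif line.endswith("{"):
            node = stack[-1]
            for token in line[:-1].split():
                node = node.setdefault(token, {})
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed block in config")
    return root


def audit_ike_group(name: str, cfg: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for one IKE group; empty means clean."""
    findings: List[str] = []
    if cfg.get("ike-version") != "2":
        findings.append(f"{name}: ike-version is not 2; IKEv1 will be used")
    proposals = cfg.get("proposal", {})
    if not proposals:
        findings.append(f"{name}: no proposals configured")
    for num, prop in sorted(proposals.items()):
        tag = f"{name} proposal {num}"
        enc = prop.get("encryption", "")
        hsh = prop.get("hash", "")
        is_aead = bool(AEAD_CIPHER.match(enc))
        if not enc:
            findings.append(f"{tag}: no encryption cipher")
        if is_aead and hsh not in ("", "null"):
            findings.append(f"{tag}: {enc} is AEAD; hash {hsh} is redundant, use hash null")
        if enc and not is_aead and hsh in ("", "null"):
            findings.append(f"{tag}: {enc} is not AEAD and has no hash; no integrity protection")
        if hsh in WEAK_HASHES:
            findings.append(f"{tag}: hash {hsh} is broken; replace it")
        if hsh in LEGACY_HASHES:
            findings.append(f"{tag}: hash {hsh} is legacy; prefer a SHA-2 hash for new peers")
    lifetime = cfg.get("lifetime")
    if lifetime is None:
        findings.append(f"{name}: lifetime not set; platform default applies")
    elif int(lifetime) > MAX_LIFETIME_SECONDS:
        findings.append(f"{name}: lifetime {lifetime}s exceeds policy maximum {MAX_LIFETIME_SECONDS}s")
    return findings


if __name__ == "__main__":
    group = parse_config(SAMPLE_IKE_1W)
    for finding in audit_ike_group("IKE-1W", group) or ["IKE-1W: no findings"]:
        print(finding)
```

Run against the IKE-1W output above, the only finding is the SHA-1 hash in proposal 1; proposal 2 passes because its AEAD cipher correctly has hash null. Paste the output of the show command for any other group into the parser to audit it the same way.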