Configure an IKE group on WEST
The IKE group allows you to pre-define a set of one or more proposals to be used in IKE Phase 1 negotiation, after which the ISAKMP security association (SA) can be set up. For each proposal in the group, the following information is defined:
- Cipher to encrypt packets during IKE Phase 1
- Hash function to authenticate packets during IKE Phase 1
The IKE group also has a configured lifetime, which is the duration of the ISAKMP SA. When the lifetime of the ISAKMP SA expires, a new Phase 1 negotiation takes place, and new encryption, hash, and keying information is established in a new pair of ISAKMP SAs.
The lifetime is an attribute of the IKE group as a whole. If the IKE group contains multiple proposals, the lifetime applies regardless of which proposal in the group is accepted.
This task creates IKE group IKE-1W on WEST. This IKE group contains two proposals:
- Proposal 1 uses AES-256 as the encryption cipher and SHA-1 as the hash algorithm.
- Proposal 2 uses AES-256 with 128-bit GCM as the encryption cipher.
The IKE version is specified as version 2.
The lifetime of a proposal from this IKE group is set to 3600 seconds.
To create this IKE group, perform the following steps on WEST in configuration mode.
Step | Command |
---|---|
Create the configuration node for proposal 1 of IKE group IKE-1W. | |
Specify the IKE version (v2). | |
Set the encryption cipher for proposal 1. | |
Set the hash algorithm for proposal 1. | |
Set the encryption cipher for proposal 2. This also creates the configuration node for proposal 2 of IKE group IKE-1W. | |
Set the hash algorithm for proposal 2. | |
Set the lifetime for the whole IKE group. | |
View the configuration for the IKE group. Don't commit yet. | |
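The following added example (not part of the original documentation and not router syntax) is a simplified Python model of how a multi-proposal IKE group behaves: whichever proposal a peer accepts, the ISAKMP SA lifetime comes from the group. The algorithm labels, the `negotiate` helper and the three peer groups are assumptions constructed for illustration; proposal 2's hash is left unset because the page does not state it.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Proposal:
    number: int
    encryption: str
    hash_alg: Optional[str] = None   # None: value not stated on the page

@dataclass(frozen=True)
class IkeGroup:
    name: str
    ike_version: int
    lifetime: int                    # seconds; one value for the whole group
    proposals: Tuple[Proposal, ...]

def negotiate(local: IkeGroup, peer: IkeGroup) -> Optional[Tuple[Proposal, int]]:
    """Simplified Phase 1 selection: first local proposal the peer also offers.

    Returns (accepted proposal, ISAKMP SA lifetime) or None if nothing matches.
    """
    if local.ike_version != peer.ike_version:
        return None
    offered = {(p.encryption, p.hash_alg) for p in peer.proposals}
    for mine in sorted(local.proposals, key=lambda p: p.number):
        if (mine.encryption, mine.hash_alg) in offered:
            return mine, local.lifetime   # lifetime is taken from the group
    return None

# IKE-1W as described above. Algorithm labels are illustrative strings, not
# router syntax; proposal 2's hash is not stated on the page, so it is unset.
IKE_1W = IkeGroup("IKE-1W", 2, 3600, (
    Proposal(1, "aes256", "sha1"),
    Proposal(2, "aes256-gcm128"),
))

# Constructed peers for the demonstration (hypothetical, not from the page).
PEER_CBC = IkeGroup("PEER-CBC", 2, 28800, (Proposal(1, "aes256", "sha1"),))
PEER_GCM = IkeGroup("PEER-GCM", 2, 28800, (Proposal(1, "aes256-gcm128"),))
PEER_OLD = IkeGroup("PEER-OLD", 2, 28800, (Proposal(1, "3des", "md5"),))

if __name__ == "__main__":
    for peer in (PEER_CBC, PEER_GCM, PEER_OLD):
        print(peer.name, "->", negotiate(IKE_1W, peer))
```

A peer that shares no proposal with the group gets no SA at all, which is the failure to look for first when Phase 1 does not come up.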