• The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide different levels of protection. A stronger algorithm means better resistance to decryption of protected data but requires more resources. Typically, the longer the key, the stronger the algorithm.
• The local and remote identity authentication methods.
  ○ To use the pre-shared key authentication method, you must determine the pre-shared key.
  ○ To use the RSA digital signature authentication method, you must determine the PKI domain for the local end to use. For information about PKI, see "
To configure IKEv2, perform the following tasks:

Tasks at a glance                                            | Remarks
(Required.)                                                  | N/A
(Required.)                                                  | N/A
(Optional.)                                                  | If you specify an IKEv2 proposal in an IKEv2 policy, you must configure the IKEv2 proposal.
                                                             | Required when either end or both ends use the pre-shared key authentication method.
Configure global IKEv2 parameters:                           | The cookie challenging feature takes effect only on IKEv2 responders.
  • (Optional.) Enabling the cookie challenging feature      |
  • (Optional.) Configuring the IKEv2 DPD feature            |
  • (Optional.) Configuring the IKEv2 NAT keepalive feature  |
Configuring an IKEv2 profile
An IKEv2 profile is intended to provide a set of parameters for IKEv2 negotiation. To configure an IKEv2 profile, perform the following tasks:
1. Specify the local and remote identity authentication methods.
   The local and remote identity authentication methods must both be specified and they can be different. You can specify only one local identity authentication method and multiple remote identity authentication methods.
2. Configure the IKEv2 keychain or PKI domain for the IKEv2 profile to use:
   ○ To use digital signature authentication, configure a PKI domain.
   ○ To use pre-shared key authentication, configure an IKEv2 keychain.
3. Configure the local ID, the ID that the device uses to identify itself to the peer during IKEv2 negotiation:
   ○ For digital signature authentication, the device can use an ID of any type. If the local ID is an IP address that is different from the IP address in the local certificate, the device uses the FQDN as the local ID. The FQDN is the device name configured by using the sysname command.
   ○ For pre-shared key authentication, the device can use an ID of any type other than the DN.
4. Configure peer IDs.
   The device compares the received peer ID with the peer IDs of its local IKEv2 profiles. If a match is found, it uses the IKEv2 profile with the matching peer ID for IKEv2 negotiation. IKEv2 profiles will be compared in descending order of their priorities.
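As an added illustration, not code from the HPE guide or the switch software, the following Python models the four profile rules above: one local and one or more remote authentication methods (step 1), keychain versus PKI domain (step 2), the local ID substitution for digital signature authentication and the no-DN rule for pre-shared keys (step 3), and peer ID matching across profiles in descending priority (step 4). Every class, field and sample profile is an assumption made for this example, including the convention that a larger priority value is the higher priority; a real device also supports richer peer ID matching (for example address ranges) than the exact comparison used here.

```python
"""Model of the IKEv2 profile rules (added example; all names and
sample values are assumptions, not the device's implementation)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

PRE_SHARE = "pre-share"   # pre-shared key authentication
RSA_SIG = "rsa-sig"       # RSA digital signature authentication


@dataclass(frozen=True)
class Identity:
    """An IKEv2 identity; id_type is one of address, fqdn, email, dn, key-id."""
    id_type: str
    value: str


@dataclass
class Ikev2Profile:
    name: str
    local_auth: str                       # exactly one local method (step 1)
    remote_auth: FrozenSet[str]           # one or more remote methods (step 1)
    peer_ids: Tuple[Identity, ...]        # peer IDs this profile matches (step 4)
    priority: int                         # assumption: larger value wins
    keychain: Optional[str] = None        # needed for pre-share (step 2)
    pki_domain: Optional[str] = None      # needed for rsa-sig (step 2)
    local_id: Optional[Identity] = None   # configured local ID (step 3)


def validate_profile(p: Ikev2Profile) -> List[str]:
    """Return the configuration problems found; an empty list means usable."""
    problems = []
    if p.local_auth not in (PRE_SHARE, RSA_SIG):
        problems.append("unknown local authentication method")
    if not p.remote_auth:
        problems.append("no remote authentication method specified")
    if p.local_auth == PRE_SHARE and not p.keychain:
        problems.append("pre-shared key authentication needs an IKEv2 keychain")
    if p.local_auth == RSA_SIG and not p.pki_domain:
        problems.append("digital signature authentication needs a PKI domain")
    if p.local_auth == PRE_SHARE and p.local_id and p.local_id.id_type == "dn":
        problems.append("pre-shared key authentication cannot use a DN as the local ID")
    if not p.peer_ids:
        problems.append("no peer ID configured")
    return problems


def effective_local_id(p: Ikev2Profile, cert_address: Optional[str],
                       sysname: str) -> Identity:
    """Step 3: with digital signature authentication, an address-type local ID
    that differs from the address in the local certificate is replaced by the
    FQDN, which is the device name set with the sysname command."""
    if p.local_id is None:
        raise ValueError("no local ID configured")
    if (p.local_auth == RSA_SIG and p.local_id.id_type == "address"
            and p.local_id.value != cert_address):
        return Identity("fqdn", sysname)
    return p.local_id


def select_profile(received: Identity,
                   profiles: List[Ikev2Profile]) -> Optional[Ikev2Profile]:
    """Step 4: walk the profiles in descending priority and return the first
    valid one whose peer IDs contain the received peer ID."""
    for p in sorted(profiles, key=lambda x: x.priority, reverse=True):
        if validate_profile(p):
            continue  # a misconfigured profile cannot be used for negotiation
        if received in p.peer_ids:
            return p
    return None


# Constructed sample profiles (not taken from the guide).
PROFILES = [
    Ikev2Profile("branch-psk", PRE_SHARE, frozenset({PRE_SHARE}),
                 (Identity("address", "192.0.2.10"),), priority=50,
                 keychain="kc-branch",
                 local_id=Identity("address", "198.51.100.1")),
    Ikev2Profile("hq-cert", RSA_SIG, frozenset({RSA_SIG, PRE_SHARE}),
                 (Identity("fqdn", "hq.example.net"),
                  Identity("address", "192.0.2.10")),
                 priority=200, pki_domain="corp-pki",
                 local_id=Identity("address", "203.0.113.5")),
    # Highest priority but no keychain, so it must never be selected.
    Ikev2Profile("broken", PRE_SHARE, frozenset({PRE_SHARE}),
                 (Identity("address", "192.0.2.10"),), priority=999),
]

if __name__ == "__main__":
    chosen = select_profile(Identity("address", "192.0.2.10"), PROFILES)
    print("selected profile:", chosen.name if chosen else None)
    print("local ID sent:", effective_local_id(PROFILES[1], "203.0.113.9", "Switch-A"))
    print("problems in 'broken':", validate_profile(PROFILES[2]))
```

The sample shows two profiles that both list the same peer address: the higher-priority certificate profile wins, and the misconfigured profile is skipped even though its priority is highest, which is the check a reviewer wants when several profiles overlap on a peer ID.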