The IKE proposal groups together the IKE map algorithms configured for the SA.
There are two IKE modes to which proposals are assigned: main mode and quick mode. The same IKE proposal can be assigned to both modes, or each mode can be assigned a unique IKE proposal depending upon your configuration needs.
The main mode or key exchange proposal is assigned to an IKE map in IKE map configuration mode. Main mode is the IKE negotiation that establishes a secure channel, known as the Internet Security Association and Key Management Protocol (ISAKMP) SA, between two devices.
Quick mode (also known as Phase 2) is the IKE negotiation that establishes a secure channel between two computers to protect data. Quick mode negotiates on behalf of the IPsec SAs. During quick mode, keying material is refreshed or, if necessary, new keys are generated. The quick mode proposal is assigned to an IKE policy using the proposal command in IKE policy configuration mode.
Use the crypto ike-proposal command in global VRF router configuration mode to create or modify an IKE proposal. Specify the name of the IKE proposal when entering the command. Upon entering the command, you are placed in IKE proposal configuration mode for the named proposal.
See IKE Proposal Parameters for a description of IKE proposal parameters.
Use the proposal command in IKE map configuration mode to assign a main mode (key exchange) proposal to an IKE map.
Parameter | Description |
---|---|
IKE Diffie-Hellman (DH) group | IKE Diffie-Hellman (DH) group is a key derivation algorithm that generates the IPsec SA key. There are three algorithms supporting key sizes 768, 1024, and 2048 bits. The larger the generated key, the greater the security, but also the greater the system overhead. Use the dh_group command in IKE proposal configuration mode to set the IKE DH group algorithm for the proposal. |
Encryption | Encryption is the process of transforming information, usually referred to as plaintext, using an algorithm, called a cipher, to make it unreadable to anyone except those possessing the associated key. The IKE proposal supports four encryption types:
|
Hash | The hash algorithm is used during phase 1 negotiation between the SA authenticating devices. This release supports the Secure Hash Algorithm 1 (SHA1) hash. This release does not support a hash default value. You must manually enter the hash algorithm for one to be configured. Use the hash command in IKE proposal configuration mode to configure the hash algorithm for the IKE proposal. |
Integrity | Integrity, also referred to as data authentication, verifies that the data has not been altered as opposed to a user authentication which verifies the identity of the user. This release supports SHA1 integrity. SHA1 produces a 160-bit message digest for which no known attacks or partial attacks have yet been demonstrated. This release does not support a default integrity algorithm. You must manually enter the integrity algorithm for one to be configured. Use the integrity command in IKE proposal configuration mode to configure the integrity algorithm for the IKE proposal. |