Table 1 describes IPsec IKE and ESP configuration elements and provides default values, if applicable.
| Description | Valid Values | Default |
|---|---|---|
| Internet Key Exchange Version | ikev1, ikev2 | ikev2 |
| IKE Configuration | ||
| IKE Encryption | aes128_cbc, aes192_cbc, aes256_cbc, 3des_cbc, hmac_md5 |
aes128_cbc hmac_md5 |
| IKE Authentication | hmac_sha1, aes_xcbc, hmac_md5 | hmac_md5 |
|
Psuedo Random Runction. This is used for the key exchange only for ikev2. |
hmac_sha1, aes_xcbc (ikev2) | - |
|
Diffie-Hellman Group The group number is used to generate the group (group - set of numbers with special algebraic properties) that is used to select keys for the Diffie-Hellman algorithm. The larger the group number, the larger the keys used in the algorithm. |
2, 14 (ikev2) 2 (ikev1) |
2 (IKEv1) 14 (IKEv2) |
|
IKE SA Lifetime Lifetime of the IKE/IPsec security associations. A correct lifetime value would be <hours/mins/secs>. Example: 3 mins. Note: If a connection goes down it will not reestablish until the lifetime expires. If the lifetime is set to 60 minutes and a failure causing a switchover of a VIP is required, the switchover will not occur until the 60 minutes expire. The recommendation is to set the lifetime to the lowest possible time that will not impact network connectivity, such as 3-5 minutes.
|
Number of time units | 60 |
| Lifetime Units | hours, mins, secs | mins |
|
Perfiect Forward Secrecy This is an algorithm used to ensure that if one of the private keys is compromised the other keys are not compromised. |
yes, no | yes |
| ESP Configuration | ||
|
ESP Authentication Algorithm used to authenticate the encrypted ESP |
hmac_sha1, hmac_md5 | hmac_sha1 |
|
Encryption Encryption Algorithm used to encrypt the actual IPsec packets |
aes128_cbc, aes192_cbc, aes256_cbc, 3des_cbc | aes128_cbc |