IPsec IKE and ESP elements

Table 1 describes IPsec IKE and ESP configuration elements and provides default values, if applicable.

Table 1: IPsec IKE and ESP elements

Each element is listed with its description (where the reference gives one), its valid values and its default.

Internet Key Exchange Version
  Valid values: ikev1, ikev2
  Default: ikev2

IKE Configuration

IKE Encryption
  Valid values: aes128_cbc, aes192_cbc, aes256_cbc, 3des_cbc
  Default: aes128_cbc

IKE Authentication
  Valid values: hmac_sha1, aes_xcbc, hmac_md5
  Default: hmac_md5

Pseudo Random Function
  Description: Used to derive keying material during the key exchange. Applies to ikev2 only.
  Valid values: hmac_sha1, aes_xcbc (ikev2)
  Default: - (no default)

Diffie-Hellman Group
  Description: The group number selects the Diffie-Hellman group (a set of numbers with special algebraic properties) from which the key-exchange values are drawn. Group 2 is 1024-bit MODP and group 14 is 2048-bit MODP, so group 14 uses larger values and gives the stronger exchange. Group 14 is available for ikev2 only.
  Valid values: 2, 14 (ikev2); 2 (ikev1)
  Default: 2 (ikev1); 14 (ikev2)

IKE SA Lifetime
  Description: Lifetime of the IKE/IPsec security associations, expressed as a number of time units in the unit chosen by Lifetime Units. Example: 3 mins.
  Note: If a connection goes down, it will not re-establish until the lifetime expires. If the lifetime is set to 60 minutes and a failure requires a switchover of a VIP, the switchover will not occur until the 60 minutes have elapsed. The recommendation is to set the lifetime to the lowest value that does not impact network connectivity, such as 3-5 minutes.
  Valid values: Number of time units
  Default: 60

Lifetime Units
  Valid values: hours, mins, secs
  Default: mins

Perfect Forward Secrecy
  Description: When enabled, each IPsec SA is keyed from a fresh Diffie-Hellman exchange rather than from the IKE SA's keying material alone, so compromise of the keys for one SA (or of the long-term keys) does not expose the keys of the other SAs.
  Valid values: yes, no
  Default: yes

ESP Configuration

ESP Authentication
  Description: Algorithm used to authenticate (integrity-protect) the encrypted ESP packets.
  Valid values: hmac_sha1, hmac_md5
  Default: hmac_sha1

ESP Encryption
  Description: Algorithm used to encrypt the actual IPsec packets.
  Valid values: aes128_cbc, aes192_cbc, aes256_cbc, 3des_cbc
  Default: aes128_cbc

Note: 3des_cbc, hmac_md5 and Diffie-Hellman group 2 remain selectable in this table but are deprecated by current IKE algorithm guidance (RFC 8247). In particular the IKE Authentication default of hmac_md5 should be changed to hmac_sha1 or aes_xcbc; ikev2 with an aes*_cbc cipher, hmac_sha1 or aes_xcbc, group 14 and Perfect Forward Secrecy enabled is the strongest combination the elements above allow.
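A small checker that validates an element set against Table 1, fills in the version-dependent defaults, and warns about the choices a reviewer would flag (deprecated algorithms, PFS disabled, and an IKE SA lifetime long enough to delay a VIP switchover per the note above). This is an added example, not configuration syntax or code from the product this reference documents; the dictionary key names are assumptions chosen for the example, and the "weak" set reflects RFC 8247 guidance rather than anything stated in the table.

```python
"""Validate an IPsec IKE/ESP element set against Table 1 and flag weak choices.

Added example. Key names (ike_version, esp_encryption, ...) are assumptions
for this script and are not the product's own element identifiers.
"""

# Valid values transcribed from Table 1.
VALID = {
    "ike_version": {"ikev1", "ikev2"},
    "ike_encryption": {"aes128_cbc", "aes192_cbc", "aes256_cbc", "3des_cbc"},
    "ike_authentication": {"hmac_sha1", "aes_xcbc", "hmac_md5"},
    "prf": {"hmac_sha1", "aes_xcbc"},          # ikev2 only
    "dh_group": {2, 14},                       # 14 is ikev2 only
    "lifetime_units": {"hours", "mins", "secs"},
    "pfs": {"yes", "no"},
    "esp_authentication": {"hmac_sha1", "hmac_md5"},
    "esp_encryption": {"aes128_cbc", "aes192_cbc", "aes256_cbc", "3des_cbc"},
}

# Defaults transcribed from Table 1. dh_group depends on the IKE version and
# prf has no default, so both are resolved later.
DEFAULTS = {
    "ike_version": "ikev2",
    "ike_encryption": "aes128_cbc",
    "ike_authentication": "hmac_md5",
    "prf": None,
    "dh_group": None,
    "ike_sa_lifetime": 60,
    "lifetime_units": "mins",
    "pfs": "yes",
    "esp_authentication": "hmac_sha1",
    "esp_encryption": "aes128_cbc",
}

UNIT_SECONDS = {"secs": 1, "mins": 60, "hours": 3600}

# Valid per the table, but deprecated by RFC 8247 (3DES, HMAC-MD5, 1024-bit MODP).
WEAK = {"3des_cbc", "hmac_md5", 2}

# Lifetime above which the table's own note says to expect delayed switchover.
RECOMMENDED_MAX_LIFETIME_SECS = 5 * 60


def resolve(config):
    """Overlay caller values on the table defaults and pick the
    version-dependent Diffie-Hellman default (2 for ikev1, 14 for ikev2)."""
    cfg = {**DEFAULTS, **config}
    if cfg["dh_group"] is None:
        cfg["dh_group"] = 14 if cfg["ike_version"] == "ikev2" else 2
    return cfg


def lifetime_seconds(cfg):
    """IKE SA lifetime in seconds, combining the count with Lifetime Units."""
    return cfg["ike_sa_lifetime"] * UNIT_SECONDS[cfg["lifetime_units"]]


def check(config):
    """Return (errors, warnings) for a configuration.

    Errors are values the table does not allow; warnings are valid but weak
    choices and a lifetime longer than the 3-5 minute recommendation."""
    cfg = resolve(config)
    errors, warnings = [], []

    for key, allowed in VALID.items():
        if cfg[key] is not None and cfg[key] not in allowed:
            errors.append(f"{key}={cfg[key]!r} is not a valid value "
                          f"(allowed: {sorted(map(str, allowed))})")

    if cfg["ike_version"] == "ikev1":
        if cfg["prf"] is not None:
            errors.append("prf applies to ikev2 only")
        if cfg["dh_group"] == 14:
            errors.append("dh_group 14 is only valid for ikev2")

    if not isinstance(cfg["ike_sa_lifetime"], int) or cfg["ike_sa_lifetime"] <= 0:
        errors.append("ike_sa_lifetime must be a positive number of time units")
    elif cfg["lifetime_units"] in UNIT_SECONDS:
        secs = lifetime_seconds(cfg)
        if secs > RECOMMENDED_MAX_LIFETIME_SECS:
            warnings.append(f"IKE SA lifetime is {secs}s; a failed peer will not "
                            f"re-establish until it expires (recommended 3-5 mins)")

    for key in ("ike_encryption", "ike_authentication",
                "esp_authentication", "esp_encryption", "dh_group"):
        if cfg[key] in WEAK:
            warnings.append(f"{key}={cfg[key]} is valid here but deprecated by RFC 8247")

    if cfg["pfs"] == "no":
        warnings.append("pfs=no: compromise of the IKE SA keys exposes every "
                        "child SA keyed from it")

    return errors, warnings


if __name__ == "__main__":
    # Running the checker on the table's own defaults shows why the defaults
    # should not be accepted as-is: hmac_md5 and a 60 minute lifetime are flagged.
    for name, cfg in (("defaults", {}),
                      ("hardened", {"ike_authentication": "hmac_sha1", "prf": "hmac_sha1",
                                    "ike_sa_lifetime": 3, "esp_encryption": "aes256_cbc"})):
        errs, warns = check(cfg)
        print(name, "errors:", errs, "warnings:", warns)
```

Run it as a script to see the table's defaults produce no errors but two warnings, while the hardened set is clean. The checker deliberately treats the table as the source of truth for validity and only layers the deprecation and lifetime advice on top as warnings, so it never rejects a value the product accepts.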