dh

Function

The dh command configures Diffie-Hellman group identifier used in Phase 1 of the IKE negotiation.

The undo dh command restores the default setting.

By default, no Diffie-Hellman group is configured.

This command is supported only on the NetEngine 8000 F1A.

Format

dh { group1 | group2 | group5 | group14 | group19 | group20 | group21 }

dh { group15 | group16 }

undo dh { group15 | group16 }

Parameters

Parameter	Description	Value
group1	Adopts 768-bits Diffie-Hellman group in Phase 1 of the key negotiation.	-
group2	Adopts 1024-bits Diffie-Hellman group in Phase 1 of the key negotiation.	-
group5	Adopts 1536-bits Diffie-Hellman group in Phase 1 of the key negotiation. The DH groups 1, 2, and 5 are not secure.	-
group14	Adopts 2048-bits Diffie-Hellman group in Phase 1 of the key negotiation.	-
group19	Adopts 256-bits ECP group in Phase 1 of the key negotiation.	-
group20	Adopts 384-bits ECP group in Phase 1 of the key negotiation.	-
group21	Adopts 512-bits ECP group in Phase 1 of the key negotiation.	-
group15	Adopts 3072-bits Diffie-Hellman group in Phase 1 of the key negotiation.	-
group16	Adopts 4096-bits Diffie-Hellman group in Phase 1 of the key negotiation.	-

Views

IKE proposal view

Default Level

2: Configuration level

Task Name and Operations

Task Name	Operations
ike	write

Usage Guidelines

DH algorithm is a public key algorithm. Both parties in communication can exchange some data without transmitting the key and find the shared key by calculation. The prerequisite for encryption is that both parties must have a shared key. To configure the Diffie-Hellman group identifier used in Phase 1 of the IKE negotiation, run the dh command.

The Diffie-Hellman group identifier used at two IPSec tunnel ends must be the same.

Example

# Specify the 2048-bit Diffie-Hellman group for IKE proposal 10.

<HUAWEI> system-view
[~HUAWEI] ike proposal 10
[*HUAWEI-ike-proposal-10] dh group14