The ike proposal command creates an IKE proposal and enters the IKE proposal view.
The undo ike proposal command deletes an IKE proposal.
By default, no IKE proposal is configured.
This command is supported only on the NetEngine 8000 F1A.
In the IKE proposal view, you can define parameters, including authentication method, encryption algorithm, authentication algorithm, integrity algorithm, DH group ID and SA duration, for the IKE proposal by using the authentication-method, authentication-algorithm, dh, encryption-algorithm, integrity-algorithm, and sa duration commands.
For a newly created IKE proposal, the default encryption algorithm is AES-CBC-256, the default authentication algorithm is SHA2-256, the default authentication method is Pre-Shared Key, no Diffie-Hellman group ID is configured by default, and the default lifetime is 86400 seconds. Change the values of these parameters as required. New values take effect in the next tunnel negotiation and do not affect tunnels that have already been negotiated.
The DES/SHA1 algorithms (in digital signature scenarios) provide low security and may introduce security risks. If the protocols in use allow it, using more secure algorithms, such as AES/SHA2/HMAC-SHA2, is recommended.
Both sides of the negotiation can be configured with more than one IKE proposal. Starting from the IKE proposal with the highest priority, they negotiate to select a proposal for which both sides have the same encryption algorithm, authentication algorithm, authentication method, and DH group ID. The SA duration is decided by the initiator of the negotiation and does not need to be agreed on.
If an IKE proposal is specified in the ike peer of the initiator, only the specified IKE proposal is sent during IKE negotiation. The responder searches only for an IKE proposal that matches the one specified by the initiator. If no such IKE proposal is found, the negotiation fails.
If no IKE proposal is specified in the ike peer of the initiator, all IKE proposals are sent during IKE negotiation. The responder searches, one by one, for IKE proposals that match those sent by the initiator.
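The matching rules above can be modelled offline to audit which proposal a pair of peers would end up using. This Python model is an added example, not device or vendor code: the proposal names, the algorithm strings, and the assumptions that each list is ordered highest priority first and that the initiator's order is tried first are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

WEAK = {"des", "sha1"}  # algorithms the text above describes as low security

@dataclass(frozen=True)
class Proposal:
    name: str
    encryption: str
    auth_algorithm: str
    auth_method: str
    dh_group: Optional[str]   # None models "DH group ID not configured"
    sa_duration: int = 86400  # default lifetime in seconds

    def match_key(self):
        # SA duration is left out: the initiator decides it, no agreement needed.
        return (self.encryption, self.auth_algorithm, self.auth_method, self.dh_group)

    def weak_algorithms(self):
        return sorted({self.encryption, self.auth_algorithm} & WEAK)

def offered(initiator, pinned=None):
    # A proposal named in the initiator's ike peer is the only one sent; else all are.
    return [p for p in initiator if pinned is None or p.name == pinned]

def negotiate(initiator, responder, pinned=None):
    # Returns (initiator proposal, responder proposal, SA duration) or None.
    # Assumption: both lists are ordered highest priority first.
    for sent in offered(initiator, pinned):
        for local in responder:
            if sent.match_key() == local.match_key():
                return sent, local, sent.sa_duration
    return None  # no common proposal: negotiation fails

# Constructed sample proposals (labels are illustrative, not CLI keywords).
INITIATOR = [
    Proposal("10", "aes-cbc-256", "sha2-256", "pre-share", "group14", 3600),
    Proposal("20", "des", "sha1", "pre-share", "group2"),
]
RESPONDER = [
    Proposal("5", "des", "sha1", "pre-share", "group2", 7200),
    Proposal("6", "aes-cbc-256", "sha2-256", "pre-share", "group14"),
]

if __name__ == "__main__":
    for pinned in (None, "20"):
        sent, local, duration = negotiate(INITIATOR, RESPONDER, pinned)
        print(pinned, sent.name, local.name, duration, sent.weak_algorithms())
```

In the second run, the legacy DES/SHA1 proposal left on both peers is the one selected once the initiator's ike peer references it, which is why unused weak proposals are worth removing with undo ike proposal.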