Cisco MDS 9000 Family CLI Configuration Guide, Release 4.x (OL-18084-01, February 2009)
Manually Configuring IPsec and IKE
Send documentation comments to mds-feedback-doc@cisco.com
parameters will be used to protect subsequent IKE negotiations and mandates how peers are
authenticated. You can create multiple, prioritized policies at each peer to ensure that at least one policy
will match a remote peer's policy.
You can configure the policy based on the encryption algorithm (DES, 3DES, or AES), the hash
algorithm (SHA-1 or MD5), and the DH group (1, 2, or 5). Each policy can contain a different combination
of parameter values. A unique priority number identifies each configured policy; it ranges from
1 (highest priority) to 255 (lowest priority). You can create multiple policies in a switch. To connect
to a remote peer, you must ensure that at least one policy in the local switch contains exactly the
parameter values configured in the remote peer. If several policies have identical parameter
configurations, the policy with the lowest number is selected. Of the supported values, DES, MD5, and
DH group 1 (768-bit) are the weakest; where the remote peer supports them, prefer AES or 3DES, SHA-1,
and DH group 5 (1536-bit), and give those policies the highest priorities so they are tried first.
Table 37-1 provides a list of allowed transform combinations.

Table 37-1    IKE Transform Configuration Parameters

Parameter               Accepted Values           Keyword           Default Value
encryption algorithm    56-bit DES-CBC            des               3des
                        168-bit 3DES (Triple DES) 3des
                        128-bit AES               aes
hash algorithm          SHA-1 (HMAC variant)      sha               sha
                        MD5 (HMAC variant)        md5
authentication method   Preshared keys            Not configurable  Preshared keys
DH group identifier     768-bit DH (group 1)      1                 1
                        1024-bit DH (group 2)     2
                        1536-bit DH (group 5)     5

The following table lists the supported and verified settings for IPsec and IKE encryption and
authentication algorithms on the Microsoft Windows and Linux platforms:

Platform                                                          IKE                               IPsec
Microsoft iSCSI initiator, Microsoft IPsec implementation         3DES, SHA-1 or MD5, DH group 2    3DES, SHA-1
on the Microsoft Windows 2000 platform
Cisco iSCSI initiator, FreeS/WAN IPsec implementation             3DES, MD5, DH group 1             3DES, MD5
on the Linux platform

Note    When you configure the hash algorithm, the corresponding HMAC version is used as the
authentication algorithm.

When the IKE negotiation begins, IKE looks for an IKE policy that is the same on both peers. The peer
that initiates the negotiation sends all of its policies to the remote peer, and the remote peer tries to
find a match. The remote peer looks for a match by comparing its own highest-priority policy against the
received policies, then checks each of its remaining policies in order of priority (highest priority
first) until a match is found. The selected policy is therefore the responder's highest-priority policy
that the initiator also offers, not the initiator's highest-priority one.

Chapter 37    Configuring IPsec Network Security
Cisco MDS 9000 Family CLI Configuration Guide, OL-18084-01, Cisco MDS NX-OS Release 4.x, page 37-12
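The policy-selection rules described above (a match requires identical parameter values, the lowest-numbered of several identical policies wins, and the responder's priority order decides which match is chosen) as an added simulation in Python. This is editor-written example code, not Cisco's implementation and not anything typed into the MDS CLI; it encodes the keywords and default values from Table 37-1 and the verified Windows 2000 parameter set from the platform table, and the WEAK set is the editor's assumption about which supported values to avoid, not something the page states.

```python
"""Simulation of MDS IKE policy selection (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Keywords the switch accepts for each policy parameter (Table 37-1).
ACCEPTED = {
    "encryption": {"des", "3des", "aes"},
    "hash_alg": {"sha", "md5"},
    "group": {1, 2, 5},
}
# Values the switch applies when a parameter is not set (Table 37-1).
DEFAULTS = {"encryption": "3des", "hash_alg": "sha", "group": 1}
# Values this example flags as weak. Editor's assumption for illustration;
# the page only lists them as supported.
WEAK = {"encryption": {"des"}, "hash_alg": {"md5"}, "group": {1}}


@dataclass(frozen=True)
class IkePolicy:
    """One IKE policy as configured on a peer. Authentication is always
    preshared keys on the switch, so it is not a field."""
    priority: int            # 1 = highest priority ... 255 = lowest
    encryption: str = DEFAULTS["encryption"]
    hash_alg: str = DEFAULTS["hash_alg"]
    group: int = DEFAULTS["group"]

    def __post_init__(self) -> None:
        # Reject values the CLI would not accept.
        if not 1 <= self.priority <= 255:
            raise ValueError(f"priority {self.priority} outside 1..255")
        for name, allowed in ACCEPTED.items():
            value = getattr(self, name)
            if value not in allowed:
                raise ValueError(f"{name}={value!r} not in {sorted(allowed, key=str)}")

    def transform(self) -> Tuple[str, str, int]:
        """The parameter values that must be identical on both peers."""
        return (self.encryption, self.hash_alg, self.group)


def by_priority(policies: Iterable[IkePolicy]) -> List[IkePolicy]:
    """Policies in the order a peer evaluates them (lowest number first)."""
    return sorted(policies, key=lambda p: p.priority)


def negotiate(initiator: Iterable[IkePolicy],
              responder: Iterable[IkePolicy]) -> Optional[IkePolicy]:
    """Return the responder policy selected for the SA, or None if no match.

    The initiator sends all of its policies; the responder walks its own
    policies from highest to lowest priority and picks the first whose
    parameter values appear in the offer. Among identical responder
    policies the lowest number wins because it is evaluated first.
    """
    offered = {p.transform() for p in initiator}
    for candidate in by_priority(responder):
        if candidate.transform() in offered:
            return candidate
    return None


def weak_parameters(policy: IkePolicy) -> List[str]:
    """Names of the policy's parameters whose value is in WEAK."""
    return [name for name, bad in WEAK.items() if getattr(policy, name) in bad]


if __name__ == "__main__":
    # Constructed peers: the Windows 2000 verified set from the platform
    # table as initiator, and a switch that prefers AES/SHA-1/group 5.
    windows = [IkePolicy(10, "3des", "sha", 2), IkePolicy(20, "3des", "md5", 2)]
    switch = [IkePolicy(1, "aes", "sha", 5),
              IkePolicy(5, "3des", "md5", 2),
              IkePolicy(7, "3des", "sha", 2)]
    chosen = negotiate(windows, switch)
    print("selected:", chosen, "weak parameters:", weak_parameters(chosen))
```

With the constructed peers the selected policy is the switch's priority-5 (3DES, MD5, group 2) entry, even though the initiator listed 3DES/SHA-1 first: the responder's ordering decides. To steer peers toward the stronger parameters, order the switch's own policies so the preferred combinations carry the lowest numbers.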
