...

CPU	DES and 3DES				AES-CBC				AES-CTR				AES-GCM
CPU	MD5	SHA1	SHA256	SHA512	MD5	SHA1	SHA256	SHA512	MD5	SHA1	SHA256	SHA512	MD5	SHA1	SHA256	SHA512
88F7040	no	yes	yes	yes	no	yes	yes	yes	no	yes	yes	yes	no	yes	yes	yes
AL21400	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes
AL32400	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes
AL52400	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes
AL73400	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes
IPQ-4018 / IPQ-4019	no	yes	yes	no	no	yes*	yes*	no	no	yes*	yes*	no	no	no	no	no
IPQ-5018	yes	yes	yes	no	yes	yes	yes	no	yes	yes	yes	no	no	no	no	no
IPQ-6010	no	no	no	no	no	yes	yes	yes	no	yes	yes	yes	no	yes	yes	yes
IPQ-8064	no	yes	yes	no	no	yes*	yes*	no	no	yes*	yes*	no	no	no	no	no
MT7621A	yes****	yes****	yes****	no	yes	yes	yes	no	no	no	no	no	no	no	no	no
P1023NSN5CFB	no	no	no	no	yes**	yes**	yes**	yes**	no	no	no	no	no	no	no	no
P202ASSE2KFB	yes	yes	yes	no	yes	yes	yes	yes	no	no	no	no	no	no	no	no
PPC460GT	no	no	no	no	yes***	yes***	yes***	yes***	yes***	yes***	yes***	yes***	no	no	no	no
TLR4 (TILE)	yes	yes	yes	no	yes	yes	yes	no	yes	yes	yes	no	no	no	no	no
x86 (AES-NI)	no	no	no	no	yes***	yes***	yes***	yes***	yes***	yes***	yes***	yes***	yes***	yes***	yes***	yes***

Profiles define a set of parameters that will be used for IKE negotiation during Phase 1. These parameters may be common with other peer configurations.

Properties

Property	Description
dh-group (modp768 \| modp1024 \| modp1536 \| modp2048 \| modp3072 \| modp4096 \| modp6144 \| modp8192 \| ecp256 \| ecp384 \| ecp521; Default: modp1024,modp2048)	Diffie-Hellman group (cipher strength)
dpd-interval (time \| disable-dpd; Default: 2m)	Dead peer detection interval. If set to disable-dpd, dead peer detection will not be used.
dpd-maximum-failures (integer: 1..100; Default: 5)	Maximum count of failures until peer is considered to be dead. Applicable if DPD is enabled.
enc-algorithm (3des \| aes-128 \| aes-192 \| aes-256 \| blowfish \| camellia-128 \| camellia-192 \| camellia-256 \| des; Default: aes-128)	List of encryption algorithms that will be used by the peer.
hash-algorithm (md5 \| sha1 \| sha256 \| sha512; Default: sha1)	Hashing algorithm. SHA (Secure Hash Algorithm) is stronger, but slower. MD5 uses 128-bit key, sha1-160bit key.
lifebytes (Integer: 0..4294967295; Default: 0)	Phase 1 lifebytes is used only as administrative value which is added to proposal. Used in cases if remote peer requires specific lifebytes value to establish phase 1.
lifetime (time; Default: 1d)	Phase 1 lifetime: specifies how long the SA will be valid.
name (string; Default: )
nat-traversal (yes \| no; Default: yes)	Use Linux NAT-T mechanism to solve IPsec incompatibility with NAT routers between IPsec peers. This can only be used with ESP protocol (AH is not supported by design, as it signs the complete packet, including the IP header, which is changed by NAT, rendering AH signature invalid). The method encapsulates IPsec ESP traffic into UDP streams in order to overcome some minor issues that made ESP incompatible with NAT.
proposal-check (claim \| exact \| obey \| strict; Default: obey)	Phase 2 lifetime check logic: claim - take shortest of proposed and configured lifetimes and notify initiator about it exact - require lifetimes to be the same obey - accept whatever is sent by an initiator strict - if the proposed lifetime is longer than the default then reject the proposal otherwise accept a proposed lifetime

Identities

Identities are configuration parameters that are specific to the remote peer. The main purpose of identity is to handle authentication and verify the peer's integrity.

...

Page tree

Versions Compared

Old Version 54

New Version 55

Key

Identities

Page tree

Page History

Versions Compared

Old Version 54

New Version 55

Key

Identities