ipsec ikeproposal obey|strict|claim|exact

Specifies how the responder handles lifetime length, key length, and PFS when selecting a phase 2 proposal, and how it checks the lifetime in phase 1.

obey The responder will always obey the initiator (default).
strict If the responder's lifetime length is not equal to the initiator's, the responder will use the initiator's value. Otherwise, the proposal will be rejected. If PFS is not required by the responder, the responder will obey the proposal. If PFS is required by both sides and the responder's group is not equal to the initiator's, then the responder will reject the proposal.
claim If the responder's lifetime length is not equal to the initiator's, the responder will use the initiator's value. If the responder's lifetime length is shorter than the initiator's, the responder uses its own length AND sends a RESPONDER-LIFETIME notify message to the initiator in the case of lifetime (phase 2 only). For PFS, this directive behaves the same as strict.
exact If the initiator's lifetime or key length is not equal to the responder's, the responder will reject the proposal. If PFS is required by both sides and the responder's group is not equal to the initiator's, then the responder will reject the proposal.

Examples:

  1. Set IKE proposal check level to strict:
    cmd ipsec ikeproposal strict

See also: IPsec

Last modified on 12-12-20 10:47:09 AM