Use the KeyExchangeOffer statement to define a key exchange offer for a dynamic VPN. A key exchange offer indicates one acceptable way to protect a key exchange for a dynamic VPN. A key exchange offer can be referenced by a KeyExchangeAction statement.
Syntax (put braces and parameters on separate lines; every parameter except HowToAuthPeers is optional, with the default shown on the right):

KeyExchangeOffer [name]
{
    HowToEncrypt             DES | 3DES | AES | AES_CBC KeyLength keylen                        (default: DES)
    HowToAuthMsgs            MD5 | SHA1 | SHA2_256 | SHA2_384 | SHA2_512                         (default: MD5)
    HowToVerifyMsgs          AES128_XCBC_96 | HMAC_MD5_96 | HMAC_SHA1_96 |
                             HMAC_SHA2_256_128 | HMAC_SHA2_384_192 | HMAC_SHA2_512_256            (default: HMAC_SHA1_96)
    PseudoRandomFunction     AES128_XCBC | HMAC_MD5 | HMAC_SHA1 |
                             HMAC_SHA2_256 | HMAC_SHA2_384 | HMAC_SHA2_512                        (default: HMAC_SHA1)
    HowToAuthPeers           PresharedKey | RsaSignature                                          (required)
    DHGroup                  Group1 | Group2 | Group5 | Group14 | Group19 | Group20 | Group21 | Group24   (default: Group1)
    RefreshLifetimeProposed  proposedtime                                                         (default: 480)
    RefreshLifetimeAccepted  mintime maxtime                                                      (default: 240 1440)
    RefreshLifesizeProposed  proposedsize | None                                                  (default: None)
    RefreshLifesizeAccepted  minsize maxsize | None                                               (default: None)
}
Rule: If this KeyExchangeOffer statement is not specified inline within another statement, a name value must be provided.
If a name is not specified for an inline KeyExchangeOffer statement, a nonpersistent system name is created.
Restriction: DES is not accepted when the TCP/IP stack is configured for FIPS 140 mode on the IpFilterPolicy statement.
Rule: If 3DES is specified but is not supported by the system, then the Policy Agent fails the policy.
Rule: If AES is specified but AES encryption in CBC mode is not supported by this TCP/IP stack, Policy Agent fails the policy.
Restriction: The AES_CBC KeyLength value is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
Restriction: MD5 is not accepted when the TCP/IP stack is configured for FIPS 140 mode on the IpFilterPolicy statement.
Restriction: SHA2_256 is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
Restriction: SHA2_384 is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
Restriction: SHA2_512 is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
Restriction: The HowToAuthMsgs parameter is ignored for IKE version 2 SAs.
Restriction: AES128_XCBC_96 is not accepted when the TCP/IP stack is configured for FIPS 140 mode on the IpFilterPolicy statement.
Restriction: HMAC_MD5_96 is not accepted when the TCP/IP stack is configured for FIPS 140 mode on the IpFilterPolicy statement.
Restriction: AES128_XCBC is not accepted when the TCP/IP stack is configured for FIPS 140 mode on the IpFilterPolicy statement.
Restriction: HMAC_MD5 is not accepted when the TCP/IP stack is configured for FIPS 140 mode on the IpFilterPolicy statement.
Restriction: The HowToAuthPeers parameter is ignored for IKE version 2 SAs.
Restriction: Group1 is not accepted when the TCP/IP stack is configured for FIPS 140 mode on the IpFilterPolicy statement.
Restriction: Group2 is not accepted when the TCP/IP stack is configured for FIPS 140 mode on the IpFilterPolicy statement.
Restriction: Group5 is not accepted when the TCP/IP stack is configured for FIPS 140 mode on the IpFilterPolicy statement.
Restriction: Group19 is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
Restriction: Group20 is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
Restriction: Group21 is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
Restriction: Group24 is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
Guideline: If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman group 5, 14, 19, 20, or 24. If you are using encryption or authentication algorithms with a key length of 256 bits or greater, use Diffie-Hellman group 21.
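The following checker is an added example, not part of this reference or of Policy Agent: it parses a KeyExchangeOffer stanza, fills in the diagram defaults for anything left unspecified, and reports the values this page lists as rejected in FIPS 140 mode together with mismatches against the Diffie-Hellman group guideline above. Both stanzas embedded in it are constructed samples; the hyphenated offer names and the assumption that only AES_CBC carries an explicit KeyLength are mine.

```python
import re

# Defaults and FIPS 140 exclusions as given in the syntax diagram and the
# Restriction notes on this page.
DEFAULTS = {"HowToEncrypt": "DES", "HowToAuthMsgs": "MD5",
            "HowToVerifyMsgs": "HMAC_SHA1_96",
            "PseudoRandomFunction": "HMAC_SHA1", "DHGroup": "Group1"}
FIPS_REJECTED = {"HowToEncrypt": {"DES"}, "HowToAuthMsgs": {"MD5"},
                 "HowToVerifyMsgs": {"AES128_XCBC_96", "HMAC_MD5_96"},
                 "PseudoRandomFunction": {"AES128_XCBC", "HMAC_MD5"},
                 "DHGroup": {"Group1", "Group2", "Group5"}}
GROUPS_128 = {"Group5", "Group14", "Group19", "Group20", "Group24"}  # guideline

def parse_offer(text):
    """Return (name, params) for one stanza; unspecified parameters receive
    the diagram defaults so that weak implicit choices become visible."""
    m = re.search(r"KeyExchangeOffer\s*([^\s{]*)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no KeyExchangeOffer stanza found")
    params = dict(DEFAULTS)
    for line in m.group(2).splitlines():
        tokens = line.split()
        if tokens:
            params[tokens[0]] = " ".join(tokens[1:])
    return m.group(1) or "<nonpersistent>", params

def check_offer(text, fips_mode=True):
    """List findings: FIPS-rejected values and DH-group guideline mismatches."""
    name, p = parse_offer(text)
    findings = []
    for key, bad in FIPS_REJECTED.items():
        algo = (p[key].split() or [""])[0]  # first token, e.g. AES_CBC
        if fips_mode and algo in bad:
            findings.append(f"{name}: {key} {algo} is rejected in FIPS 140 mode")
    # Assumption: only AES_CBC states its key length, so only it is assessed.
    kl = re.search(r"AES_CBC\s+KeyLength\s+(\d+)", p["HowToEncrypt"])
    if kl:
        bits, group = int(kl.group(1)), p["DHGroup"]
        if bits >= 256 and group != "Group21":
            findings.append(f"{name}: {bits}-bit key should use DHGroup Group21")
        elif bits == 128 and group not in GROUPS_128:
            findings.append(f"{name}: 128-bit key should use DHGroup 5/14/19/20/24")
    return findings

# Constructed samples: one relying on defaults, one choosing FIPS-acceptable values.
WEAK_OFFER = "KeyExchangeOffer legacy-offer\n{\n  HowToAuthPeers PresharedKey\n}\n"
STRONG_OFFER = ("KeyExchangeOffer strong-offer\n{\n  HowToEncrypt AES_CBC KeyLength 256\n"
                "  HowToAuthMsgs SHA2_256\n  HowToVerifyMsgs HMAC_SHA2_256_128\n"
                "  PseudoRandomFunction HMAC_SHA2_256\n  HowToAuthPeers RsaSignature\n"
                "  DHGroup Group21\n  RefreshLifetimeProposed 480\n}\n")
```

Running check_offer(WEAK_OFFER) shows that an offer naming only HowToAuthPeers inherits DES, MD5 and Group1, all of which the stack rejects under FIPS 140 mode.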
Tip: When negotiating a new phase 1 SA and when the negotiation mode is IKE version 1 aggressive mode, only the first offer and its DH group are proposed to the peer. If the negotiation mode is IKE version 1 main mode, all offers and DH groups are proposed to the peer, who will select a particular offer and group. If the negotiation uses IKE version 2, then all offers and DH groups will be proposed, but only one DH group will be calculated in the proposal. The peer is free to either accept the DH group value used or choose a different value from one of the other offers. In that case, the IKE daemon starts the exchange again using the chosen group.
Tip: When negotiating an IKE version 2 SA, the IKE daemon uses the RefreshLifetimeProposed value in the first matching offer for the SA lifetime. Unlike IKE version 1, SA lifetimes are not negotiated under IKE version 2.
Restriction: The RefreshLifetimeAccepted parameter is ignored for IKE version 2 SAs.
Tip: When negotiating an IKE version 2 SA, the IKE daemon uses the RefreshLifesizeProposed value in the first matching offer for the SA lifesize. Unlike IKE version 1, SA lifesizes are not negotiated under IKE version 2.
Restriction: The RefreshLifesizeAccepted parameter is ignored for IKE version 2 SAs.