Step / Command / Remarks

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an IKE proposal and enter its view.
   Command: ike proposal proposal-number
   Remarks: By default, there is an IKE proposal that is used as the default IKE proposal.

3. Specify an encryption algorithm for the IKE proposal.
   Command: encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc }
   Remarks: By default, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode in non-FIPS mode and 128-bit AES encryption algorithm in FIPS mode.

4. Specify an authentication method for the IKE proposal.
   Command: authentication-method { dsa-signature | pre-share | rsa-signature }
   Remarks: By default, an IKE proposal uses the pre-shared key authentication method.

5. Specify an authentication algorithm for the IKE proposal.
   Command:
   • In non-FIPS mode: authentication-algorithm { md5 | sha }
   • In FIPS mode: authentication-algorithm sha
   Remarks: By default, an IKE proposal uses the HMAC-SHA1 authentication algorithm.

6. Specify a DH group for key negotiation in phase 1.
   Command:
   • In non-FIPS mode: dh { group1 | group14 | group2 | group24 | group5 }
   • In FIPS mode: dh group14
   Remarks: By default, DH group1 (the 768-bit DH group) is used in non-FIPS mode, and DH group14 (2048-bit DH group) is used in FIPS mode.

7. Set the IKE SA lifetime for the IKE proposal.
   Command: sa duration seconds
   Remarks: By default, the IKE SA lifetime is 86400 seconds.

Configuring an IKE keychain

Perform this task when you configure the IKE to use the pre-shared key for authentication.

Follow these guidelines when you configure an IKE keychain:

1. Two peers must be configured with the same pre-shared key to pass pre-shared key authentication.
2. You can specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command) for the IKE keychain to be applied. If no local address is configured, specify the IP address of the interface referencing the IPsec policy.
3. You can specify a priority number for the IKE keychain. To determine the priority of an IKE keychain:
   a. The device examines the existence of the match local address command. An IKE keychain with the match local address command configured has a higher priority.
   b. If a tie exists, the device compares the priority numbers. An IKE keychain with a smaller priority number has a higher priority.
   c. If a tie still exists, the device prefers an IKE keychain configured earlier.

To configure the IKE keychain:
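Relating to the IKE proposal steps earlier on this page: because the non-FIPS defaults are DES-CBC and DH group1, a proposal that omits a command silently inherits them. The following audit script is an added example, not part of the original manual; it fills in the defaults stated in the step table and reports weak values, marking each as explicit or inherited. The sample configuration text, its one-command-per-indented-line layout, and the set of values treated as weak are assumptions of this example.

```python
import re

# Non-FIPS defaults as stated in the step table on this page.
DEFAULTS = {"encryption-algorithm": "des-cbc", "authentication-method": "pre-share",
            "authentication-algorithm": "sha", "dh": "group1", "sa duration": "86400"}
# Assumed audit policy (this example's choice, not the manual's).
WEAK = {"encryption-algorithm": {"des-cbc", "3des-cbc"},
        "authentication-algorithm": {"md5"},
        "dh": {"group1", "group2", "group5"}}

# Constructed sample; layout assumed: indented commands under "ike proposal N".
SAMPLE = """\
ike proposal 10
 encryption-algorithm aes-cbc-256
 dh group14
#
ike proposal 20
 authentication-algorithm md5
 dh group2
#
"""

def parse_proposals(config):
    """Return {proposal-number: {setting: value}} for explicitly set values."""
    proposals, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"ike proposal (\d+)", line)
        if m:
            current = proposals.setdefault(int(m.group(1)), {})
        elif not raw.startswith(" "):
            current = None          # unindented line leaves the proposal view
        elif current is not None:
            for key in DEFAULTS:
                if line.startswith(key + " "):
                    current[key] = line[len(key):].strip()
    return proposals

def audit(config):
    """Return (proposal, setting, value, origin) for every weak effective value."""
    findings = []
    for number, explicit in sorted(parse_proposals(config).items()):
        effective = {**DEFAULTS, **explicit}   # omitted commands fall back to defaults
        for key, weak in WEAK.items():
            if effective[key] in weak:
                origin = "explicit" if key in explicit else "default"
                findings.append((number, key, effective[key], origin))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("proposal %d: %s %s (%s)" % finding)
```

On a device running in FIPS mode the defaults differ (128-bit AES and DH group14, per the table), so `DEFAULTS` would need adjusting before use there.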