Configuring the Description for an IPsec Proposal
To specify an optional text description for an IPsec proposal, include the description
statement at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:
[edit services ipsec-vpn ipsec proposal proposal-name]
description description;
Configuring the Encryption Algorithm for an IPsec Proposal
To configure the encryption algorithm for an IPsec proposal, include the encryption-algorithm
statement at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:
[edit services ipsec-vpn ipsec proposal proposal-name]
encryption-algorithm algorithm;
ACX Series routers support the Advanced Encryption Standard (AES) 128-bit encryption
algorithm.
Configuring the Lifetime for an IPsec SA
When a dynamic IPsec SA is created, two types of lifetimes are used: hard and soft. The
hard lifetime specifies the lifetime of the SA. The soft lifetime, which is derived from the
hard lifetime, informs the IPsec key management system that the SA is about to expire.
This allows the key management system to negotiate a new SA before the hard lifetime
expires.
To configure the hard lifetime value, include the lifetime-seconds statement and specify
the number of seconds at the [edit services ipsec-vpn ipsec proposal proposal-name]
hierarchy level:
[edit services ipsec-vpn ipsec proposal proposal-name]
lifetime-seconds seconds;
The default lifetime is 28,000 seconds. The range is from 180 through 86,400 seconds.
The soft lifetime values are as follows:
• Initiator: Soft lifetime = Hard lifetime – 135 seconds.
• Responder: Soft lifetime = Hard lifetime – 90 seconds.
Configuring the Protocol for a Dynamic SA
The protocol statement sets the protocol for a dynamic SA. IPsec uses the ESP protocol to
protect IP traffic. The ESP protocol can support authentication, encryption, or both.
To configure the protocol for a dynamic SA, include the protocol statement and specify
esp at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:
[edit services ipsec-vpn ipsec proposal proposal-name]
protocol esp;
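The following Python sketch is an added example, not Juniper code. It lints proposal stanzas against the lifetime range and protocol statement described above and derives the soft lifetime each peer role would use. The sample stanzas, proposal names, and the function names parse_proposals and audit are assumptions made for illustration, and the input is assumed to contain only IPsec proposal stanzas.

```python
import re

# Values stated on the page above.
DEFAULT_HARD = 28000              # default lifetime-seconds
HARD_MIN, HARD_MAX = 180, 86400   # allowed range
SOFT_OFFSET = {"initiator": 135, "responder": 90}

# Constructed sample stanzas (as under [edit services ipsec-vpn ipsec]).
SAMPLE = """
proposal branch-a {
    lifetime-seconds 3600;
    protocol esp;
}
proposal lab {
    lifetime-seconds 180;
    protocol esp;
}
proposal legacy {
    description "no explicit lifetime";
}
proposal bad {
    lifetime-seconds 90000;
}
"""

def parse_proposals(text):
    """Return {proposal-name: {statement: value}} for each stanza."""
    out = {}
    for name, body in re.findall(r"proposal\s+(\S+)\s*\{([^{}]*)\}", text):
        out[name] = dict(re.findall(r"([\w-]+)\s+([^;]+);", body))
    return out

def audit(text):
    """Return {name: (hard, soft_by_role, findings)} per proposal."""
    report = {}
    for name, stmts in parse_proposals(text).items():
        hard = int(stmts.get("lifetime-seconds", DEFAULT_HARD))
        findings = []
        if not HARD_MIN <= hard <= HARD_MAX:
            findings.append("lifetime-seconds outside 180..86400")
        if stmts.get("protocol") != "esp":
            findings.append("no explicit 'protocol esp' statement")
        soft = {role: hard - off for role, off in SOFT_OFFSET.items()}
        report[name] = (hard, soft, findings)
    return report

if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        print(name, *result)
```

At the minimum hard lifetime of 180 seconds, the initiator's soft lifetime works out to 45 seconds, so the initiator starts renegotiating after only a quarter of the SA's life.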
Copyright © 2017, Juniper Networks, Inc.
Chapter 33: Configuring IPsec