Configuring IKE Proposals
Dynamic security associations (SAs) require IKE configuration. With dynamic SAs, you
configure IKE first, and then the SA. IKE creates the dynamic SAs and negotiates them
for IPsec. The IKE configuration defines the algorithms and keys used to establish the
secure IKE connection with the peer security gateway.
You can configure one or more IKE proposals. Each proposal is a list of IKE attributes to
protect the IKE connection between the IKE host and its peer.
To configure an IKE proposal, include the proposal statement and specify a name at the
[edit services ipsec-vpn ike] hierarchy level:
[edit services ipsec-vpn ike]
proposal proposal-name {
    authentication-algorithm (md5 | hmac-sha-256-128 | hmac-sha1-96);
    authentication-method pre-shared-keys;
    dh-group (group1 | group2 | group5 | group14);
    encryption-algorithm algorithm;
    lifetime-seconds seconds;
}
This section includes the following topics:
• Configuring the Authentication Algorithm for an IKE Proposal on page 1100
• Configuring the Authentication Method for an IKE Proposal on page 1100
• Configuring the Encryption Algorithm for an IKE Proposal on page 1101
• Configuring the Lifetime for an IKE SA on page 1101
• Example: Configuring an IKE Proposal on page 1102
Configuring the Authentication Algorithm for an IKE Proposal
To configure the authentication algorithm for an IKE proposal, include the
authentication-algorithm statement at the [edit services ipsec-vpn ike proposal
proposal-name] hierarchy level:
[edit services ipsec-vpn ike proposal proposal-name]
authentication-algorithm (hmac-sha-256-128 | hmac-sha1-96);
ACX Series routers support the following authentication algorithms:
• hmac-sha1-96—Hash algorithm that authenticates packet data. Produces a 160-bit authenticator value.
• hmac-sha-256-128—Hash algorithm that authenticates packet data. Produces a 256-bit authenticator value.
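As an added example that is not part of the Juniper guide, the following Python checker parses proposal stanzas written in the form shown above and reports statements that the ACX Series does not support or that a reviewer would question. The sample configuration, its encryption-algorithm values, and the decision to treat group1 and group2 as weak are assumptions.

```python
import re

# Values taken from the proposal stanza and the ACX-supported list in this section.
ACX_AUTH_ALGS = {"hmac-sha-256-128", "hmac-sha1-96"}
DH_GROUPS = {"group1", "group2", "group5", "group14"}
WEAK_DH_GROUPS = {"group1", "group2"}  # assumption: 768/1024-bit MODP groups treated as weak
REQUIRED = {"authentication-algorithm", "authentication-method",
            "dh-group", "encryption-algorithm", "lifetime-seconds"}
STANZA = re.compile(r"proposal\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_proposals(text):
    """Return {proposal-name: {statement: value}} from 'proposal name { ... }' blocks."""
    proposals = {}
    for name, body in STANZA.findall(text):
        stmts = {}
        for stmt in body.split(";"):
            parts = stmt.split()
            if len(parts) >= 2:
                stmts[parts[0]] = parts[1]
        proposals[name] = stmts
    return proposals

def check_proposal(name, stmts):
    """Return a list of findings for one proposal (an empty list means it passes)."""
    findings = [f"{name}: missing {s}" for s in sorted(REQUIRED - stmts.keys())]
    alg = stmts.get("authentication-algorithm")
    if alg and alg not in ACX_AUTH_ALGS:
        findings.append(f"{name}: authentication-algorithm {alg} is not supported on ACX Series")
    if "authentication-method" in stmts and stmts["authentication-method"] != "pre-shared-keys":
        findings.append(f"{name}: authentication-method must be pre-shared-keys")
    grp = stmts.get("dh-group")
    if grp and grp not in DH_GROUPS:
        findings.append(f"{name}: unknown dh-group {grp}")
    elif grp in WEAK_DH_GROUPS:
        findings.append(f"{name}: dh-group {grp} is weak, prefer group14")
    lifetime = stmts.get("lifetime-seconds")
    if lifetime and not lifetime.isdigit():
        findings.append(f"{name}: lifetime-seconds must be an integer, got {lifetime}")
    return findings

def audit(text):
    return {n: check_proposal(n, s) for n, s in parse_proposals(text).items()}

# Constructed sample (not from the guide); encryption-algorithm values are sample values.
SAMPLE = """
proposal ike-strong { authentication-algorithm hmac-sha-256-128; authentication-method pre-shared-keys;
    dh-group group14; encryption-algorithm aes-256-cbc; lifetime-seconds 28800; }
proposal ike-legacy { authentication-algorithm md5; authentication-method pre-shared-keys;
    dh-group group1; encryption-algorithm 3des-cbc; }
"""
```

Running audit(SAMPLE) returns no findings for ike-strong and three for ike-legacy (md5 unsupported, group1 weak, lifetime-seconds missing).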
Configuring the Authentication Method for an IKE Proposal
To configure the authentication method for an IKE proposal, include the
authentication-method statement at the [edit services ipsec-vpn ike proposal
proposal-name] hierarchy level:
Copyright © 2017, Juniper Networks, Inc. 1100
ACX Series Universal Access Router Configuration Guide