[edit services ipsec-vpn ike proposal proposal-name]
authentication-method pre-shared-keys;
The authentication method can be one of the following:
• pre-shared-keys—A key derived from an out-of-band mechanism; the key authenticates the exchanges.
Configuring the Encryption Algorithm for an IKE Proposal
To configure the encryption algorithm for an IKE proposal, include the encryption-algorithm
statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level:
[edit services ipsec-vpn ike proposal proposal-name]
encryption-algorithm algorithm;
The algorithm can be one of the following:
• des-cbc—Encryption algorithm that has a block size of 8 bytes; its key size is 64 bits long.
• 3des-cbc—Encryption algorithm that has a block size of 24 bytes; its key size is 192 bits long.
• aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption algorithm.
• aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption algorithm.
• aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption algorithm.
NOTE: For a list of Data Encryption Standard (DES) encryption algorithm
weak and semiweak keys, see RFC 2409, The Internet Key Exchange (IKE).
The AES encryption algorithms use a software implementation that has much
lower throughput, so DES remains the recommended option. For reference
information on AES encryption, see RFC 3602, The AES-CBC Cipher Algorithm
and Its Use with IPsec.
For 3des-cbc, the first 8 bytes should differ from the second 8 bytes, and the
second 8 bytes should be the same as the third 8 bytes.
If you configure an authentication proposal but do not include the encryption
statement, the result is NULL encryption. Certain applications expect this
result. If you configure no specific authentication or encryption values, the
Junos OS uses the default values of sha1 for the authentication and 3des-cbc
for the encryption.
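An audit helper for the rules in the NOTE above, added here as an example and not Juniper's code: it parses constructed proposal stanzas and reports the effective authentication and encryption for each. It assumes the NOTE's "authentication" and "encryption" statements are authentication-algorithm and encryption-algorithm; the 128-bit policy minimum is likewise an assumed local value, not taken from this page.

```python
import re

# Key sizes in bits as listed on this page for each encryption-algorithm value.
KEY_BITS = {"des-cbc": 64, "3des-cbc": 192, "aes-128-cbc": 128,
            "aes-192-cbc": 192, "aes-256-cbc": 256}

# Constructed sample configuration (not taken from a real device).
SAMPLE = """
proposal p-default { authentication-method pre-shared-keys; }
proposal p-null { authentication-algorithm sha1; }
proposal p-des { authentication-algorithm sha1; encryption-algorithm des-cbc; }
proposal p-aes { authentication-algorithm sha1; encryption-algorithm aes-256-cbc; }
"""

def parse_proposals(text):
    """Return {proposal-name: {statement: value}} for flat proposal stanzas."""
    proposals = {}
    for name, body in re.findall(r"proposal\s+(\S+)\s*\{([^{}]*)\}", text):
        stmts = {}
        for stmt in body.split(";"):
            parts = stmt.split()
            if len(parts) == 2:          # "statement value" pairs only
                stmts[parts[0]] = parts[1]
        proposals[name] = stmts
    return proposals

def audit(stmts, min_key_bits=128):
    """Apply the NOTE's rules; min_key_bits is an assumed local policy value."""
    auth = stmts.get("authentication-algorithm")   # assumed statement name
    enc = stmts.get("encryption-algorithm")
    findings = []
    if auth is None and enc is None:
        # Neither value configured: the NOTE says sha1 and 3des-cbc apply.
        auth, enc = "sha1", "3des-cbc"
        findings.append("relies on implicit defaults")
    elif enc is None:
        # Authentication configured without encryption: NULL encryption.
        enc = "NULL"
        findings.append("NULL encryption (no encryption statement)")
    if enc in KEY_BITS and KEY_BITS[enc] < min_key_bits:
        findings.append(f"{enc} key size {KEY_BITS[enc]} bits is below policy minimum")
    return auth, enc, findings

def audit_all(text, min_key_bits=128):
    return {n: audit(s, min_key_bits) for n, s in parse_proposals(text).items()}

if __name__ == "__main__":
    for name, (auth, enc, findings) in audit_all(SAMPLE).items():
        print(f"{name}: auth={auth} enc={enc} findings={findings or 'none'}")
```

The case where only the encryption statement is present is not covered by the NOTE, so the helper reports the authentication value as None rather than guessing.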
Configuring the Lifetime for an IKE SA
The lifetime-seconds statement sets the lifetime of an IKE SA. When the IKE SA expires,
it is replaced by a new SA (and SPI) or the IPsec connection is terminated.
To configure the lifetime for an IKE SA, include the lifetime-seconds statement at the
[edit services ipsec-vpn ike proposal proposal-name] hierarchy level:
Copyright © 2017, Juniper Networks, Inc.
Chapter 33: Configuring IPsec