}
This section includes the following topics related to configuring an IPsec policy:
•
Configuring the Description for an IPsec Policy on page 1103
•
Configuring Perfect Forward Secrecy on page 1103
•
Configuring the Proposals in an IPsec Policy on page 1103
Configuring the Description for an IPsec Policy
To specify an optional text description for an IPsec policy, include the description
statement at the [edit services ipsec-vpn ipsec policy policy-name] hierarchy level:
[edit services ipsec-vpn ipsec policy policy-name]
description description;
Configuring Perfect Forward Secrecy
PFS provides additional security by means of a Diffie-Hellman shared secret value. With
PFS, if one key is compromised, previous and subsequent keys are secure because they
are not derived from previous keys. This statement is optional.
To configure PFS, include the perfect-forward-secrecy statement and specify a
Diffie-Hellman group at the [edit services ipsec-vpn ipsec policy policy-name] hierarchy
level:
[edit services ipsec-vpn ipsec policy policy-name]
perfect-forward-secrecy {
keys (group1 | group2 | group5 | group14);
}
The key can be one of the following:
•
group1—Specifies that IKE use the 768-bit Diffie-Hellman prime modulus group when
performing the new Diffie-Hellman exchange.
•
group2—Specifies that IKE use the 1024-bit Diffie-Hellman prime modulus group when
performing the new Diffie-Hellman exchange.
•
group5—Specifies that IKE use the 1536-bit Diffie-Hellman prime modulus group when
performing the new Diffie-Hellman exchange.
•
group14—Specifies that IKE use the 2048-bit Diffie-Hellman prime modulus group
when performing the new Diffie-Hellman exchange.
The higher numbered groups provide more security than the lowered numbered groups,,
but require more processing time.
Configuring the Proposals in an IPsec Policy
The IPsec policy includes a list of one or more proposals associated with an IPsec policy.
To configure the proposals in an IPsec policy, include the proposals statement and specify
one or more proposal names at the [edit services ipsec-vpn ipsec policy policy-name]
hierarchy level:
1103Copyright © 2017, Juniper Networks, Inc.
Chapter 33: Configuring IPsec
To Next Page
Loading...
Need help?
General
