[edit services ipsec-vpn ipsec policy policy-name]
proposals [ proposal-names ];
Configuring IKE Policies
An IKE policy defines a combination of security parameters (IKE proposals) to be used
during IKE negotiation. It defines a peer address and the proposals needed for that
connection. Depending on which authentication method is used, it defines the preshared
key for the given peer or the local certificate. During the IKE negotiation, IKE looks for an
IKE policy that is the same on both peers. The peer that initiates the negotiation sends
all its policies to the remote peer, and the remote peer tries to find a match.
A match is made when the policies from the two peers each have a proposal that contains
the same configured attributes. If the lifetimes are not identical, the shorter of the two
lifetimes (from the host and peer policies) is used. The configured preshared
key must also match the key configured on its peer.
You can create multiple, prioritized proposals at each peer to ensure that at least one
proposal matches a remote peer’s proposal.
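The matching rules described above, modeled in Python as an added example (not code from the guide or from Junos OS). The attribute names, algorithm values, policy names and key are constructed, and walking the initiator's list in priority order is an assumption.

```python
from dataclasses import dataclass
from typing import NamedTuple, Optional, Tuple
import hmac

@dataclass(frozen=True)
class Proposal:
    name: str
    auth_method: str
    auth_algorithm: str
    encryption: str
    dh_group: str
    lifetime_seconds: int

    def attributes(self) -> Tuple[str, str, str, str]:
        # Lifetime is left out: differing lifetimes still match.
        return (self.auth_method, self.auth_algorithm, self.encryption, self.dh_group)

@dataclass(frozen=True)
class Policy:
    name: str
    proposals: Tuple[Proposal, ...]  # first to last = highest priority first
    pre_shared_key: bytes

class Outcome(NamedTuple):
    ok: bool
    reason: str
    offered: Optional[str] = None
    accepted: Optional[str] = None
    lifetime_seconds: Optional[int] = None

def negotiate(initiator: Policy, responder: Policy) -> Outcome:
    # Assumption: the initiator's priority order decides which match wins.
    for offered in initiator.proposals:
        for local in responder.proposals:
            if offered.attributes() != local.attributes():
                continue
            # Model only: real peers never send the key; a mismatch appears as failed authentication.
            if not hmac.compare_digest(initiator.pre_shared_key, responder.pre_shared_key):
                return Outcome(False, "preshared key mismatch", offered.name, local.name)
            lifetime = min(offered.lifetime_seconds, local.lifetime_seconds)
            return Outcome(True, "match", offered.name, local.name, lifetime)
    return Outcome(False, "no proposal with identical attributes")

# Constructed sample policies (names, algorithms and keys are illustrative).
STRONG = Proposal("ike-strong", "pre-shared-keys", "sha-256", "aes-256-cbc", "group14", 28800)
LEGACY = Proposal("ike-legacy", "pre-shared-keys", "sha1", "aes-128-cbc", "group2", 3600)
PEER_LEGACY = Proposal("peer-legacy", "pre-shared-keys", "sha1", "aes-128-cbc", "group2", 1800)
HOST = Policy("host-policy", (STRONG, LEGACY), b"constructed-example-key")
PEER = Policy("peer-policy", (PEER_LEGACY,), b"constructed-example-key")
```

Calling `negotiate(HOST, PEER)` settles on the second-priority proposal with the peer's shorter 1800-second lifetime, which is the kind of silent fallback to a weaker proposal worth checking for when a peer is expected to use the first one.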
First, you configure one or more IKE proposals; then you associate these proposals with
an IKE policy. You can also prioritize a list of proposals used by IKE in the policy statement
by listing the proposals you want to use, from first to last.
To configure an IKE policy, include the policy statement and specify a policy name at the
[edit services ipsec-vpn ike] hierarchy level:
[edit services ipsec-vpn ike]
policy policy-name {
    pre-shared-key (ascii-text key | hexadecimal key);
    proposals [ proposal-names ];
}
This section includes the following topics:
• Configuring the Proposals in an IKE Policy on page 1104
• Configuring the Preshared Key for an IKE Policy on page 1104
Configuring the Proposals in an IKE Policy
An IKE policy includes a list of one or more IKE proposals associated with it.
To configure the proposals in an IKE policy, include the proposals statement and specify
one or more proposal names at the [edit services ipsec-vpn ike policy policy-name]
hierarchy level:
proposals [ proposal-names ];
Configuring the Preshared Key for an IKE Policy
When you include the authentication-method pre-shared-keys statement at the [edit
services ipsec-vpn ike proposal proposal-name] hierarchy level, IKE policy preshared keys
authenticate peers; for more information, see Configuring the Authentication Method for
Copyright © 2017, Juniper Networks, Inc. 1104
ACX Series Universal Access Router Configuration Guide