Configuring AutoKey Internet Key Exchange
IPSec-NM supports the automated generation and negotiation of keys and security
associations (SAs) using the Internet Key Exchange (IKE) protocol. This automation is
called AutoKey IKE. Juniper Networks supports AutoKey IKE with pre-shared keys
and certificates.
Dynamic SAs require IKE configuration. With dynamic SAs, you can configure IKE and
then the SA. IKE creates the dynamic SAs and negotiates them for IPSec. The IKE
configuration defines the algorithms and keys used to establish the secure IKE connection
with the peer security gateway.
NOTE:
• Ensure that connectivity to the host is not lost during the configuration process.
• Ensure that the IPSec-NM interfaces are configured.
Configuring IKE Proposals
You can configure one or more IKE proposals. Each proposal is a list of IKE attributes to
protect the IKE connection between the IKE host and its peer.
To configure an IKE proposal, complete the following steps:
1. Define an IKE proposal:
root@ipsec-nm# set security ike proposal ike-proposal-name authentication-method pre-shared-keys
2. Define a Diffie-Hellman group (dh-group) for the IKE proposal:
root@ipsec-nm# set security ike proposal ike-proposal-name dh-group group2
3. Define an authentication algorithm for the IKE proposal:
root@ipsec-nm# set security ike proposal ike-proposal-name authentication-algorithm sha1
4. Define an encryption algorithm for the IKE proposal:
root@ipsec-nm# set security ike proposal ike-proposal-name encryption-algorithm aes-192-cbc
5. Set a lifetime for the IKE proposal in seconds. The value can be 180 to 86400 seconds:
root@ipsec-nm# set security ike proposal ike-proposal-name lifetime-seconds seconds
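The following is an added example, not part of the Juniper guide: a small Python check that reads the set commands from steps 1 through 5 and reports any of the five attributes that are missing, a lifetime outside the 180 to 86400 second range, and keywords it cannot match. The REVIEW list of older algorithm values and the proposal names p1 and p2 are assumptions of this example.

```python
import re

# The five attributes set in steps 1-5 of the procedure.
REQUIRED = ("authentication-method", "dh-group", "authentication-algorithm",
            "encryption-algorithm", "lifetime-seconds")
LIFETIME_MIN, LIFETIME_MAX = 180, 86400  # range given in step 5
# Assumption of this example, not a Juniper rule: older values flagged for review.
REVIEW = {"dh-group": {"group1", "group2"},
          "authentication-algorithm": {"md5", "sha1"}}
# Optional CLI prompt, then: set security ike proposal <name> <attr> [<value>]
SET_RE = re.compile(
    r"^(?:\S+#\s*)?set security ike proposal (\S+) (\S+)(?:\s+(\S+))?$")

def audit(config_text):
    """Return {proposal-name: [findings]} for the set commands in config_text."""
    seen, findings = {}, {}
    for line in config_text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue  # not an IKE proposal statement
        name, attr, value = m.groups()
        attrs = seen.setdefault(name, set())
        notes = findings.setdefault(name, [])
        if attr not in REQUIRED or value is None:
            notes.append(f"not checked: {attr}")  # e.g. a fused or mistyped keyword
            continue
        attrs.add(attr)
        if attr == "lifetime-seconds" and not (
                value.isdigit() and LIFETIME_MIN <= int(value) <= LIFETIME_MAX):
            notes.append(f"lifetime-seconds {value} outside {LIFETIME_MIN}-{LIFETIME_MAX}")
        if value in REVIEW.get(attr, ()):
            notes.append(f"review {attr} {value}")
    for name, attrs in seen.items():
        findings[name] += [f"missing {a}" for a in REQUIRED if a not in attrs]
    return findings

# Constructed sample input, not taken from a real device.
SAMPLE = """\
set security ike proposal p1 authentication-method pre-shared-keys
set security ike proposal p1 dh-group group2
set security ike proposal p1 authentication-algorithm sha1
set security ike proposal p1 encryption-algorithm aes-192-cbc
set security ike proposal p1 lifetime-seconds 86400
set security ike proposal p2 authentication-method pre-shared-keys
set security ike proposal p2 encryption-algorithmaes-192-cbc
set security ike proposal p2 lifetime-seconds 120
"""

if __name__ == "__main__":
    for proposal, notes in audit(SAMPLE).items():
        print(proposal, notes or ["ok"])
```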
Copyright © 2017, Juniper Networks, Inc.
JDM User Guide for NFX250 Network Services Platform