Juniper NFX250 - Page 191

Configuring IKE Policies

An IKE policy defines a combination of security parameters (IKE proposals) to be used
during IKE negotiation. It defines a peer address and the proposals needed for that
connection. Depending on which authentication method is used, it defines the preshared
key for the given peer. During the IKE negotiation, IKE looks for an IKE policy that is the
same on both peers. The peer that initiates the negotiation sends all its policies to the
remote peer, and the remote peer tries to find a match.

A match is made when the policies from the two peers each have a proposal that contains
the same configured attributes. If the lifetimes are not identical, the shorter lifetime
between the two policies (from the host and peer) is used. The configured preshared
key must also match its peer.

The key management process daemon (kmd) determines which version of IKE is used
in a negotiation. If kmd is the IKE initiator, it uses IKEv1 by default and retains the configured
version for negotiations. If kmd is the IKE responder, it accepts IKEv1 connections.

You can create multiple, prioritized proposals at each peer to ensure that at least one
proposal matches the proposal of a remote peer.

Initially, you must configure one or more IKE proposals and associate these proposals
with an IKE policy. You can also prioritize a list of proposals used by IKE in the policy
statement by listing the proposals you want to use, from first to last.
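
The matching rules described above, as an added example (not code from the Juniper manual or from Junos): a simplified Python model of how a responder finds a matching proposal and settles on the shorter lifetime. The attribute names, the sample policies, the direct key comparison and the rule that the initiator's ordering is tried first are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Proposal:
    # Field names are illustrative; the manual only says "configured attributes".
    name: str
    auth_method: str
    dh_group: str
    encryption: str
    auth_algorithm: str
    lifetime_seconds: int

    def attributes(self):
        # Lifetime is left out: proposals with different lifetimes still match.
        return (self.auth_method, self.dh_group, self.encryption, self.auth_algorithm)

@dataclass(frozen=True)
class Policy:
    proposals: tuple      # ordered from first (highest priority) to last
    pre_shared_key: str

def negotiate(initiator, responder):
    """Return (initiator_proposal, responder_proposal, lifetime) or None."""
    # Model only: real IKE never transmits the key; a mismatch appears as
    # failed authentication. Here the two configured keys are compared directly.
    if not hmac.compare_digest(initiator.pre_shared_key.encode(),
                               responder.pre_shared_key.encode()):
        return None
    # Assumption: the responder walks the initiator's list in the order sent.
    for offered in initiator.proposals:
        for local in responder.proposals:
            if offered.attributes() == local.attributes():
                lifetime = min(offered.lifetime_seconds, local.lifetime_seconds)
                return offered.name, local.name, lifetime
    return None

# Constructed sample policies (not taken from the manual).
HQ = Policy((
    Proposal("hq-strong", "pre-shared-keys", "group14", "aes-256-cbc", "sha-256", 28800),
    Proposal("hq-legacy", "pre-shared-keys", "group2", "3des-cbc", "sha1", 86400),
), "constructed-example-key")
BRANCH = Policy((
    Proposal("br-legacy", "pre-shared-keys", "group2", "3des-cbc", "sha1", 3600),
    Proposal("br-strong", "pre-shared-keys", "group14", "aes-256-cbc", "sha-256", 14400),
), "constructed-example-key")

if __name__ == "__main__":
    print(negotiate(HQ, BRANCH))   # HQ initiates: its first proposal is matched
    print(negotiate(BRANCH, HQ))   # BRANCH initiates: its legacy entry is matched first
```

Under the ordering assumption, the same pair of policies settles on different proposals depending on which peer initiates, which is why the order of the proposal list in the policy statement matters.
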
To configure an IKE policy, complete the following steps:

1. Define an IKE policy with first phase mode:
   root@ipsec-nm# set security ike policy ike-policy-name mode aggressive
2. Define a set of IKE proposals:
   root@ipsec-nm# set security ike policy ike-policy-name proposals proposal-name
3. Define a pre-shared key for IKE:
   root@ipsec-nm# set security ike policy ike-policy-name pre-shared-key ascii-text text-format

Configuring IKE Gateway

An IKE gateway initiates and terminates network connections between a firewall and a
security device.

Copyright © 2017, Juniper Networks, Inc.
Chapter 8: Understanding IPSec-NM