Juniper NFX250 - ipsec Configuration Statements
root@ipsec-nm# set security ipsec proposal ipsec-proposal-name encryption-algorithm aes-256-cbc
4. Set a lifetime for the IPSec proposal in seconds:
root@ipsec-nm# set security ipsec proposal ipsec-proposal-name lifetime-seconds 180..86400 seconds
Configuring IPSec Policies
An IPSec policy defines a combination of security parameters (IPSec proposals) used
during IPSec negotiation. It defines Perfect Forward Secrecy (PFS) and the proposals
needed for the connection. During the IPSec negotiation, IPSec searches for a proposal
that is the same on both peers. The peer that initiates the negotiation sends all its policies
to the remote peer, and the remote peer tries to find a match.
A match is made when the policies on both peers contain a proposal with the same configured
attributes. If the lifetimes are not identical, the shorter of the two lifetimes (from the host
and the peer) is used.
You can create multiple, prioritized IPSec proposals at each peer to ensure that at least
one proposal matches the proposal of the remote peer.
First, configure one or more IPSec proposals and then associate these proposals with an
IPSec policy. You set the priority of the proposals used by IPSec in the policy statement
by listing the proposals you want to use, from first to last.
To configure IPSec policies, complete the following steps:
1. Define an IPSec policy, enable perfect forward secrecy, and specify the Diffie-Hellman
group for the policy:
root@ipsec-nm# set security ipsec policy ipsec-policy-name perfect-forward-secrecy keys group2
2. Define a set of IPSec proposals for the policy:
root@ipsec-nm# set security ipsec policy ipsec-policy-name proposals proposal-name
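The result of the proposal and policy steps above, shown together in Junos hierarchical form, as an added example rather than text from the guide. The names strong-proposal, fallback-proposal and site-policy, the second proposal, the ESP authentication algorithms and the use of DH group14 (the guide's step shows group2) are assumptions made for the example.

```junos
security {
    ipsec {
        /* Two proposals; the policy below lists the preferred one first */
        proposal strong-proposal {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            /* must fall within the 180..86400 range given in step 4 */
            lifetime-seconds 3600;
        }
        proposal fallback-proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy site-policy {
            /* PFS forces a fresh Diffie-Hellman exchange for each IPsec SA rekey;
               group14 is an assumed choice, the guide's step uses group2 */
            perfect-forward-secrecy {
                keys group14;
            }
            /* Order is priority: strong-proposal is offered before fallback-proposal */
            proposals [ strong-proposal fallback-proposal ];
        }
    }
}
```

If the remote peer only matches fallback-proposal, that proposal is selected, and if its lifetime differs from the peer's, the shorter value applies as described above.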
Configuring IPSec Virtual Private Network
A virtual private network (VPN) provides a means for securely communicating among
remote computers across a public WAN such as the Internet. A VPN connection can link
two LANs (site-to-site VPN) or a remote dial-up user and a LAN. The traffic that flows
between these two points passes through shared resources such as routers, switches,
and other network equipment that make up the public WAN. To secure VPN
communication while passing through the WAN, the two participants create an IP Security
(IPsec) tunnel. For more information, see IPsec VPN Overview.
Copyright © 2017, Juniper Networks, Inc. 176
JDM User Guide for NFX250 Network Services Platform