When configuring Phase 2 of an IPsec tunnel, you first configure proposals, then policies, and finally you configure IPsec AutoKey (IKE). The following example-based instructions show how to create the initial proposal.
Before You Begin
For background information about standard IPsec VPNs, read:
For background information about dynamic IPsec VPNs, read:
In Phase 2 proposal configuration, you must create a proposal, specify a security protocol, and select authentication and encryption algorithms for the traffic that will flow through the tunnel. In this example, you create a proposal called ipsec_prop_1, specify ESP as the security protocol, and set hmac-md5-96 as the authentication algorithm and 3des-cbc as the encryption algorithm. You also specify that the security association (SA) terminate after 1,800 KB of data pass through it.
To configure Phase 2 proposals, use either J-Web or the CLI configuration editor. (For information about configuring Phase 2 proposals using J-Web Quick Configuration pages, see Configuring an IPsec Phase 2 Proposal—Quick Configuration (Standard VPNs) or Configuring an IPsec Phase 2 Proposal—Quick Configuration (Dynamic VPNs).)
This topic covers:
To configure an IPsec Phase 2 proposal in J-Web:
To configure an IPsec Phase 2 proposal using the CLI editor:
- user@host# set security ipsec proposal ipsec_prop_1 description "new ipsec proposal"
- user@host# set security ipsec proposal ipsec_prop_1 protocol esp
- user@host# set security ipsec proposal ipsec_prop_1 authentication-algorithm hmac-md5-96
- user@host# set security ipsec proposal ipsec_prop_1 encryption-algorithm 3des-cbc
- user@host# set security ipsec proposal ipsec_prop_1 lifetime-seconds 1800
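The following Python script is an added example, not part of the original documentation. It audits proposals written in the `set` format shown above and flags the algorithms that RFC 8221 marks as MUST NOT or SHOULD NOT for ESP, which include the hmac-md5-96 and 3des-cbc used in this example. The function names, the sample input, and the second proposal (ipsec_prop_2) are constructed for illustration.

```python
import re
import shlex

# Algorithms RFC 8221 marks as MUST NOT or SHOULD NOT for ESP.
WEAK = {
    "authentication-algorithm": {"hmac-md5-96"},
    "encryption-algorithm": {"des-cbc", "3des-cbc"},
}

SET_RE = re.compile(r"set\s+security\s+ipsec\s+proposal\s+(.*)$")

def parse_proposals(text):
    """Collect {proposal: {option: value}} from Junos 'set' lines."""
    proposals = {}
    for line in text.splitlines():
        m = SET_RE.search(line)  # tolerates a 'user@host# ' prompt prefix
        if not m:
            continue
        tokens = shlex.split(m.group(1))  # keeps quoted descriptions whole
        if len(tokens) >= 3:
            proposals.setdefault(tokens[0], {})[tokens[1]] = tokens[2]
    return proposals

def audit(text):
    """Return sorted (proposal, option, value) findings for weak algorithms."""
    findings = []
    for name, opts in parse_proposals(text).items():
        for option, weak_values in WEAK.items():
            if opts.get(option) in weak_values:
                findings.append((name, option, opts[option]))
    return sorted(findings)

# Constructed sample: the page's proposal plus a hypothetical stronger one.
SAMPLE = '''
user@host# set security ipsec proposal ipsec_prop_1 description "new ipsec proposal"
user@host# set security ipsec proposal ipsec_prop_1 protocol esp
user@host# set security ipsec proposal ipsec_prop_1 authentication-algorithm hmac-md5-96
user@host# set security ipsec proposal ipsec_prop_1 encryption-algorithm 3des-cbc
user@host# set security ipsec proposal ipsec_prop_1 lifetime-seconds 1800
set security ipsec proposal ipsec_prop_2 protocol esp
set security ipsec proposal ipsec_prop_2 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec_prop_2 encryption-algorithm aes-256-cbc
'''

if __name__ == "__main__":
    for name, option, value in audit(SAMPLE):
        print(f"{name}: {option} {value} is discouraged by RFC 8221")
```

Feed it the output of `show configuration | display set` to check every proposal on a device in one pass.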
Use the following command to display information about this IKE proposal: