Configuring an IPsec Policy (Standard and Dynamic VPNs)

When configuring Phase 2 of an IPsec tunnel, you configure proposals first, then policies, and finally IPsec AutoKey (IKE). The following example-based instructions show how to create the policy.

Before You Begin

For background information about standard IPsec VPNs, read:

For background information about dynamic IPsec VPNs, read:

In Phase 2 IPsec policy configuration, you must create a policy and reference a Phase 2 proposal. In this example, you create a policy called ipsec_pol_1 and reference the proposal ipsec_prop_1. You also configure Perfect Forward Secrecy to use Diffie-Hellman Group 2 as the method the device uses to generate the encryption key.

To configure IPsec policies, use either J-Web or the CLI configuration editor. (For information about configuring IPsec policies using J-Web Quick Configuration pages, see Configuring an IPsec Policy—Quick Configuration (Standard VPNs) or Configuring an IPsec Policy—Quick Configuration (Dynamic VPNs).)

This topic covers:

J-Web Configuration

To configure an IPsec policy in J-Web:

  1. Select Configure>CLI Tools>Point and Click CLI.
  2. Next to Security, click Configure or Edit.
  3. Next to Ipsec, click Configure or Edit.
  4. Next to Policy, click Add new entry.
  5. In the Name box, type ipsec_pol_1.
  6. In the Description box, type new Ipsec policy.
  7. Next to Perfect forward secrecy, click Configure.
  8. From the Keys list, select group2 and click OK.
  9. Next to Proposals, click Add new entry.
  10. In the Value keyword box, type ipsec_prop_1 and click OK.
  11. To save and commit the configuration, click Commit.

CLI Configuration

To configure an IPsec policy using the CLI editor:

user@host# set security ipsec policy ipsec_pol_1 description "new ipsec policy"
user@host# set security ipsec policy ipsec_pol_1 perfect-forward-secrecy keys group2
user@host# set security ipsec policy ipsec_pol_1 proposals ipsec_prop_1

Use the following command to display information about this IPsec policy:

user@host# show security ipsec policy ipsec_pol_1
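
The following check is an added example, not part of the original Juniper documentation: it reads configuration in "set" format and reports IPsec policies that reference an undefined Phase 2 proposal, have no Perfect Forward Secrecy group, or use a MODP group below a chosen minimum. The function name, the sample input (including the proposal definition and the second policy) and the min_bits threshold are assumptions made for illustration, and it assumes policies reference custom proposals as on this page.

```python
import shlex

# MODP modulus sizes of these Diffie-Hellman groups (RFC 2409, RFC 3526).
# Other groups (for example elliptic-curve ones) are not rated here.
DH_BITS = {"group1": 768, "group2": 1024, "group5": 1536, "group14": 2048}

# Constructed sample in "set" format: the three commands from this page, an
# assumed definition of ipsec_prop_1, and a second, deliberately faulty policy.
SAMPLE = """
set security ipsec proposal ipsec_prop_1 protocol esp
set security ipsec policy ipsec_pol_1 description "new ipsec policy"
set security ipsec policy ipsec_pol_1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_1 proposals ipsec_prop_1
set security ipsec policy ipsec_pol_2 proposals Ipsec_prop_1
"""

def audit_ipsec_policies(config, min_bits=0):
    """Return {policy name: [findings]}; min_bits is a local-policy choice."""
    proposals, policies = set(), {}
    for line in config.splitlines():
        tok = shlex.split(line)  # keeps the quoted description as one token
        if tok[:3] != ["set", "security", "ipsec"] or len(tok) < 5:
            continue
        kind, name, rest = tok[3], tok[4], tok[5:]
        if kind == "proposal":
            proposals.add(name)
        elif kind == "policy":
            pol = policies.setdefault(name, {"proposals": [], "pfs": None})
            if rest[:1] == ["proposals"]:
                pol["proposals"] += [p for p in rest[1:] if p not in ("[", "]")]
            elif rest[:2] == ["perfect-forward-secrecy", "keys"] and rest[2:]:
                pol["pfs"] = rest[2]
    report = {}
    for name, pol in policies.items():
        findings = []
        if not pol["proposals"]:
            findings.append("no proposal referenced")
        # Names are compared exactly, so a case mismatch counts as undefined.
        findings += [f"proposal {p} is not defined"
                     for p in pol["proposals"] if p not in proposals]
        if pol["pfs"] is None:
            findings.append("perfect-forward-secrecy not configured")
        elif DH_BITS.get(pol["pfs"], min_bits) < min_bits:
            findings.append(f"PFS {pol['pfs']} is below the {min_bits}-bit minimum")
        report[name] = findings
    return report

if __name__ == "__main__":
    for policy, findings in audit_ipsec_policies(SAMPLE, min_bits=2048).items():
        print(policy, findings or "ok")
```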

 

