
Configuring an IKE Phase 1 Proposal (Standard and Dynamic VPNs)

When configuring Phase 1 of an IPsec tunnel using IKE, you first configure proposals, then policies, and finally you configure the gateway. The following example-based instructions show how to create the proposal portion of the IKE gateway.

Before You Begin

For background information about standard IPsec VPNs, read:

For background information about dynamic IPsec VPNs, read:

In Phase 1 proposal configuration, you must set the authentication method and the authentication and encryption algorithms that will be used to open a secure channel between participants. In this example, you create an IKE proposal called ike_prop_1 and specify that peers use preshared keys for encryption and decryption, and that they use Diffie-Hellman group 2 to produce the shared secret for the keys. You specify md5 as the authentication algorithm and 3DES cipher block chaining (CBC) for encryption. You also specify that after 300 seconds the participants renegotiate a new security association (SA).

Note: When configuring a Phase 1 proposal for the dynamic VPN feature, you must set the authentication method to preshared keys.

To configure Phase 1 proposals, use the J-Web or CLI configuration editor. (For information about configuring Phase 1 proposals using the J-Web Quick Configuration pages, see Configuring an IKE Phase 1 Proposal—Quick Configuration (Standard VPNs) or Configuring an IKE Phase 1 Proposal—Quick Configuration (Dynamic VPNs).)

This topic covers:

J-Web Configuration

To configure a Phase 1 proposal in J-Web:

  1. Select Configure>CLI Tools>Point and Click CLI.
  2. Next to Security, click Configure or Edit.
  3. Next to Ike, click Configure or Edit.
  4. Next to Proposal, click Add new entry.
  5. In the Name box, type ike_prop_1.
  6. From the Authentication algorithm list, select md5.
  7. From the Authentication method list, select pre-shared-keys.
  8. In the Description box, type new Ike proposal.
  9. From the Dh-group list, select group2.
  10. From the Encryption algorithm list, select 3des-cbc.
  11. In the Lifetime seconds box, type 300 and click OK.
  12. To save and commit the configuration, click Commit.

CLI Configuration

To configure a Phase 1 proposal using the CLI editor:

user@host# set security ike proposal ike_prop_1 description "new ike proposal"
user@host# set security ike proposal ike_prop_1 authentication-method pre-shared-keys
user@host# set security ike proposal ike_prop_1 dh-group group2
user@host# set security ike proposal ike_prop_1 authentication-algorithm md5
user@host# set security ike proposal ike_prop_1 encryption-algorithm 3des-cbc
user@host# set security ike proposal ike_prop_1 lifetime-seconds 300

Use the following command to display information about IKE proposals:

user@host# show security ike
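
The following Python check is an added example, not part of the original page or of Juniper's tooling. It parses the set commands shown above and reports any option the page says must be set, the dynamic VPN preshared-key requirement from the note, and values that an assumed review baseline treats as legacy (the LEGACY table, the function names and the finding strings are this example's own).

```python
import shlex

# Constructed sample: the six set commands shown above, pasted with the prompt.
SAMPLE = """
user@host# set security ike proposal ike_prop_1 description "new ike proposal"
user@host# set security ike proposal ike_prop_1 authentication-method pre-shared-keys
user@host# set security ike proposal ike_prop_1 dh-group group2
user@host# set security ike proposal ike_prop_1 authentication-algorithm md5
user@host# set security ike proposal ike_prop_1 encryption-algorithm 3des-cbc
user@host# set security ike proposal ike_prop_1 lifetime-seconds 300
"""

# Options the page says a Phase 1 proposal must set.
REQUIRED = ("authentication-method", "authentication-algorithm", "encryption-algorithm")

# Assumed review baseline (not from the page): values treated as legacy.
LEGACY = {
    "authentication-algorithm": {"md5"},
    "encryption-algorithm": {"des-cbc", "3des-cbc"},
    "dh-group": {"group1", "group2"},
}

def parse_proposals(text):
    """Return {proposal_name: {option: value}} from 'set security ike proposal' lines."""
    proposals = {}
    for line in text.splitlines():
        tokens = shlex.split(line)  # keeps the quoted description as one token
        if tokens and tokens[0].endswith("#"):  # drop a pasted 'user@host#' prompt
            tokens = tokens[1:]
        if len(tokens) != 7 or tokens[:4] != ["set", "security", "ike", "proposal"]:
            continue
        name, option, value = tokens[4:]
        proposals.setdefault(name, {})[option] = value
    return proposals

def audit(proposal, dynamic_vpn=False):
    """Return sorted findings for one parsed proposal."""
    findings = [f"missing {opt}" for opt in REQUIRED if opt not in proposal]
    for opt, legacy_values in LEGACY.items():
        if proposal.get(opt) in legacy_values:
            findings.append(f"legacy {opt}: {proposal[opt]}")
    # Page note: the dynamic VPN feature requires preshared-key authentication.
    if dynamic_vpn and proposal.get("authentication-method") != "pre-shared-keys":
        findings.append("dynamic VPN requires authentication-method pre-shared-keys")
    return sorted(findings)

if __name__ == "__main__":
    for name, proposal in parse_proposals(SAMPLE).items():
        print(name, audit(proposal, dynamic_vpn=True))
```

Adjust LEGACY to match your own organization's cryptographic policy before using the findings in a review.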
