
policy (Security IKE)

 

Syntax

Hierarchy Level

Release Information

Statement modified in Junos OS Release 8.5. Support for suiteb-gcm-128 and suiteb-gcm-256 options added in Junos OS Release 12.1X45-D10. Support for policy-oids option added in Junos OS Release 12.3X48-D10. Support for trusted-ca option added in Junos OS Release 18.1R1.

Support for reauth-frequency option added in Junos OS Release 15.1X49-D60.

Description

Configure an IKE policy.

Options

policy-name—Name of the IKE policy. The policy name can be up to 32 alphanumeric characters long.

certificate—Specify usage of a digital certificate to authenticate the virtual private network (VPN) initiator and recipient.

description description—Specify the description of the IKE policy.

mode—Define the mode used for Internet Key Exchange (IKE) Phase 1 negotiations. Use aggressive mode only when you need to initiate an IKE key exchange without ID protection, as when a peer unit has a dynamically assigned IP address. IKEv2 protocol does not negotiate using mode configuration. The device deletes existing IKE and IPsec SAs when you update the mode configuration in the IKE policy.

  • aggressive—Aggressive mode.

  • main—Main mode. Main mode is the recommended key-exchange method because it conceals the identities of the parties during the key exchange.

    Configuring mode main for group VPN servers or members is not supported when the remote gateway has a dynamic address and the authentication method is pre-shared-keys.

pre-shared-key—Define a preshared key for an IKE policy. Preshared keys are used to secure the Phase 1 SAs between the root-server and the sub-servers and between the sub-servers and the group members. Ensure that the preshared keys used are strong keys. On the sub-servers, the preshared key configured for the IKE policy RootSrv must match the preshared key configured on the root-server, and the preshared key configured for the IKE policy GMs must match the preshared key configured on the group members. The device deletes existing IKE and IPsec SAs when you update the pre-shared-key configuration in the IKE policy.

  • ascii-text key—Specify a string of 1 to 255 ASCII text characters for the key. The characters @ + - and = are not allowed. To include the special characters ( ) [ ] { } , ; enclose either the entire key string or the special character in quotation marks; for example "str)ng" or str")"ng. Any other use of quotation marks within the string is not allowed. With des-cbc encryption, the key contains 8 ASCII characters. With 3des-cbc encryption, the key contains 24 ASCII characters.

  • hexadecimal key—Specify a string of 1 to 255 hexadecimal characters for the key. Characters must be hexadecimal digits 0 through 9, or letters a through f or A through F. With des-cbc encryption, the key contains 16 hexadecimal characters. With 3des-cbc encryption, the key contains 48 hexadecimal characters.

proposal-set—Specify a set of default Internet Key Exchange (IKE) proposals.

proposals proposal-name—Specify up to four Phase 1 proposals for an IKE policy. If you include multiple proposals, use the same Diffie-Hellman group in all of the proposals.

reauth-frequency number—Configure the reauthentication frequency to trigger a new IKEv2 reauthentication. Reauthentication creates a new IKE SA, creates new child SAs within the IKE SA, and then deletes the old IKE SA. This option is disabled by default. number is the number of IKE rekeys that occur before reauthentication occurs. If reauth-frequency is 1, reauthentication occurs every time there is an IKE rekey. If reauth-frequency is 2, reauthentication occurs at every other IKE rekey. If reauth-frequency is 3, reauthentication occurs at every third IKE rekey.

Default: 0 (disable)

Range: 0-100
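The constraints listed for the pre-shared-key option (allowed characters, quoting of special characters, 1 to 255 characters) and for reauth-frequency (range 0 to 100, reauthentication at every nth rekey) are easy to get wrong when an IKE policy is written or reviewed by hand. The following linter is an added example and not Junos code: it reads constructed `set security ike policy ...` statements (the statement layout is assumed from the option names above), reports policies that violate the rules on this page, flags aggressive mode because main mode is the recommended method, and shows at which rekeys a given reauth-frequency would fire. The 16-character minimum it applies to ascii-text keys is a local strength threshold chosen for the example, not a Junos rule.

```python
"""Lint `set security ike policy ...` lines against the constraints in this reference.

Added example; not Junos code. The `set` statement layout is assumed from the option
names above, the sample configuration is constructed, and the 16-character strength
threshold is a local policy choice, not a Junos rule.
"""
import re
from collections import defaultdict

ASCII_DISALLOWED = set("@+-=")         # never allowed in an ascii-text key
ASCII_NEEDS_QUOTING = set("()[]{},;")  # allowed only inside quotation marks
MAX_NAME_LEN = 32
MAX_PROPOSALS = 4
REAUTH_MIN, REAUTH_MAX = 0, 100
MIN_STRONG_ASCII_LEN = 16              # assumption: local threshold for a "strong" key

SET_RE = re.compile(r"^set security ike policy (\S+) (\S+)(?: (.*))?$")


def check_ascii_key(token):
    """Problems with an ascii-text key exactly as typed on the CLI (quotes included)."""
    problems, key, in_quote = [], [], False
    for ch in token:
        if ch == '"':                  # quotation marks delimit; they are not key characters
            in_quote = not in_quote
            continue
        if ch in ASCII_DISALLOWED:
            problems.append(f"character {ch!r} is not allowed")
        elif ch in ASCII_NEEDS_QUOTING and not in_quote:
            problems.append(f"character {ch!r} must be enclosed in quotation marks")
        key.append(ch)
    if in_quote:
        problems.append("unbalanced quotation marks")
    if not 1 <= len(key) <= 255:
        problems.append(f"key length {len(key)} is outside 1-255")
    elif len(key) < MIN_STRONG_ASCII_LEN:
        problems.append(f"key shorter than {MIN_STRONG_ASCII_LEN} characters (local strength threshold)")
    return problems


def check_hex_key(token):
    """A hexadecimal key is 1 to 255 digits from 0-9, a-f or A-F."""
    return [] if re.fullmatch(r"[0-9a-fA-F]{1,255}", token) else ["must be 1-255 hexadecimal digits"]


def reauth_schedule(frequency, rekeys):
    """1-based rekey numbers at which IKEv2 reauthentication fires; 0 means never."""
    if frequency == 0:
        return []
    return [n for n in range(1, rekeys + 1) if n % frequency == 0]


def lint_config(text):
    """Return {policy-name: [finding, ...]} for a block of `set` statements."""
    policies = defaultdict(lambda: {"mode": None, "proposals": [], "psk": None, "reauth": 0})
    for line in text.strip().splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue
        name, keyword, arg = m.groups()
        pol = policies[name]
        if keyword == "mode":
            pol["mode"] = arg
        elif keyword == "proposals":
            pol["proposals"].append(arg)
        elif keyword == "pre-shared-key":
            kind, _, key = arg.partition(" ")   # "ascii-text <key>" or "hexadecimal <key>"
            pol["psk"] = (kind, key)
        elif keyword == "reauth-frequency":
            pol["reauth"] = int(arg)
    findings = {}
    for name, pol in policies.items():
        out = []
        if len(name) > MAX_NAME_LEN or not name.isalnum():
            out.append(f"policy name must be up to {MAX_NAME_LEN} alphanumeric characters")
        if pol["mode"] == "aggressive":
            out.append("aggressive mode does not protect peer identities; main mode is recommended")
        if len(pol["proposals"]) > MAX_PROPOSALS:
            out.append(f"{len(pol['proposals'])} proposals configured, maximum is {MAX_PROPOSALS}")
        if pol["psk"]:
            kind, key = pol["psk"]
            checker = check_ascii_key if kind == "ascii-text" else check_hex_key
            out.extend(f"pre-shared-key {kind}: {p}" for p in checker(key))
        if not REAUTH_MIN <= pol["reauth"] <= REAUTH_MAX:
            out.append(f"reauth-frequency {pol['reauth']} is outside {REAUTH_MIN}-{REAUTH_MAX}")
        findings[name] = out
    return findings


# Constructed sample: one policy that passes and one that trips several rules.
SAMPLE_CONFIG = """
set security ike policy RootSrv mode main
set security ike policy RootSrv proposals ike-prop-1
set security ike policy RootSrv pre-shared-key ascii-text "corr3ct horse (battery) staple"
set security ike policy RootSrv reauth-frequency 2
set security ike policy GMs mode aggressive
set security ike policy GMs proposals ike-prop-1
set security ike policy GMs pre-shared-key ascii-text secret@1
set security ike policy GMs reauth-frequency 150
"""

if __name__ == "__main__":
    for policy, notes in lint_config(SAMPLE_CONFIG).items():
        print(policy, "OK" if not notes else "")
        for note in notes:
            print("  -", note)
    print("reauth at rekeys:", reauth_schedule(2, 6))
```

Run as a script, the RootSrv policy passes cleanly while GMs is reported for aggressive mode, a disallowed `@` in the key, a key below the local length threshold, and an out-of-range reauth-frequency; `reauth_schedule(2, 6)` returns `[2, 4, 6]`, matching the page's description that a value of 2 reauthenticates at every other rekey.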

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation