# proposal-set (Security IKE)

#### Syntax

#### Hierarchy Level

`policy-name`]

#### Release Information

Statement introduced in Junos OS Release 8.5. Support for suiteb-gcm-128 and suiteb-gcm-256 options added in Junos OS Release 12.1X45-D10. Support for prime-128 and prime-256 options added in Junos OS Release 15.1X49-D40.

#### Description

Specify a set of default Internet Key Exchange (IKE) proposals.

**Note**

The prime-128 and prime-256 proposal sets require IKEv2 and certificate-based authentication.

#### Options

basic—Includes a basic set of two IKE proposals:

Proposal 1—Preshared key, Data Encryption Standard (DES) encryption, and Diffie-Hellman (DH) group 1 and Secure Hash Algorithm 1 (SHA-1) authentication.

Proposal 2—Preshared key, DES encryption, and DH group 1 and Message Digest 5 (MD5) authentication.

compatible—Includes a set of four commonly used IKE proposals:

Proposal 1—Preshared key, triple DES (3DES) encryption, and DH group 2 and SHA-1 authentication.

Proposal 2—Preshared key, 3DES encryption, and DH group 2 and MD5 authentication.

Proposal 3—Preshared key, DES encryption, and DH group 2 and SHA-1 authentication.

Proposal 4—Preshared key, DES encryption, and DH group 2 and MD5 authentication.

prime-128—Provides the following proposal set (this option is not supported on Group VPNv2):

Authentication method—Elliptic Curve Digital Signature Algorithm (ECDSA) 256-bit signatures.

Diffie-Hellman Group—19.

Encryption algorithm—Advanced Encryption Standard (AES) 128-bit Galois/Counter Mode (GCM).

Authentication algorithm—None (AES-GCM provides both encryption and authentication).

When this option is used, prime-128 should also be configured at the [edit security ipsec policy `policy-name` proposal-set] hierarchy level.

prime-256—Provides the following proposal set (this option is not supported on Group VPNv2):

Authentication method—ECDSA 384-bit signatures.

Diffie-Hellman Group—20.

Encryption algorithm—AES 256-bit GCM.

Authentication algorithm—None (AES-GCM provides both encryption and authentication).

When this option is used, prime-256 should also be configured at the [edit security ipsec policy `policy-name` proposal-set] hierarchy level.

standard—Includes a standard set of two IKE proposals:

Proposal 1—Preshared key, 3DES encryption, and DH group 2 and SHA-1 authentication.

Proposal 2—Preshared key, AES 128-bit encryption, and DH group 2 and SHA-1 authentication.

suiteb-gcm-128—Provides the following Suite B proposal set (this option is not supported on Group VPNv2):

Authentication method—ECDSA 256-bit signatures

Diffie-Hellman Group—19

Encryption algorithm—Advanced Encryption Standard (AES) 128-bit cipher block chaining (CBC)

**Note** CBC mode is used instead of GCM.

Authentication algorithm—SHA-256

suiteb-gcm-256—Provides the following Suite B proposal set (this option is not supported on Group VPNv2):

Authentication method—ECDSA 384-bit signatures

Diffie-Hellman Group—20

Encryption algorithm—AES 256-bit CBC

**Note** CBC mode is used instead of GCM.

Authentication algorithm—SHA-384
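As an added example (not Juniper's code), the following Python script audits a configuration in `set` format against the proposal sets listed above: it flags IKE policies whose set contains DES, 3DES, MD5, SHA-1, or DH group 1 or 2, and prime-128 or prime-256 IKE policies for which no IPsec policy uses the same set. The legacy classification, the algorithm labels, the policy names, and the simplification that any IPsec policy with the matching set satisfies the requirement are assumptions of the example.

```python
import re

# Contents of each predefined set, transcribed from the Options list above as
# (encryption, DH group, authentication algorithm). Labels are this example's own.
IKE_SETS = {
    "basic": [("des", "group1", "sha1"), ("des", "group1", "md5")],
    "compatible": [("3des", "group2", "sha1"), ("3des", "group2", "md5"),
                   ("des", "group2", "sha1"), ("des", "group2", "md5")],
    "standard": [("3des", "group2", "sha1"), ("aes-128", "group2", "sha1")],
    "prime-128": [("aes-128-gcm", "group19", None)],
    "prime-256": [("aes-256-gcm", "group20", None)],
    "suiteb-gcm-128": [("aes-128-cbc", "group19", "sha-256")],  # CBC despite the name
    "suiteb-gcm-256": [("aes-256-cbc", "group20", "sha-384")],
}
# Assumption of this example: primitives an auditor would flag as legacy.
LEGACY = {"des", "3des", "md5", "sha1", "group1", "group2"}
LINE = re.compile(r"^set security (ike|ipsec) policy (\S+) proposal-set (\S+)$")

# Constructed sample configuration (policy names are made up).
SAMPLE = """\
set security ike policy branch-a proposal-set compatible
set security ike policy branch-b proposal-set prime-128
set security ike policy dc-core proposal-set prime-256
set security ipsec policy dc-core-p2 proposal-set prime-256
set security ike policy partner proposal-set suiteb-gcm-128
"""

def audit(config_text):
    """Return sorted findings as (ike_policy, proposal_set, issue) tuples."""
    used = {"ike": {}, "ipsec": {}}
    for line in config_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            used[m.group(1)][m.group(2)] = m.group(3)
    ipsec_sets = set(used["ipsec"].values())
    findings = []
    for policy, pset in used["ike"].items():
        if pset not in IKE_SETS:
            findings.append((policy, pset, "unknown proposal set"))
            continue
        legacy = sorted({x for prop in IKE_SETS[pset] for x in prop if x in LEGACY})
        if legacy:
            findings.append((policy, pset, "legacy: " + ",".join(legacy)))
        # The page says prime-* should also be set on the IPsec policy.
        if pset.startswith("prime-") and pset not in ipsec_sets:
            findings.append((policy, pset, "no ipsec policy uses " + pset))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```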

#### Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.