
proposal-set (Security IKE)

 

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 8.5. Support for suiteb-gcm-128 and suiteb-gcm-256 options added in Junos OS Release 12.1X45-D10. Support for prime-128 and prime-256 options added in Junos OS Release 15.1X49-D40.

Description

Specify a set of default Internet Key Exchange (IKE) proposals.

Note

The prime-128 and prime-256 proposal sets require IKEv2 and certificate-based authentication.

Options

  • basic—Includes a basic set of two IKE proposals:

    • Proposal 1—Preshared key, Data Encryption Standard (DES) encryption, and Diffie-Hellman (DH) group 1 and Secure Hash Algorithm 1 (SHA-1) authentication.

    • Proposal 2—Preshared key, DES encryption, and DH group 1 and Message Digest 5 (MD5) authentication.

  • compatible—Includes a set of four commonly used IKE proposals:

    • Proposal 1—Preshared key, triple DES (3DES) encryption, and DH group 2 and SHA-1 authentication.

    • Proposal 2—Preshared key, 3DES encryption, and DH group 2 and MD5 authentication.

    • Proposal 3—Preshared key, DES encryption, and DH group 2 and SHA-1 authentication.

    • Proposal 4—Preshared key, DES encryption, and DH group 2 and MD5 authentication.

  • prime-128—Provides the following proposal set (this option is not supported on Group VPNv2):

    • Authentication method—Elliptic Curve Digital Signature Algorithm (ECDSA) 256-bit signatures.

    • Diffie-Hellman Group—19.

    • Encryption algorithm—Advanced Encryption Standard (AES) 128-bit Galois/Counter Mode (GCM).

    • Authentication algorithm—None (AES-GCM provides both encryption and authentication).

    When this option is used, prime-128 should also be configured at the [edit security ipsec policy policy-name proposal-set] hierarchy level.

  • prime-256—Provides the following proposal set (this option is not supported on Group VPNv2):

    • Authentication method—ECDSA 384-bit signatures.

    • Diffie-Hellman Group—20.

    • Encryption algorithm—AES 256-bit GCM.

    • Authentication algorithm—None (AES-GCM provides both encryption and authentication).

    When this option is used, prime-256 should also be configured at the [edit security ipsec policy policy-name proposal-set] hierarchy level.

  • standard—Includes a standard set of two IKE proposals:

    • Proposal 1—Preshared key, 3DES encryption, and DH group 2 and SHA-1 authentication.

    • Proposal 2—Preshared key, AES 128-bit encryption, and DH group 2 and SHA-1 authentication.

  • suiteb-gcm-128—Provides the following Suite B proposal set (this option is not supported on Group VPNv2):

    • Authentication method—ECDSA 256-bit signatures

    • Diffie-Hellman Group—19

    • Encryption algorithm—Advanced Encryption Standard (AES) 128-bit cipher block chaining (CBC)

      Note

      CBC mode is used instead of GCM.

    • Authentication algorithm—SHA-256

  • suiteb-gcm-256—Provides the following Suite B proposal set (this option is not supported on Group VPNv2):

    • Authentication method—ECDSA 384-bit signatures

    • Diffie-Hellman Group—20

    • Encryption algorithm—AES 256-bit CBC

      Note

      CBC mode is used instead of GCM.

    • Authentication algorithm—SHA-384
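
The following audit script is an added example, not Juniper code: it reads a configuration in "set" format, reports IKE policies whose proposal set offers DES, 3DES, MD5, SHA-1 or DH group 1/2 as listed above, and reports prime-128/prime-256 IKE policies with no IPsec policy using the same set. The policy names and sample configuration are constructed, and the script assumes the IKE statement sits under security ike policy policy-name, mirroring the IPsec hierarchy named above.

```python
import re

# Algorithms each predefined set offers, taken from the Options list above.
LEGACY_SETS = {
    "basic": "DES, DH group 1, SHA-1/MD5",
    "compatible": "3DES/DES, DH group 2, SHA-1/MD5",
    "standard": "3DES/AES-128, DH group 2, SHA-1",
}
PRIME_SETS = {"prime-128", "prime-256"}

# Constructed sample configuration in "set" format (policy names are made up).
SAMPLE_CONFIG = """\
set security ike policy IKE-BRANCH proposal-set compatible
set security ike policy IKE-HQ proposal-set prime-256
set security ike policy IKE-DC proposal-set prime-128
set security ipsec policy IPSEC-DC proposal-set prime-128
set security ipsec policy IPSEC-HQ proposal-set standard
"""

LINE_RE = re.compile(
    r"^set security (ike|ipsec) policy (\S+) proposal-set (\S+)\s*$")

def audit_proposal_sets(config_text):
    """Return (policy, finding) tuples for IKE proposal-set statements."""
    ike, ipsec_sets = {}, set()
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, name, pset = m.groups()
        if kind == "ike":
            ike[name] = pset
        else:
            ipsec_sets.add(pset)
    findings = []
    for name, pset in sorted(ike.items()):
        if pset in LEGACY_SETS:
            findings.append((name, f"{pset} offers {LEGACY_SETS[pset]}"))
        elif pset in PRIME_SETS and pset not in ipsec_sets:
            # Simplification: looks for any IPsec policy with the same set,
            # without following the VPN-to-policy bindings.
            findings.append(
                (name, f"{pset} has no matching IPsec policy proposal-set"))
    return findings

if __name__ == "__main__":
    for policy, finding in audit_proposal_sets(SAMPLE_CONFIG):
        print(f"{policy}: {finding}")
```

The check does not verify the IKEv2 and certificate-based authentication requirement stated in the Note for prime-128 and prime-256.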

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.
