Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


proposal (Security IKE)




For MX, M, and T Series Routers

Hierarchy Level

Release Information

Statement modified in Junos OS Release 8.5.

Support for dh-group group 14 and dsa-signatures added in Junos OS Release 11.1.

Support for sha-384, ecdsa-signatures-256, ecdsa-signatures-384, group19, group20, and group24 options added in Junos OS Release 12.1X45-D10.

sha-512, group15, group16, group21, and ecdsa-signatures-521 options introduced in Junos OS Release 19.R1 on SRX Series devices.

Support for authentication algorithm (SH1: hmac-sha1-96) added to vSRX in Junos OS Release 19.3R1 for Power Mode IPSec mode, along with the existing support in normal mode.

Support for ecdsa-signatures-256 and ecdsa-signatures-384 options added in Junos OS Release 12.1X45-D10.


Define an IKE proposal.


proposal-name—Name of the IKE proposal. The proposal name can be up to 32 alphanumeric characters long.

authentication-algorithm—Configure the Internet Key Exchange (IKE) authentication hash algorithm that authenticates packet data. It can be one of the following algorithms:

  • md5—Produces a 128-bit digest.

  • sha-256—Produces a 256-bit digest.

  • sha-384—Produces a 384-bit digest.

  • In Power Mode IPSec mode and in normal modesha1—Produces a 160-bit digest.

  • sha-512—Produces a 512-bit digest.

The device does not delete existing IPsec SAs when you update the authentication-algorithm configuration in the IKE proposal. The device deletes existing IPsec SAs when you update the authentication-algorithm configuration in the IPsec proposal.

authentication-method—Specify the method the device uses to authenticate the source of Internet Key Exchange (IKE) messages. The pre-shared-keys option refers to a preshared key, which is a key for encryption and decryption that both participants must have before beginning tunnel negotiations. The other options refer to types of digital signatures, which are certificates that confirm the identity of the certificate holder. The device does not delete existing IPsec SAs when you update the authentication-method configuration in the IKE proposal.

  • dsa-signatures—Specify that the Digital Signature Algorithm (DSA) is used.

  • ecdsa-signatures-256—Specify that the Elliptic Curve DSA (ECDSA) using the 256-bit elliptic curve secp256r1, as specified in the Federal Information Processing Standard (FIPS) Digital Signature Standard (DSS) 186-3, is used.

  • ecdsa-signatures-384—Specify that the ECDSA using the 384-bit elliptic curve secp384r1, as specified in the FIPS DSS 186-3, is used.

  • pre-shared-keys—Specify that a preshared key, which is a secret key shared between the two peers, is used during authentication to identify the peers to each other. The same key must be configured for each peer. This is the default method.

  • rsa-signatures—Specify that a public key algorithm, which supports encryption and digital signatures, is used.

  • ecdsa-signatures-521—Specify that the ECDSA using the 521-bit elliptic curve secp521r1 is used.

description description—Text the description of IKE proposal.

dh-group—Specify the IKE Diffie-Hellman group.

encryption-algorithm—Configure an encryption algorithm for an IKE proposal.

lifetime-seconds seconds—Specify the lifetime (in seconds) of an IKE security association (SA). When the SA expires, it is replaced by a new SA and security parameter index (SPI) or terminated.

Range: 180 through 86,400 seconds

Default: 28,800 seconds

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.