Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Authentication Process

 

The remote dynamic peer initiates IKE and negotiations with the local (Juniper Networks) router. The local router uses a default set of authentication and encryption values to match the and IKE proposals sent by the remote peer to establish the SA. If any of the values match, the tunnel establishment process continues. The default values are shown in Table 1.

Table 1: Default IKE and Proposals for Dynamic SA Negotiations

Statement Name

Values

Implicit IKE Proposal

authentication-method

preshared keys

dh-group

group1, group2

authentication-algorithm

sha1, md5

encryption-algorithm

3des-cbc, des-cbc

lifetime-seconds

3600 seconds

Implicit Proposal

protocol

esp, ah, bundle

authentication-algorithm

hmac-sha1-96, hmac-md5-96

encryption-algorithm

3des-cbc, des-cbc

lifetime-seconds

28,800 seconds (8 hours)

Phase 2 of the authentication process matches the proxy identities of the protected hosts and networks sent by the peer against a list of configured proxy identities. The accepted proxy identity is used to create the dynamic rules for encrypting the traffic. You can configure proxy identities by including the allowed-proxy-pair statement in an IKE access profile at the [edit access profile profile-name client * ike] hierarchy level. If no configured entry matches, the negotiation is rejected.

However, if you do not configure the allowed-proxy-pair statement, the default value ANY(0.0.0.0/0)-ANY is applied, and the local router accepts any proxy identities sent by the peer.

Once the phase 2 negotiation has been successfully completed, the router builds dynamic rules and inserts the reverse route into the routing table using the accepted proxy identity.