Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Authentication Process


The remote dynamic peer initiates IKE and negotiations with the local (Juniper Networks) router. The local router uses a default set of authentication and encryption values to match the and IKE proposals sent by the remote peer to establish the SA. If any of the values match, the tunnel establishment process continues. The default values are shown in Table 1.

Table 1: Default IKE and Proposals for Dynamic SA Negotiations

Statement Name


Implicit IKE Proposal


preshared keys


group1, group2


sha1, md5


3des-cbc, des-cbc


3600 seconds

Implicit Proposal


esp, ah, bundle


hmac-sha1-96, hmac-md5-96


3des-cbc, des-cbc


28,800 seconds (8 hours)

Phase 2 of the authentication process matches the proxy identities of the protected hosts and networks sent by the peer against a list of configured proxy identities. The accepted proxy identity is used to create the dynamic rules for encrypting the traffic. You can configure proxy identities by including the allowed-proxy-pair statement in an IKE access profile at the [edit access profile profile-name client * ike] hierarchy level. If no configured entry matches, the negotiation is rejected.

However, if you do not configure the allowed-proxy-pair statement, the default value ANY( is applied, and the local router accepts any proxy identities sent by the peer.

Once the phase 2 negotiation has been successfully completed, the router builds dynamic rules and inserts the reverse route into the routing table using the accepted proxy identity.