Configuring an IKE Proposal for Dynamic SAs


Dynamic Security Associations (SAs) require IKE configuration. The IKE configuration defines the algorithms and keys used to establish the secure IKE connection with the peer security gateway.

You can configure one or more IKE proposals. Each proposal is a list of IKE attributes to protect the IKE connection between the IKE host and its peer.

To configure an IKE proposal and define its properties, include the following statements at the [edit security ike] hierarchy level:

For information about associating an IKE proposal with an IKE policy, see Configuring an IKE Policy for Preshared Keys.

Tasks for configuring the IKE proposal are:

Configuring the Authentication Algorithm for an IKE Proposal

To configure an IKE authentication algorithm, include the authentication-algorithm statement at the [edit security ike proposal ike-proposal-name] hierarchy level:

The authentication algorithm can be one of the following:

  • md5—Produces a 128-bit digest.

  • sha1—Produces a 160-bit digest.

Configuring the Authentication Method for an IKE Proposal

To configure an IKE authentication method, include the authentication-method statement at the [edit security ike proposal ike-proposal-name] hierarchy level:

The authentication method can be one of the following:

  • dsa-signatures—Digital Signature Algorithm (DSA)

  • pre-shared-keys—Preshared keys; a key derived from an out-of-band mechanism is used to authenticate an exchange

  • rsa-signatures—Public key algorithm that supports encryption and digital signatures

Configuring the Description for an IKE Proposal

To specify a description for an IKE proposal, include the description statement at the [edit security ike proposal ike-proposal-name] hierarchy level:

Configuring the Diffie-Hellman Group for an IKE Proposal

The Diffie-Hellman key exchange is a public-key cryptography scheme that allows two parties to establish a shared secret over an insecure communications channel. It is also used within IKE to establish session keys.

To configure an IKE Diffie-Hellman group, include the dh-group statement at the [edit security ike proposal ike-proposal-name] hierarchy level:

The group can be one of the following:

  • group1—Specify that IKE use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

  • group2—Specify that IKE use the 1024-bit modulus group.

  • group5—Specify that IKE use the 1536-bit modulus group.

  • *group14—Specify that IKE use the 2048-bit modulus group.

  • *group15—Specify that IKE use the 3072-bit modulus group.

  • *group16—Specify that IKE use the 768-bit modulus group.

  • *group19—Specify that IKE use the 256-bit elliptic curve group.

  • **group20—Specify that IKE use the 384-bit elliptic curve group.

  • **group24—Specify that IKE use the 2048-bit modulus and 256-bit prime order subgroup.

* Strong. ** Next-generation, strong.

Configuring the Encryption Algorithm for an IKE Proposal

To configure an IKE encryption algorithm, include the encryption-algorithm statement at the [edit security ike proposal ike-proposal-name] hierarchy level:

The encryption algorithm can be one of the following:

  • 3des-cbc—Encryption algorithm that has a key size of 24 bytes; its key size is 192 bits long.

  • des-cbc—Encryption algorithm that has a key size of 8 bytes; its key size is 56 bits long.

  • aes-128-cbc—Advanced encryption algorithm that has a key size of 16 bytes; its key size is 128 bits long.

  • aes-192-cbc—Advanced encryption algorithm that has a key size of 24 bytes; its key size is 192 bits long.

  • aes-256-cbc—Advanced encryption algorithm that has a key size of 32 bytes; its key size is 256 bits long.

Configuring the Lifetime for an IKE SA

The IKE lifetime sets the lifetime of an IKE SA. When the IKE SA expires, it is replaced by a new SA (and SPI) or is terminated. The default IKE lifetime is 3600 seconds.

To configure the IKE lifetime, include the lifetime-seconds statement and specify the number of seconds (180 through 86,400) at the [edit security ike proposal ike-proposal-name] hierarchy level:
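As an added example (not Juniper's code), the following Python audit reads set-style lines for the `[edit security ike proposal ike-proposal-name]` statements described above and flags missing, unknown or legacy values, unstarred Diffie-Hellman groups, and a `lifetime-seconds` outside 180 through 86,400; the set-command form, the proposal names and the sample values are constructed for the example.

```python
# Allowed values are those documented under [edit security ike proposal <name>].
ALLOWED = {
    "authentication-algorithm": {"md5", "sha1"},
    "authentication-method": {"dsa-signatures", "pre-shared-keys", "rsa-signatures"},
    "dh-group": {"group1", "group2", "group5", "group14", "group15", "group16", "group19", "group20", "group24"},
    "encryption-algorithm": {"3des-cbc", "des-cbc", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc"},
}
STRONG_GROUPS = {"group14", "group15", "group16", "group19", "group20", "group24"}  # the groups marked * or **
# Legacy choices: 128-bit MD5 digest, 56-bit DES and 64-bit-block 3DES.
WEAK = {"authentication-algorithm": {"md5"}, "encryption-algorithm": {"des-cbc", "3des-cbc"}}

def parse_proposals(config):
    """Group constructed set-style lines into {proposal_name: {statement: value}}."""
    proposals = {}
    for line in config.splitlines():
        parts = line.split(None, 6)  # set security ike proposal <name> <statement> <value>
        if len(parts) == 7 and parts[:4] == ["set", "security", "ike", "proposal"]:
            proposals.setdefault(parts[4], {})[parts[5]] = parts[6].strip('"')
    return proposals

def audit_proposal(attrs):
    """Return findings for one proposal; an empty list means it passes."""
    findings = []
    for stmt, allowed in ALLOWED.items():
        val = attrs.get(stmt)
        if val is None:
            findings.append(f"{stmt}: missing")
        elif val not in allowed:
            findings.append(f"{stmt}: unknown value {val!r}")
        elif val in WEAK.get(stmt, ()):
            findings.append(f"{stmt}: weak choice {val}")
    grp = attrs.get("dh-group")
    if grp in ALLOWED["dh-group"] and grp not in STRONG_GROUPS:
        findings.append(f"dh-group: {grp} is not marked strong")
    life = attrs.get("lifetime-seconds", "3600")  # documented default when omitted
    if not (life.isdigit() and 180 <= int(life) <= 86400):
        findings.append(f"lifetime-seconds: {life} outside 180-86400")
    return findings

def audit_config(config):
    """Audit every proposal in a set-style configuration dump."""
    return {n: audit_proposal(a) for n, a in parse_proposals(config).items()}

# Constructed sample: a legacy proposal with a missing statement, and a strong one.
SAMPLE = """set security ike proposal legacy authentication-algorithm md5
set security ike proposal legacy encryption-algorithm des-cbc
set security ike proposal legacy dh-group group2
set security ike proposal legacy lifetime-seconds 100
set security ike proposal modern authentication-method rsa-signatures
set security ike proposal modern authentication-algorithm sha1
set security ike proposal modern encryption-algorithm aes-256-cbc
set security ike proposal modern dh-group group20"""
```

Running `audit_config(SAMPLE)` reports five findings for `legacy` and none for `modern`; a `show configuration | display set` dump can be fed in the same way.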