
    Configuring IKE Policies

    An IKE policy defines a combination of security parameters (IKE proposals) to be used during IKE negotiation. It defines a peer address and the proposals needed for that connection. Depending on which authentication method is used, it defines the preshared key for the given peer or the local certificate. During the IKE negotiation, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match.

    A match is made when the policies on the two peers each have a proposal that contains the same configured attributes. If the lifetimes are not identical, the shorter lifetime between the two policies (from the host and peer) is used. The configured preshared key must also match that of its peer.

    You can create multiple, prioritized proposals at each peer to ensure that at least one proposal matches a remote peer’s proposal.

    First, you configure one or more IKE proposals; then you associate these proposals with an IKE policy. You can also prioritize a list of proposals used by IKE in the policy statement by listing the proposals you want to use, from first to last.
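The matching rules described above can be checked before deployment with a small model. This is an added example, not Juniper code: the proposal field names, proposal names, key and the initiator-first search order are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Proposal:
    # Field names are assumptions for this sketch; the page does not list them.
    name: str
    auth_method: str
    dh_group: str
    auth_algorithm: str
    encryption: str
    lifetime_seconds: int

    def attributes(self):
        # Lifetime is left out: it does not have to be identical to match.
        return (self.auth_method, self.dh_group, self.auth_algorithm, self.encryption)

@dataclass(frozen=True)
class Policy:
    proposals: tuple        # ordered first to last, highest priority first
    pre_shared_key: str

class NoProposalMatch(Exception): pass
class KeyMismatch(Exception): pass

def negotiate(initiator, responder):
    """Return (initiator proposal name, responder proposal name, lifetime)."""
    for mine in initiator.proposals:
        for theirs in responder.proposals:
            if mine.attributes() == theirs.attributes():
                if mine.auth_method == "pre-shared-keys" and not hmac.compare_digest(
                        initiator.pre_shared_key.encode(), responder.pre_shared_key.encode()):
                    raise KeyMismatch("proposals match but preshared keys differ")
                # The shorter of the two configured lifetimes is used.
                return mine.name, theirs.name, min(mine.lifetime_seconds, theirs.lifetime_seconds)
    raise NoProposalMatch("no proposal with the same attributes on both peers")

# Constructed sample peers (placeholder key, made-up proposal names).
STRONG_A = Proposal("aes256-g14", "pre-shared-keys", "group14", "sha-256", "aes-256-cbc", 28800)
LEGACY_A = Proposal("3des-g2", "pre-shared-keys", "group2", "sha1", "3des-cbc", 3600)
STRONG_B = Proposal("p1-strong", "pre-shared-keys", "group14", "sha-256", "aes-256-cbc", 14400)
SITE_A = Policy((STRONG_A, LEGACY_A), "EXAMPLE-KEY-ONLY")
SITE_B = Policy((STRONG_B,), "EXAMPLE-KEY-ONLY")

if __name__ == "__main__":
    print(negotiate(SITE_A, SITE_B))
```

Listing the stronger proposal first on the initiating peer means a legacy proposal is selected only when the remote peer offers nothing better in common.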

    To configure an IKE policy, include the policy statement and specify a policy name at the [edit services ipsec-vpn ike] hierarchy level:

    [edit services ipsec-vpn ike]
    policy policy-name {
        pre-shared-key (ascii-text key | hexadecimal key);
        proposals [ proposal-names ];
    }

    This section includes the following topics:

    Configuring the Proposals in an IKE Policy

    An IKE policy includes a list of one or more IKE proposals associated with it.

    To configure the proposals in an IKE policy, include the proposals statement and specify one or more proposal names at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

    proposals [ proposal-names ];

    Configuring the Preshared Key for an IKE Policy

    When you include the authentication-method pre-shared-keys statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level, IKE policy preshared keys authenticate peers; for more information, see Configuring the Authentication Method for an IKE Proposal. You must manually configure a preshared key, which must match that of its peer. The preshared key can be an ASCII text (alphanumeric) key or a hexadecimal key.

    To configure the preshared key in an IKE policy, include the pre-shared-key statement and a key at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

    [edit services ipsec-vpn ike policy policy-name]
    pre-shared-key (ascii-text key | hexadecimal key);

    ACX Series routers support ascii-text key.

    Modified: 2017-09-13