
    Configuring IPsec Proposals

    An IPsec proposal lists protocols and algorithms (security services) to be negotiated with the remote IPsec peer.

    To configure an IPsec proposal, include the proposal statement and specify an IPsec proposal name at the [edit services ipsec-vpn ipsec] hierarchy level:

    [edit services ipsec-vpn ipsec]
    proposal proposal-name {
    authentication-algorithm (hmac-sha-256-128 | hmac-sha1-96);
    description description;
    }

    This section discusses the following topics:

    • Configuring the Authentication Algorithm for an IPsec Proposal
    • Configuring the Description for an IPsec Proposal
    • Configuring the Encryption Algorithm for an IPsec Proposal
    • Configuring the Lifetime for an IPsec SA
    • Configuring the Protocol for a Dynamic SA

    Configuring the Authentication Algorithm for an IPsec Proposal

    To configure the authentication algorithm for an IPsec proposal, include the authentication-algorithm statement at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ipsec proposal proposal-name]
    authentication-algorithm (hmac-sha-256-128 | hmac-sha1-96);

    ACX Series routers support the following authentication algorithms:

    • hmac-sha1-96—HMAC keyed-hash algorithm based on SHA-1 that authenticates packet data. Produces a 160-bit digest that is truncated to a 96-bit integrity check value (ICV) in the ESP trailer.
    • hmac-sha-256-128—HMAC keyed-hash algorithm based on SHA-256 that authenticates packet data. Produces a 256-bit digest that is truncated to a 128-bit ICV in the ESP trailer.

    Use hmac-sha-256-128 unless the remote peer supports only SHA-1. Both peers must offer the same authentication algorithm, or the IPsec SA negotiation fails.

    Configuring the Description for an IPsec Proposal

    To specify an optional text description for an IPsec proposal, include the description statement at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ipsec proposal proposal-name]
    description description;

    Configuring the Encryption Algorithm for an IPsec Proposal

    To configure the encryption algorithm for an IPsec proposal, include the encryption-algorithm statement at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ipsec proposal proposal-name]
    encryption-algorithm algorithm;

    ACX Series routers support only the Advanced Encryption Standard (AES) with a 128-bit key. Because AES-128 on its own provides confidentiality but not integrity, always pair it with an authentication algorithm in the same proposal.

    Configuring the Lifetime for an IPsec SA

    When a dynamic IPsec SA is created, two types of lifetimes are used: hard and soft. The hard lifetime is the time after which the SA expires and can no longer be used. The soft lifetime, which is derived from the hard lifetime, informs the IPsec key management system that the SA is about to expire. This allows the key management system to negotiate a replacement SA before the hard lifetime expires, so traffic is not interrupted by the rekey.

    To configure the hard lifetime value, include the lifetime-seconds statement and specify the number of seconds at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ipsec proposal proposal-name]
    lifetime-seconds seconds;

    The default lifetime is 28,000 seconds. The range is from 180 through 86,400 seconds.

    The soft lifetime values are as follows:

    • Initiator: Soft lifetime = Hard lifetime – 135 seconds.
    • Responder: Soft lifetime = Hard lifetime – 90 seconds.

    Configuring the Protocol for a Dynamic SA

    The protocol statement sets the protocol for a dynamic SA. ACX Series routers use the Encapsulating Security Payload (ESP) protocol to protect IP traffic. ESP can provide authentication, encryption, or both; for a dynamic SA, configure both an authentication algorithm and an encryption algorithm, because ESP with encryption but no integrity protection leaves the ciphertext open to undetected modification.

    To configure the protocol for a dynamic SA, include the protocol statement and specify esp at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ipsec proposal proposal-name]
    protocol esp;
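    The following configuration is an added example, not taken from the original page, that brings together every statement described in the topics above at the [edit services ipsec-vpn ipsec] hierarchy level. It defines a preferred proposal (SHA-256 integrity, AES-128, ESP, one-hour hard lifetime) and a separate legacy proposal for peers that can only do SHA-1, so the weak choice can be retired without editing the strong one. The proposal names, the description strings, the lifetime value and the encryption-algorithm keyword aes-128-cbc are assumptions; the page itself only states that ACX Series routers support AES with a 128-bit key.

```junos
/* Added example, not from the original page. Names, descriptions and the   */
/* keyword aes-128-cbc are assumptions; the page only says "AES 128-bit".     */
services {
    ipsec-vpn {
        ipsec {
            /* Preferred proposal. With lifetime-seconds 3600 the soft lifetime */
            /* (using the formulas from this page) is 3600 - 135 = 3465 s when  */
            /* this router is the initiator and 3600 - 90 = 3510 s when it is   */
            /* the responder, so the replacement SA is negotiated before expiry.*/
            proposal acx-esp-sha256 {
                description "ESP, AES-128, HMAC-SHA-256-128, 1h hard lifetime";
                protocol esp;
                authentication-algorithm hmac-sha-256-128;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 3600;
            }
            /* Legacy fallback for peers that cannot negotiate SHA-256. Kept as */
            /* its own proposal so it can be deleted later in one step. Do not  */
            /* drop authentication-algorithm: ESP encryption without integrity  */
            /* protection is unsafe.                                            */
            proposal acx-esp-sha1-legacy {
                description "ESP, AES-128, HMAC-SHA1-96, legacy peers only";
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 3600;
            }
        }
    }
}
```

    After loading the configuration, run commit check to have the router validate the hierarchy before committing, then confirm the negotiated SA with show services ipsec-vpn ipsec security-associations detail (the standard Junos operational command for this hierarchy; check its availability on your release). The output should show ESP with the authentication and encryption algorithms from the proposal that the peer accepted, and a remaining lifetime that starts counting down from the configured lifetime-seconds value.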

    Modified: 2017-09-13