Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Configuring IPsec Proposals

    An IPsec proposal lists protocols and algorithms (security services) to be negotiated with the remote IPsec peer.

    To configure an IPsec proposal, include the proposal statement and specify an IPsec proposal name at the [edit services ipsec-vpn ipsec] hierarchy level:

    [edit services ipsec-vpn ipsec]
    proposal proposal-name {authentication-algorithm (hmac-md5-96 | hmac-sha1-96);description description;encryption-algorithm algorithm;lifetime-seconds seconds;protocol (ah | esp | bundle);}

    This section discusses the following topics:

    Configuring the Authentication Algorithm for an IPsec Proposal

    To configure the authentication algorithm for an IPsec proposal, include the authentication-algorithm statement at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ipsec proposal proposal-name]authentication-algorithm (hmac-md5-96 | hmac-sha1-96);

    The authentication algorithm can be one of the following:

    • hmac-md5-96—Hash algorithm that authenticates packet data. It produces a 128-bit digest. Only 96 bits are used for authentication.
    • hmac-sha1-96—Hash algorithm that authenticates packet data. It produces a 160-bit digest. Only 96 bits are used for authentication.

    Configuring the Description for an IPsec Proposal

    To specify an optional text description for an IPsec proposal, include the description statement at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ipsec proposal proposal-name]description description;

    Configuring the Encryption Algorithm for an IPsec Proposal

    To configure encryption algorithm for an IPsec proposal, include the encryption-algorithm statement at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ipsec proposal proposal-name]encryption-algorithm algorithm;

    The encryption algorithm can be one of the following:

    • 3des-cbc—Encryption algorithm that has a block size of 24 bytes; its key size is 192 bits long.
    • des-cbc—Encryption algorithm that has a block size of 8 bytes; its key size is 48 bits long.
    • aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption algorithm.
    • aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption algorithm.
    • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption algorithm.

    Note: For a list of Data Encryption Standard (DES) encryption algorithm weak and semiweak keys, see RFC 2409, The Internet Key Exchange (IKE). The AES encryption algorithms use a software implementation that has much lower throughput, so DES remains the recommended option.

    For 3des-cbc, the first 8 bytes should differ from the second 8 bytes, and the second 8 bytes should be the same as the third 8 bytes.

    If you configure an authentication proposal but do not include the encryption statement, the result is NULL encryption. Certain applications expect this result. If you configure no specific authentication or encryption values, the Junos OS uses the default values of sha1 for the authentication and 3des-cbc for the encryption.

    Configuring the Lifetime for an IPsec SA

    When a dynamic IPsec SA is created, two types of lifetimes are used: hard and soft. The hard lifetime specifies the lifetime of the SA. The soft lifetime, which is derived from the hard lifetime, informs the IPsec key management system that the SA is about to expire. This allows the key management system to negotiate a new SA before the hard lifetime expires.

    Note: In IKEv1, the lifetime for SAs is negotiated with the remote peer based on the type of lifetime configured in the IPsec proposal. In IKEv2, such a negotiation is not performed with the remote peer. Instead, each IKE peer uses the lifetime that is locally configured for them.

    For SAs in IKEv2, the lifetime is either the default value as IKEv1 (if another lifetime is not configured in the IPsec proposal) or all IKEv2 proposals in the IPsec policy must be configured with the same lifetime value.

    To configure the hard lifetime value, include the lifetime-seconds statement and specify the number of seconds at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ipsec proposal proposal-name]lifetime-seconds seconds;

    The default lifetime is 28,800 seconds. The range is from 180 through 86,400 seconds.

    The soft lifetime values are as follows:

    • Initiator: Soft lifetime = Hard lifetime – 135 seconds.
    • Responder: Soft lifetime = Hard lifetime – 90 seconds.

    Configuring the Protocol for a Dynamic SA

    The protocol statement sets the protocol for a dynamic SA. IPsec uses two protocols to protect IP traffic: ESP and AH. The ESP protocol can support authentication, encryption, or both. The AH protocol is used for strong authentication. AH also authenticates the IP packet. The bundle option uses AH authentication and ESP encryption; it does not use ESP authentication because AH provides stronger authentication of IP packets.

    To configure the protocol for a dynamic SA, include the protocol statement and specify the ah, esp, or bundle option at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ipsec proposal proposal-name]protocol (ah | esp | bundle);

    Modified: 2017-03-23