Add a Proposal

 

You are here: Configure > Security Services > IPSec VPN > IKE (Phase I).

To add a proposal:

  1. Click the add icon (+) on the upper right side of the Proposal tab of the IKE (Phase I) page.

    The Add Proposal page appears.

  2. Complete the configuration according to the guidelines provided in Table 1.
  3. Click OK to save the changes. If you want to discard your changes, click Cancel.

Table 1: Fields on the Add Proposal Page

Field

Action

IKE Proposal

Name

Enter a name for the proposal.

Authentication Algorithm

Specifies the AH algorithm that the device uses to verify the authenticity and integrity of a packet. Select a hash algorithm from the list:

  • md5—Produces a 128-bit digest.

  • sha1—Produces a 160-bit digest.

  • sha-256—Produces a 256-bit digest.

    Note: The sha-256 authentication algorithm is not supported with the dynamic VPN feature.

  • sha-384—Produces a 384-bit digest.

  • sha-512—Starting in Junos OS Release 19.1R1, this option is supported. Produces a 512-bit digest.

    Note: Starting in Junos OS Release 19.1R1, the new authentication algorithm is supported on the SRX5000 line of devices with an SPC3 card only after the junos-ike package is installed. To install the junos-ike package from J-Web, navigate to Configure > Security Services > IPsec VPN > Global Settings and click Install.

Authentication Method

Specifies the method the device uses to authenticate the source of IKE messages. Select an option from the list:

  • pre-shared-key—Key for encryption and decryption that both participants must have before beginning tunnel negotiations.

  • rsa-key—RSA digital signatures, which use certificates that confirm the identity of the certificate holder.

  • dsa-signatures—Specifies the Digital Signature Algorithm (DSA).

  • ecdsa-signatures-256—The Elliptic Curve DSA (ECDSA) using the 256-bit elliptic curve secp256r1, as specified in the Federal Information Processing Standard (FIPS) Digital Signature Standard (DSS) 186-3.

  • ecdsa-signatures-384—The ECDSA using the 384-bit elliptic curve secp384r1, as specified in the FIPS DSS 186-3.

Description

Enter a brief description of the IKE proposal.

DH Group

Specifies the Diffie-Hellman group. The DH exchange allows participants to produce a shared secret value over an unsecured medium without actually transmitting the value across the connection.

Select a group from the list:

  • None

  • group1

  • group2

  • group5

  • group14

  • group19

  • group20

  • group24

  • group15—Starting in Junos OS Release 19.1R1, this option is supported.

  • group16—Starting in Junos OS Release 19.1R1, this option is supported.

  • group21—Starting in Junos OS Release 19.1R1, this option is supported.

If you configure multiple (up to four) proposals for Phase 1 negotiations, use the same Diffie-Hellman group in all proposals.

Encryption Algorithm

Specifies the supported Internet Key Exchange (IKE) proposals. Select an encryption algorithm from the list:

  • 3des-cbc—3DES-CBC encryption algorithm.

  • aes-128-cbc—AES-CBC 128-bit encryption algorithm.

  • aes-192-cbc—AES-CBC 192-bit encryption algorithm.

  • aes-256-cbc—AES-CBC 256-bit encryption algorithm.

  • des-cbc—DES-CBC encryption algorithm.

  • aes-128-gcm—AES-GCM 128-bit encryption algorithm.

  • aes-256-gcm—AES-GCM 256-bit encryption algorithm.

Lifetime seconds

Select a lifetime for the IKE SA. Default: 3,600 seconds. Range: 180 through 86,400 seconds.

When the SA expires, it is replaced by a new SA and SPI or is terminated.
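
The constraints in Table 1 (allowed options, the 180 through 86,400 second lifetime range, the four-proposal limit, the shared DH group, and the sha-256 restriction with dynamic VPN) can be checked before the values are entered. The following is an added example, not Juniper code: the dictionary keys and sample proposals are constructed, and the deprecated-option set is an assumption drawn from RFC 8247 rather than from this page.

```python
# Added example: checks IKE Phase 1 proposals against the rules in Table 1.
# Dict keys and sample proposals are constructed for illustration.
ALLOWED = {
    "auth_algorithm": {"md5", "sha1", "sha-256", "sha-384", "sha-512"},
    "auth_method": {"pre-shared-key", "rsa-key", "dsa-signatures",
                    "ecdsa-signatures-256", "ecdsa-signatures-384"},
    "dh_group": {"None", "group1", "group2", "group5", "group14", "group15",
                 "group16", "group19", "group20", "group21", "group24"},
    "encryption_algorithm": {"3des-cbc", "aes-128-cbc", "aes-192-cbc",
                             "aes-256-cbc", "des-cbc", "aes-128-gcm",
                             "aes-256-gcm"},
}
# Assumption, not from the page: options RFC 8247 lists as MUST NOT for IKEv2.
DEPRECATED = {"md5", "des-cbc", "group1"}


def check_proposals(proposals, dynamic_vpn=False):
    """Return a list of findings for the given proposal dicts."""
    findings = []
    if len(proposals) > 4:
        findings.append("more than four Phase 1 proposals configured")
    groups = sorted({str(p.get("dh_group")) for p in proposals})
    if len(groups) > 1:
        findings.append("proposals use different DH groups: " + ", ".join(groups))
    for p in proposals:
        name = p.get("name", "<unnamed>")
        for key, allowed in ALLOWED.items():
            value = p.get(key)
            if value not in allowed:
                findings.append(f"{name}: {key}={value!r} is not a Table 1 option")
            elif value in DEPRECATED:
                findings.append(f"{name}: {key}={value} is MUST NOT in RFC 8247")
        lifetime = p.get("lifetime_seconds", 3600)  # page default
        if not 180 <= lifetime <= 86400:
            findings.append(f"{name}: lifetime {lifetime}s outside 180-86400")
        if dynamic_vpn and p.get("auth_algorithm") == "sha-256":
            findings.append(f"{name}: sha-256 is not supported with dynamic VPN")
    return findings


SAMPLE = [  # constructed proposals
    {"name": "p1-strong", "auth_algorithm": "sha-256", "auth_method": "pre-shared-key",
     "dh_group": "group14", "encryption_algorithm": "aes-256-cbc", "lifetime_seconds": 3600},
    {"name": "p1-legacy", "auth_algorithm": "md5", "auth_method": "pre-shared-key",
     "dh_group": "group2", "encryption_algorithm": "des-cbc", "lifetime_seconds": 120},
]

if __name__ == "__main__":
    for finding in check_proposals(SAMPLE, dynamic_vpn=True):
        print(finding)
```
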
