Defining an IKE Policy

IKE policies define parameters that the router uses during IKE phase 1 negotiation.

To create an IKE policy:

You can then set the following parameters, or use the default settings:

• Allow aggressive mode negotiation.

  host1(config-ike-policy)#aggressive-mode

• Specify the authentication method.

  host1(config-ike-policy)#authentication pre-share

• Specify the encryption algorithm.

  host1(config-ike-policy)#encryption 3des

• Assign a Diffie-Hellman group.

  host1(config-ike-policy)#group 5

• Set the hash algorithm.

  host1(config-ike-policy)#hash md5

• Specify the lifetime of IKE SAs created using this policy.

  host1(config-ike-policy)#lifetime 360

aggressive-mode

• Use to enable aggressive mode negotiation for the tunnel.
• If you specify aggressive mode negotiation, the tunnel proposes aggressive mode to the peer in connections that the policy initiates.
• If the peer initiates a negotiation, the tunnel accepts the negotiation if the mode matches this policy.
• Use the accepted keyword to accept aggressive mode when proposed by peers
• Use the requested keyword to request aggressive mode when negotiating with peers
• Use the required keyword to only request and accept aggressive mode when negotiating with peers.
• Example

  host1(config-ike-policy)#aggressive-mode accepted

• Use the no version to set the negotiation mode to main mode.
• See aggressive-mode.

authentication

• Use to specify the authentication method the router uses in the IKE policy: preshared keys or RSA signature.
• Example

  host1(config-ike-policy)#authentication pre-share

• Use the no version to restore the default, preshared keys.
• See authentication.

encryption

• Use to specify one of the following encryption algorithms to use in the IKE policy:
  • 3des—168-bit 3DES-CBC
  • des—56-bit DES-CBC
• Example

  host1(config-ike-policy)#encryption 3des

• Use the no version to restore the default encryption algorithm, 3DES.
• See encryption.

group

• Use to assign a Diffie-Hellman group to the IKE policy. Specify:
  • 1—768-bit group
  • 2—1024-bit group
  • 5—1536-bit group
• Example

  host1(config-ike-policy)#group 5

• Use the no version to restore the default.
• See group.

hash

• Use to set the hash algorithm for the IKE policy:
  • md5—MD5 (HMAC variant)
  • sha—SHA-1 (HMAC variant)
• Example

  host1(config-ike-policy)#hash md5

• Use the no version to restore the default, sha.
• See hash.

ipsec ike-policy-rule

ipsec isakmp-policy-rule

Note: The command replaces the ipsec isakmp-policy-rule command, which may be removed completely in a future release.

• Use to define an IKE policy.
• When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies in the range 1–10000, with 1 having the highest priority.
• You can add up to 10 IKE policies per router.
• Example

  host1(config)#ipsec ike-policy-rule 3

  host1(config-ike-policy)#

• Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed.
• See ipsec ike-policy-rule.
• See ipsec isakmp-policy-rule.

lifetime

• Use to specify the lifetime of IKE SAs.
• The range is 60–86400 seconds.

  host1(config-ike-policy)#lifetime 360

• Use the no version to reset the SA lifetime to the default, 28800 seconds.
• See lifetime.

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.