[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring an IPSec Policy

An IPSec policy defines a combination of security parameters (IPSec proposals) used during IPSec negotiation. It defines Perfect Forward Secrecy (PFS) and the proposals needed for the connection. During the IPSec negotiation, IPSec looks for a proposal that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match.

A match is made when both policies from the two peers have a proposal that contains the same configured attributes. If the lifetimes are not identical, the shorter lifetime between the two policies (from the host and peer) is used.

You can create multiple, prioritized IPSec proposals at each peer to ensure that at least one proposal matches a remote peer’s proposal.

First, you configure one or more IPSec proposals; then you associate these proposals with an IPSec policy. You can prioritize a list of proposals used by IPSec in the policy statement by listing the proposals you want to use, from first to last.

To configure an IPSec policy, include the policy statement, and specify the policy name and one or more proposals to associate with the policy, at the [edit services ipsec-vpn ipsec] hierarchy level:




policy policy-name {

description description;



perfect-forward-secrecy {
keys (group1 | group2); 
}



proposals [ proposal-names ]; 
}

This section includes the following topics related to configuring an IPSec policy:

[Contents] [Prev] [Next] [Index] [Report an Error]