[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring Local and Remote IDs

You can optionally specify local identifiers for use in IKE phase 1 negotiation. If the local-id statement is omitted, the local gateway address is used.

To specify one or more local IDs, include the local-id statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

local-id {
ipv4_addr [ values ];
ipv6_addr [ values ];
key_id [ values ];
}

You can also specify remote gateway identifiers for which the IKE policy is used. The remote gateway address in which this policy is defined is added by default.

To specify one or more remote IDs, include the remote-id statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

remote-id {
any-remote-id;
ipv4_addr [ values ];
ipv6_addr [ values ];
key_id [ values ];
}

The any-remote-id option allows any remote address to connect. This option is supported only in dynamic endpoints configurations and cannot be configured along with specific values. For more information about dynamic endpoint configurations, see Configuring Dynamic Endpoints.

Example: Configuring an IKE Policy

Define two IKE policies: policy 10.1.1.2 and policy 10.1.1.1. Each policy is associated with proposal-1 and proposal-2.

[edit services ipsec-vpn]
ike {
proposal proposal-1 {
authentication-method pre-shared-keys;
dh-group group1;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 1000;
}
proposal proposal-2 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm md5;
encryption-algorithm des-cbc;
lifetime-seconds 10000;
}
proposal proposal-3 {
authentication-method rsa-signatures;
dh-group group2;
authentication-algorithm md5;
encryption-algorithm des-cbc;
lifetime-seconds 10000;
}
policy 10.1.1.2 {
mode main;
proposals [ proposal-1 proposal-2 ];
pre-shared-key ascii-text example-pre-shared-key;
}
policy 10.1.1.1 {
local-certificate certificate-file-name;
local-key-pair private-public-key-file;
mode aggressive;
proposals [ proposal-2 proposal-3 ]
pre-shared-key hexadecimal 0102030abbcd;
}
}

Note: Updates to the current IKE proposal and policy configuration are not applied to the current IKE SA; updates are applied to new IKE SAs.

If you want the new updates to take immediate effect, you must clear the existing IKE security associations so that they will be reestablished with the changed configuration. For information about how to clear the current IKE security association, see the JUNOS System Basics and Services Command Reference.

[Contents] [Prev] [Next] [Index] [Report an Error]

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.