Configuring an Internet Key Exchange (IKE) Access Profile

An IKE access profile is used to negotiate IKE and IPSec security associations with dynamic peers. You can configure only one tunnel profile per service set for all dynamic peers. The configured preshared key in the profile is used for IKE authentication of all dynamic peers terminating in that service set. Beginning with JUNOS Release 8.2, you can also use the digital certificate method for IKE authentication with dynamic peers. Include the ike-policy policy-name statement at the [edit access profile profile-name client * ike] hierarchy level. policy-name is the name of the IKE policy you define at the [edit services ipsec-vpn ike policy policy-name] hierarchy level. For more information, see the JUNOS Services Interfaces Configuration Guide.

The IKE tunnel profile specifies all the information you need to complete the IKE negotiation. Each protocol has its own statement hierarchy within the client statement to configure protocol-specific attribute value pairs, but only one client configuration is allowed for each profile. The following is the configuration hierarchy.

For dynamic peers, the JUNOS software supports only IKE main mode with both the preshared key and digital certificate methods. In this mode, an IPv6 or IPv4 address is used to identify a tunnel peer to obtain the preshared key or digital certificate information. The client value * (wildcard) means that configuration within this profile is valid for all dynamic peers terminating within the service set accessing this profile.

The following statement makes up the IKE profile:

• allowed-proxy-pair—During phase 2 IKE negotiation, the remote peer supplies its network address (remote) and its peer’s network address (local). Since multiple dynamic tunnels are authenticated through the same mechanism, this statement must include the list of possible combinations. If the dynamic peer does not present a valid combination, the phase 2 IKE negotiation fails.

By default, remote 0.0.0.0/0 local 0.0.0.0/0 is used if no values are configured.

• pre-shared-key—Key used to authenticate the dynamic peer during IKE phase 1 negotiation. This key is known to both ends through an out-of-band secure mechanism. You can configure the value either in hexadecimal or ascii-text format. It is a mandatory value.
• ike-policy—Name of the IKE policy that defines either the local digital certificate or the pre-shared key used to authenticate the dynamic peer during IKE negotiation. You must include this statement to use the digital certificate method for IKE authentication with a dynamic peer. You define the IKE policy at the [edit services ipsec-vpn ike policy policy-name] hierarchy level. For more information, see the JUNOS Services Interfaces Configuration Guide.
• initiate-dead-peer-detection—Detects dead peers on dynamic IPSec tunnels..
• interface-id—Interface identifier, a mandatory attribute used to derive the logical service interface information for the session.

For more information about how to configure IPSec tunnels with dynamic peer security gateways, see the JUNOS Feature Guide and the JUNOS Services Interfaces Configuration Guide.

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.