You configure dynamic SAs with a set of proposals that are negotiated by the security gateways. The keys are generated as part of the negotiation and do not need to be specified in the configuration. The dynamic SA includes one or more proposals, which allow you to prioritize a list of protocols and algorithms to be negotiated with the peer.
To enable a dynamic SA, follow these steps:
For more information about IKE policies and proposals, see Configuring an IKE Policy for Preshared Keys and Configuring an IKE Proposal (Dynamic SAs Only). For more information about IPSec policies and proposals, see Configuring the IPSec Policy (ES PIC).
Note: Dynamic tunnel SAs require an ES PIC.
To configure a dynamic SA, include the dynamic statement at the [edit security ipsec security-association sa-name] hierarchy level. Specify an IPSec policy name, and optionally, a 32-packet or 64-packet replay window size.
```
[edit security ipsec security-association sa-name]
dynamic {
    ipsec-policy policy-name;
    replay-window-size (32 | 64);
}
```
Note: If you want to establish a dynamic SA, the attributes in at least one configured IPSec and IKE proposal must match those of its peer. The replay window is not used with manual SAs.
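The following is an added example, not taken from the Juniper documentation, showing how the dynamic statement fits together with the IKE and IPSec proposals and policies it depends on. The proposal and policy names (ike-prop, ipsec-prop, ipsec-pol, dyn-sa), the peer address 192.0.2.2, and the preshared key are assumed placeholders; the algorithm set is one choice that a peer would also have to configure, since the SA is only established when at least one IKE proposal and one IPSec proposal match on both sides.

```junos
/* Added example, not from the original page; all names and addresses are placeholders. */
security {
    ike {
        proposal ike-prop {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        /* ES PIC IKE policies are named by the peer's address. */
        policy 192.0.2.2 {
            mode main;
            proposals ike-prop;
            pre-shared-key ascii-text "PLACEHOLDER-preshared-key";
        }
    }
    ipsec {
        proposal ipsec-prop {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec-pol {
            /* PFS forces a fresh Diffie-Hellman exchange for each IPSec SA. */
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-prop;
        }
        /* The dynamic SA itself: keys come from IKE, only the policy is named here. */
        security-association dyn-sa {
            dynamic {
                ipsec-policy ipsec-pol;
                replay-window-size 64;
            }
        }
    }
}
```

The 64-packet replay window tolerates more reordering on a lossy path than the 32-packet window while still rejecting replayed ESP packets; the window has no effect on manual SAs.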