[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring Manual SAs

On the ES PIC, you configure a manual security association at the [edit security ipsec security-association name] hierarchy level. Include your choices for authentication, encryption, direction, mode, protocol, and SPI. Be sure that these choices are configured exactly the same way on the remote IPSec gateway.

[edit security]
ipsec {
security-association sa-name {
description description;
manual {
direction (inbound | outbound | bidirectional) {
authentication {
algorithm (hmac-md5-96 | hmac-sha1-96);
key (ascii-text key | hexadecimal key);
}
auxiliary-spi auxiliary-spi;
encryption {
algorithm (des-cbc | 3des-cbc);
key (ascii-text key | hexadecimal key);
}
protocol (ah | esp | bundle);
spi spi-value;
}
}
mode (tunnel | transport);
}
}

On the AS and MultiServices PICs, you configure a manual security association at the [edit services ipsec-vpn rule rule-name] hierarchy level. Include your choices for authentication, encryption, direction, protocol, and SPI. Be sure that these choices are configured exactly the same way on the remote IPSec gateway.

[edit services ipsec-vpn]
rule rule-name {
match-direction (input | output);
term term-name {
from {
destination-address address;
source-address address;
}
then {
backup-remote-gateway address;
clear-dont-fragment-bit;
manual {
direction (inbound | outbound | bidirectional) {
authentication {
algorithm (hmac-md5-96 | hmac-sha1-96);
key (ascii-text key | hexadecimal key);
}
auxiliary-spi spi-value;
encryption {
algorithm algorithm; # This can be aes-128-cbc, aes-192-cbc,
# aes-256-cbc, des-cbc, or 3des-cbc.
key (ascii-text key | hexadecimal key);
}
protocol (ah | bundle | esp);
spi spi-value;
}
}
no-anti-replay;
remote-gateway address;
syslog;
}
}
}
rule-set rule-set-name {
[ rule rule-names ];
}
[Contents] [Prev] [Next] [Index] [Report an Error]

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.