An IKE policy defines a combination of security parameters (IKE proposals) to be used during IKE negotiation. It defines a peer address and the proposals needed for that connection. Depending on which authentication method is used, it defines the preshared key for the given peer or the local certificate. During the IKE negotiation, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match.
A match is made when the two peers' policies each contain a proposal with the same configured attributes. If the lifetimes are not identical, the shorter of the two lifetimes (host and peer) is used. The configured preshared key must also match the one configured on the peer.
You can create multiple, prioritized proposals at each peer to ensure that at least one proposal matches a remote peer’s proposal.
First, you configure one or more IKE proposals; then you associate these proposals with an IKE policy. You can also prioritize a list of proposals used by IKE in the policy statement by listing the proposals you want to use, from first to last.
To configure an IKE policy, include the policy statement and specify a policy name at the [edit services ipsec-vpn ike] hierarchy level:
    policy policy-name {
        description description;
        local-certificate identifier;
        local-id {
            ipv4_addr [ values ];
            ipv6_addr [ values ];
            key_id [ values ];
        }
        mode (aggressive | main);
        pre-shared-key (ascii-text key | hexadecimal key);
        proposals [ proposal-names ];
        remote-id {
            any-remote-id;
            ipv4_addr [ values ];
            ipv6_addr [ values ];
            key_id [ values ];
        }
    }
For an example of an IKE policy configuration, see Example: Configuring an IKE Policy.
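The match rule described above (prioritized proposal list, first matching proposal wins, shorter lifetime, preshared key must agree) as a small Python model. This is an added illustration, not Juniper code; the proposal attribute names follow the Junos IKE proposal statement and the policy names, keys and values are constructed.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Attributes two proposals must share to match (names taken from the Junos
# IKE proposal statement; treating exactly these as the match set is an
# assumption of this model).
MATCH_ATTRS = ("authentication-method", "dh-group",
               "encryption-algorithm", "authentication-algorithm")

@dataclass
class Proposal:
    name: str
    attrs: dict
    lifetime_seconds: int

@dataclass
class Policy:
    pre_shared_key: str
    proposals: list = field(default_factory=list)  # listed first to last

def negotiate(initiator: Policy, responder: Policy) -> Optional[dict]:
    """Initiator offers every proposal in configured order; the responder
    accepts the first offer equal to one of its own on all MATCH_ATTRS.
    Lifetime is the shorter of the two. PSK mismatch means no match."""
    if not hmac.compare_digest(initiator.pre_shared_key.encode(),
                               responder.pre_shared_key.encode()):
        return None
    for offer in initiator.proposals:
        for local in responder.proposals:
            if all(offer.attrs.get(a) == local.attrs.get(a) for a in MATCH_ATTRS):
                agreed = {a: offer.attrs[a] for a in MATCH_ATTRS}
                agreed["lifetime-seconds"] = min(offer.lifetime_seconds,
                                                 local.lifetime_seconds)
                agreed["proposal"] = (offer.name, local.name)
                return agreed
    return None

# Constructed sample data: a strong proposal listed first, a legacy one second.
STRONG = {"authentication-method": "pre-shared-keys", "dh-group": "group14",
          "encryption-algorithm": "aes-256-cbc", "authentication-algorithm": "sha-256"}
LEGACY = {"authentication-method": "pre-shared-keys", "dh-group": "group2",
          "encryption-algorithm": "3des-cbc", "authentication-algorithm": "sha1"}
LOCAL = Policy("example-psk", [Proposal("ike-strong", STRONG, 28800),
                              Proposal("ike-legacy", LEGACY, 28800)])
PEER_LEGACY_ONLY = Policy("example-psk", [Proposal("peer-old", LEGACY, 3600)])
PEER_WRONG_KEY = Policy("other-psk", [Proposal("peer-strong", STRONG, 28800)])

if __name__ == "__main__":
    print(negotiate(LOCAL, PEER_LEGACY_ONLY))  # legacy proposal, lifetime 3600
    print(negotiate(LOCAL, PEER_WRONG_KEY))    # None
```

Note that the legacy proposal is selected even though it is listed last: proposal order only expresses preference, so a weak proposal anywhere in the list can end up negotiated with a peer that offers nothing better.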