To define a dynamic SA configuration, you must include at least the following statements at the [edit services ipsec-vpn] hierarchy level:
    ike {
        proposal proposal-name {
            authentication-algorithm (md5 | sha1 | sha-256);
            authentication-method pre-shared-keys;
            dh-group (group1 | group2);
            encryption-algorithm algorithm;
        }
        policy policy-name {
            proposal [ ike-proposal-names ];
            pre-shared-key (ascii-text key | hexadecimal key);
        }
    }
    ipsec {
        policy policy-name {
            proposals [ ipsec-proposal-names ];
        }
        proposal proposal-name {
            authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
            encryption-algorithm algorithm;
            protocol (ah | esp | bundle);
        }
    }
You must also include the ipsec-policy statement at the [edit services ipsec-vpn rule rule-name term term-name then dynamic] hierarchy level.
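As an added illustration (not Juniper's code), the following Python check parses an ipsec-vpn stanza and reports which of the minimum statements listed above are absent, including ipsec-policy under then dynamic. The sample configuration, its names (ike-p1, ike-pol, esp-p1, r1, t1), the key placeholder and the 3des-cbc value are constructed; the check assumes every rule term is a dynamic SA term and that values contain no braces or semicolons.

```python
import re

# Minimum statements, spelled as in the listing above, per (section, block kind).
REQUIRED = {
    ("ike", "proposal"): ["authentication-algorithm", "authentication-method",
                          "dh-group", "encryption-algorithm"],
    ("ike", "policy"): ["proposal", "pre-shared-key"],
    ("ipsec", "policy"): ["proposals"],
    ("ipsec", "proposal"): ["authentication-algorithm", "encryption-algorithm", "protocol"],
}

# Constructed, deliberately incomplete stanza from [edit services ipsec-vpn].
SAMPLE = """ike { proposal ike-p1 { authentication-algorithm sha-256; dh-group group2; }
      policy ike-pol { proposal [ ike-p1 ]; pre-shared-key ascii-text EXAMPLE; } }
ipsec { proposal esp-p1 { protocol esp; encryption-algorithm 3des-cbc; } }
rule r1 { term t1 { then { dynamic { ike-policy ike-pol; } } } }"""

def parse(text):
    """Parse brace-delimited config text into nested dicts (leaf: keyword -> rest)."""
    stack = [{}]
    for head, delim in re.findall(r"([^{};]*)([{};])", text):
        head = " ".join(head.split())
        if delim == "{":
            stack.append(stack[-1].setdefault(head, {}))
        elif delim == ";" and head:
            key, _, value = head.partition(" ")
            stack[-1][key] = value
        elif delim == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unclosed '{'")
    return stack[0]

def missing_statements(text):
    """List the required dynamic-SA statements that are absent from the stanza."""
    vpn, missing = parse(text), []
    for (section, kind), needed in REQUIRED.items():
        blocks = {n: b for n, b in vpn.get(section, {}).items() if n.startswith(kind + " ")}
        if not blocks:
            missing.append(f"{section}: no {kind} block")
        for name, body in blocks.items():
            missing += [f"{section} {name}: {s}" for s in needed if s not in body]
    for rule in (k for k in vpn if k.startswith("rule ")):
        for term in (k for k in vpn[rule] if k.startswith("term ")):
            if "ipsec-policy" not in vpn[rule][term].get("then", {}).get("dynamic", {}):
                missing.append(f"{rule} {term} then dynamic: ipsec-policy")
    return missing
```

Running missing_statements(SAMPLE) lists five gaps: two in the IKE proposal, the absent IPsec policy, one in the IPsec proposal, and the missing ipsec-policy reference in the rule term.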