To configure Internet Protocol Security (IPSec) services, include the following statements at the [edit services ipsec-vpn] hierarchy level:
clear-ike-sas-on-pic-restart;
clear-ipsec-sas-on-pic-restart;
ike {
    proposal proposal-name {
        authentication-algorithm (md5 | sha1 | sha-256);
        authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
        description description;
        dh-group (group1 | group2);
        encryption-algorithm algorithm;
        lifetime-seconds seconds;
    }
    policy policy-name {
        description description;
        local-certificate identifier;
        local-id {
            ipv4_addr [ values ];
            ipv6_addr [ values ];
            key_id [ values ];
        }
        mode (aggressive | main);
        pre-shared-key (ascii-text key | hexadecimal key);
        proposals [ proposal-names ];
        remote-id {
            any-remote-id;
            ipv4_addr [ values ];
            ipv6_addr [ values ];
            key_id [ values ];
        }
    }
}
ipsec {
    proposal proposal-name {
        authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
        description description;
        encryption-algorithm algorithm;
        lifetime-seconds seconds;
        protocol (ah | esp | bundle);
    }
    policy policy-name {
        description description;
        perfect-forward-secrecy {
            keys (group1 | group2);
        }
        proposals [ proposal-names ];
    }
}
rule rule-name {
    match-direction (input | output);
    term term-name {
        from {
            destination-address address;
            ipsec-inside-interface interface-name;
            source-address address;
        }
        then {
            backup-remote-gateway address;
            clear-dont-fragment-bit;
            dynamic {
                ike-policy policy-name;
                ipsec-policy policy-name;
            }
            initiate-dead-peer-detection;
            manual {
                direction (inbound | outbound | bidirectional) {
                    authentication {
                        algorithm (hmac-md5-96 | hmac-sha1-96);
                        key (ascii-text key | hexadecimal key);
                    }
                    auxiliary-spi spi-value;
                    encryption {
                        algorithm algorithm;
                        key (ascii-text key | hexadecimal key);
                    }
                    protocol (ah | bundle | esp);
                    spi spi-value;
                }
            }
            no-anti-replay;
            remote-gateway address;
            syslog;
            tunnel-mtu bytes;
        }
    }
}
rule-set rule-set-name {
    [ rule rule-names ];
}
traceoptions {
    file {
        files number;
        size bytes;
    }
    flag flag;
}
This chapter includes the following sections: