 |
Note: The IKE policy peer address must be an IPSec tunnel destination address. |
An IKE policy defines a combination of security parameters (IKE proposals) to be used during IKE negotiation. It defines a peer address, the preshared key for the given peer, and the proposals needed for that connection. During the IKE negotiation, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match.
A match is made when both policies from the two peers have a proposal that contains the same configured attributes. If the lifetimes are not identical, the shorter lifetime between the two policies (from the host and peer) is used. The configured preshared key must also match its peer.
You can create multiple, prioritized proposals at each peer to ensure that at least one proposal will match a remote peer’s proposal.
First, you configure one or more IKE proposals; then you associate these proposals with an IKE policy. You can also prioritize a list of proposals used by IKE in the policy statement by listing the proposals you want to use, from first to last.
To configure an IKE policy, include the policy statement at the [edit security ike] hierarchy level and specify a peer address:
- [edit security ike]
-
policy ike-peer-address;
|
Note: The IKE policy peer address must be an IPSec tunnel destination address. |
This section discusses the following topics:
 | Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |