IPsec Services Configuration Guidelines
To configure IP Security (IPsec) services, include the following statements at the [edit services ipsec-vpn] hierarchy level:
[edit services ipsec-vpn]
clear-ike-sas-on-pic-restart;
clear-ipsec-sas-on-pic-restart;
ike {
    proposal proposal-name {
        authentication-algorithm (md5 | sha1 | sha-256);
        authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
        description description;
        dh-group (group1 | group2 | group5);
        encryption-algorithm algorithm;
        lifetime-seconds seconds;
    }
    policy policy-name {
        description description;
        local-certificate identifier;
        local-id (ipv4_addr ipv4-address | ipv6-addr ipv6-address | key-id identifier);
        mode (aggressive | main);
        pre-shared-key (ascii-text key | hexadecimal key);
        proposals [ proposal-names ];
        remote-id {
            any-remote-id;
            ipv4_addr [ values ];
            ipv6_addr [ values ];
            key_id [ values ];
        }
    }
}
ipsec {
    proposal proposal-name {
        authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
        description description;
        encryption-algorithm algorithm;
        lifetime-seconds seconds;
        protocol (ah | esp | bundle);
    }
    policy policy-name {
        description description;
        perfect-forward-secrecy {
            keys (group1 | group2);
        }
        proposals [ proposal-names ];
    }
}
rule rule-name {
    match-direction (input | output);
    term term-name {
        from {
            destination-address address;
            ipsec-inside-interface interface-name;
            source-address address;
        }
        then {
            anti-replay-window-size bits;
            backup-remote-gateway address;
            clear-dont-fragment-bit;
            dynamic {
                ike-policy policy-name;
                ipsec-policy policy-name;
            }
            initiate-dead-peer-detection;
            manual {
                direction (inbound | outbound | bidirectional) {
                    authentication {
                        algorithm (hmac-md5-96 | hmac-sha1-96);
                        key (ascii-text key | hexadecimal key);
                    }
                    auxiliary-spi spi-value;
                    encryption {
                        algorithm algorithm;
                        key (ascii-text key | hexadecimal key);
                    }
                    protocol (ah | bundle | esp);
                    spi spi-value;
                }
            }
            no-anti-replay;
            remote-gateway address;
            syslog;
            tunnel-mtu bytes;
        }
    }
}
rule-set rule-set-name {
    [ rule rule-names ];
}
no-ipsec-tunnel-in-traceroute;
traceoptions {
    file {
        files number;
        size bytes;
    }
    flag flag;
    level level;
}
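The following stanza is an added illustration of how these statements fit together for one dynamic (IKE-negotiated) tunnel; it is constructed for this page and is not from the Junos documentation. The proposal, policy, rule and rule-set names, the interface name, the 203.0.113.2 peer address, and the aes-256-cbc encryption value (the hierarchy above only shows the placeholder "algorithm") are assumptions; where the hierarchy offers a choice, the stronger option it lists is selected.

```junos
[edit services ipsec-vpn]
ike {
    proposal ike-prop-strong {
        authentication-method pre-shared-keys;
        authentication-algorithm sha-256;   # strongest IKE hash this hierarchy offers
        dh-group group5;                    # largest DH group this hierarchy offers
        encryption-algorithm aes-256-cbc;   # assumed value; hierarchy shows only "algorithm"
    }
    policy ike-pol-branch {
        mode main;                          # main mode protects peer identities; aggressive does not
        proposals [ ike-prop-strong ];
        pre-shared-key ascii-text "REPLACE-WITH-STRONG-KEY";   # placeholder, not a real key
        remote-id {
            ipv4_addr [ 203.0.113.2 ];      # constructed documentation address
        }
    }
}
ipsec {
    proposal ipsec-prop-esp {
        protocol esp;                       # esp encrypts; ah only authenticates
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-256-cbc;   # assumed value
    }
    policy ipsec-pol-pfs {
        perfect-forward-secrecy {
            keys group2;                    # fresh DH exchange per IPsec SA; largest group listed
        }
        proposals [ ipsec-prop-esp ];
    }
}
rule branch-tunnel {
    match-direction input;
    term t1 {
        from {
            ipsec-inside-interface sp-0/0/0.1;    # assumed services interface name
        }
        then {
            remote-gateway 203.0.113.2;
            dynamic {
                ike-policy ike-pol-branch;        # binds the IKE policy above
                ipsec-policy ipsec-pol-pfs;       # binds the IPsec policy above
            }
            initiate-dead-peer-detection;
            anti-replay-window-size 64;           # keep replay protection; avoid no-anti-replay
        }
    }
}
rule-set branch-tunnels {
    rule branch-tunnel;
}
```

The rule-set is what a services interface references, so a rule that is not listed in a rule-set is never applied to traffic.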
This chapter includes the following sections:
- Minimum Security Association Configurations
- Configuring Security Associations
- Configuring IKE Proposals
- Configuring IKE Policies
- Configuring IPsec Proposals
- Configuring IPsec Policies
- IPsec Policy for Dynamic Endpoints
- Configuring IPsec Rules
- Configuring IPsec Rule Sets
- Configuring Dynamic Endpoints for IPsec Tunnels
- Tracing IPsec Operations
- Examples: Configuring IPsec Services