
policy (Security IKE)

Syntax

Hierarchy Level

Description

IKE policies define a combination of security parameters (IKE proposals) to be used during IKE negotiation, including peer address, the preshared key for the given peer, and the proposals needed for that connection. During the IKE negotiation, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match.

IKE proposals in the policy statement are evaluated in list order, from top to bottom, so when creating the policy, specify the highest priority proposal first, followed by the next highest priority, and so on.
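The following is an added example, not Junos code, that models the negotiation just described: the initiator offers its proposals in configured order and the responder accepts the first one it also supports. The Proposal fields and the sample proposal sets are assumptions chosen for illustration; check_policy also applies the two rules the proposals option states (at most four proposals, one Diffie-Hellman group across all of them).

```python
# Added example: a model of IKE Phase 1 proposal matching in list order.
# Not Junos code; Proposal fields and sample sets are assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    name: str           # local name only; never compared between peers
    auth_method: str    # e.g. "pre-shared-keys"
    dh_group: str       # e.g. "group14"
    auth_alg: str       # e.g. "sha-256"
    enc_alg: str        # e.g. "aes-256-cbc"

    def params(self):
        # Only the security parameters take part in matching.
        return (self.auth_method, self.dh_group, self.auth_alg, self.enc_alg)


def check_policy(proposals: List[Proposal]) -> None:
    """Enforce the rules the reference states for the proposals option:
    at most four proposals, and the same Diffie-Hellman group in all of them."""
    if not 1 <= len(proposals) <= 4:
        raise ValueError("an IKE policy carries between 1 and 4 proposals")
    if len({p.dh_group for p in proposals}) != 1:
        raise ValueError("all proposals in a policy must use the same DH group")


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Return the proposal the peers agree on, or None if nothing matches.

    The initiator offers its list in configured order, so its top-most entry
    that the responder also supports wins, whatever the responder's order."""
    check_policy(initiator)
    check_policy(responder)
    responder_params = {p.params(): p for p in responder}
    for offered in initiator:          # priority order, top to bottom
        if offered.params() in responder_params:
            return offered
    return None


# Constructed sample proposal sets (not from any real configuration).
INITIATOR = [
    Proposal("strong", "pre-shared-keys", "group14", "sha-256", "aes-256-cbc"),
    Proposal("compat", "pre-shared-keys", "group14", "sha-256", "aes-128-cbc"),
]
RESPONDER = [
    Proposal("r-compat", "pre-shared-keys", "group14", "sha-256", "aes-128-cbc"),
    Proposal("r-strong", "pre-shared-keys", "group14", "sha-256", "aes-256-cbc"),
]
MISMATCH = [
    Proposal("legacy", "pre-shared-keys", "group2", "sha1", "3des-cbc"),
]

if __name__ == "__main__":
    chosen = negotiate(INITIATOR, RESPONDER)
    print("agreed on:", chosen.name if chosen else None)   # strong
    print("no match:", negotiate(INITIATOR, MISMATCH))      # None
```

Note that the responder lists aes-128 first, yet the negotiation lands on aes-256 because the initiator's order decides; swapping the roles makes aes-128 win. That asymmetry is why the strongest proposal belongs at the top of every policy, not only on the side you expect to initiate.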

Options

policy-name—Name of the IKE policy. The policy name can be up to 32 alphanumeric characters long.

blocklist blocklist-name—Specify the name of the corresponding remote peer's IKE identity blocklist. The blocklist is used to block IKE IDs during the authentication phase of IKE SA negotiation.

certificate—Specify usage of a digital certificate to authenticate the virtual private network (VPN) initiator and recipient. For more information, see certificate.

description description—Specify a description for the IKE policy.

mode—Define the mode used for Internet Key Exchange (IKE) Phase 1 negotiations. Use aggressive mode only when you need to initiate an IKE key exchange without ID protection, as when a peer unit has a dynamically assigned IP address. The IKEv2 protocol does not use the mode configuration in its negotiation. The device deletes existing IKE and IPsec SAs when you update the mode configuration in the IKE policy.

  • aggressive—Aggressive mode.

  • main—Main mode. Main mode is the recommended key-exchange method because it conceals the identities of the parties during the key exchange.

    Configuring mode main for group VPN servers or members is not supported when the remote gateway has a dynamic address and the authentication method is pre-shared-keys.

pre-shared-key—Define a preshared key for an IKE policy. The device deletes existing IKE and IPsec SAs when you update the pre-shared-key configuration in the IKE policy.

  • ascii-text key—Specify a string of 1 to 255 ASCII text characters for the key. To include the special characters ( ) [ ] ! & ? |, enclose either the entire key string or the special character in quotation marks; for example, “str)ng” or str”)”ng. Other use of quotation marks within the string is not allowed. With des-cbc encryption, the key contains 8 ASCII characters. With 3des-cbc encryption, the key contains 24 ASCII characters.

  • hexadecimal key—Specify a string of 1 to 255 hexadecimal characters for the key. Characters must be hexadecimal digits 0 through 9, or letters a through f or A through F. With des-cbc encryption, the key contains 16 hexadecimal characters. With 3des-cbc encryption, the key contains 48 hexadecimal characters.
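The following added example (not Junos code) checks a pre-shared-key value against the format rules listed for ascii-text and hexadecimal keys and returns the token to type at the CLI. The function names and the fixed-length table are my reading of the text above; other encryption algorithms are assumed to accept any length from 1 to 255.

```python
# Added example: validate a pre-shared-key value against the documented
# format rules. Not Junos code; helper names are assumptions.
import re
from typing import Optional

MAX_LEN = 255
# Characters the reference says must be enclosed in quotation marks.
SPECIAL_CHARS = set("()[]!&?|")
# Key lengths the reference states for the DES-based encryption algorithms,
# keyed by (encryption algorithm, key format). Anything else: 1 to 255.
FIXED_LENGTHS = {
    ("des-cbc", "ascii-text"): 8,
    ("des-cbc", "hexadecimal"): 16,
    ("3des-cbc", "ascii-text"): 24,
    ("3des-cbc", "hexadecimal"): 48,
}
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def _check_length(key: str, fmt: str, encryption: Optional[str]) -> None:
    if not 1 <= len(key) <= MAX_LEN:
        raise ValueError(f"{fmt} key must be 1 to {MAX_LEN} characters, got {len(key)}")
    fixed = FIXED_LENGTHS.get((encryption, fmt))
    if fixed is not None and len(key) != fixed:
        raise ValueError(f"{encryption} needs a {fixed}-character {fmt} key, got {len(key)}")


def ascii_key_token(key: str, encryption: Optional[str] = None) -> str:
    """Validate an ascii-text key and return it, quoted if it needs quoting."""
    if not key.isascii():
        raise ValueError("ascii-text key may contain only ASCII characters")
    if '"' in key:
        raise ValueError("quotation marks inside the key are not allowed")
    _check_length(key, "ascii-text", encryption)
    # Quoting the whole string is the simpler of the two documented forms
    # (the other quotes only the special character, e.g. str")"ng).
    if SPECIAL_CHARS & set(key):
        return f'"{key}"'
    return key


def hex_key_token(key: str, encryption: Optional[str] = None) -> str:
    """Validate a hexadecimal key; hex digits never need quoting."""
    if not HEX_RE.fullmatch(key):
        raise ValueError("hexadecimal key may contain only 0-9, a-f, A-F")
    _check_length(key, "hexadecimal", encryption)
    return key


if __name__ == "__main__":
    print(ascii_key_token("str)ng"))                      # "str)ng"
    print(ascii_key_token("abcdefgh", "des-cbc"))         # abcdefgh
    print(hex_key_token("0123456789ABCDEF", "des-cbc"))   # 0123456789ABCDEF
```

Running the check before committing avoids the common failure where a key containing ) or ! is typed unquoted, the CLI parses it differently on the two peers, and Phase 1 then fails authentication with no obvious cause.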

seeded-pre-shared-key—Define a seeded preshared key in ASCII or hexadecimal format for an IKE policy. The seeded-pre-shared-key is a master key used to generate a pre-shared-key for each peer, so every peer has a different pre-shared-key. The advantage of this option is that each peer connection to the gateway uses a different preshared key; if one peer's pre-shared-key is compromised, the other peers are not affected.

The peer preshared keys are generated from the master key configured as seeded-pre-shared-key and distributed to the peers. To view a peer's pre-shared-key, run the show security ike pre-shared-key command, then configure the displayed key on the peer device as its pre-shared-key (in ASCII format). The master key is configured only on the gateway device and is never shared with any peer.

You can retrieve the peer preshared key using the show security ike pre-shared-key user-id peer ike-id master-key master key or show security ike pre-shared-key user-id peer ike-id gateway gateway name command.
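The following is an added example, not Junos code, illustrating the property the seeded-pre-shared-key option is described as providing: one master key held only on the gateway, a distinct derived key per peer, and no impact on other peers when one peer's key leaks. The derivation used here (HMAC-SHA256 over the peer's IKE ID under the master key) is an assumption for illustration; this reference does not specify the algorithm Junos uses. Gateway, Peer, prove and the sample IDs and master key are all constructed.

```python
# Added example: illustrative per-peer PSK derivation from one master key.
# The derivation is an assumption, not the Junos algorithm; all names and
# sample values are constructed.
import hashlib
import hmac
import secrets


def derive_peer_psk(master_key: bytes, gateway_name: str, peer_ike_id: str) -> str:
    """Hypothetical derivation: one master key, a distinct hex PSK per peer."""
    label = f"{gateway_name}\x00{peer_ike_id}".encode()
    return hmac.new(master_key, label, hashlib.sha256).hexdigest()


def prove(psk_hex: str, nonce: bytes) -> bytes:
    """Toy proof of PSK possession over a fresh nonce (stand-in for IKE AUTH)."""
    return hmac.new(bytes.fromhex(psk_hex), nonce, hashlib.sha256).digest()


class Gateway:
    """Holds the master key; only derived per-peer keys ever leave it."""

    def __init__(self, name: str, master_key: bytes):
        self.name = name
        self._master_key = master_key

    def show_pre_shared_key(self, peer_ike_id: str) -> str:
        # Models the documented workflow: the operator displays a peer's
        # derived key on the gateway and configures it on that peer.
        return derive_peer_psk(self._master_key, self.name, peer_ike_id)

    def verify(self, peer_ike_id: str, nonce: bytes, proof: bytes) -> bool:
        # The gateway re-derives the key for the claimed IKE ID on the fly,
        # so it stores no per-peer secrets at all.
        expected = prove(self.show_pre_shared_key(peer_ike_id), nonce)
        return hmac.compare_digest(expected, proof)


class Peer:
    def __init__(self, ike_id: str, psk_hex: str):
        self.ike_id = ike_id
        self.psk_hex = psk_hex   # the only secret the peer holds

    def authenticate_to(self, gateway: Gateway) -> bool:
        nonce = secrets.token_bytes(16)
        return gateway.verify(self.ike_id, nonce, prove(self.psk_hex, nonce))


# Constructed sample values (not real keys or identities).
MASTER_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
GATEWAY = Gateway("hub-gw", MASTER_KEY)
ALICE_ID = "alice@example.com"
BOB_ID = "bob@example.com"


def demo() -> dict:
    """Observations to check: distinct keys per peer, a correctly provisioned
    peer authenticates, a peer presenting another peer's leaked key does not."""
    alice = Peer(ALICE_ID, GATEWAY.show_pre_shared_key(ALICE_ID))
    bob = Peer(BOB_ID, GATEWAY.show_pre_shared_key(BOB_ID))
    wrong_key = Peer(BOB_ID, alice.psk_hex)   # bob's ID with alice's key
    return {
        "distinct": alice.psk_hex != bob.psk_hex,
        "alice_ok": alice.authenticate_to(GATEWAY),
        "bob_ok": bob.authenticate_to(GATEWAY),
        "leaked_key_reused": wrong_key.authenticate_to(GATEWAY),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the per-peer key is a one-way function of the master key: handing a peer its own derived key gives it nothing it can use to compute another peer's key, which is what limits the blast radius of a single compromised peer to that peer alone.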

  • ascii-text key—Configure a string of 1 to 255 ASCII text characters for the key. To include the special characters ( ) [ ] ! & ? |, enclose either the entire key string or the special character in quotation marks; for example, “str)ng” or str”)”ng. Other use of quotation marks within the string is not allowed.

  • hexadecimal key—Specify a string of 1 to 255 hexadecimal characters for the key. Characters must be hexadecimal digits 0 through 9, or letters a through f or A through F.

proposal-set—Specify a set of default Internet Key Exchange (IKE) proposals.

proposals proposal-name—Specify up to four Phase 1 proposals for an IKE policy. If you include multiple proposals, use the same Diffie-Hellman group in all of the proposals.

reauth-frequency number—Configure the reauthentication frequency to trigger a new IKEv2 reauthentication. Reauthentication creates a new IKE SA, creates new child SAs within the IKE SA, and then deletes the old IKE SA. This option is disabled by default. The number is the count of IKE rekeys that occur before reauthentication takes place. If reauth-frequency is 1, reauthentication occurs every time there is an IKE rekey. If reauth-frequency is 2, reauthentication occurs at every other IKE rekey. If reauth-frequency is 3, reauthentication occurs at every third IKE rekey.

  • Default: 0 (disable)

  • Range: 0-100

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement modified in Junos OS Release 8.5.

Support for suiteb-gcm-128 and suiteb-gcm-256 options added in Junos OS Release 12.1X45-D10.

Support for policy-oids option added in Junos OS Release 12.3X48-D10.

Support for trusted-ca option added in Junos OS Release 18.1R1.

Support for reauth-frequency option added in Junos OS Release 15.1X49-D60.

Support for seeded-pre-shared-key option added in Junos OS Release 21.1R1.

Support for blocklist option added in Junos OS Release 23.4R1.