proposal-set (Security IKE)

Syntax

proposal-set (basic | compatible | prime-128 | prime-256 | standard | suiteb-gcm-128 | suiteb-gcm-256);

Hierarchy Level

[edit security ike policy policy-name]

Description

Specify one of the predefined Internet Key Exchange (IKE) proposal sets for an IKE policy, as an alternative to listing individual proposals with the proposals statement.

The basic, compatible, and standard sets use DES or 3DES encryption, DH group 1 or 2 (768-bit and 1024-bit MODP), and MD5 or SHA-1 authentication. These algorithms are considered weak, and from Junos OS Release 20.2R1 the CLI help text marks the three sets as NOT RECOMMENDED; for new deployments use one of the ECDSA-based sets (prime-128, prime-256, suiteb-gcm-128, or suiteb-gcm-256).

The prime-128 and prime-256 proposal sets require IKEv2 and certificate-based authentication (ECDSA signatures, so a local certificate must be configured on the IKE policy).

Options

  • basic—Includes a basic set of two IKE proposals:

    • Proposal 1—Preshared key, Data Encryption Standard (DES) encryption, and Diffie-Hellman (DH) group 1 and Secure Hash Algorithm 1 (SHA-1) authentication.

    • Proposal 2—Preshared key, DES encryption, and DH group 1 and Message Digest 5 (MD5) authentication.

  • compatible—Includes a set of four commonly used IKE proposals:

    • Proposal 1—Preshared key, triple DES (3DES) encryption, and Diffie-Hellman (DH) group 2 and SHA-1 authentication.

    • Proposal 2—Preshared key, 3DES encryption, and DH group 2 and MD5 authentication.

    • Proposal 3—Preshared key, DES encryption, and DH group 2 and SHA-1 authentication.

    • Proposal 4—Preshared key, DES encryption, and DH group 2 and MD5 authentication.

  • prime-128—Provides the following proposal set (this option is not supported on Group VPNv2):

    • Authentication method—Elliptic Curve Digital Signature Algorithm (ECDSA) 256-bit signatures.

    • Diffie-Hellman Group—19.

    • Encryption algorithm—Advanced Encryption Standard (AES) 128-bit Galois/Counter Mode (GCM).

    • Authentication algorithm—None (AES-GCM provides both encryption and authentication).

    When this option is used, prime-128 should also be configured at the [edit security ipsec policy policy-name proposal-set] hierarchy level.

  • prime-256—Provides the following proposal set (this option is not supported on Group VPNv2):

    • Authentication method—ECDSA 384-bit signatures.

    • Diffie-Hellman Group—20.

    • Encryption algorithm—AES 256-bit GCM.

    • Authentication algorithm—None (AES-GCM provides both encryption and authentication).

    When this option is used, prime-256 should also be configured at the [edit security ipsec policy policy-name proposal-set] hierarchy level.

  • standard—Includes a standard set of two IKE proposals:

    • Proposal 1— Preshared key, 3DES encryption, and DH group 2 and SHA-1 authentication.

    • Proposal 2—Preshared key, AES 128-bit encryption, and DH group 2 and SHA-1 authentication.

  • suiteb-gcm-128—Provides the following Suite B proposal set (this option is not supported on Group VPNv2):

    • Authentication method—ECDSA 256-bit signatures

    • Diffie-Hellman Group—19

    • Encryption algorithm—Advanced Encryption Standard (AES) 128-bit cipher block chaining (CBC)

    • Authentication algorithm—SHA-256

  • suiteb-gcm-256—Provides the following Suite B proposal set (this option is not supported on Group VPNv2):

    • Authentication method—ECDSA 384-bit signatures

    • Diffie-Hellman Group—20

    • Encryption algorithm—AES 256-bit CBC

    • Authentication algorithm—SHA-384

    The CBC encryption and SHA-2 integrity algorithms in the two Suite B sets are not a typo: they are what RFC 6379 specifies for the IKEv2 SA in Suite-B-GCM-128 and Suite-B-GCM-256. The GCM in the set name refers to the ESP (IPsec) proposal, which is selected with the matching suiteb-gcm-128 or suiteb-gcm-256 option at the [edit security ipsec policy policy-name proposal-set] hierarchy level.
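The following script is an added example for this page, not Juniper code. It reads set-style Junos configuration text (a constructed sample is embedded) and checks the points made above: IKE policies on the basic, compatible, or standard sets are flagged as weak; ECDSA-based sets must have a local certificate and no preshared key on the policy; prime-128 and prime-256 policies must be used by a gateway configured for IKEv2 (version v2-only) and must be paired with the same set on the IPsec policy. The statement names are real Junos statements; the policy, gateway, VPN and certificate names, the preshared key, and the addresses are invented for the sample.

```python
"""Audit Junos 'set'-style configuration for the IKE proposal-set choices above.

Added example for this documentation page; it is not Juniper code.
Sample configuration below is constructed: object names, certificate id,
key and addresses are invented, the statements themselves are real Junos ones.
"""
import re

# Sets whose help text is NOT RECOMMENDED from 20.2R1: DES/3DES, DH group 1/2, MD5/SHA-1.
WEAK_SETS = {"basic", "compatible", "standard"}
# Sets authenticated with ECDSA signatures: a local certificate is required on the policy.
ECDSA_SETS = {"prime-128", "prime-256", "suiteb-gcm-128", "suiteb-gcm-256"}
# prime-* additionally require IKEv2 and the same set on the IPsec policy.
PRIME_SETS = {"prime-128", "prime-256"}

_SET_RE = re.compile(r"^set security (ike|ipsec) (policy|gateway|vpn) (\S+) (.*)$")

# Constructed sample: one legacy VPN on 'compatible', and one VPN on prime-256
# whose IPsec policy was left on 'standard'.
SAMPLE_CONFIG = """
set security ike policy legacy-pol mode main
set security ike policy legacy-pol proposal-set compatible
set security ike policy legacy-pol pre-shared-key ascii-text "example-psk"
set security ike gateway legacy-gw ike-policy legacy-pol
set security ike gateway legacy-gw address 203.0.113.10
set security ike gateway legacy-gw external-interface ge-0/0/0.0
set security ipsec policy legacy-ipsec proposal-set compatible
set security ipsec vpn legacy-vpn ike gateway legacy-gw
set security ipsec vpn legacy-vpn ike ipsec-policy legacy-ipsec
set security ike policy hard-pol proposal-set prime-256
set security ike policy hard-pol certificate local-certificate srx-ecdsa-p384
set security ike gateway hard-gw ike-policy hard-pol
set security ike gateway hard-gw address 198.51.100.20
set security ike gateway hard-gw external-interface ge-0/0/0.0
set security ike gateway hard-gw version v2-only
set security ipsec policy hard-ipsec proposal-set standard
set security ipsec vpn hard-vpn ike gateway hard-gw
set security ipsec vpn hard-vpn ike ipsec-policy hard-ipsec
"""


def parse_set_config(text):
    """Group 'set security ...' lines as {(family, kind): {name: [attribute, ...]}}."""
    objects = {}
    for raw in text.splitlines():
        m = _SET_RE.match(raw.strip())
        if m:
            family, kind, name, rest = m.groups()
            objects.setdefault((family, kind), {}).setdefault(name, []).append(rest)
    return objects


def attr(attrs, prefix):
    """Value following `prefix` in the first matching attribute (True if bare), else None."""
    for a in attrs:
        if a == prefix or a.startswith(prefix + " "):
            return a[len(prefix):].strip() or True
    return None


def audit_ike_proposal_sets(text):
    """Return (severity, object_name, message) findings for set-style config text."""
    objs = parse_set_config(text)
    ike_policies = objs.get(("ike", "policy"), {})
    gateways = objs.get(("ike", "gateway"), {})
    ipsec_policies = objs.get(("ipsec", "policy"), {})
    vpns = objs.get(("ipsec", "vpn"), {})
    gw_policy = {gw: attr(a, "ike-policy") for gw, a in gateways.items()}
    findings = []
    for pol, attrs in ike_policies.items():
        pset = attr(attrs, "proposal-set")
        if pset is None:
            continue  # policy lists individual proposals instead; out of scope here
        if pset in WEAK_SETS:
            findings.append(("HIGH", pol, f"proposal-set {pset}: DES/3DES, DH group 1/2, "
                                          "MD5/SHA-1 (NOT RECOMMENDED since 20.2R1)"))
        if pset in ECDSA_SETS:
            if attr(attrs, "certificate") is None:
                findings.append(("HIGH", pol, f"{pset} authenticates with ECDSA signatures "
                                              "but no local certificate is configured"))
            if attr(attrs, "pre-shared-key") is not None:
                findings.append(("HIGH", pol, f"{pset} uses certificate authentication; "
                                              "pre-shared-key does not apply"))
        if pset in PRIME_SETS:
            for gw, gw_pol in gw_policy.items():
                if gw_pol == pol and attr(gateways[gw], "version") != "v2-only":
                    findings.append(("HIGH", gw, f"uses {pol} ({pset}), which requires IKEv2; "
                                                 "set 'version v2-only'"))
            for vpn, vattrs in vpns.items():
                gw, ipol = attr(vattrs, "ike gateway"), attr(vattrs, "ike ipsec-policy")
                if gw and ipol and gw_policy.get(gw) == pol:
                    ipset = attr(ipsec_policies.get(ipol, []), "proposal-set")
                    if ipset != pset:
                        findings.append(("MEDIUM", vpn, f"IKE uses {pset} but IPsec policy "
                                                        f"{ipol} uses {ipset}; configure {pset} on both"))
    return findings


if __name__ == "__main__":
    for sev, obj, msg in audit_ike_proposal_sets(SAMPLE_CONFIG):
        print(f"{sev:6} {obj:12} {msg}")
```

Run against the sample, the script reports legacy-pol as HIGH for the compatible set and hard-vpn as MEDIUM because its IPsec policy is on standard rather than prime-256; removing `version v2-only` from hard-gw adds a HIGH finding for the gateway. Feed it the output of `show configuration security | display set` to audit a real device offline.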

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5. Support for suiteb-gcm-128 and suiteb-gcm-256 options added in Junos OS Release 12.1X45-D10. Support for prime-128 and prime-256 options added in Junos OS Release 15.1X49-D40.

Starting in Junos OS Release 20.2R1, the CLI help text for the basic, compatible, and standard options is marked NOT RECOMMENDED on SRX Series Firewalls that run the iked process (junos-ike package).