
Configuring an IKE Policy

An IKE policy defines a combination of security parameters (IKE proposals) to be used during IKE negotiation. The policy defines a peer address, the preshared key for the given peer, and the proposals needed for that connection. During the IKE negotiation, IKE searches for an IKE policy that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match.

A match is made when both peer policies have a proposal that contains the same configured attributes. If the lifetimes are not identical, the shorter lifetime between the two policies is used. The configured preshared key must also match its peer.

Note: You can create an IKE access profile that uses the IKE policy to negotiate IKE and IPSec security associations with dynamic peers. You can configure only one tunnel profile per service set for all dynamic peers. The configured preshared key in the profile is used for IKE authentication of all dynamic peers terminating in that service set. You can also use the digital certificate method for IKE authentication with dynamic peers. For more information about IKE access profiles, see the JUNOS System Basics Configuration Guide. For detailed information, see the JUNOS Services Interfaces Configuration Guide.

To configure an IKE policy:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 31.
  3. Go on to Configuring an IPSec Proposal.

Table 31: Configuring IKE Policy

Task: Navigate to the Services>Ipsec vpn>Ike level in the configuration hierarchy.

J-Web Configuration Editor:

  1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
  2. Next to Services, click Configure or Edit.
  3. Next to Ipsec vpn, click Configure.
  4. Next to Ike, click Configure.

CLI Configuration Editor: From the [edit] hierarchy level, enter

edit services ipsec-vpn ike

Task: Configure an IKE policy—for example, ike-dynamic-policy.

J-Web Configuration Editor:

  1. Next to Policy, click Add new entry.
  2. In the Name box, type ike-dynamic-policy.

CLI Configuration Editor: Enter

set policy ike-dynamic-policy

Task: Configure a local ID for the policy—for example, 10.90.90.2.

J-Web Configuration Editor:

  1. Next to Local id, click Configure.
  2. In the Id type box, select Ipv4 addr.
  3. In the Ipv4 addr box, type 10.90.90.2.

CLI Configuration Editor: Enter

set policy ike-dynamic-policy local-id ipv4_addr 10.90.90.2

Task: Configure a remote ID for the policy—for example, 10.90.90.1.

J-Web Configuration Editor:

  1. Next to Remote id, click Configure.
  2. Next to Ipv4 addr, click Add new entry.
  3. In the Value box, type 10.90.90.1.

CLI Configuration Editor: Enter

set policy ike-dynamic-policy remote-id ipv4_addr 10.90.90.1

Task: Configure a preshared key—for example, $1991poPPi—for IKE in ASCII format.

Note: The IKE preshared key must be configured exactly the same way at both the local and remote endpoints of the IPSec tunnel.

J-Web Configuration Editor:

  1. Next to Pre-shared key, click Configure.
  2. In the Key choice box, select Ascii text from the list.
  3. In the Ascii text box, type the plain text IKE key $1991poPPi.

CLI Configuration Editor: Enter

set policy ike-dynamic-policy pre-shared-key ascii-text $1991poPPi

Task: Configure the IKE proposal to be used for the IKE policy—for example, ike-dynamic-proposal.

J-Web Configuration Editor:

  1. Next to Proposals, click Add new entry.
  2. In the Value keyword, type ike-dynamic-proposal.
  3. Click OK until you return to the main Configuration page.

CLI Configuration Editor: Enter

set policy ike-dynamic-policy proposals ike-dynamic-proposal
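
The matching rules described at the top of this topic can be checked offline before a tunnel is brought up. The following Python sketch is an added example, not part of the JUNOS documentation: it parses the set commands from both peers and reports whether the preshared keys match, whether any pair of proposals carries the same attributes, and which lifetime would be used. The proposal statements, their values, and the function names parse_ike and negotiate are assumptions made for illustration.

```python
import shlex

def parse_ike(config):
    """Parse 'set policy ...' / 'set proposal ...' lines, as entered at
    [edit services ipsec-vpn ike], into {'policy': {...}, 'proposal': {...}}."""
    ike = {"policy": {}, "proposal": {}}
    for line in config.strip().splitlines():
        words = shlex.split(line)
        if len(words) < 5 or words[0] != "set" or words[1] not in ike:
            continue
        kind, name, key, rest = words[1], words[2], words[3], words[4:]
        entry = ike[kind].setdefault(name, {})
        if key == "proposals":
            entry.setdefault("proposals", []).extend(rest)
        else:
            entry[key] = rest[-1]  # 'ascii-text $1991poPPi' -> '$1991poPPi'
    return ike

def negotiate(initiator, responder, policy="ike-dynamic-policy"):
    """Apply the matching rules from the text to two parsed peers.
    Returns (problems, lifetime_seconds); lifetime is None if nothing matches."""
    a, b = initiator["policy"][policy], responder["policy"][policy]
    problems = []
    if a.get("pre-shared-key") != b.get("pre-shared-key"):
        problems.append("preshared keys differ")
    for pa in a.get("proposals", []):
        for pb in b.get("proposals", []):
            # Assumption: every proposal sets lifetime-seconds explicitly.
            attrs_a = dict(initiator["proposal"][pa])
            attrs_b = dict(responder["proposal"][pb])
            life_a = int(attrs_a.pop("lifetime-seconds"))
            life_b = int(attrs_b.pop("lifetime-seconds"))
            if attrs_a == attrs_b:  # same attributes; proposal names may differ
                return problems, min(life_a, life_b)  # shorter lifetime is used
    problems.append("no proposal with the same attributes on both peers")
    return problems, None

# Constructed sample configuration; the proposal attribute values are assumptions.
BASE = """
set policy ike-dynamic-policy pre-shared-key ascii-text $1991poPPi
set policy ike-dynamic-policy proposals ike-dynamic-proposal
set proposal ike-dynamic-proposal authentication-method pre-shared-keys
set proposal ike-dynamic-proposal dh-group group14
set proposal ike-dynamic-proposal encryption-algorithm aes-256-cbc
"""
LIFETIME = "set proposal ike-dynamic-proposal lifetime-seconds "
INITIATOR = parse_ike(BASE + LIFETIME + "3600")
RESPONDER = parse_ike(BASE + LIFETIME + "1800")

if __name__ == "__main__":
    print(negotiate(INITIATOR, RESPONDER))
```

An empty problem list with a lifetime means the two policies satisfy the matching rules; any entry in the list names the setting to correct on one of the peers.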

