Example: Configuring an IKE Phase 1 Proposal (CLI)

When configuring Phase 1 of an IPsec tunnel using IKE, you first configure proposals, then policies, and finally the gateway. The following example-based instructions show how to create the proposal portion of the IKE gateway.

In Phase 1 proposal configuration, you must set the authentication method and authentication and encryption algorithms that will be used to open a secure channel between participants. In this example, you create an IKE proposal called ike_prop_1 and specify that peers use preshared keys for encryption and decryption, and that they use Diffie-Hellman (DH) group 2 to produce the shared secret for the keys. You specify md5 as the authentication algorithm and 3DES cypher block chaining (CBC) for encryption. And you specify that after 300 seconds the participants renegotiate a new security association (SA).

Note: When configuring a Phase 1 proposal for the dynamic VPN feature, note that you must set the authentication method to preshared keys.

To configure a Phase 1 proposal using the CLI editor:

user@host# set security ike proposal ike_prop_1 description "new ike proposal"user@host# set security ike proposal ike_prop_1 authentication-method pre-shared-keysuser@host# set security ike proposal ike_prop_1 dh-group group2user@host# set security ike proposal ike_prop_1 authentication-algorithm md5user@host# set security ike proposal ike_prop_1 encryption-algorithm 3des-cbcuser@host# set security ike proposal ike_prop_1 lifetime-seconds 300

Use the following command to display information about IKE proposals:

user@host# show security ike

Related Topics

Copyright© 1999-2010 Juniper Networks, Inc. All rights reserved.