[Prev][Next][Report an Error]

Configuring an IKE Phase 1 Proposal— (Dynamic VPNs)

You can use J-Web Quick Configuration to quickly configure an IKE Phase 1 proposal.

Before You Begin

For background information, read:

  • "Dynamic Virtual Private Networks (VPNs)" chapter in the JUNOS Software Security Configuration Guide.

Figure 32 shows the Configuration page where you can select an existing proposal, or click Add to create a new one.

Figure 32: IKE Phase 1 Proposal Quick Configuration Page – Adding a Proposal

IKE Phase 1 Proposal Quick Configuration Page – Adding a Proposal

Figure 33 shows the Configuration page where you create a new proposal.

Figure 33: IKE Phase 1 Proposal Quick Configuration Page – Configuring a Proposal

IKE Phase 1 Proposal Quick Configuration Page – Configuring a Proposal

To configure a Phase 1 Proposal with Configuration:

  1. Select Configure>IPSec VPN>Dynamic VPN>IKE.
  2. Select the Phase 1 Proposal tab if it is not selected.
  3. To modify an existing proposal, click the appropriate link in the Name column to go to the proposal’s configuration page. Or, select the proposal from among those listed and click one of the following buttons:
  4. To configure a new Phase 1 proposal, click Add.
  5. Fill in the options as described in Table 191.
  6. Click one of the following buttons:

Table 191: Phase 1 Proposal Configuration Options

Field

Function

Action
IKE Proposal (Phase 1)

Name

Name to identify the proposal.

Enter a name.

Authentication algorithm

Authentication Header (AH) algorithm the device uses to verify the authenticity and integrity of a packet. Supported algorithms include the following:

  • md5—Produces a 128-bit digest.
  • sha1—Produces a 160-bit digest.
  • sha-256—Produces a 256-bit digest.

Select an authentication algorithm.

Authentication method

Method the device uses to authenticate the source of Internet Key Exchange (IKE) messages. The dynamic VPN feature only uses preshared keys for authentication. With this method, both participants must have the key before beginning tunnel negotiations.

No action is required. The device displays this information for informational purposes only.

Description

Description of the proposal.

Enter a brief description of the Phase 1 proposal.

Dh group

Allow participants to produce a shared secret value over an unsecured medium without actually transmitting the value across the connection.

Select a Diffie-Hellman group. If you configure multiple (up to four) proposals for Phase 1 negotiations, use the same Diffie-Hellman group in all proposals.

Encryption algorithm

Supported Internet Key Exchange (IKE) proposals include the following:

  • 3des-cbc—3DES-CBC encryption algorithm
  • aes-128-cbc—AES-CBC 128-bit encryption algorithm
  • aes-192-cbc—AES-CBC 192-bit encryption algorithm
  • aes-256-cbc—AES-CBC 256-bit encryption algorithm
  • des-cbc—DES-CBC encryption algorithm

Select an encryption algorithm.

Lifetime seconds

Lifetime (in seconds) of an IKE security association (SA). When the SA expires, it is either replaced by a new SA and security parameter index (SPI) or the SA is terminated.

Select a lifetime for the IKE security association (SA). Range: 180 through 86,400 seconds. Default: 3,600 seconds.

[Prev][Next][Report an Error]

Copyright © 2010, Juniper Networks, Inc. All rights reserved. Trademark Notice.