Configuring an IKE Phase 1 Proposal (Dynamic VPNs)

You can use J-Web Quick Configuration to quickly configure an IKE Phase 1 proposal.

Before You Begin

For background information, read:

  • "Dynamic Virtual Private Networks (VPNs)" chapter in the JUNOS Software Security Configuration Guide.

IKE Phase 1 Proposal Quick Configuration Page shows the Configuration page where you can select an existing proposal, or click Add to create a new one.

IKE Phase 1 Proposal Quick Configuration Page shows the Configuration page where you create a new proposal.

To configure a Phase 1 proposal with Quick Configuration:

  1. Select Configure>IPSec VPN>Dynamic VPN>IKE.
  2. Select the Phase 1 Proposal tab if it is not selected.
  3. To modify an existing proposal, click the appropriate link in the Name column to go to the proposal’s configuration page. Or, select the proposal from among those listed and click one of the following buttons:
    • To apply the configuration, click Apply.
    • To delete the configuration, click Delete.
  4. To configure a new Phase 1 proposal, click Add.
  5. Fill in the options as described in Table 72.
  6. Click one of the following buttons:
    • To apply the configuration, click OK.
    • To cancel the configuration and return to the main Configuration page, click Cancel.

Table 72: Phase 1 Proposal Configuration Options

| Field | Function | Action |
|---|---|---|
| IKE Proposal (Phase 1) | | |
| Name | Name to identify the proposal. | Enter a name. |
| Authentication algorithm | Authentication Header (AH) algorithm the device uses to verify the authenticity and integrity of a packet. Supported algorithms include the following: md5—Produces a 128-bit digest; sha1—Produces a 160-bit digest; sha-256—Produces a 256-bit digest. | Select an authentication algorithm. |
| Authentication method | Method the device uses to authenticate the source of Internet Key Exchange (IKE) messages. The dynamic VPN feature only uses preshared keys for authentication. With this method, both participants must have the key before beginning tunnel negotiations. | No action is required. The device displays this information for informational purposes only. |
| Description | Description of the proposal. | Enter a brief description of the Phase 1 proposal. |
| Dh group | Allows participants to produce a shared secret value over an unsecured medium without actually transmitting the value across the connection. | Select a Diffie-Hellman group. If you configure multiple (up to four) proposals for Phase 1 negotiations, use the same Diffie-Hellman group in all proposals. |
| Encryption algorithm | Supported Internet Key Exchange (IKE) proposals include the following: 3des-cbc—3DES-CBC encryption algorithm; aes-128-cbc—AES-CBC 128-bit encryption algorithm; aes-192-cbc—AES-CBC 192-bit encryption algorithm; aes-256-cbc—AES-CBC 256-bit encryption algorithm; des-cbc—DES-CBC encryption algorithm. | Select an encryption algorithm. |
| Lifetime seconds | Lifetime (in seconds) of an IKE security association (SA). When the SA expires, it is either replaced by a new SA and security parameter index (SPI) or the SA is terminated. | Select a lifetime for the IKE security association (SA). Range: 180 through 86,400 seconds. Default: 3,600 seconds. |
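
The constraints in Table 72 can be checked against a saved configuration after the proposals are applied. The script below is an added example, not part of the original page or of JUNOS Software. It assumes the proposals were exported in Junos "set" command form (the CLI statement names do not appear on this page), that every proposal in the input is used for the same Phase 1 negotiation, and that md5, des-cbc and 3des-cbc count as legacy under the example's own policy.

```python
import re
# Allowed values and limits as listed in Table 72 on this page.
AUTH_ALGS = {"md5", "sha1", "sha-256"}
ENC_ALGS = {"3des-cbc", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc", "des-cbc"}
LIFETIME_MIN, LIFETIME_MAX, LIFETIME_DEFAULT = 180, 86400, 3600
MAX_PROPOSALS = 4
LEGACY = {"md5", "des-cbc", "3des-cbc"}  # assumption: this example's policy, not the page's
# Assumption: input is Junos "set" command form; statement names are not from the page.
LINE = re.compile(r"^set security ike proposal (\S+) (\S+) (.+)$")

def parse(config):
    """Return {proposal_name: {option: value}} from set-format lines."""
    proposals = {}
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if m:
            name, option, value = m.groups()
            proposals.setdefault(name, {})[option] = value.strip('"')
    return proposals

def audit(config):
    """Return a sorted list of (proposal, finding) tuples; '*' means all proposals."""
    proposals, findings = parse(config), []
    for name, opts in proposals.items():
        for label, allowed in (("authentication", AUTH_ALGS), ("encryption", ENC_ALGS)):
            value = opts.get(f"{label}-algorithm")
            if value is not None and value not in allowed:
                findings.append((name, f"{label} algorithm {value} not in Table 72"))
            elif value in LEGACY:
                findings.append((name, f"legacy {label} algorithm {value}"))
        life = int(opts.get("lifetime-seconds", LIFETIME_DEFAULT))
        if not LIFETIME_MIN <= life <= LIFETIME_MAX:
            findings.append((name, f"lifetime {life}s outside {LIFETIME_MIN}-{LIFETIME_MAX}"))
    groups = sorted({o["dh-group"] for o in proposals.values() if "dh-group" in o})
    if len(groups) > 1:  # the page asks for one DH group across all Phase 1 proposals
        findings.append(("*", "different DH groups: " + ", ".join(groups)))
    if len(proposals) > MAX_PROPOSALS:
        findings.append(("*", f"{len(proposals)} proposals, limit is {MAX_PROPOSALS}"))
    return sorted(findings)

# Constructed sample input, not taken from a real device.
SAMPLE = """\
set security ike proposal dvpn-a dh-group group2
set security ike proposal dvpn-a encryption-algorithm aes-256-cbc
set security ike proposal dvpn-b dh-group group5
set security ike proposal dvpn-b authentication-algorithm md5
set security ike proposal dvpn-b encryption-algorithm des-cbc
set security ike proposal dvpn-b lifetime-seconds 120
"""
```

Calling `audit(SAMPLE)` reports the mismatched Diffie-Hellman groups once for the whole set and three findings for `dvpn-b`; a proposal that omits `lifetime-seconds` is checked against the 3,600-second default.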