Configuring an IPsec Phase 2 Proposal—Quick Configuration (Dynamic VPNs)

You can use J-Web Quick Configuration to quickly configure IPsec Phase 2 proposals.

Before You Begin

For background information, read:

  • "Dynamic Virtual Private Networks (VPNs)" chapter in the JUNOS Software Security Configuration Guide.

Phase 2 Proposal Quick Configuration Page shows the Quick Configuration page where you can select an existing proposal, or click Add to create a new one.

To configure an IPsec Phase 2 proposal with Quick Configuration:

  1. Select Configure>IPSec VPN>Dynamic VPN>IPSec AutoKey.
  2. Select the IPsec Phase 2 Proposal tab if it is not selected.
  3. To modify an existing proposal, click the appropriate link in the Name column to go to the proposal’s configuration page. Or, select the proposal from among those listed and click one of the following buttons:
    • To apply the configuration, click Apply.
    • To delete the configuration, click Delete.
  4. To configure a new Phase 2 proposal, click Add.
  5. Fill in the options as described in Table 91.
  6. Click one of the following buttons:
    • To apply the configuration, click OK.
    • To cancel the configuration and return to the main Configuration page, click Cancel.

Table 91: IPsec Phase 2 Proposal Options

IPsec Proposal (Phase 2)

Field: Name
  Function: Name to identify the Phase 2 proposal.
  Action: Enter a name.

Field: Description
  Function: Description of the Phase 2 proposal.
  Action: Enter a brief description of the proposal.

Field: Authentication algorithm
  Function: Hash algorithm that authenticates packet data. You can choose one of the following:
    • hmac-md5-96—Produces a 128-bit digest.
    • hmac-sha1-96—Produces a 160-bit digest.
  Action: Select a hash algorithm.

Field: Encryption algorithm
  Function: IKE algorithm used to encrypt data. You can choose one of the following:
    • 3des-cbc—Has a block size of 24 bytes; the key size is 192 bits long.
    • aes-128-cbc—AES 128-bit encryption algorithm.
    • aes-192-cbc—AES 192-bit encryption algorithm.
    • aes-256-cbc—AES 256-bit encryption algorithm.
    • des-cbc—Has a block size of 8 bytes; the key size is 48 bits long.
  Action: Select an encryption algorithm.

Field: Lifetime kilobytes
  Function: Lifetime (in kilobytes) of an IPsec security association (SA). The SA is terminated when the specified number of kilobytes of traffic have passed.
  Action: Enter a value from 64 through 1,048,576 bytes.

Field: Lifetime seconds
  Function: Lifetime (in seconds) of an IKE security association (SA). When the SA expires, it is either replaced by a new SA and security parameter index (SPI) or the SA is terminated.
  Action: Enter a value from 180 through 86,400 seconds.

Field: Protocol
  Function: Type of security protocol. Supported options include:
    • ah—Authentication Header (AH) protocol verifies the authenticity/integrity of the content and origin of a packet.
    • esp—Encapsulating Security Payload (ESP) protocol ensures privacy (encryption) and source authentication and content integrity (authentication).
  Action: Select a protocol for the proposal.
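
An added example (not from the original page or from Juniper): a Python check that audits Phase 2 proposals against the choices and ranges in Table 91. It assumes the proposals are available in the CLI form `set security ipsec proposal <name> <option> <value>`, which this page does not show; the LEGACY set is this example's own review policy, and the sample configuration is constructed.

```python
import shlex

# Allowed values and ranges, copied from Table 91 on this page.
CHOICES = {
    "authentication-algorithm": {"hmac-md5-96", "hmac-sha1-96"},
    "encryption-algorithm": {"3des-cbc", "aes-128-cbc", "aes-192-cbc",
                             "aes-256-cbc", "des-cbc"},
    "protocol": {"ah", "esp"},
}
RANGES = {"lifetime-kilobytes": (64, 1048576), "lifetime-seconds": (180, 86400)}
# Review policy assumed by this example (not stated on the page).
LEGACY = {"des-cbc", "3des-cbc", "hmac-md5-96"}
PREFIX = ["set", "security", "ipsec", "proposal"]

def parse(config_text):
    """Return {proposal: {option: value}} from set-style lines."""
    proposals = {}
    for line in config_text.splitlines():
        tokens = shlex.split(line)  # keeps a quoted description as one token
        if tokens[:4] == PREFIX and len(tokens) == 7:
            proposals.setdefault(tokens[4], {})[tokens[5]] = tokens[6]
    return proposals

def audit(config_text):
    """Return a list of (proposal, severity, message) findings."""
    findings = []
    for name, opts in parse(config_text).items():
        for opt, value in opts.items():
            if opt in CHOICES:
                if value not in CHOICES[opt]:
                    findings.append((name, "error", f"{opt} {value} not in Table 91"))
                elif value in LEGACY:
                    findings.append((name, "warn", f"{opt} {value} is a legacy algorithm"))
            elif opt in RANGES:
                lo, hi = RANGES[opt]
                if not (value.isdigit() and lo <= int(value) <= hi):
                    findings.append((name, "error", f"{opt} {value} outside {lo}-{hi}"))
        if opts.get("protocol") == "ah":
            findings.append((name, "warn", "ah authenticates only, no encryption"))
    return findings

# Constructed sample configuration (not taken from any real device).
SAMPLE = """\
set security ipsec proposal old-p2 description "constructed legacy proposal"
set security ipsec proposal old-p2 protocol esp
set security ipsec proposal old-p2 authentication-algorithm hmac-md5-96
set security ipsec proposal old-p2 encryption-algorithm des-cbc
set security ipsec proposal old-p2 lifetime-seconds 120
set security ipsec proposal new-p2 protocol esp
set security ipsec proposal new-p2 encryption-algorithm aes-256-cbc
set security ipsec proposal new-p2 lifetime-seconds 3600
"""
```

Calling `audit(SAMPLE)` reports three findings for `old-p2` and none for `new-p2`.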