[Prev][Next][Report an Error]

Configuring an IKE Phase 1 Proposal—Quick Configuration (Dynamic VPNs)

You can use J-Web Quick Configuration to quickly configure an IKE Phase 1 proposal.

Before You Begin

For background information, read:

  • "Dynamic Virtual Private Networks (VPNs)" chapter in the JUNOS Software Security Configuration Guide.

Figure 5 shows the Quick Configuration page where you can select an existing proposal, or click Add to create a new one.

Figure 5: IKE Phase 1 Proposal Quick Configuration Page – Adding a Proposal

IKE Phase 1
Proposal Quick Configuration Page – Adding a Proposal

Figure 6 shows the Quick Configuration page where you create a new proposal.

Figure 6: IKE Phase 1 Proposal Quick Configuration Page – Configuring a Proposal

IKE Phase 1 Proposal
Quick Configuration Page – Configuring a Proposal

To configure a Phase 1 Proposal with Quick Configuration:

  1. Select Configuration>Quick Configuration>Dynamic VPN>IKE.
  2. Select the Phase 1 Proposal tab if it is not selected.
  3. To modify an existing proposal, click the appropriate link in the Name column to go to the proposal’s configuration page. Or, select the proposal from among those listed and click one of the following buttons:
  4. To configure a new Phase 1 proposal, click Add.
  5. Fill in the options as described in Table 3.
  6. Click one of the following buttons:

Table 3: Phase 1 Proposal Configuration Options




IKE Proposal (Phase 1)


Name to identify the proposal.

Enter a name.

Authentication algorithm

Authentication Header (AH) algorithm the device uses to verify the authenticity and integrity of a packet. Supported algorithms include the following:

  • md5—Produces a 128-bit digest.
  • sha1—Produces a 160-bit digest.
  • sha-256—Produces a 256-bit digest.

Select an authentication algorithm.

Authentication method

Method the device uses to authenticate the source of Internet Key Exchange (IKE) messages. The dynamic VPN feature only uses preshared keys for authentication. With this method, both participants must have the key before beginning tunnel negotiations.

No action is required. The device displays this information for informational purposes only.


Description of the proposal.

Enter a brief description of the Phase 1 proposal.

Dh group

Allow participants to produce a shared secret value over an unsecured medium without actually transmitting the value across the connection.

Select a Diffie-Hellman group. If you configure multiple (up to four) proposals for Phase 1 negotiations, use the same Diffie-Hellman group in all proposals.

Encryption algorithm

Supported Internet Key Exchange (IKE) proposals include the following:

  • 3des-cbc—3DES-CBC encryption algorithm
  • aes-128-cbc—AES-CBC 128-bit encryption algorithm
  • aes-192-cbc—AES-CBC 192-bit encryption algorithm
  • aes-256-cbc—AES-CBC 256-bit encryption algorithm
  • des-cbc—DES-CBC encryption algorithm

Select an encryption algorithm.

Lifetime seconds

Lifetime (in seconds) of an IKE security association (SA). When the SA expires, it is either replaced by a new SA and security parameter index (SPI) or the SA is terminated.

Select a lifetime for the IKE security association (SA). Range: 180 through 86,400 seconds. Default: 3,600 seconds.

[Prev][Next][Report an Error]