[Prev][Next][Report an Error]

Configuring an IKE Phase 1 Proposal—Quick Configuration (Standard VPNs)

You can use J-Web Quick Configuration to quickly configure an IKE Phase 1 proposal.

Before You Begin

For background information, read

  • "Internet Protocol Security (IPsec)" chapter in the JUNOS Software Security Configuration Guide.

Figure 6 shows the quick configuration page where can you select an existing Phase 1 proposal, or click Add to create a new one.

Figure 6: IKE Phase 1 Proposal Configuration

IKE Phase 1 Proposal Configuration

 

Figure 7 shows the IKE Phase 1 Proposal Configuration Options page.

Figure 7: IKE Phase 1 Proposal Configuration Options

IKE Phase 1 Proposal Configuration Options

To configure an IKE proposal with Quick Configuration:

  1. Select Configuration > Quick Configuration > VPN > IKE.
  2. Select the Phase 1 Proposal tab if it is not selected.
  3. To use an existing proposal, select it from among those listed and click one of the following buttons:
  4. To configure a new IKE policy, click Add.

    Figure 7 shows the quick configuration page where you create a new IKE proposal.

  5. Fill in the options as described in Table 4.
  6. Click one of the following buttons:

Table 4: Phase 1 Proposal Configuration Options

Field

Function

Action

IKE Proposal (Phase 1)

Name

The name of the proposal.

Enter a name.

Authentication algorithm

The Authentication Header (AH) algorithm the device uses to verify the authenticity and integrity of a packet. Supported algorithms include the following:

  • md5—Produces a 128-bit digest.
  • sha1—Produces a 160-bit digest.
  • sha-256—Produces a 256-bit digest.

Note: The sha-256 authentication algorithm is not supported with the dynamic VPN feature.

Select an algorithm.

Authentication method

The method the device uses to authenticate the source of Internet Key Exchange (IKE) messages. Options include:

  • pre-shared-keys—Key for encryption and decryption that both participants must have before beginning tunnel negotiations.
  • rsa-key—Kinds of digital signatures, which are certificates that confirm the identity of the certificate holder.

Select an authentication method.

Description

Easy identification of the proposal.

Enter brief description of the IKE proposal.

Dh group

The Diffie-Hellman exchange allows participants to produce a shared secret value over an unsecured medium without actually transmitting the value across the connection.

Select a group. If you configure multiple (up to four) proposals for Phase 1 negotiations, use the same Diffie-Hellman group in all proposals.

Encryption altorithm

Supported Internet Key Exchange (IKE) proposals include the following:

  • 3des-cbc—3DES-CBC encryption algorithm.
  • aes-128-cbc—AES-CBC 128-bit encryption algorithm.
  • aes-192-cbc—AES-CBC 192-bit encryption algorithm.
  • aes-256-cbc—AES-CBC 256-bit encryption algorithm.
  • des-cbc—DES-CBC encryption algorithm.

Select an encryption algorithm.

Lifetime seconds

The lifetime (in seconds) of an IKE security association (SA). When the SA expires, it is replaced by a new SA and security parameter index (SPI) or terminated.

Select a lifetime for the IKE SA.

Default: 3,600 seconds.

Range: 180 through 86,400 seconds.


[Prev][Next][Report an Error]