CLI Commands : crypto

crypto
Media Flow Manager only. Configure IPSec cryptographic settings.
crypto ipsec peer <IP_address> local <IP_address> keying ike [preshared-key <string> | prompt-preshared-key]
[mode {transport|tunnel}] [exchange-mode {main|aggressive|base}] [pfs_group <group #>] [lifetime <seconds>]
[encrypt {3des|aes-cbc|none}] [auth {hmac-md5|hmac-sha1}]
no crypto ipsec peer <IP_address> local <IP_address>
Add an IPSec peering relationship to the address specified, using a specified local address; the no variant removes the relationship. This pair of IP addresses uniquely defines an IPSec peering entry. The IPSec peering relationship is keyed using IKE. Notes:
preshared-key | prompt-preshared-key—The specified preshared-key is used for the initial IKE exchange; it is used in the initial setup for both ESP (encapsulating security payload) and AH (authentication header). If prompt-preshared-key is chosen, the user is prompted for the preshared key rather than entering it on the command line.
mode—If transport is used, only the payload (the data you transfer) of the IP packet is encrypted and/or authenticated; this is used for host-to-host communications. If tunnel is used, the entire IP packet (data and IP header) is encrypted and/or authenticated; this is used to create Virtual Private Networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access), and host-to-host communications (e.g. private chat).
exchange-mode—Allows a gateway to download an IP address (and other network level configuration) to the client as part of an IKE negotiation. Choose aggressive for the highest security.
pfs_group—Enter an IPv4 address. If perfect forward secrecy (PFS) is specified in the IPSec policy, a new Diffie-Hellman exchange is performed with each quick mode, providing keying material that has greater entropy (key material life) and thereby greater resistance to cryptographic attacks. Each Diffie-Hellman exchange requires large exponentiations, which increases CPU use and exacts a performance cost.
lifetime—The lifetime of the IKE SA (security association) in seconds.
encrypt—The encryption algorithm used can be specified as either 3des (for triple DES) (default), aes-cbc (for AES), or none (a.k.a. NULL encryption).
auth—The authentication method used can be specified as either hmac-md5 (MD5 HMAC variant) (default), or hmac-sha1 (SHA1 HMAC variant).
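As an added example, not part of the Media Flow Manager CLI or this guide, the following Python parses a crypto ipsec peer line against the option grammar printed above (pfs_group taken as the <group #> of the syntax line) and applies the page defaults, then reports settings a reviewer would flag; the preferences in review_crypto_peer are this example's own policy assumptions, and the addresses are constructed documentation values.

```python
import re

_OPTIONS = {  # option grammar as printed on the page; a set lists the allowed values
    "preshared-key": "str", "pfs_group": "int", "lifetime": "int",
    "mode": {"transport", "tunnel"}, "exchange-mode": {"main", "aggressive", "base"},
    "encrypt": {"3des", "aes-cbc", "none"}, "auth": {"hmac-md5", "hmac-sha1"},
}
_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def parse_crypto_peer(line):
    """Parse one 'crypto ipsec peer ...' line into a dict; ValueError on bad syntax."""
    t = line.split()
    if len(t) < 8 or t[:3] != ["crypto", "ipsec", "peer"] or t[4] != "local" or t[6:8] != ["keying", "ike"]:
        raise ValueError("expected: crypto ipsec peer <IP> local <IP> keying ike [options]")
    for ip in (t[3], t[5]):
        if not _IPV4.match(ip):
            raise ValueError(f"not an IPv4 address: {ip}")
    # Defaults stated on the page: 3des encryption, hmac-md5 authentication.
    cfg = {"peer": t[3], "local": t[5], "encrypt": "3des", "auth": "hmac-md5"}
    i = 8
    while i < len(t):
        key = t[i]
        if key == "prompt-preshared-key":  # key is prompted for, never stored on the line
            cfg["preshared-key"], i = None, i + 1
            continue
        spec = _OPTIONS.get(key)
        if spec is None or i + 1 >= len(t):
            raise ValueError(f"unknown or valueless option: {key}")
        val = t[i + 1]
        if isinstance(spec, set) and val not in spec:
            raise ValueError(f"{key} must be one of {sorted(spec)}, got {val}")
        cfg[key] = int(val) if spec == "int" else val  # int() rejects e.g. 'pfs_group abc'
        i += 2
    return cfg

def review_crypto_peer(cfg):
    """Policy findings for a parsed peer; the preferences are this example's, not the page's."""
    f = []
    if cfg["encrypt"] == "none":
        f.append("encrypt none: ESP provides integrity only, the payload is sent in clear")
    elif cfg["encrypt"] == "3des":
        f.append("encrypt 3des (page default): prefer aes-cbc")
    if cfg["auth"] == "hmac-md5":
        f.append("auth hmac-md5 (page default): prefer hmac-sha1")
    if "pfs_group" not in cfg:
        f.append("no pfs_group: quick mode runs without perfect forward secrecy")
    if cfg.get("preshared-key") is not None:
        f.append("preshared-key on the command line: prompt-preshared-key keeps it out of the history")
    return f
```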
show crypto [configured]
Display various run-time cryptographic states. Use the configured subcommand to display various cryptographic settings.
There are many good references on IPSec on the Internet; here is one: IPSec Overview Part Four: Internet Key Exchange (IKE).

Media Flow Manager Administrator's Guide and CLI Command Reference
Copyright © Juniper Networks, Inc.