Technical Documentation

Example: Configuring an IKE Policy

Define two IKE policies: policy 10.1.1.2 and policy 10.1.1.1. Each policy is associated with proposal-1 and proposal-2.

[edit security]ike {proposal proposal-1 {authentication-method pre-shared-keys;dh-group group1;authentication-algorithm sha1;encryption-algorithm 3des-cbc;lifetime-seconds 1000;}proposal proposal-2 {authentication-method pre-shared-keys;dh-group group2;authentication-algorithm md5;encryption-algorithm des-cbc;lifetime-seconds 10000;}proposal proposal-3 {authentication-method rsa-signatures;dh-group group2;authentication-algorithm md5;encryption-algorithm des-cbc;lifetime-seconds 10000;}policy 10.1.1.2 {mode main;proposals [ proposal-1 proposal-2 ];pre-shared-key ascii-text example-pre-shared-key;}policy 10.1.1.1 {local-certificate certificate-filename;local-key-pair private-public-key-file;mode aggressive;proposals [ proposal-2 proposal-3 ]pre-shared-key hexadecimal 0102030abbcd;}}

Note: Updates to the current IKE proposal and policy configuration are not applied to the current IKE SA; updates are applied to new IKE SAs.

If you want the new updates to take immediate effect, you must clear the existing IKE security associations so that they will be reestablished with the changed configuration. For information about how to clear the current IKE security association, see the JUNOS System Basics and Services Command Reference.


Published: 2010-04-26