
Configuring an IKE Policy for Digital Certificates for an ES PIC

An IKE policy for digital certificates defines a combination of security parameters (IKE proposals) to be used during IKE negotiation. It defines a peer address and the proposals needed for that connection. During the IKE negotiation, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match.

To configure an IKE policy for digital certificates for an ES PIC, include the following statements at the [edit security ike policy ike-peer-address] hierarchy level:

[edit security ike]
policy ike-peer-address {
    encoding (binary | pem);
    identity identity-name;
    local-certificate certificate-filename;
    local-key-pair private-public-key-file;
}

Tasks for configuring an IKE policy for digital certificates are:

  1. Configuring the Type of Encoding Your CA Supports
  2. Configuring the Identity to Define the Remote Certificate Name
  3. Specifying the Certificate Filename
  4. Specifying the Private and Public Key File

Configuring the Type of Encoding Your CA Supports

The encoding statement specifies the file format in which the files named by the local-certificate and local-key-pair statements are read. By default, the encoding is binary, the distinguished encoding rules (DER) format. PEM is an ASCII, base64-encoded format. Check with your CA to determine which file formats it supports, and make sure the certificate file and the key-pair file are both written in the format you configure, because a single encoding statement applies to both.

To configure the file format that your CA supports, include the encoding statement and specify a binary or PEM format at the [edit security ike policy ike-peer-address] hierarchy level:

[edit security ike policy ike-peer-address]
encoding (binary | pem);
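A practical check before committing the encoding statement is to confirm what format the CA actually delivered. The following Python script is an added example and not part of the Juniper documentation: it classifies a certificate or key-pair file as DER (the value the page calls binary) or PEM, by parsing the outer DER SEQUENCE header and, for PEM, base64-decoding each armored block and checking that the result is clean DER. It then emits the matching encoding statement, refusing a pair of files whose formats differ, since one statement governs both local-certificate and local-key-pair. The function names and the sample bytes are constructed for the example; the sample is a minimal DER SEQUENCE, not a real certificate.

```python
import base64
import binascii
import re

# Constructed sample: a minimal DER SEQUENCE holding two INTEGERs. It is not a
# real certificate or key; it exists only so the checks below run offline.
SAMPLE_DER = bytes.fromhex("30 06 02 01 05 02 01 07")

# One PEM block: BEGIN/END lines with matching labels around a base64 body.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)


def der_envelope(data: bytes):
    """Parse the outer DER SEQUENCE header at offset 0.

    Returns (header_len, content_len), or None if the bytes do not start with a
    SEQUENCE tag or the length is not encoded the way DER requires (definite
    form, minimal number of length octets).
    """
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length octet
        return 2, first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None                       # 0x80 (indefinite) is BER, not DER
    length = int.from_bytes(data[2:2 + n], "big")
    if data[2] == 0 or (n == 1 and length < 0x80):
        return None                       # non-minimal length encoding
    return 2 + n, length


def is_der(data: bytes) -> bool:
    """True if data is exactly one well-formed DER SEQUENCE with no trailing bytes."""
    env = der_envelope(data)
    if env is None:
        return False
    header_len, content_len = env
    return header_len + content_len == len(data)


def pem_blocks(data: bytes):
    """Yield (label, decoded_bytes) for each PEM block whose body is valid base64."""
    for m in PEM_BLOCK.finditer(data):
        body = b"".join(m.group(2).split())   # drop the 64/76-column line breaks
        try:
            yield m.group(1).decode("ascii"), base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            continue                          # corrupt block: skip it


def detect_encoding(data: bytes) -> str:
    """Map file contents to the Junos encoding keyword: 'binary', 'pem' or 'unknown'."""
    blocks = list(pem_blocks(data))
    if blocks:
        # Every PEM body must itself decode to clean DER, otherwise the file is damaged.
        return "pem" if all(is_der(der) for _, der in blocks) else "unknown"
    return "binary" if is_der(data) else "unknown"


def encoding_statement(cert_bytes: bytes, key_bytes: bytes) -> str:
    """Return the encoding statement for the policy after checking that the
    local-certificate and local-key-pair files use the same format."""
    cert_enc = detect_encoding(cert_bytes)
    key_enc = detect_encoding(key_bytes)
    if "unknown" in (cert_enc, key_enc):
        raise ValueError(f"unrecognised format: certificate={cert_enc}, key pair={key_enc}")
    if cert_enc != key_enc:
        raise ValueError(f"format mismatch: certificate={cert_enc}, key pair={key_enc}")
    return f"encoding {cert_enc};"


def to_pem(der: bytes, label: str) -> bytes:
    """Wrap DER bytes in PEM armor (used here only to build constructed samples)."""
    tag = label.encode("ascii")
    return (b"-----BEGIN " + tag + b"-----\n" + base64.encodebytes(der)
            + b"-----END " + tag + b"-----\n")


if __name__ == "__main__":
    cert = to_pem(SAMPLE_DER, "CERTIFICATE")
    key = to_pem(SAMPLE_DER, "RSA PRIVATE KEY")
    print(encoding_statement(cert, key))                # encoding pem;
    print(encoding_statement(SAMPLE_DER, SAMPLE_DER))   # encoding binary;
```

To use it on real files, read the certificate and key-pair files in binary mode and pass the bytes to encoding_statement; a truncated DER file, a file with trailing bytes, or a PEM file whose base64 body is corrupt all come back as unknown rather than being silently classified, which is the failure mode that otherwise only surfaces as an IKE negotiation error.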

Configuring the Identity to Define the Remote Certificate Name

To define the remote certificate name, include the identity statement at the [edit security ike policy ike-peer-address] hierarchy level:

[edit security ike policy ike-peer-address]
identity identity-name;

identity-name defines the name of the remote certificate to use when the identity cannot be learned through IKE (from the ID payload or the IP address).

Specifying the Certificate Filename

To configure the certificate filename from which to read the local certificate, include the local-certificate statement at the [edit security ike policy ike-peer-address] hierarchy level:

[edit security ike policy ike-peer-address]
local-certificate certificate-filename;

certificate-filename specifies the file from which to read the local certificate.

Specifying the Private and Public Key File

To specify the filename from which to read the public and private key, include the local-key-pair statement at the [edit security ike policy ike-peer-address] hierarchy level:

[edit security ike policy ike-peer-address]
local-key-pair private-public-key-file;

private-public-key-file specifies the file from which to read the key pair.


Published: 2010-04-26
