[an error occurred while processing this directive][an error occurred while processing this directive]

Configuring an IKE Proposal for Dynamic SAs

Dynamic Security Associations (SAs) require IKE configuration. The IKE configuration defines the algorithms and keys used to establish the secure IKE connection with the peer security gateway.

You can configure one or more IKE proposals. Each proposal is a list of IKE attributes to protect the IKE connection between the IKE host and its peer.

To configure an IKE proposal and define its properties, include the following statements at the [edit security ike] hierarchy level:

[edit security ike]proposal ike-proposal-name {authentication-algorithm (md5 | sha1);authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);description description;dh-group (group1 | group2);encryption-algorithm (3des-cbc | des-cbc | ase-128-cbc | ase-192-cbc | ase-256-cbc);lifetime-seconds seconds;}

For information about associating an IKE proposal with an IKE policy, see Configuring an IKE Policy for Preshared Keys.

Tasks for configuring the IKE proposal are:

  1. Configuring the Authentication Algorithm for an IKE Proposal
  2. Configuring the Authentication Method for an IKE Proposal
  3. Configuring the Description for an IKE Proposal
  4. Configuring the Diffie-Hellman Group for an IKE Proposal
  5. Configuring the Encryption Algorithm for an IKE Proposal
  6. Configuring the Lifetime for an IKE SA

Configuring the Authentication Algorithm for an IKE Proposal

To configure an IKE authentication algorithm, include the authentication-algorithm statement at the [edit security ike proposal ike-proposal-name] hierarchy level:

[edit security ike proposal ike-proposal-name]authentication-algorithm (md5 | sha1);

The authentication algorithm can be one of the following:

  • md5—Produces a 128-bit digest.
  • sha1—Produces a 160-bit digest.

Configuring the Authentication Method for an IKE Proposal

To configure an IKE authentication method, include the authentication-method statement at the [edit security ike proposal ike-proposal-name] hierarchy level:

[edit security ike proposal ike-proposal-name]authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);

The authentication method can be one of the following:

  • dsa-signatures—Digital Signature Algorithm (DSA)
  • pre-shared-keys—Preshared keys; a key derived from an out-of-band mechanism is used to authenticate an exchange
  • rsa-signatures—Public key algorithm that supports encryption and digital signatures

Configuring the Description for an IKE Proposal

To specify a description for an IKE proposal, include the description statement at the [edit security ike proposal ike-proposal-name] hierarchy level:

[edit security ike proposal ike-proposal-name]description description;

Configuring the Diffie-Hellman Group for an IKE Proposal

Diffie-Hellman is a public-key cryptography scheme that allows two parties to establish a shared secret over an insecure communications channel. It is also used within IKE to establish session keys.

To configure an IKE Diffie-Hellman group, include the dh-group statement at the [edit security ike proposal ike-proposal-name] hierarchy level:

[edit security ike proposal ike-proposal-name ]dh-group (group1 | group2);

The group can be one of the following:

  • group1—Specify that IKE use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
  • group2—Specify that IKE use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

group2 provides more security but requires more processing time.

Configuring the Encryption Algorithm for an IKE Proposal

To configure an IKE encryption algorithm, include the encryption-algorithm statement at the [edit security ike proposal ike-proposal-name] hierarchy level:

[edit security ike proposal ike-proposal-name ]encryption-algorithm (3des-cbc | des-cbc);

The encryption algorithm can be one of the following:

  • 3des-cbc—Encryption algorithm that has a key size of 24 bytes; its key size is 192 bits long.
  • des-cbc—Encryption algorithm that has a key size of 8 bytes; its key size is 56 bits long.
  • aes-128-cbc—Advanced encryption algorithm that has a key size of 16 bytes; its key size is 128 bits long.
  • aes-192-cbc—Advanced encryption algorithm that has a key size of 24 bytes; its key size is 192 bits long.
  • aes-256-cbc—Advanced encryption algorithm that has a key size of 32 bytes; its key size is 256 bits long.

Configuring the Lifetime for an IKE SA

The IKE lifetime sets the lifetime of an IKE SA. When the IKE SA expires, it is replaced by a new SA (and SPI) or is terminated. The default value IKE lifetime is 3600 seconds.

To configure the IKE lifetime, include the lifetime-seconds statement and specify the number of seconds (180 through 86,400) at the [edit security ike proposal ike-proposal-name] hierarchy level:

[edit security ike proposal ike-proposal-name ]lifetime-seconds seconds;

Published: 2010-04-26

[an error occurred while processing this directive]