
Configuring an IPsec Proposal for an ES PIC

An IPsec proposal lists protocols and algorithms (security services) to be negotiated with the remote IPsec peer.

To configure an IPsec proposal and define its properties, include the following statements at the [edit security ipsec] hierarchy level:

[edit security ipsec]
proposal ipsec-proposal-name {
    authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
    description description;
    encryption-algorithm (3des-cbc | des-cbc);
    lifetime-seconds seconds;
    protocol (ah | esp | bundle);
}

Tasks to configure an IPsec proposal for an ES PIC are:

  • Configuring the Authentication Algorithm for an IPsec Proposal
  • Configuring the Description for an IPsec Proposal
  • Configuring the Encryption Algorithm for an IPsec Proposal
  • Configuring the Lifetime for an IPsec SA
  • Configuring the Protocol for a Dynamic IPsec SA

Configuring the Authentication Algorithm for an IPsec Proposal

To configure an IPsec authentication algorithm, include the authentication-algorithm statement at the [edit security ipsec proposal ipsec-proposal-name] hierarchy level:

[edit security ipsec proposal ipsec-proposal-name]
authentication-algorithm (hmac-md5-96 | hmac-sha1-96);

The authentication algorithm can be one of the following:

  • hmac-md5-96—Keyed-hash message authentication code (HMAC) based on MD5 that authenticates packet data. It produces a 128-bit digest, of which only the first 96 bits are carried in the packet and checked.
  • hmac-sha1-96—Keyed-hash message authentication code (HMAC) based on SHA-1 that authenticates packet data. It produces a 160-bit digest, of which only the first 96 bits are carried in the packet and checked.

    Note: Of the two, hmac-sha1-96 is the stronger choice. HMAC-MD5 is deprecated for IPsec use; select hmac-md5-96 only when a legacy peer cannot negotiate anything else.

Configuring the Description for an IPsec Proposal

To specify a description for an IPsec proposal, include the description statement at the [edit security ipsec proposal ipsec-proposal-name] hierarchy level:

[edit security ipsec proposal ipsec-proposal-name]
description description;

Configuring the Encryption Algorithm for an IPsec Proposal

To configure the IPsec encryption algorithm, include the encryption-algorithm statement at the [edit security ipsec proposal ipsec-proposal-name] hierarchy level:

[edit security ipsec proposal ipsec-proposal-name]
encryption-algorithm (3des-cbc | des-cbc);

The encryption algorithm can be one of the following:

  • 3des-cbc—Triple DES in cipher block chaining mode. It has a block size of 8 bytes (64 bits) and a 192-bit key, of which 168 bits are effective (the remaining 24 bits are parity bits).
  • des-cbc—DES in cipher block chaining mode. It has a block size of 8 bytes (64 bits) and a 64-bit key, of which 56 bits are effective (the remaining 8 bits are parity bits).

    Note: We recommend that you use the triple DES cipher block chaining (3DES-CBC) encryption algorithm. Single DES's 56-bit key can be recovered by brute force with modest resources; select des-cbc only when a peer cannot negotiate 3des-cbc.

Configuring the Lifetime for an IPsec SA

The IPsec lifetime option sets the lifetime of an IPsec SA. When the IPsec SA expires, it is either replaced by a new SA (with a new SPI) or terminated. A new SA has new authentication and encryption keys and a new SPI; the algorithms stay the same unless the proposal is changed. If you do not configure a lifetime and the responder does not send one, the lifetime is 28,800 seconds (8 hours).

To configure the IPsec lifetime, include the lifetime-seconds statement and specify the number of seconds (180 through 86,400) at the [edit security ipsec proposal ipsec-proposal-name] hierarchy level:

[edit security ipsec proposal ipsec-proposal-name]
lifetime-seconds seconds;

Note: When a dynamic SA is created, two types of lifetimes are used: hard and soft. The hard lifetime is the lifetime of the SA. The soft lifetime, which is derived from the hard lifetime, tells the IPsec key management system that the SA is about to expire, so that it can negotiate a new SA before the hard lifetime is reached and traffic is not interrupted. The value you specify with lifetime-seconds is the hard lifetime.

Configuring the Protocol for a Dynamic IPsec SA

The protocol statement sets the protocol for a dynamic SA. ESP can provide authentication, encryption, or both. AH provides strong authentication only; in addition to the payload, it also authenticates the IP header itself (the fields that do not change in transit). The bundle option uses AH for authentication and ESP for encryption; it does not use ESP authentication because AH's coverage of the whole IP packet is the stronger guarantee. Note that AH encrypts nothing, so a proposal with protocol ah gives integrity and origin authentication but no confidentiality.

To configure the protocol for a dynamic SA, include the protocol statement at the [edit security ipsec proposal ipsec-proposal-name] hierarchy level:

[edit security ipsec proposal ipsec-proposal-name]
protocol (ah | esp | bundle);
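The script below is an added example, not Juniper code: it parses proposal stanzas written in the hierarchy shown in this section and checks every statement against the values documented above (the two authentication algorithms, the two encryption algorithms, the 180 through 86,400 second lifetime range and its 28,800 second default, and the three protocols), then flags the weak-but-accepted choices and the protocol/algorithm combinations that the description of ah, esp and bundle makes questionable. The one-statement-per-line parser, the consistency rules (for example that bundle needs both algorithms) and the sample configuration with its weak-legacy and es-pic-hardened proposals are all constructed for this example and are not a documented Junos commit check.

```python
import re

# Values this section documents for the ES PIC proposal statements.
AUTH_ALGS = {"hmac-md5-96", "hmac-sha1-96"}
ENC_ALGS = {"3des-cbc", "des-cbc"}
PROTOCOLS = {"ah", "esp", "bundle"}
LIFETIME_MIN, LIFETIME_MAX = 180, 86400  # documented lifetime-seconds range
DEFAULT_LIFETIME = 28800                 # applies when neither side sets one
STANZA_RE = re.compile(r"proposal\s+(\S+)\s*\{(.*?)\}", re.S)
STMT_RE = re.compile(r"^([a-z-]+)\s+(.+?);$")


def parse_proposals(text):
    """Map proposal name -> {statement: value} for each `proposal NAME { ... }`."""
    proposals = {}
    for m in STANZA_RE.finditer(text):
        name, stmts = m.group(1), {}
        for raw in m.group(2).splitlines():  # one `statement value;` per line (assumed)
            line = raw.strip()
            if not line:
                continue
            sm = STMT_RE.match(line)
            if not sm:
                raise ValueError(f"{name}: cannot parse {line!r}")
            key, val = sm.groups()
            stmts[key] = val.strip().strip('"')
        proposals[name] = stmts
    return proposals


def lint(s):
    """Return (errors, warnings) for one proposal's statement dict: errors are
    values the section does not allow, warnings are weak or questionable choices."""
    errors, warnings = [], []
    proto = s.get("protocol")
    auth = s.get("authentication-algorithm")
    enc = s.get("encryption-algorithm")

    if proto not in PROTOCOLS:
        errors.append(f"protocol must be one of {sorted(PROTOCOLS)}, got {proto!r}")
    if auth is not None and auth not in AUTH_ALGS:
        errors.append(f"unknown authentication-algorithm {auth!r}")
    if enc is not None and enc not in ENC_ALGS:
        errors.append(f"unknown encryption-algorithm {enc!r}")

    lifetime = s.get("lifetime-seconds")
    if lifetime is None:
        warnings.append(f"no lifetime-seconds; {DEFAULT_LIFETIME} s applies "
                        "unless the responder sends a lifetime")
    elif not lifetime.isdigit() or not LIFETIME_MIN <= int(lifetime) <= LIFETIME_MAX:
        errors.append(f"lifetime-seconds {lifetime!r} outside "
                      f"{LIFETIME_MIN}-{LIFETIME_MAX}")

    # AH authenticates only; bundle = AH auth + ESP encryption; ESP = either or both.
    if proto == "ah" and auth is None:
        errors.append("protocol ah requires an authentication-algorithm")
    if proto == "bundle" and (auth is None or enc is None):
        errors.append("protocol bundle requires both an authentication-algorithm "
                      "and an encryption-algorithm")
    if proto == "esp" and auth is None and enc is None:
        errors.append("protocol esp needs an authentication-algorithm, an "
                      "encryption-algorithm, or both")
    if proto == "esp" and enc is not None and auth is None:
        warnings.append("encryption-only ESP: packets are not integrity-protected")

    # Accepted by the ES PIC, but weak.
    if enc == "des-cbc":
        warnings.append("des-cbc has a 56-bit effective key; use 3des-cbc")
    if auth == "hmac-md5-96":
        warnings.append("hmac-md5-96: prefer hmac-sha1-96")
    return errors, warnings


def lint_config(text):
    """Map proposal name -> (errors, warnings) for every stanza in `text`."""
    return {name: lint(stmts) for name, stmts in parse_proposals(text).items()}


# Constructed sample: a weak proposal next to a corrected one.
SAMPLE_CONFIG = """
proposal weak-legacy {
    authentication-algorithm hmac-md5-96;
    encryption-algorithm des-cbc;
    lifetime-seconds 100;
    protocol esp;
}
proposal es-pic-hardened {
    description "3DES with SHA-1 as an AH plus ESP bundle";
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
    protocol bundle;
}
"""

if __name__ == "__main__":
    for name, (errs, warns) in lint_config(SAMPLE_CONFIG).items():
        print(f"{name}: errors={errs} warnings={warns}")
```

Run against the sample, weak-legacy produces one error (the 100 second lifetime is below the 180 second minimum) and two warnings (des-cbc and hmac-md5-96), while es-pic-hardened is clean. Feed it the output of show configuration security ipsec from a router to audit the proposals actually committed; the lint function can also be called directly on a statement dict, which is convenient for checking a proposal before it is written.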

Published: 2010-04-26
