Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


proposal (Security Group VPN Member IKE)


Hierarchy Level


Define an IKE proposal. You can configure one or more IKE proposals. Each proposal is a list of IKE attributes to protect the IKE connection between the IKE host and its peer.


proposal proposal-name—Name of the IKE proposal. The proposal name can be up to 32 alphanumeric characters long.

authentication-algorithm—Configure the Internet Key Exchange (IKE) authentication algorithm. Hash algorithm that authenticates packet data. It can be one of the following algorithms:

  • sha-256—Produces a 256-bit digest. This is the default value.

  • sha-384—Produces a 384-bit digest.

authentication-method pre-shared-keys—Specify the method the device uses to authenticate the source of Internet Key Exchange (IKE) messages. The pre-shared-keys option refers to a preshared key, which is a secret key shared between the two peers, is used during authentication to identify the peers to each other. The same key must be configured for each peer. This is the default method.

description description—Specify descriptive text for an IKE proposal.

dh-group—Specify the IKE Diffie-Hellman group for key establishment.

  • group14—2048-bit group. This is the default value.

  • group24—2048-bit, 256 bit subgroup. Support for the group24 option added in Junos OS Release 15.1X49-D30 for vSRX Virtual Firewall.

encryption-algorithm—Configure an encryption algorithm for an IKE proposal.

  • aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption algorithm.

  • aes-192-cbc—AES 192-bit encryption algorithm.

  • aes-256-cbc—AES 256-bit encryption algorithm.

lifetime-seconds seconds—Specify the lifetime (in seconds) of an IKE or IPsec security association (SA) for group VPN. When the SA expires, it is replaced by a new SA and security parameter index (SPI) or terminated.

  • Range: 180 through 86,400 seconds

  • Default: 3600 seconds

The device does not delete existing IPsec SAs when you update the authentication-algorithm, authentication-method, dh-group, and encryption-algorithm configuration in the IKE proposal.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 10.2.