Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

policy (Security IPsec)

Syntax

Hierarchy Level

Description

Define an IPsec policy. An IPsec policy defines a combination of security parameters (IPsec proposals) used during IPsec negotiation. It defines Perfect Forward Secrecy (PFS) and the proposals needed for the connection.

Options

name

Name of the IPsec policy.

description

Enter descriptive text for an IPsec policy.

perfect-forward-secrecy keys

Specify Perfect Forward Secrecy (PFS) as the method that the device uses to generate the encryption key. PFS generates each new encryption key independently from the previous key. The device deletes existing IPsec SAs when you update the perfect-forward-secrecy configuration in the IPsec policy.

  • Values:

    • group14—2048-bit MODP group.

    • group15—3072-bit MODP algorithm.

    • group16—4096-bit MODP algorithm.

    • group19—256-bit random Elliptic Curve Groups modulo a Prime (ECP groups) algorithm.

    • group20—384-bit random ECP groups algorithm.

    • group21—521-bit random ECP groups algorithm.

    • group24—2048-bit MODP Group with 256-bit prime order subgroup.

proposal-set

Define a set of default IPsec proposals.

  • Values:

    • prime-128—Provides the following proposal set:

      • Encapsulating Security Payload (ESP) protocol

      • Encryption algorithm—Advanced Encryption Standard Galois/Counter mode (AES-GCM)128-bit

      • Authentication algorithm—None (AES-GCM provides both encryption and authentication)

      This option is not supported on Group VPNv2.

    • prime-256—Provides the following proposal set:

      • ESP protocol

      • Encryption algorithm—AES-GCM 256-bit

      • Authentication algorithm—None (AES-GCM provides both encryption and authentication)

      This option is not supported on Group VPNv2.

    • suiteb-gcm-128—Provides the following proposal set:

      • ESP protocol

      • Encryption algorithm—AES-GCM 128-bit

      • Authentication algorithm—None (AES-GCM provides both encryption and authentication)

      This option is not supported on Group VPNv2.

    • suiteb-gcm-256—Provides the following proposal set:

      • ESP protocol

      • Encryption algorithm—AES-GCM 256-bit

      • Authentication algorithm—None (AES-GCM provides both encryption and authentication)

      This option is not supported on Group VPNv2.

proposals proposal-name

Specify up to four Phase 2 proposals for an IPsec policy. If you include multiple proposals, use the same Diffie-Hellman group in all of the proposals.

Proposals are evaluated in the order they appear on the list, from top down, so specify the highest priority first, followed by the next highest priority, and so on.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement modified in Junos OS Release 8.5.

Support for group 14 is added in Junos OS Release 11.1.

Support for group14 options added in Junos OS Release 11.1.

Support for group19, group20, and group24 options added in Junos OS Release 12.1X45-D10.

group15, group16, and group21 options introduced in Junos OS Release 19.1R1 on SR5000 line of devices with junos-ike package installed.

Support for suiteb-gcm-128 and suiteb-gcm-256 options added in Junos OS Release 12.1X45-D10. Support for prime-128 and prime-256 options added in Junos OS Release 15.1X49-D40.

Starting in Junos OS Release 20.2R1, we’ve changed the help text description as NOT RECOMMENDED for the CLI options group1, group2, and group5 for devices running IKED with junos-ike package installed.

Support for group15, group16, and group21 options added in Junos OS Release 20.3R1 on vSRX Virtual Firewall instances with junos-ike package installed.

Support for group15, group16, and group21 options added in Junos OS Release 21.1R1 on vSRX Virtual Firewall 3.0 instances with junos-ike package installed.

We've deprecated support for group1, group2 and group5 in perfect-forward-secrecy keys and basic, compatible and standard in proposal-set starting in Junos OS Release 25.2R1.