Configuring an IKE Policy

To specify a description for an IKE policy, include the description statement at the [edit security ike policy ike-peer-address] hierarchy level:

IKE policy has two modes: aggressive and main. By default, main mode is enabled. Main mode uses six messages, in three exchanges, to establish the IKE SA. (These three steps are IKE SA negotiation, a Diffie-Hellman key exchange, and authentication of the peer.) Main mode also allows a peer to hide its identity.

Aggressive mode also establishes an authenticated IKE SA and keys. However, aggressive mode uses half the number of messages, has less negotiation power, and does not provide identity protection. The peer can use the aggressive or main mode to start IKE negotiation; the remote peer accepts the mode sent by the peer.

To configure IKE policy mode, include the mode statement and specify aggressive or main at the [edit security ike policy ike-peer-address] hierarchy level:

For Junos OS in FIPS mode, the aggressive option for IKEv1 is not supported with the mode statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level.

IKE policy preshared keys authenticate peers. You must manually configure a preshared key, which must match that of its peer. The preshared key can be an ASCII text (alphanumeric) key or a hexadecimal key.

A local certificate is an alternative to the preshared key. A commit operation fails if either a preshared key or a local certificate is not configured.

To configure an IKE policy preshared key, include the pre-shared-key statement at the [edit security ike policy ike-peer-address] hierarchy level:

The IKE policy proposal is a list of one or more proposals associated with an IKE policy.

To configure an IKE policy proposal, include the proposals statement at the [edit security ike policy ike-peer-address] hierarchy level and specify one or more proposal names: