Configuring an IPsec Policy
Configuring the IPsec Policy for an ES PIC
An IPsec policy defines a combination of security parameters (IPsec proposals) used during IPsec negotiation. It defines Perfect Forward Secrecy (PFS) and the proposals needed for the connection. During the IPsec negotiation, IPsec looks for an IPsec proposal that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match.
A match is made when both policies from the two peers have a proposal that contains the same configured attributes. If the lifetimes are not identical, the shorter lifetime between the two policies (from the host and peer) is used.
You can create multiple, prioritized IPsec proposals at each peer to ensure that at least one proposal will match a remote peer’s proposal.
First, you configure one or more IPsec proposals; then you associate these proposals with an IPsec policy. You can prioritize the proposals in the list by listing them in the order in which the IPsec policy uses them (first to last).
To configure an IPsec policy, include the policy statement at
the [edit security ipsec] hierarchy level, specifying the policy name and one or
more proposals you want to associate with this policy:
[edit security ipsec] policy ipsec-policy-name { proposals [ proposal-names ]; }
Configuring Perfect Forward Secrecy
PFS provides additional security by means of a Diffie-Hellman key exchange shared secret value. With PFS, if one key is compromised, previous and subsequent keys are secure because they are not derived from previous keys. This statement is optional.
To configure PFS, include the perfect-forward-secrecy statement
and specify a Diffie-Hellman group at the [edit security ipsec policy ipsec-policy-name] hierarchy level:
[edit security ipsec policy ipsec-policy-name] perfect-forward-secrecy { keys (group1 | group2); }
The key can be one of the following:
group1—Specify that IKE use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.group2—Specify that IKE use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
group2 provides more security than group1, but requires
more processing time.
Example: Configuring an IPsec Policy
The following example shows how to configure an IPsec policy:
[edit security ipsec]
proposal dynamic-1 {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 6000;
}
proposal dynamic-2 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 6000;
}
policy dynamic-policy-1 {
perfect-forward-secrecy {
keys group1;
}
proposals [ dynamic-1 dynamic-2 ];
}
security-association dynamic-sa1 {
dynamic {
replay-window-size 64;
ipsec-policy dynamic-policy-1;
}
}
Updates to the current IPsec proposal and policy configuration are not applied to the current IPsec SA; updates are applied to new IPsec SAs.
If you want the new updates to take immediate effect, you must clear the existing IPsec security associations so that they will be reestablished with the changed configuration. For information about how to clear the current IPsec security association, see the CLI Explorer.