proposal-set (Security IKE)
Syntax
proposal-set (basic | compatible | prime-128 | prime-256 | standard | suiteb-gcm-128 | suiteb-gcm-256);
Hierarchy Level
[edit security ike policy policy-name]
Description
Specify a set of default Internet Key Exchange (IKE) proposals.
The prime-128 and prime-256 proposal sets require IKEv2 and certificate-based authentication.
Options
basic—Includes a basic set of two IKE proposals:
Proposal 1—Preshared key, Data Encryption Standard (DES) encryption, and Diffie-Hellman (DH) group 1 and Secure Hash Algorithm 1 (SHA-1) authentication.
Proposal 2—Preshared key, DES encryption, and DH group 1 and Message Digest 5 (MD5) authentication.
compatible—Includes a set of four commonly used IKE proposals:
Proposal 1—Preshared key, triple DES (3DES) encryption, and DH group 2 and SHA-1 authentication.
Proposal 2—Preshared key, 3DES encryption, and DH group 2 and MD5 authentication.
Proposal 3—Preshared key, DES encryption, and DH group 2 and SHA-1 authentication.
Proposal 4—Preshared key, DES encryption, and DH group 2 and MD5 authentication.
prime-128—Provides the following proposal set (this option is not supported on Group VPNv2):
Authentication method—Elliptic Curve Digital Signature Algorithm (ECDSA) 256-bit signatures.
Diffie-Hellman Group—19.
Encryption algorithm—Advanced Encryption Standard (AES) 128-bit Galois/Counter Mode (GCM).
Authentication algorithm—None (AES-GCM provides both encryption and authentication).
When this option is used, prime-128 should also be configured at the [edit security ipsec policy policy-name proposal-set] hierarchy level.
prime-256—Provides the following proposal set (this option is not supported on Group VPNv2):
Authentication method—ECDSA 384-bit signatures.
Diffie-Hellman Group—20.
Encryption algorithm—AES 256-bit GCM.
Authentication algorithm—None (AES-GCM provides both encryption and authentication).
When this option is used, prime-256 should also be configured at the [edit security ipsec policy policy-name proposal-set] hierarchy level.
standard—Includes a standard set of two IKE proposals:
Proposal 1—Preshared key, 3DES encryption, and DH group 2 and SHA-1 authentication.
Proposal 2—Preshared key, AES 128-bit encryption, and DH group 2 and SHA-1 authentication.
suiteb-gcm-128—Provides the following Suite B proposal set (this option is not supported on Group VPNv2):
Authentication method—ECDSA 256-bit signatures
Diffie-Hellman Group—19
Encryption algorithm—Advanced Encryption Standard (AES) 128-bit cipher block chaining (CBC)
Authentication algorithm—SHA-256
suiteb-gcm-256—Provides the following Suite B proposal set (this option is not supported on Group VPNv2):
Authentication method—ECDSA 384-bit signatures
Diffie-Hellman Group—20
Encryption algorithm—AES 256-bit CBC
Authentication algorithm—SHA-384
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 8.5. Support for suiteb-gcm-128 and suiteb-gcm-256 options added in Junos OS Release 12.1X45-D10. Support for prime-128 and prime-256 options added in Junos OS Release 15.1X49-D40.
Starting in Junos OS Release 20.2R1, we’ve changed the help text description to NOT RECOMMENDED for the CLI options basic, compatible, and standard for SRX Series Firewalls running the iked process with the junos-ike package.
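An added example, not part of the Juniper documentation: a Python audit over "display set" output that flags IKE policies using the basic, compatible, or standard proposal sets and checks that each prime-128 or prime-256 IKE policy is paired with an IPsec policy using the same set. The sample configuration and all policy, gateway, and VPN names are constructed, and linking the two policies through the ike gateway and ipsec vpn statements is an assumption about how the configuration is laid out.

```python
import re

# Sets whose CLI help text is marked NOT RECOMMENDED from Junos OS 20.2R1 (per the page).
NOT_RECOMMENDED = {"basic", "compatible", "standard"}
# Sets the page says should also be configured on the IPsec policy.
PAIRED = {"prime-128", "prime-256"}
# Statement forms in "display set" output; the gateway/vpn linkage is an assumed layout.
PATTERNS = {
    "ike_set": re.compile(r"^set security ike policy (\S+) proposal-set (\S+)$"),
    "ipsec_set": re.compile(r"^set security ipsec policy (\S+) proposal-set (\S+)$"),
    "gw_policy": re.compile(r"^set security ike gateway (\S+) ike-policy (\S+)$"),
    "vpn_gw": re.compile(r"^set security ipsec vpn (\S+) ike gateway (\S+)$"),
    "vpn_policy": re.compile(r"^set security ipsec vpn (\S+) ike ipsec-policy (\S+)$"),
}

def audit(config_text):
    """Return sorted (ike_policy, finding) tuples for a 'display set' configuration."""
    maps = {name: {} for name in PATTERNS}
    for line in config_text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.match(line.strip())
            if m:
                maps[name][m.group(1)] = m.group(2)
    findings = []
    for policy, pset in maps["ike_set"].items():
        if pset in NOT_RECOMMENDED:
            findings.append((policy, f"proposal-set {pset} is NOT RECOMMENDED"))
        elif pset in PAIRED:
            # Follow IKE policy -> gateway -> VPN -> IPsec policy and compare sets.
            gateways = {g for g, p in maps["gw_policy"].items() if p == policy}
            for vpn in (v for v, g in maps["vpn_gw"].items() if g in gateways):
                ipsec_policy = maps["vpn_policy"].get(vpn)
                ipsec_set = maps["ipsec_set"].get(ipsec_policy)
                if ipsec_set != pset:
                    findings.append((policy, f"vpn {vpn}: ipsec policy "
                                     f"{ipsec_policy} uses {ipsec_set}, expected {pset}"))
    return sorted(findings)

# Constructed sample configuration; every name here is hypothetical.
SAMPLE = """\
set security ike policy branch-psk proposal-set compatible
set security ike policy dc-cert proposal-set prime-128
set security ike gateway gw-dc ike-policy dc-cert
set security ipsec policy ipsec-dc proposal-set standard
set security ipsec vpn vpn-dc ike gateway gw-dc
set security ipsec vpn vpn-dc ike ipsec-policy ipsec-dc
"""

if __name__ == "__main__":
    print("\n".join(f"{p}: {f}" for p, f in audit(SAMPLE)))
```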