Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

proposal (Security IKE)

Syntax

Hierarchy Level

Description

Define an IKE proposal.

Options

proposal-name

Name of the IKE proposal. The proposal name can be up to 32 alphanumeric characters long.
authentication-algorithm

Configure the Internet Key Exchange (IKE) authentication hash algorithm that authenticates packet data. It can be one of the following algorithms:

  • md5—Produces a 128-bit digest.

  • sha-256—Produces a 256-bit digest.

  • sha-384—Produces a 384-bit digest.

  • In Power Mode IPSec mode and in normal mode—

    • sha1—Produces a 160-bit digest.

    • sha-512—Produces a 512-bit digest.

The device deletes existing IPsec SAs when you update the authentication-algorithm configuration either in the IKE proposal or IPsec proposal.
authentication-method

Specify the method the device uses to authenticate the source of Internet Key Exchange (IKE) messages. The pre-shared-keys option refers to a preshared key, which is a key for encryption and decryption that both participants must have before beginning tunnel negotiations. The other options refer to types of digital signatures, which are certificates that confirm the identity of the certificate holder. The device deletes existing IPsec SAs when you update the authentication-method configuration in the IKE proposal.

  • certificates—You can establish the IKEv2 and IPsec SA tunnels irrespective of the type of certificate used on initiator and responder. The authentication-method certificates option cannot be used with IKEv1.

  • digital-signature—Specify digital signature as an authentication method for IKEv2. Note that you cannot use the option with IKEv1.

  • dsa-signatures—Specify that the Digital Signature Algorithm (DSA) is used.

  • ecdsa-signatures-256—Specify that the Elliptic Curve DSA (ECDSA) using the 256-bit elliptic curve secp256r1, as specified in the Federal Information Processing Standard (FIPS) Digital Signature Standard (DSS) 186-3, is used.

  • ecdsa-signatures-384—Specify that the ECDSA using the 384-bit elliptic curve secp384r1, as specified in the FIPS DSS 186-3, is used.

  • pre-shared-keys—Specify that a preshared key, which is a secret key shared between the two peers, is used during authentication to identify the peers to each other. The same key must be configured for each peer. This is the default method.

  • rsa-signatures—Specify that a public key algorithm, which supports encryption and digital signatures, is used.

  • ecdsa-signatures-521—Specify that the ECDSA using the 521-bit elliptic curve secp521r1 is used.

description description

Text the description of IKE proposal.
dh-group

Specify the IKE Diffie-Hellman group.
encryption-algorithm

Configure an encryption algorithm for an IKE proposal.
lifetime-seconds seconds

Specify the lifetime (in seconds) of an IKE security association (SA). When the SA expires, it is replaced by a new SA and security parameter index (SPI) or terminated.

  • Range: 180 through 86,400 seconds

  • Default: 28,800 seconds
signature-hash-algorithm

(Optional) Specify the digital signature hash algorithms for IKEv2. Note that you cannot use the option with IKEv1.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement modified in Junos OS Release 8.5.

Support for dh-group group 14 and dsa-signatures added in Junos OS Release 11.1.

Support for sha-384, ecdsa-signatures-256, ecdsa-signatures-384, group19, group20, and group24 options added in Junos OS Release 12.1X45-D10.

Support for ecdsa-signatures-256 and ecdsa-signatures-384 options added in Junos OS Release 12.1X45-D10.

Support for sha-512, group15, group16, group21, and ecdsa-signatures-521 options added in Junos OS Release 19.1R1 on SRX5000 line of devices with junos-ike package installed.

Support for authentication algorithm (SH1: hmac-sha1-96) added to vSRX Virtual Firewall in Junos OS Release 19.3R1 for Power Mode IPSec mode, along with the existing support in normal mode.

Support for group15, group16, and group21 options added in Junos OS Release 20.3R1 on vSRX Virtual Firewall instances with junos-ike package installed.

Support for group15, group16, and group21 options added in Junos OS Release 21.1R1 on vSRX Virtual Firewall 3.0 instances with junos-ike package installed.

Support for certificates option added in Junos OS Release 22.4R1 on MX240, MX480, and MX960 in USF mode, SRX1500, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX 3.0 running the iked process.

Support for the chacha20-poly1305 option added to SRX1600, SRX2300, SRX4120, SRX4300, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX 3.0 in Junos OS Release 24.2R1.

Support for the digital-signature and signature-hash-algorithm options added in Junos OS Release 24.4R1.

We've deprecated support for md5 and sha1 in authentication-algorithm, des-cbc and 3des-cbc in encryption-algorithm, and group1, group2 and group5 in dh-group starting in Junos OS Release 25.2R1.

Related Documentation