Configuring an IKE Policy for Preshared Keys

An IKE policy defines a combination of security parameters (IKE proposals) to be used during IKE negotiation. It defines a peer address, the preshared key for the given peer, and the proposals needed for that connection. During the IKE negotiation, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match.

A match is made when the two peers' policies each contain a proposal with the same configured attributes (authentication method, Diffie-Hellman group, authentication algorithm, and encryption algorithm). If the lifetimes are not identical, the shorter of the two configured lifetimes (host and peer) is used. The configured preshared key must also match the peer's key.

You can create multiple, prioritized proposals at each peer to ensure that at least one proposal will match a remote peer’s proposal.

First, you configure one or more IKE proposals; then you associate these proposals with an IKE policy. You can also prioritize a list of proposals used by IKE in the policy statement by listing the proposals you want to use, from first to last.

To configure an IKE policy, include the policy statement at the [edit security ike] hierarchy level and specify a peer address:

[edit security ike]
policy ike-peer-address;

Note: The IKE policy peer address must be an IPsec tunnel destination address.

Tasks for configuring an IKE policy are:

  1. Configuring the Description for an IKE Policy
  2. Configuring the Mode for an IKE Policy
  3. Configuring the Preshared Key for an IKE Policy
  4. Associating Proposals with an IKE Policy

Configuring the Description for an IKE Policy

To specify a description for an IKE policy, include the description statement at the [edit security ike policy ike-peer-address] hierarchy level:

[edit security ike policy ike-peer-address]
description description;

Configuring the Mode for an IKE Policy

IKE policy has two modes: aggressive and main. By default, main mode is enabled. Main mode uses six messages, in three exchanges, to establish the IKE SA. (These three steps are IKE SA negotiation, a Diffie-Hellman key exchange, and authentication of the peer.) Main mode also allows a peer to hide its identity.

Aggressive mode also establishes an authenticated IKE SA and keys. However, aggressive mode uses half the number of messages, offers less negotiating flexibility, and does not provide identity protection: the peers' identities and the preshared-key-based authentication hashes are exchanged before the channel is encrypted, so a passive observer can capture the hash and attempt an offline dictionary attack on the preshared key. Prefer main mode unless the remote peer cannot use it. The initiating peer chooses aggressive or main mode; the responding peer accepts the mode the initiator uses.

To configure IKE policy mode, include the mode statement and specify aggressive or main at the [edit security ike policy ike-peer-address] hierarchy level:

[edit security ike policy ike-peer-address]
mode (aggressive | main);

Configuring the Preshared Key for an IKE Policy

IKE policy preshared keys authenticate peers. You must manually configure a preshared key, and it must match the key configured on the peer. The preshared key can be an ASCII text (alphanumeric) key or a hexadecimal key. Because the key is the only secret protecting the IKE authentication, choose a long random value (for example, 32 or more bytes from a cryptographic random source entered as a hexadecimal key) rather than a short or memorable passphrase.

A local certificate is an alternative to the preshared key. A commit operation fails if neither a preshared key nor a local certificate is configured.

To configure an IKE policy preshared key, include the pre-shared-key statement at the [edit security ike policy ike-peer-address] hierarchy level:

[edit security ike policy ike-peer-address]
pre-shared-key (ascii-text key | hexadecimal key);

Associating Proposals with an IKE Policy

The proposals statement in an IKE policy lists one or more IKE proposals, in priority order from first to last, that IKE offers (or accepts) for that peer.

To configure an IKE policy proposal, include the proposals statement at the [edit security ike policy ike-peer-address] hierarchy level and specify one or more proposal names:

[edit security ike policy ike-peer-address]
proposals [ proposal-names ];
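The four tasks above combined into one configuration, shown as an added example that is not from the original page. It configures two IKE proposals, associates them with a main-mode policy named by the peer address in priority order, and authenticates with a hexadecimal preshared key. The proposal names, the peer address 192.0.2.2, the description text, and the key value are placeholders chosen for this example; the algorithm and Diffie-Hellman group values are illustrative and should be checked against the values your platform supports.

```junos
[edit security ike]
/* Preferred proposal: offered first during negotiation */
proposal ike-prop-aes128-sha1-g5 {
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 28800;
}
/* Fallback proposal for older peers; offered only if the first does not match */
proposal ike-prop-3des-sha1-g2 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 28800;
}
/* Policy name is the peer address, which must be the IPsec tunnel destination */
policy 192.0.2.2 {
    description "Main-mode PSK policy to branch peer (example)";
    mode main;
    proposals [ ike-prop-aes128-sha1-g5 ike-prop-3des-sha1-g2 ];
    /* Placeholder key: replace with a random value and configure the same value on the peer */
    pre-shared-key hexadecimal 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef;
}
```

The peer must carry a policy whose proposals match at least one of these on every attribute, with the identical preshared key; if its configured lifetime differs, the shorter value is negotiated. Generate the real key from a cryptographic random source (for example, `openssl rand -hex 32` on a workstation) rather than typing a passphrase, and keep the policy in main mode so the key-derived authentication hash is never sent in the clear.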

Published: 2012-07-03