Minimum Security Association Configurations
The following sections show the minimum configurations necessary to set up security associations (SAs) for IPsec services:
Minimum Manual SA Configuration
To define a manual SA configuration, you must include at least the following statements at the [edit services ipsec-vpn rule rule-name term term-name then manual] hierarchy level:
[edit services ipsec-vpn rule rule-name term term-name then manual]
direction (inbound | outbound | bidirectional) {
    authentication {
        algorithm (hmac-md5-96 | hmac-sha1-96);
        key (ascii-text key | hexadecimal key);
    }
    encryption {
        algorithm algorithm;
        key (ascii-text key | hexadecimal key);
    }
    protocol (ah | esp | bundle);
    spi spi-value;
}
Minimum Dynamic SA Configuration
To define a dynamic SA configuration, you must include at least the following statements at the [edit services ipsec-vpn] hierarchy level:
[edit services ipsec-vpn]
ike {
    proposal proposal-name {
        authentication-algorithm (md5 | sha1 | sha-256);
        authentication-method pre-shared-keys;
        dh-group (group1 | group2 | group5 | group14);
        encryption-algorithm algorithm;
    }
    policy policy-name {
        proposals [ ike-proposal-names ];
        pre-shared-key (ascii-text key | hexadecimal key);
        version (1 | 2);
        mode (aggressive | main);
    }
}
ipsec {
    policy policy-name {
        proposals [ ipsec-proposal-names ];
    }
    proposal proposal-name {
        authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
        encryption-algorithm algorithm;
        protocol (ah | esp | bundle);
    }
}
You must also include the ipsec-policy statement at the [edit services ipsec-vpn rule rule-name term term-name then dynamic] hierarchy level.
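The following Python check is an added example, not part of the original page or of Junos. It parses text entered at the [edit services ipsec-vpn] level, reports any statement from the dynamic SA minimum above that is missing, and flags a few options from the lists above that this example assumes are weak (md5, hmac-md5-96, group1, group2, aggressive mode). The function names, the WEAK policy and the sample configuration (including aes-256-cbc and the key placeholder) are assumptions of the example.

```python
import re
REQUIRED = {  # minimum statements per block, from the dynamic SA hierarchy above
    ("ike", "proposal"): "authentication-algorithm authentication-method dh-group encryption-algorithm",
    ("ike", "policy"): "proposals pre-shared-key version mode",
    ("ipsec", "policy"): "proposals",
    ("ipsec", "proposal"): "authentication-algorithm encryption-algorithm protocol",
}
# Assumption of this example (not from the page): options treated as weak.
WEAK = {"authentication-algorithm": {"md5", "hmac-md5-96"},
        "dh-group": {"group1", "group2"}, "mode": {"aggressive"}}

def parse(text):  # curly-brace configuration text -> nested dicts
    root, stack, words = {}, [], []
    node = root
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "{":      # open a block named by the words seen so far
            stack.append(node)
            node, words = node.setdefault(" ".join(words), {}), []
        elif tok == "}":    # close the current block
            node, words = stack.pop(), []
        elif tok == ";":    # leaf statement: first word is the statement name
            if words:
                node[words[0]] = " ".join(words[1:])
            words = []
        else:
            words.append(tok)
    return root

def audit(text):  # report missing minimum statements and options listed in WEAK
    cfg, findings = parse(text), []
    for (section, kind), needed in REQUIRED.items():
        blocks = {k: v for k, v in cfg.get(section, {}).items()
                  if k.startswith(kind + " ") and isinstance(v, dict)}
        if not blocks:
            findings.append(f"missing: {section} {kind}")
        for name, body in blocks.items():
            for stmt in needed.split():
                if stmt not in body:
                    findings.append(f"missing: {section} {name} {stmt}")
                elif body[stmt] in WEAK.get(stmt, ()):
                    findings.append(f"weak: {section} {name} {stmt} {body[stmt]}")
    return findings

# Constructed sample: names, key and values are placeholders, not a device config.
SAMPLE = """ike { proposal ike-prop { authentication-algorithm md5; dh-group group2;
    authentication-method pre-shared-keys; encryption-algorithm aes-256-cbc; }
  policy ike-pol { proposals [ ike-prop ]; pre-shared-key ascii-text "EXAMPLE-ONLY";
    version 1; mode aggressive; } }
ipsec { policy ipsec-pol { proposals [ ipsec-prop ]; }
  proposal ipsec-prop { authentication-algorithm hmac-sha1-96; protocol esp; } }"""
```

Calling audit(SAMPLE) returns three weak-option findings and one missing encryption-algorithm statement. The rule-level ipsec-policy statement is outside what this check covers.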