Configuring IPsec Policies
An IPsec policy defines a combination of security parameters (IPsec proposals) used during IPsec negotiation. It defines Perfect Forward Secrecy (PFS) and the proposals needed for the connection. During the IPsec negotiation, IPsec looks for a proposal that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match.
A match is made when both policies from the two peers have a proposal that contains the same configured attributes. If the lifetimes are not identical, the shorter lifetime between the two policies (from the host and peer) is used.
You can create multiple, prioritized IPsec proposals at each peer to ensure that at least one proposal matches a remote peer’s proposal.
First, you configure one or more IPsec proposals; then you associate these proposals with an IPsec policy. You can prioritize a list of proposals used by IPsec in the policy statement by listing the proposals you want to use, from first to last.
To configure an IPsec policy, include the policy statement, and specify the policy name and one or more proposals to associate with the policy, at the [edit services ipsec-vpn ipsec] hierarchy level:
This section includes the following topics related to configuring an IPsec policy:
Configuring the Description for an IPsec Policy
To specify an optional text description for an IPsec policy, include the description statement at the [edit services ipsec-vpn ipsec policy policy-name] hierarchy level:
Configuring Perfect Forward Secrecy
PFS provides additional security by means of a Diffie-Hellman shared secret value. With PFS, if one key is compromised, previous and subsequent keys are secure because they are not derived from previous keys. This statement is optional.
To configure PFS, include the perfect-forward-secrecy statement and specify a Diffie-Hellman group at the [edit services ipsec-vpn ipsec policy policy-name] hierarchy level:
The key can be one of the following:
- group1—Specifies that IKE use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
- group2—Specifies that IKE use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
- group5—Specifies that IKE use the 1536-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
- group14—Specifies that IKE use the 2048-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
The higher-numbered groups provide more security than the lower-numbered groups, but require more processing time.
Configuring the Proposals in an IPsec Policy
An IPsec policy includes a list of one or more proposals, tried in the order listed.
To configure the proposals in an IPsec policy, include the proposals statement and specify one or more proposal names at the [edit services ipsec-vpn ipsec policy policy-name] hierarchy level:
Example: Configuring an IPsec Policy
Define an IPsec policy, dynamic policy-1, that is associated with two proposals (dynamic-1 and dynamic-2):
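As an added example (not Juniper's code), a small Python audit that parses set-style Junos statements for the policy described above, recovers each policy's PFS group and proposal priority list, and flags policies that omit PFS or use a Diffie-Hellman group below a chosen modulus size. The set-style statement forms, the hyphenated policy name dynamic-policy-1, the extra sample policies and the 2048-bit threshold are assumptions.

```python
import re
from collections import defaultdict

# Modulus size of each Diffie-Hellman group, as listed on this page.
DH_GROUP_BITS = {"group1": 768, "group2": 1024, "group5": 1536, "group14": 2048}
MIN_BITS = 2048  # assumed review threshold; choose per local policy

# Constructed set-style config: the page's example policy plus two weak ones (assumed syntax).
SAMPLE_CONFIG = """\
set services ipsec-vpn ipsec policy dynamic-policy-1 description "dynamic peers"
set services ipsec-vpn ipsec policy dynamic-policy-1 perfect-forward-secrecy keys group14
set services ipsec-vpn ipsec policy dynamic-policy-1 proposals [ dynamic-1 dynamic-2 ]
set services ipsec-vpn ipsec policy legacy-policy perfect-forward-secrecy keys group2
set services ipsec-vpn ipsec policy legacy-policy proposals legacy-1
set services ipsec-vpn ipsec policy no-pfs-policy proposals dynamic-1
"""

POLICY_RE = re.compile(r"^set services ipsec-vpn ipsec policy (\S+) (.+)$")

def parse_policies(config_text):
    """Return {policy_name: {"pfs": group_or_None, "proposals": [names in priority order]}}."""
    policies = defaultdict(lambda: {"pfs": None, "proposals": []})
    for line in config_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue  # statement outside the policy hierarchy
        name, rest = m.groups()
        if rest.startswith("perfect-forward-secrecy keys "):
            policies[name]["pfs"] = rest.split()[-1]
        elif rest.startswith("proposals"):
            # accepts "proposals x" and "proposals [ x y ]"; listed order is the priority order
            policies[name]["proposals"] += [t for t in rest.split()[1:] if t not in ("[", "]")]
    return dict(policies)

def audit(policies, min_bits=MIN_BITS):
    """Return (policy, finding) pairs for policies that need attention."""
    findings = []
    for name, pol in policies.items():
        if pol["pfs"] is None:
            findings.append((name, "no PFS: a compromised key exposes other keys"))
        elif DH_GROUP_BITS.get(pol["pfs"], 0) < min_bits:
            bits = DH_GROUP_BITS.get(pol["pfs"], 0)
            findings.append((name, f"PFS {pol['pfs']} ({bits}-bit) below {min_bits}-bit"))
        if not pol["proposals"]:
            findings.append((name, "no proposals: nothing for the peer to match"))
    return findings
```

Running `audit(parse_policies(SAMPLE_CONFIG))` reports legacy-policy (group2) and no-pfs-policy while dynamic-policy-1 passes.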
Note: Updates to the current IPsec proposal and policy configuration are not applied to the current IPsec SA; updates are applied to new IPsec SAs. If you want the new updates to take immediate effect, you must clear the existing IPsec security associations so that they will be reestablished with the changed configuration. For information about how to clear the current IPsec security association, see the Junos OS Operational Mode Commands.