
    Authentication Process

    The remote dynamic peer initiates IKE and IPSec negotiations with the local (Juniper Networks) router. The local router uses a default set of authentication and encryption values to match against the IKE and IPSec proposals sent by the remote peer in order to establish the SA. If the peer's proposals match any of these default values, tunnel establishment continues. The default values are shown in Table 1.

    Table 1: Default IKE and IPSec Proposals for Dynamic SA Negotiations

    Statement Name              Values
    --------------------------  ---------------------------
    Implicit IKE Proposal
      authentication-method     preshared keys
      dh-group                  group1, group2
      authentication-algorithm  sha1, md5
      encryption-algorithm      3des-cbc, des-cbc
      lifetime-seconds          3600 seconds
    Implicit IPSec Proposal
      protocol                  esp, ah, bundle
      authentication-algorithm  hmac-sha1-96, hmac-md5-96
      encryption-algorithm      3des-cbc, des-cbc
      lifetime-seconds          28,800 seconds (8 hours)

    Phase 2 of the authentication process matches the proxy identities of the protected hosts and networks sent by the peer against a list of configured proxy identities. The accepted proxy identity is used to create the dynamic rules for encrypting the traffic. You can configure proxy identities by including the allowed-proxy-pair statement in an IKE access profile at the [edit access profile profile-name client * ike] hierarchy level. If no configured entry matches, the negotiation is rejected.

    However, if you do not configure the allowed-proxy-pair statement, the default value ANY(0.0.0.0/0)-ANY is applied, and the local router accepts any proxy identities sent by the peer.

    Once the phase 2 negotiation has been successfully completed, the router builds dynamic rules and inserts the reverse route into the routing table using the accepted proxy identity.
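    The two IKE access profiles below are an added illustration, not configuration from this guide: the first omits allowed-proxy-pair and so inherits the ANY(0.0.0.0/0)-ANY default described above, the second restricts the proxy identities a dynamic peer may negotiate. Profile names, interface-id, prefixes and the pre-shared key are placeholders.

```junos
/* Weak: no allowed-proxy-pair under [edit access profile dyn-vpn-weak client * ike],
   so the router applies the ANY(0.0.0.0/0)-ANY default and accepts whatever
   proxy identities the remote peer sends in Phase 2. */
access {
    profile dyn-vpn-weak {                       /* hypothetical profile name */
        client * {
            ike {
                pre-shared-key ascii-text "$9$PLACEHOLDER";   /* placeholder key */
                interface-id dyn-ifl;                         /* hypothetical interface-id */
            }
        }
    }
}

/* Corrected: list the local/remote prefix pairs the peer is allowed to protect.
   A Phase 2 proposal whose proxy identities match none of these entries is
   rejected, and the dynamic rules and reverse route are built only from an
   accepted pair. */
access {
    profile dyn-vpn {                            /* hypothetical profile name */
        client * {
            ike {
                allowed-proxy-pair local 10.10.0.0/16 remote 192.168.50.0/24;   /* constructed prefixes */
                allowed-proxy-pair local 10.10.0.0/16 remote 192.168.51.0/24;
                pre-shared-key ascii-text "$9$PLACEHOLDER";   /* placeholder key */
                interface-id dyn-ifl;                         /* hypothetical interface-id */
            }
        }
    }
}
```

    Each allowed-proxy-pair entry is independent, so one profile can cover several protected network pairs while still rejecting anything outside that list.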

    Published: 2012-11-28