proposal (Security Group VPN Member IKE)
Syntax
proposal proposal-name {
    authentication-algorithm (sha-256 | sha-384);
    authentication-method pre-shared-keys;
    description description;
    dh-group (group14 | group24);
    encryption-algorithm (aes-128-cbc | aes-192-cbc | aes-256-cbc);
    lifetime-seconds seconds;
}
Hierarchy Level
[edit security group-vpn member ike]
Description
Define an IKE proposal. You can configure one or more IKE proposals. Each proposal is a list of IKE attributes to protect the IKE connection between the IKE host and its peer.
Options
proposal proposal-name—Name of the IKE proposal. The proposal name can be up to 32 alphanumeric characters long.
authentication-algorithm—Configure the Internet Key Exchange (IKE) authentication algorithm. Hash algorithm that authenticates packet data. It can be one of the following algorithms:
    sha-256—Produces a 256-bit digest. This is the default value.
    sha-384—Produces a 384-bit digest.
authentication-method pre-shared-keys—Specify the method the device uses to authenticate the source of Internet Key Exchange (IKE) messages. The pre-shared-keys option refers to a preshared key, a secret key shared between the two peers that is used during authentication to identify the peers to each other. The same key must be configured for each peer. This is the default method.
description description—Specify descriptive text for an IKE proposal.
dh-group—Specify the IKE Diffie-Hellman group for key establishment.
    group14—2048-bit group. This is the default value.
    group24—2048-bit group with a 256-bit subgroup. Support for the group24 option was added in Junos OS Release 15.1X49-D30 for vSRX Virtual Firewall.
encryption-algorithm—Configure an encryption algorithm for an IKE proposal.
    aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption algorithm.
    aes-192-cbc—AES 192-bit encryption algorithm.
    aes-256-cbc—AES 256-bit encryption algorithm.
lifetime-seconds seconds—Specify the lifetime (in seconds) of an IKE or IPsec security association (SA) for group VPN. When the SA expires, it is replaced by a new SA and security parameter index (SPI) or terminated.
Range: 180 through 86,400 seconds
Default: 3600 seconds
The device does not delete existing IPsec SAs when you update the authentication-algorithm, authentication-method, dh-group, and encryption-algorithm configuration in the IKE proposal.
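The following added example (not part of the Junos documentation) lints proposal stanzas against the option values, defaults, and lifetime range listed above, for use when auditing exported configurations. The function name lint_proposals, the sample proposal names, and the brace-style input text are assumptions; only the name length is checked, and a semicolon or brace inside a quoted description is not handled.

```python
import re

# Allowed values and defaults exactly as this page documents them.
ALLOWED = {
    "authentication-algorithm": {"sha-256", "sha-384"},
    "authentication-method": {"pre-shared-keys"},
    "dh-group": {"group14", "group24"},
    "encryption-algorithm": {"aes-128-cbc", "aes-192-cbc", "aes-256-cbc"},
}
DEFAULTS = {"authentication-algorithm": "sha-256", "dh-group": "group14",
            "authentication-method": "pre-shared-keys", "lifetime-seconds": "3600"}
STANZA = re.compile(r"proposal\s+(\S+)\s*\{(.*?)\}", re.S)

def lint_proposals(config_text):
    """Return {proposal name: (effective settings, list of problems)}."""
    report = {}
    for name, body in STANZA.findall(config_text):
        settings, problems = dict(DEFAULTS), []
        if len(name) > 32:
            problems.append("name longer than 32 characters")
        for stmt in filter(None, (s.strip() for s in body.split(";"))):
            key, _, value = stmt.partition(" ")
            value = value.strip().strip('"')
            if key == "description":
                settings[key] = value
            elif key == "lifetime-seconds":
                if value.isdigit() and 180 <= int(value) <= 86400:
                    settings[key] = value
                else:
                    problems.append(f"lifetime-seconds {value!r} outside 180-86400")
            elif key in ALLOWED and value in ALLOWED[key]:
                settings[key] = value
            else:
                problems.append(f"{key} {value!r} is not a documented statement or value")
        if "encryption-algorithm" not in settings:
            problems.append("encryption-algorithm not set and the page states no default")
        report[name] = (settings, problems)
    return report

# Constructed sample input (hypothetical proposal names, not from a real device).
SAMPLE = """
proposal gvpn-strong { authentication-algorithm sha-384; dh-group group24;
    encryption-algorithm aes-256-cbc; lifetime-seconds 28800; }
proposal gvpn-legacy { authentication-algorithm sha1; dh-group group2;
    lifetime-seconds 120; description "old hub"; }
"""

if __name__ == "__main__":
    for name, (settings, problems) in lint_proposals(SAMPLE).items():
        print(name, settings, problems or "OK")
```

Statements that fail a check keep their documented default in the effective settings, so the problem list is the result to act on.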
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 10.2.