proposal (Security IKE)
Syntax
proposal proposal-name {
authentication-algorithm (md5 | sha-256 | sha-384| sha1 | sha-512);
authentication-method(certificates | dsa-signatures | ecdsa-signatures-256 | ecdsa-signatures-384 | pre-shared-keys | rsa-signatures | ecdsa-signatures-521);
description description;
dh-group (group1 | group14 | group19 | group2 | group20 | group24 | group5 | group15 | group16 | group21);
encryption-algorithm (3des-cbc | aes-128-cbc | aes-128-gcm | aes-192-cbc | aes-256-cbc | aes-256-gcm | chacha20-poly1305 | des-cbc);
lifetime-seconds seconds;
}
Hierarchy Level
[edit security ike]
Description
Define an IKE proposal.
Options
proposal-name—Name of the IKE proposal. The
proposal name can be up to 32 alphanumeric characters long.
authentication-algorithm—Configure the Internet Key Exchange (IKE)
authentication hash algorithm that authenticates packet data. It can be one of the
following algorithms:
-
md5—Produces a 128-bit digest. -
sha-256—Produces a 256-bit digest. -
sha-384—Produces a 384-bit digest. -
In Power Mode IPSec mode and in normal mode—
-
sha1—Produces a 160-bit digest. -
sha-512—Produces a 512-bit digest.
-
The device
deletes
existing IPsec SAs when you update the authentication-algorithm
configuration either in the IKE proposal or IPsec
proposal.
authentication-method—Specify the method the device uses to
authenticate the source of Internet Key Exchange (IKE) messages. The
pre-shared-keys option refers to a preshared key, which is a
key for encryption and decryption that both participants must have before beginning
tunnel negotiations. The other options refer to types of digital signatures, which
are certificates that confirm the identity of the certificate holder. The device
deletes
existing IPsec SAs when you update the authentication-method
configuration in the IKE
proposal.
-
certificates—You can establish the IKEv2 and IPsec SA tunnels irrespective of the type of certificate used on initiator and responder. Theauthentication-method certificatesoption cannot be used with IKEv1. -
dsa-signatures—Specify that the Digital Signature Algorithm (DSA) is used. -
ecdsa-signatures-256—Specify that the Elliptic Curve DSA (ECDSA) using the 256-bit elliptic curve secp256r1, as specified in the Federal Information Processing Standard (FIPS) Digital Signature Standard (DSS) 186-3, is used. -
ecdsa-signatures-384—Specify that the ECDSA using the 384-bit elliptic curve secp384r1, as specified in the FIPS DSS 186-3, is used. -
pre-shared-keys—Specify that a preshared key, which is a secret key shared between the two peers, is used during authentication to identify the peers to each other. The same key must be configured for each peer. This is the default method. -
rsa-signatures—Specify that a public key algorithm, which supports encryption and digital signatures, is used. -
ecdsa-signatures-521—Specify that the ECDSA using the 521-bit elliptic curve secp521r1 is used.
description description—Text the description of
IKE proposal.
dh-group—Specify the IKE Diffie-Hellman group.
encryption-algorithm—Configure an encryption algorithm for an IKE
proposal.
lifetime-seconds seconds—Specify the lifetime (in
seconds) of an IKE security association (SA). When the SA expires, it is replaced by
a new SA and security parameter index (SPI) or terminated.
-
Range: 180 through 86,400 seconds
-
Default: 28,800 seconds
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement modified in Junos OS Release 8.5.
Support for dh-group group 14 and dsa-signatures
added in Junos OS Release 11.1.
Support for sha-384, ecdsa-signatures-256,
ecdsa-signatures-384, group19,
group20, and group24 options added in Junos OS
Release 12.1X45-D10.
Support for ecdsa-signatures-256 and
ecdsa-signatures-384 options added in Junos OS Release
12.1X45-D10.
Support for sha-512, group15,
group16, group21, and
ecdsa-signatures-521 options added in Junos OS Release 19.1R1
on SRX5000 line of devices with junos-ike package installed.
Support for authentication algorithm (SH1: hmac-sha1-96) added to vSRX Virtual Firewall in Junos OS Release 19.3R1 for Power Mode IPSec mode, along with the existing support in normal mode.
Support for group15, group16, and
group21 options added in Junos OS Release 20.3R1 on vSRX
Virtual Firewall instances with junos-ike package installed.
Support for group15, group16, and
group21 options added in Junos OS Release 21.1R1 on vSRX
Virtual Firewall 3.0 instances with junos-ike package
installed.
Support for certificates option added in Junos OS Release 22.4R1 on
MX240, MX480, and MX960 in USF mode, SRX1500, SRX4200, SRX4600, SRX5400, SRX5600,
SRX5800, and vSRX 3.0 running the iked process.
Support for the chacha20-poly1305 option added to SRX1600, SRX2300,
SRX4300, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX 3.0 in Junos OS Release
24.2R1.