Configuring an IPsec Proposal for an ES PIC
An IPsec proposal lists protocols and algorithms (security services) to be negotiated with the remote IPsec peer.
To configure an IPsec proposal and define its properties, include the following statements at the [edit security ipsec] hierarchy level:

[edit security ipsec]
proposal ipsec-proposal-name {
    authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
    description description;
    encryption-algorithm (3des-cbc | des-cbc);
    lifetime-seconds seconds;
    protocol (ah | esp | bundle);
}
Tasks to configure an IPsec proposal for an ES PIC include:
- Configuring the Authentication Algorithm for an IPsec Proposal
- Configuring the Description for an IPsec Proposal
- Configuring the Encryption Algorithm for an IPsec Proposal
- Configuring the Lifetime for an IPsec SA
- Configuring the Protocol for a Dynamic IPsec SA
Configuring the Authentication Algorithm for an IPsec Proposal
To configure an IPsec authentication algorithm, include the authentication-algorithm statement at the [edit security ipsec proposal ipsec-proposal-name] hierarchy level:

[edit security ipsec proposal ipsec-proposal-name]
authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
The authentication algorithm can be one of the following:
hmac-md5-96—Hash algorithm that authenticates packet data. It produces a 128-bit digest. Only 96 bits are used for authentication.
hmac-sha1-96—Hash algorithm that authenticates packet data. It produces a 160-bit digest. Only 96 bits are used for authentication.
Configuring the Description for an IPsec Proposal
To specify a description for an IPsec proposal, include the description statement at the [edit security ipsec proposal ipsec-proposal-name] hierarchy level:

[edit security ipsec proposal ipsec-proposal-name]
description description;
Configuring the Encryption Algorithm for an IPsec Proposal
To configure the IPsec encryption algorithm, include the encryption-algorithm statement at the [edit security ipsec proposal ipsec-proposal-name] hierarchy level:

[edit security ipsec proposal ipsec-proposal-name]
encryption-algorithm (3des-cbc | des-cbc);
The encryption algorithm can be one of the following:
3des-cbc—Encryption algorithm that has a block size of 24 bytes; its key size is 192 bits long.
des-cbc—Encryption algorithm that has a block size of 8 bytes; its key size is 48 bits long.
Note: We recommend that you use the triple DES cipher block chaining (3DES-CBC) encryption algorithm.
Configuring the Lifetime for an IPsec SA
The IPsec lifetime option sets the lifetime of an IPsec SA. When the IPsec SA expires, it is replaced by a new SA (and SPI) or is terminated. A new SA has new authentication and encryption keys, and SPI; however, the algorithms may remain the same if the proposal is not changed. If you do not configure a lifetime and a lifetime is not sent by a responder, the lifetime is 28,800 seconds.
To configure the IPsec lifetime, include the lifetime-seconds statement and specify the number of seconds (180 through 86,400) at the [edit security ipsec proposal ipsec-proposal-name] hierarchy level:

[edit security ipsec proposal ipsec-proposal-name]
lifetime-seconds seconds;
When a dynamic SA is created, two types of lifetimes are used: hard and soft. The hard lifetime specifies the lifetime of the SA. The soft lifetime, which is derived from the hard lifetime, informs the IPsec key management system that the SA is about to expire. This allows the key management system to negotiate a new SA before the hard lifetime expires. When you specify the lifetime, you specify a hard lifetime.
Configuring the Protocol for a Dynamic IPsec SA
The protocol statement sets the protocol for a dynamic SA. The ESP protocol can support authentication, encryption, or both. The AH protocol is used for strong authentication. AH also authenticates the IP packet. The bundle option uses AH authentication and ESP encryption; it does not use ESP authentication because AH provides stronger authentication of IP packets.
To configure the protocol for a dynamic SA, include the protocol statement at the [edit security ipsec proposal ipsec-proposal-name] hierarchy level:

[edit security ipsec proposal ipsec-proposal-name]
protocol (ah | esp | bundle);
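The following puts the five statements from the sections above together into two complete proposals. It is an added example written for this page, not configuration taken from the Juniper documentation; the proposal names, the description strings and the lifetime value are chosen here for illustration.

```junos
[edit security ipsec]
/* Illustrative proposal: ESP carrying both authentication and encryption.
   Uses the recommended 3des-cbc rather than des-cbc, and a 1-hour hard
   lifetime, which lies inside the permitted 180 through 86,400 seconds. */
proposal esp-3des-sha1 {
    description "ESP with HMAC-SHA1-96 and 3DES-CBC, 1-hour hard lifetime";
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
/* Illustrative bundle proposal: AH authenticates the whole IP packet and
   ESP supplies encryption only; ESP authentication is not used. */
proposal bundle-ah-esp {
    description "AH authentication plus ESP encryption";
    protocol bundle;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
```

Both proposals set an explicit hard lifetime of 3600 seconds instead of relying on the 28,800-second value that applies when neither side sends a lifetime; a shorter hard lifetime means the key management system re-keys more often, with a new SPI and fresh keys each time, and the derived soft lifetime gives it time to negotiate the replacement before the old SA expires. After committing, show configuration security ipsec in operational mode displays the proposals as entered so you can confirm that no proposal still selects des-cbc.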