IPsec Configuration for an ES PIC Overview
IP Security (IPsec) provides a secure way to authenticate senders and encrypt IPv4 and IPv6 traffic between network devices, such as routers and hosts. The following sections show how to configure IPsec for an ES PIC.
The key management process (kmd) provides IPsec authentication services for ES PICs. The key management process starts only when IPsec is configured on the router.
Configuring Manual SAs on an ES PIC
To define a manual security association (SA) configuration for an ES PIC, include at least the following statements at the [edit security ipsec] hierarchy level:

[edit security ipsec]
security-association sa-name {
    manual {
        direction (inbound | outbound | bidirectional) {
            authentication {
                algorithm (hmac-md5-96 | hmac-sha1-96);
                key (ascii-text key | hexadecimal key);
            }
            encryption {
                algorithm (des-cbc | 3des-cbc);
                key (ascii-text key | hexadecimal key);
            }
            protocol (ah | esp | bundle);
            spi spi-value;
        }
    }
}
Configuring IKE Requirements on an ES PIC
To define an IKE configuration for an ES PIC, include at least the following statements at the [edit security] hierarchy level:

[edit security ike]
proposal ike-proposal-name {
    authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
    dh-group (group1 | group2);
    encryption-algorithm (3des-cbc | des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc);
}
policy ike-peer-address {
    proposals [ ike-proposal-names ];
    pre-shared-key (ascii-text key | hexadecimal key);
}
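An added example, not from the original page or from Juniper: a small Python check that walks a Junos-style brace configuration and reports each place where a manual SA or IKE proposal selects the weakest of the options listed above (des-cbc, hmac-md5-96, dh-group group1), together with its hierarchy path. The sample configuration, its names, and its key placeholders are constructed, and the parser assumes a configuration without comments.

```python
import re

# Weakest options the page lists: (block, statement, value) -> stronger option.
WEAK = {
    ("authentication", "algorithm", "hmac-md5-96"): "hmac-sha1-96",
    ("encryption", "algorithm", "des-cbc"): "3des-cbc",
    ("proposal", "dh-group", "group1"): "group2",
    ("proposal", "encryption-algorithm", "des-cbc"): "aes-256-cbc",
}

def audit(config):
    """Return (hierarchy, statement, stronger option) for each weak choice."""
    findings, path, words = [], [], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', config):
        if tok not in ("{", "}", ";"):
            words.append(tok)            # still collecting one statement
            continue
        if tok == "{":
            path.append(words)           # words before "{" name the block
        elif tok == "}" and path:
            path.pop()
        elif tok == ";":
            parent = path[-1][0] if path and path[-1] else ""
            better = WEAK.get((parent, *words[:2]))
            if better:
                where = " ".join(w for block in path for w in block)
                findings.append((where, " ".join(words), better))
        words = []
    return findings

# Constructed sample (not from a real router); key values are placeholders.
SAMPLE = """
security {
    ipsec {
        security-association sa-legacy { manual { direction bidirectional {
            protocol esp; spi 400;
            authentication { algorithm hmac-md5-96; key ascii-text "PLACEHOLDER"; }
            encryption { algorithm des-cbc; key ascii-text "PLACEHOLDER"; }
        } } }
    }
    ike {
        proposal ike-prop-1 { dh-group group1; encryption-algorithm aes-256-cbc; }
    }
}
"""

if __name__ == "__main__":
    for where, stmt, better in audit(SAMPLE):
        print(f"[edit {where}] {stmt}: prefer {better}")
```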
Configuring a Digital Certificate for IKE on an ES PIC
To define a digital certificate configuration for IKE for an encryption interface on M Series and T Series routers, include at least the following statements at the [edit security certificates] and [edit security ike] hierarchy levels:

[edit security]
certificates {
    certification-authority ca-profile-name {
        ca-name ca-identity;
        crl filename;
        enrollment-url url-name;
        file certificate-filename;
        ldap-url url-name;
    }
}
ike {
    policy ike-peer-address {
        local-certificate certificate-filename;
        local-key-pair private-public-key-file;
        proposals [ ike-proposal-names ];
    }
    proposal ike-proposal-name {
        authentication-method rsa-signatures;
    }
}