policy (Security IPsec)

Syntax

Hierarchy Level

Description

Define an IPsec policy. An IPsec policy defines a combination of security parameters (IPsec proposals) used during IPsec negotiation. It defines Perfect Forward Secrecy (PFS) and the proposals needed for the connection.

Options

name	Name of the IPsec policy.
description	Enter descriptive text for an IPsec policy.
perfect-forward-secrecy keys	Specify Perfect Forward Secrecy (PFS) as the method that the device uses to generate the encryption key. PFS generates each new encryption key independently from the previous key. The device deletes existing IPsec SAs when you update the `perfect-forward-secrecy` configuration in the IPsec policy. Values: `group1`—768-bit Modular Exponential (MODP) algorithm. `group2`—1024-bit MODP algorithm. `group5`—1536-bit MODP algorithm. `group14`—2048-bit MODP group. `group15`—3072-bit MODP algorithm. `group16`—4096-bit MODP algorithm. `group19`—256-bit random Elliptic Curve Groups modulo a Prime (ECP groups) algorithm. `group20`—384-bit random ECP groups algorithm. `group21`—521-bit random ECP groups algorithm. `group24`—2048-bit MODP Group with 256-bit prime order subgroup.
proposal-set	Define a set of default IPsec proposals. Values: basic—IPsec basic proposal set. esp-des-sha and esp-des-md5. Encapsulating Security Payload (ESP) protocol Encryption algorithm—DES-CBC encryption algorithm Authentication algorithm—SHA1 or MD5 authentication algorithm compatible—IPsec compatible proposal set. esp-3des-sha, esp-3des-md5, esp-des-sha, and esp-des-md5. ESP protocol Encryption algorithm—3DES-CBC or DES-CBC encryption algorithm Authentication algorithm—SHA1 or MD5 authentication algorithm `prime-128`—Provides the following proposal set: Encapsulating Security Payload (ESP) protocol Encryption algorithm—Advanced Encryption Standard Galois/Counter mode (AES-GCM)128-bit Authentication algorithm—None (AES-GCM provides both encryption and authentication) This option is not supported on Group VPNv2. `prime-256`—Provides the following proposal set: ESP protocol Encryption algorithm—AES-GCM 256-bit Authentication algorithm—None (AES-GCM provides both encryption and authentication) This option is not supported on Group VPNv2. `standard`—esp-3des-sha and esp-aes128-sha ESP protocol Encryption algorithm—3DES-CBC or AES-CBC 128-bit encryption algorithm Authentication algorithm—SHA1 authentication algorithm `suiteb-gcm-128`—Provides the following proposal set: ESP protocol Encryption algorithm—AES-GCM 128-bit Authentication algorithm—None (AES-GCM provides both encryption and authentication) This option is not supported on Group VPNv2. `suiteb-gcm-256`—Provides the following proposal set: ESP protocol Encryption algorithm—AES-GCM 256-bit Authentication algorithm—None (AES-GCM provides both encryption and authentication) This option is not supported on Group VPNv2.
proposals `proposal-name`	Specify up to four Phase 2 proposals for an IPsec policy. If you include multiple proposals, use the same Diffie-Hellman group in all of the proposals. Proposals are evaluated in the order they appear on the list, from top down, so specify the highest priority first, followed by the next highest priority, and so on.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement modified in Junos OS Release 8.5.

Support for group 14 is added in Junos OS Release 11.1.

Support for group14 options added in Junos OS Release 11.1.

Support for group19, group20, and group24 options added in Junos OS Release 12.1X45-D10.

group15, group16, and group21 options introduced in Junos OS Release 19.1R1 on SR5000 line of devices with junos-ike package installed.

Support for suiteb-gcm-128 and suiteb-gcm-256 options added in Junos OS Release 12.1X45-D10. Support for prime-128 and prime-256 options added in Junos OS Release 15.1X49-D40.

Starting in Junos OS Release 20.2R1, we’ve changed the help text description as NOT RECOMMENDED for the CLI options group1, group2, and group5 for devices running IKED with junos-ike package installed.

Support for group15, group16, and group21 options added in Junos OS Release 20.3R1 on vSRX Virtual Firewall instances with junos-ike package installed.

Support for group15, group16, and group21 options added in Junos OS Release 21.1R1 on vSRX Virtual Firewall 3.0 instances with junos-ike package installed.

ON THIS PAGE