Juniper Networks Field Guide and Reference

An IPSec proposal lists protocols and algorithms (security services) to be negotiated with the remote IPSec peer. To configure an IPSec proposal, include the proposal statement:

[edit security ipsec]
proposal ike-proposal-name {
    authentication-algorithm (md5 | sha1);
    authentication-method pre-shared-keys;
    dh-group (group1 | group2);
    encryption-algorithm (3des-cbc | des-cbc);
    lifetime-seconds seconds;
}

To configure an IPSec authentication algorithm, include the authentication-algorithm statement. The authentication algorithm can be one of the following:

  • hmac-md5-96 - Hash algorithm that authenticates packet data, producing a 128-bit digest

  • hmac-sha1-96 - Hash algorithm that authenticates packet data, producing a 160-bit digest

To configure an IPSec encryption algorithm, include the encryption-algorithm statement. The encryption algorithm can be one of the following:

  • 3des-cbc - Block size is 24 bytes, and key length is 192 bits

  • des-cbc - Block size is 8 bytes, and key length is 48 bits

The IPSec lifetime option sets the lifetime of an IPSec SA. When the SA expires, it is replaced by a new SA (and SPI) or terminated. If you do not configure a lifetime and a lifetime is not sent by a responder, it defaults to 28,800 seconds. To configure the IPSec lifetime, include the lifetime-seconds statement.
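
As an added example (not from the guide or from Juniper), the following Python script audits proposal blocks written with the statements above: it reports the effective SA lifetime, applying the 28,800-second default when lifetime-seconds is absent, and flags des-cbc and hmac-md5-96. Treating those two values as weak is this example's own policy, and the proposal names and sample configuration are constructed.

```python
import re

DEFAULT_LIFETIME = 28800  # default from the text when no lifetime is configured or sent

# Example policy (an assumption of this example, not stated by the guide).
WEAK = {
    "encryption-algorithm": {"des-cbc"},
    "authentication-algorithm": {"hmac-md5-96"},
}

# Constructed sample under [edit security ipsec]; proposal names are made up.
SAMPLE = """
proposal legacy-peer {
    authentication-algorithm hmac-md5-96;
    encryption-algorithm des-cbc;
}
proposal branch-peer {
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
"""

def parse_proposals(text):
    """Return {proposal-name: {statement: value}} for each proposal block."""
    proposals = {}
    for name, body in re.findall(r"proposal\s+(\S+)\s*\{([^{}]*)\}", text):
        stmts = {}
        for stmt in body.split(";"):
            parts = stmt.split()
            if len(parts) == 2:  # "statement value"; skips blanks and malformed lines
                stmts[parts[0]] = parts[1]
        proposals[name] = stmts
    return proposals

def audit(text):
    """Return {name: {"lifetime": seconds, "findings": [weak statements]}}."""
    report = {}
    for name, stmts in parse_proposals(text).items():
        findings = [f"{key} {stmts[key]}"
                    for key, bad in WEAK.items() if stmts.get(key) in bad]
        # The default applies only if the responder sends no lifetime either.
        lifetime = int(stmts.get("lifetime-seconds", DEFAULT_LIFETIME))
        report[name] = {"lifetime": lifetime, "findings": findings}
    return report

if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        print(name, result)
```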
