Configuring an IPSec Proposal


An IPSec proposal lists protocols and algorithms (security services) to be negotiated with the remote IPSec peer. To configure an IPSec proposal, include the proposal statement:

 [edit security ipsec]
 proposal ike-proposal-name {
     authentication-algorithm (md5 | sha1);
     authentication-method pre-shared-keys;
     dh-group (group1 | group2);
     encryption-algorithm (3des-cbc | des-cbc);
     lifetime-seconds seconds;
 }

To configure an IPSec authentication algorithm, include the authentication-algorithm statement. The authentication algorithm can be one of the following:

  • hmac-md5-96: Hash algorithm that authenticates packet data, producing a 128-bit digest

  • hmac-sha1-96: Hash algorithm that authenticates packet data, producing a 160-bit digest

To configure an IPSec encryption algorithm, include the encryption-algorithm statement. The encryption algorithm can be one of the following:

  • 3des-cbc: Block size is 24 bytes, and key length is 192 bits

  • des-cbc: Block size is 8 bytes, and key length is 48 bits

The IPSec lifetime option sets the lifetime of an IPSec SA. When the SA expires, it is replaced by a new SA (and SPI) or terminated. If you do not configure a lifetime and a lifetime is not sent by a responder, it defaults to 28,800 seconds. To configure the IPSec lifetime, include the lifetime-seconds statement.
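The following Python check is an added example, not code from the book or from Juniper. It parses proposal stanzas, validates each algorithm against the values listed above, and resolves the effective lifetime using the 28,800-second default. The sample configuration, the function names, and the "prefer the stronger listed option" policy are assumptions made for this example.

```python
import re
# Values this page lists for an IPSec proposal.
AUTH_ALGORITHMS = {"hmac-md5-96", "hmac-sha1-96"}
ENCR_ALGORITHMS = {"3des-cbc", "des-cbc"}
DEFAULT_LIFETIME = 28800  # seconds, applied when no lifetime-seconds is configured

# Constructed sample configuration (not from the page).
SAMPLE = """
proposal branch-esp {
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
}
proposal legacy {
    authentication-algorithm hmac-md5-96;
    encryption-algorithm des-cbc;
    lifetime-seconds 3600;
}
proposal typo {
    authentication-algorithm sha1;
    encryption-algorithm 3des;
}
"""

def parse_proposals(text):
    """Return {name: {statement: value}} for each proposal stanza."""
    proposals = {}
    for name, body in re.findall(r"proposal\s+(\S+)\s*\{(.*?)\}", text, re.S):
        proposals[name] = dict(re.findall(r"([\w-]+)\s+([^;\s]+)\s*;", body))
    return proposals

def check(proposal):
    """Return (effective_lifetime_seconds, findings) for one parsed proposal."""
    findings = []
    auth = proposal.get("authentication-algorithm")
    encr = proposal.get("encryption-algorithm")
    if auth not in AUTH_ALGORITHMS:
        findings.append(f"authentication-algorithm {auth!r} is not a listed value")
    if encr not in ENCR_ALGORITHMS:
        findings.append(f"encryption-algorithm {encr!r} is not a listed value")
    # Assumed review policy: flag the weaker of the two listed options.
    if auth == "hmac-md5-96":
        findings.append("weak authentication: prefer hmac-sha1-96")
    if encr == "des-cbc":
        findings.append("weak encryption: prefer 3des-cbc")
    lifetime = int(proposal.get("lifetime-seconds", DEFAULT_LIFETIME))
    return lifetime, findings
```

Running `check` over each entry returned by `parse_proposals(SAMPLE)` yields no findings for `branch-esp`, two weak-algorithm findings for `legacy`, and two unlisted-value findings for `typo`.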



Juniper Networks Field Guide and Reference
ISBN: 0321122445
EAN: 2147483647
Year: 2002
Pages: 185
