Ipsec; Security Associations; Ike - Juniper ACX1000 Configuration Manual


ACX Series Universal Access Router Configuration Guide

IPsec

Security Associations

IKE

For a list of the IPsec and IKE standards supported by Junos OS, see the Junos OS Hierarchy
and RFC Reference.
The IPsec architecture provides a security suite for the IP version 4 (IPv4) network layer.
The suite provides functionality such as authentication of origin, data integrity,
confidentiality, replay protection, and nonrepudiation of source. In addition to IPsec,
Junos OS also supports the Internet Key Exchange (IKE), which defines mechanisms for
key generation and exchange, and manages security associations.

IPsec

IPsec also defines a security association and key management framework that can be
used with any transport layer protocol. The security association specifies what protection
policy to apply to traffic between two IP-layer entities. IPsec provides secure tunnels
between two peers.

Security Associations

To use IPsec security services, you create security associations between hosts. A security
association is a simplex connection that allows two hosts to communicate with each
other securely by means of IPsec. There are two types of security associations:

- Manual security associations require no negotiation; all values, including the keys, are
  static and specified in the configuration. Manual security associations statically define
  the security parameter index (SPI) values, algorithms, and keys to be used, and require
  matching configurations on both ends of the tunnel. Each peer must have the same
  configured options for communication to take place.

- Dynamic security associations require additional configuration. With dynamic security
  associations, you configure IKE first and then the security association. IKE creates
  dynamic security associations; it negotiates security associations for IPsec. The IKE
  configuration defines the algorithms and keys used to establish the secure IKE
  connection with the peer security gateway. This connection is then used to dynamically
  agree upon keys and other data used by the dynamic IPsec security association. The
  IKE security association is negotiated first and then used to protect the negotiations
  that determine the dynamic IPsec security associations.
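
The matching requirement for manual security associations can be checked before a tunnel is brought up. The following Python sketch is an added example, not taken from the Juniper manual or from Junos OS; the ManualSA model, the audit_manual_sas function, and all SPI, algorithm, and key values are assumptions constructed for illustration. Because a security association is simplex, it pairs each peer's outbound SA with the other peer's inbound SA.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class ManualSA:
    """One simplex manual SA as configured on one peer (hypothetical model)."""
    direction: str      # "inbound" or "outbound", from this peer's viewpoint
    spi: int            # security parameter index
    auth_alg: str
    enc_alg: str
    auth_key: bytes
    enc_key: bytes

def audit_manual_sas(peer_a, peer_b):
    """Return mismatch descriptions; an empty list means both ends agree.

    An SA is simplex, so each peer's outbound SA must have an identical
    inbound SA (same SPI, algorithms and keys) on the other peer.
    """
    findings = []
    for sender, receiver, label in ((peer_a, peer_b, "A->B"), (peer_b, peer_a, "B->A")):
        outbound = [sa for sa in sender if sa.direction == "outbound"]
        inbound = {sa.spi: sa for sa in receiver if sa.direction == "inbound"}
        if not outbound:
            findings.append(f"{label}: no outbound SA configured")
        for sa in outbound:
            other = inbound.get(sa.spi)
            if other is None:
                findings.append(f"{label}: SPI {sa.spi} has no inbound SA on the receiver")
                continue
            for name in ("auth_alg", "enc_alg"):
                if getattr(sa, name) != getattr(other, name):
                    findings.append(f"{label}: SPI {sa.spi} {name} differs")
            for name in ("auth_key", "enc_key"):
                # Constant-time compare; findings never contain key material.
                if not hmac.compare_digest(getattr(sa, name), getattr(other, name)):
                    findings.append(f"{label}: SPI {sa.spi} {name} differs")
    return findings

# Constructed sample values (not from the manual); keys are placeholders.
K1, K2 = b"A" * 20, b"B" * 24
PEER_A = [ManualSA("outbound", 400, "hmac-sha1-96", "3des-cbc", K1, K2),
          ManualSA("inbound", 401, "hmac-sha1-96", "3des-cbc", K1, K2)]
PEER_B = [ManualSA("inbound", 400, "hmac-sha1-96", "3des-cbc", K1, K2),
          ManualSA("outbound", 401, "hmac-sha1-96", "aes-128-cbc", K1, K2[:16])]

if __name__ == "__main__":
    for finding in audit_manual_sas(PEER_A, PEER_B):
        print(finding)
```

In the sample data the A-to-B direction is consistent, while the B-to-A direction is reported because peer B's outbound SA uses a different encryption algorithm and key than peer A's inbound SA.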

IKE

IKE is a key management protocol that creates dynamic security associations; it negotiates
security associations for IPsec. An IKE configuration defines the algorithms and keys used
to establish a secure connection with a peer security gateway.
IKE performs the following tasks:

- Negotiates and manages IKE and IPsec parameters.
- Authenticates secure key exchange.

Copyright © 2017, Juniper Networks, Inc.

This manual is also suitable for: ACX5048, ACX5096, ACX500, ACX1100, ACX2000, ACX2100 ...