Configuring Ipsec Parameters - Juniper IP SERVICES - CONFIGURATION GUIDE V 11.1.X Configuration Manual

JUNOSe 11.1.x IP Services Configuration Guide

Configuring IPSec Parameters

To configure IPSec:

1. For each endpoint, create a transform set that provides the desired encryption
   and authentication.

   host1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
   host1(config)#ipsec transform-set customerBprotection ah-hmac-md5

2. Add a preshared key that the routers use to authenticate each other.

   host1(config)#ipsec key manual pre-share 5.2.0.1
   host1(config-manual-key)#key customerASecret

   After you enter a preshared key, the router encrypts the key and displays it in
   masked form to increase the security of the key. If you need to reenter the key,
   you can enter it in its masked form using the masked-key command.

   To see the masked form of the key:

   host1#show config
   ipsec key manual pre-share 10.10.1.1
   masked-key "AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO"

   To enter the masked key:

   host1(config-manual-key)#masked-key AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO

3. Define the local endpoint used for ISAKMP/IKE negotiations for all IPSec tunnels
   in the router.

   host1(config)#ipsec local-endpoint 10.10.1.1 transport-virtual-router vr#8

4. (Optional) Set the global (default) lifetime for all SAs on the router.

   host1(config)#ipsec lifetime kilobytes 42000000

ipsec key manual pre-share

- Use to specify that a peer use a preshared key for authentication during the
  tunnel establishment phase, and to display the prompt that lets you enter the
  preshared key. To enter a key, use the key command.
- Specify the peer by using its IP address or fully qualified domain name (FQDN).
  - FQDNs are supported only for signaled tunnels.
  - The router must be in aggressive mode to use FQDNs with preshared keys.
  - The identity string can include an optional user@ specification preceding
    the FQDN.
- You must enter this command in the virtual router context where the IP address
  of the peer is defined.
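An added example, not part of the Juniper guide: a small Python check that reads a saved configuration or provisioning script written with the commands above and flags a preshared key entered in cleartext rather than masked, FQDN peers (which this page ties to aggressive mode), and transform sets built on MD5, DES/3DES or AH alone. The finding names, the review policy and the sample peer user@branch.example.com are assumptions of this example.

```python
import ipaddress
import re

# Constructed input: the commands shown on this page, plus one FQDN peer
# (hypothetical name) and a placeholder where a real masked key would be.
SAMPLE_CONFIG = """\
host1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
host1(config)#ipsec transform-set customerBprotection ah-hmac-md5
host1(config)#ipsec key manual pre-share 5.2.0.1
host1(config-manual-key)#key customerASecret
ipsec key manual pre-share 10.10.1.1
 masked-key "CONSTRUCTED-PLACEHOLDER"
ipsec key manual pre-share user@branch.example.com
 key customerBSecret
ipsec local-endpoint 10.10.1.1 transport-virtual-router vr#8
"""

PROMPT = re.compile(r"^\S*\(config[^)]*\)#\s*")  # strips e.g. host1(config)#

def is_ip(peer):
    try:
        ipaddress.ip_address(peer)
        return True
    except ValueError:
        return False

def audit(config):
    """Return (line_no, finding, subject) tuples; key values are never echoed."""
    findings, peer = [], None
    for n, raw in enumerate(config.splitlines(), 1):
        words = PROMPT.sub("", raw.strip()).split()
        if words[:2] == ["ipsec", "transform-set"] and len(words) >= 4:
            for transform in words[3:]:
                parts = transform.split("-")
                if "md5" in parts:
                    findings.append((n, "md5-auth", words[2]))
                if "des" in parts or "3des" in parts:
                    findings.append((n, "legacy-cipher", words[2]))
                if parts[0] == "ah":  # AH authenticates but does not encrypt
                    findings.append((n, "no-encryption", words[2]))
        if words[:1] == ["ipsec"]:
            # Any new top-level ipsec command ends the manual-key context.
            is_psk = words[1:4] == ["key", "manual", "pre-share"] and len(words) == 5
            peer = words[4] if is_psk else None
            if peer and not is_ip(peer):  # per the page: FQDN + preshared key
                findings.append((n, "fqdn-peer-aggressive-mode", peer))
        elif words[:1] == ["key"] and peer:
            findings.append((n, "cleartext-key", peer))
    return findings
```

Call audit(SAMPLE_CONFIG), or pass the text of your own configuration file, and review each returned tuple; a masked-key entry produces no finding.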
