Diffie-Hellman Group; Lifetime; Ike Sa Negotiation; Generating Private And Public Key Pairs - Juniper JUNOSE 11.0.X IP SERVICES Configuration Manual

For E Series Broadband Services Routers - IP Services Configuration
JUNOSe 11.0.x IP Services Configuration Guide

Diffie-Hellman Group

An IKE policy must specify which Diffie-Hellman group is used during the
symmetrical key generation phase of IKE. The following Diffie-Hellman groups are
supported:

Group 1 (768-bit)
Group 2 (1024-bit)
Group 5 (1536-bit)

Lifetime

Like a user SA, an IKE SA does not last indefinitely. Therefore, the router allows you
to specify a lifetime parameter for an IKE policy. The timer for the lifetime parameter
begins when the IKE SA is established using IKE.

IKE SA Negotiation

As the initiator of an IKE SA, the router sends its IKE policies to the remote peer. If
the peer has an IKE policy that matches the encryption, hash, authentication method,
and Diffie-Hellman group settings, the peer returns the matching policy. The peers
use the lesser lifetime setting as the IKE SA lifetime. If no match is found, the IKE
SA fails, and a log alarm is generated.

As the responder of an IKE negotiation, the router receives all IKE policies from a
remote security gateway. The router then scans its own list of IKE policies to
determine whether a match exists, starting from the highest priority. If it finds a
match, that policy is successfully negotiated. Again, the lifetime is negotiated to the
lesser of the two lifetimes, and failures are logged.

Generating Private and Public Key Pairs

When any of the public key methods for authenticating remote security gateways is
used, the system must have at least one valid public/private key pair. Therefore,
the system provides a facility by which it can generate public and private key pairs
for itself.

The private key is used only by the system itself. It is never exchanged with any
other nodes. When generated, the private key is securely stored internally to the
system in nonvolatile memory. Access to the private key is never given, not even to
a system administrator or to a network management system.

The public key is used in either of the following scenarios:

A network administration system or system administrator can retrieve it so that
it can be entered into remote security gateways with which the system needs
to establish an IKE SA.

It can be given to CAs so that they can properly sign it. From there, the public
key is distributed to remote security gateways that can handle a PKI.
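The responder-side matching and lifetime rules described under IKE SA Negotiation above, as a small Python simulation (an added example, not JUNOSe code; the policy values, the field names, and the assumption that a lower priority number is scanned first are constructed):

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Diffie-Hellman groups this section lists as supported, with modulus size in bits
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}


@dataclass(frozen=True)
class IkePolicy:
    priority: int       # assumption: lower number means higher priority
    encryption: str
    hash_alg: str
    auth_method: str
    dh_group: int
    lifetime: int       # IKE SA lifetime in seconds

    def matches(self, peer: "IkePolicy") -> bool:
        """Match on encryption, hash, authentication method and DH group only;
        lifetime is not compared, it is negotiated after a match is found."""
        return (self.encryption, self.hash_alg, self.auth_method, self.dh_group) == \
               (peer.encryption, peer.hash_alg, peer.auth_method, peer.dh_group)


def negotiate_as_responder(local: List[IkePolicy], peer: List[IkePolicy],
                           log: List[str]) -> Optional[Tuple[IkePolicy, int]]:
    """Scan the local policies from highest priority; the first match wins and
    the negotiated lifetime is the lesser of the two. No match: log and fail."""
    for mine in sorted(local, key=lambda p: p.priority):
        for theirs in peer:
            if theirs.dh_group not in DH_GROUP_BITS:   # unsupported group: skip
                continue
            if mine.matches(theirs):
                return mine, min(mine.lifetime, theirs.lifetime)
    log.append("IKE SA negotiation failed: no matching IKE policy")
    return None


# Constructed sample policies (not taken from the manual)
LOCAL = [
    IkePolicy(10, "3des", "sha", "pre-share", 2, 86400),
    IkePolicy(20, "des", "md5", "pre-share", 1, 28800),
]
PEER_OK = [   # peer prefers des/md5, but the responder scans its own list first
    IkePolicy(1, "des", "md5", "pre-share", 1, 3600),
    IkePolicy(2, "3des", "sha", "pre-share", 2, 7200),
]
PEER_BAD = [  # wrong auth method, and a DH group the router does not support
    IkePolicy(1, "3des", "sha", "rsa-sig", 5, 3600),
    IkePolicy(2, "3des", "sha", "pre-share", 14, 3600),
]
```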
