Aggressive Mode Negotiations; Ike Policies; Table 13: Initiator Proposals And Policy Rules - Juniper JUNOSE 11.2.X IP SERVICES Configuration Manual

For E Series Broadband Services Routers - IP Services Configuration

Copyright © 2010, Juniper Networks, Inc.
- Exposes identities of the peers to eavesdropping, making it less secure than main mode.
- Is faster than main mode because fewer messages are exchanged between peers. (Three messages are exchanged in aggressive mode.)
- Enables support for fully qualified domain names (FQDNs) when the router uses preshared keys.
The next section describes aggressive mode in more detail.

Aggressive Mode Negotiations

During aggressive mode phase 1 negotiations, the E Series router behaves as follows:

- When the router is the initiator, the router searches all policy rules to find those that allow aggressive mode. The router then selects the rule with the highest priority and uses the rule to initiate phase 1 negotiations. If there are no policy rules with aggressive mode allowed, the router selects the highest-priority rule that allows main mode.
- When the router is the responder, the negotiation depends on what the initiator proposes, as well as what is configured in the policy rules.

Table 13 on page 135 outlines the possible combinations of initiator proposals and policy rules. As indicated, allowing aggressive mode in a policy rule allows negotiation to take place no matter what the initiator requests.

Table 13: Initiator Proposals and Policy Rules

| Aggressive Mode Setting | Initiator Requests (First Time) | Initiator Requests (Rekeyed) | Responder Policy Rule |
|-------------------------|---------------------------------|------------------------------|-----------------------|
| Accepted  | Main mode       | Follows first time | Aggressive or main mode (follows initiator) |
| Requested | Aggressive mode | Follows first time | Aggressive or main mode (follows initiator) |
| Required  | Aggressive mode | Aggressive mode    | Aggressive mode |
| None      | Main mode       | Main mode          | Main mode |

The router responds to phase 1 negotiations with the highest-priority policy rule that matches the initiator. A match means that all parameters, including the exchange type, match.

IKE Policies

An IKE policy defines a combination of security parameters to be used during the IKE SA negotiation. IKE policies are configured on both security gateway peers, and there must be at least one policy on the local peer that matches a policy on the remote peer. Failing that, the two peers are not able to successfully negotiate the IKE SA, and no data flow is possible.

Chapter 5: Configuring IPSec
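The initiator and responder rule selection described above (highest-priority rule, exchange type as part of the match, and the four aggressive-mode settings of Table 13) as an added Python model; this is not code from the Juniper manual or from JUNOSe. The ordering of priorities (lower number wins), the AggrSetting names and the params tuple are assumptions made for illustration only.

```python
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):
    MAIN = "main"
    AGGRESSIVE = "aggressive"

class AggrSetting(Enum):  # the aggressive-mode settings of Table 13
    NONE = "none"
    ACCEPTED = "accepted"
    REQUESTED = "requested"
    REQUIRED = "required"

@dataclass(frozen=True)
class PolicyRule:
    priority: int          # assumption: lower number = higher priority
    aggressive: AggrSetting
    params: tuple          # (encryption, hash, DH group), all of which must match

    def allows(self, mode):  # "Responder Policy Rule" column of Table 13
        if self.aggressive is AggrSetting.REQUIRED:
            return mode is Mode.AGGRESSIVE
        if self.aggressive is AggrSetting.NONE:
            return mode is Mode.MAIN
        return True  # Accepted / Requested: follows the initiator

    def initiator_mode(self, first_time=None):
        # "Initiator Requests" columns: first-time value, or on rekey the mode of
        # the first negotiation where the table says "Follows First Time"
        if self.aggressive is AggrSetting.REQUIRED:
            return Mode.AGGRESSIVE
        if self.aggressive is AggrSetting.NONE:
            return Mode.MAIN
        if first_time is not None:
            return first_time
        return Mode.AGGRESSIVE if self.aggressive is AggrSetting.REQUESTED else Mode.MAIN

def choose_initiator_rule(rules):
    # initiator: highest-priority rule that starts in aggressive mode, else the
    # highest-priority rule that allows main mode
    ordered = sorted(rules, key=lambda r: r.priority)
    aggressive = [r for r in ordered if r.initiator_mode() is Mode.AGGRESSIVE]
    return aggressive[0] if aggressive else next((r for r in ordered if r.allows(Mode.MAIN)), None)

def choose_responder_rule(rules, mode, params):
    # responder: highest-priority rule whose parameters all match, exchange type included
    for r in sorted(rules, key=lambda r: r.priority):
        if r.allows(mode) and r.params == params:
            return r
    return None  # no matching rule: the IKE SA is not negotiated and no data flows
```

A `None` from `choose_responder_rule` is the "no matching policy" case of the IKE Policies paragraph: the peers cannot negotiate the IKE SA.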
