extended-authentication
Specifying IPSec Security Association Transforms
transform
Copyright © 2010, Juniper Networks, Inc.
authentication is only performed at the first IKE SA establishment. Subsequent IKE SA
rekey operations inherit the initial authentication and do not reauthenticate users.
NOTE: For maximum security, enable reauthentication.
The skip-peer-config keyword prevents the router from configuring peer IP characteristics.
Use to specify the extended user authentication protocol for use during the extended
user authentication protocol exchange. This command can also enable or disable the
reauthentication option (a subsequent authentication procedure).
The re-authenticate keyword enables the reauthentication option (a subsequent
authentication procedure).
The skip-peer-config keyword prevents the router from configuring peer IP
characteristics.
Example
host1(config-ipsec-tunnel-profile)#extended-authentication chap
Use the no version to reset the extended authentication to the default protocol, pap.
See extended-authentication.
The transform command specifies the IPSec transforms that IPSec SA negotiations can
use for this profile. The router accepts the first transform proposed by a client that
matches one of the transforms specified by this command. During an IPSec SA exchange
with a client, the router proposes all transforms specified by this command and one is
accepted by the client.
NOTE: You can specify up to six transform algorithms for this profile.
For additional information about transforms and transform sets, see "Configuring IPSec"
on page 119.
Use to specify the eligible transforms for this profile for IPSec security association
negotiations.
Example
host1(config-ipsec-tunnel-profile)#transform ah-hmac-md5
Use the no version to reset the transform to the default, esp-3des-sha1.
See transform.
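The transform selection rule described above, modeled in Python as an added example (not Juniper code and not part of the original guide). The function names and the audit heuristic keyed on the `ah-` prefix and `md5` token are assumptions; the transform names, the six-entry limit and the default come from this page.

```python
# Added illustration, not Juniper code: a model of the transform selection
# rule described in the text. Function names are hypothetical.

MAX_TRANSFORMS = 6                    # page: up to six transforms per profile
DEFAULT_TRANSFORM = "esp-3des-sha1"   # page: default restored by the no version


def build_profile(transforms=None):
    """Return the profile's transform list, enforcing the six-entry limit."""
    chosen = list(transforms) if transforms else [DEFAULT_TRANSFORM]
    if len(chosen) > MAX_TRANSFORMS:
        raise ValueError(f"profile holds at most {MAX_TRANSFORMS} transforms")
    return chosen


def select_as_responder(profile, client_proposals):
    """Accept the first client-proposed transform that the profile allows.

    The client's ordering decides the outcome; the profile acts only as an
    allow-list. Returns None when nothing matches.
    """
    allowed = set(profile)
    for proposed in client_proposals:
        if proposed in allowed:
            return proposed
    return None


def audit_profile(profile):
    """Map each weak entry to the reasons it is weak.

    Assumption: names follow the pattern seen on the page, where an "ah-"
    prefix means AH (integrity only, no encryption) and "md5" names the HMAC.
    """
    findings = {}
    for name in profile:
        reasons = []
        if name.startswith("ah-"):
            reasons.append("AH: no confidentiality")
        if "md5" in name.split("-"):
            reasons.append("HMAC-MD5 integrity")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    # Constructed profile and client proposal, using only names from the page.
    profile = build_profile(["esp-3des-sha1", "ah-hmac-md5"])
    print(select_as_responder(profile, ["ah-hmac-md5", "esp-3des-sha1"]))
    print(audit_profile(profile))
```

Because the client's ordering decides the result, a profile should list only transforms that are acceptable as the negotiated outcome.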
Chapter 6: Configuring Dynamic IPSec Subscribers