Configuring IKE Proposals
Creating Custom IKE Phase1 Proposals
Copyright © 2010, Juniper Networks, Inc.
If you make changes to a protected resource object that is used in a VPN, NSM
automatically generates new configuration and propagates your changes to all affected
security devices.
If you change the security device that protects a resource, NSM removes the previous
security device from all affected VPNs and adds the new security device. However,
NSM does not configure the VPN topology for the new security device—you must
reconfigure the topology to include the new device manually.
In an AutoKey IKE VPN, you can use the Internet Key Exchange (IKE) protocol to generate
and distribute encryption keys and authentication algorithms to all VPN nodes. IKE
automatically generates new encryption keys for the traffic on the network, and
automatically replaces those keys when they expire. Because IKE generates keys
automatically, you can give each key a short life span, making it expire before it can be
broken. By also exchanging authentication algorithms, IKE can confirm that the
communication in the VPN tunnel is secure.
Because all security parameters are dynamically assigned, VPN nodes must negotiate
the exact set of security parameters that will be used to send and receive data to other
VPN nodes. To enable negotiations, each VPN node contains a list of proposals; each
proposal is a set of encryption keys and authentication algorithms. When a VPN node
attempts to send data through the VPN tunnel, IKE compares the proposals from each
VPN node and selects a proposal that is common to both nodes. If IKE cannot find a
proposal that exists on both nodes, the connection is not established.
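The proposal comparison described above, as an added example in Python (not NSM's own code or object model): each node holds an ordered list of Phase 1 proposals, and the negotiation succeeds only when the initiator's preferred parameter set also appears in the responder's list. Field names, proposal names and the sample lists are constructed for illustration; the matching is on cryptographic parameters rather than on object names, since names on a non-NSM device need not agree.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Phase1Proposal:
    """One IKE Phase 1 proposal: a parameter set the node is willing to use.
    Field names are illustrative assumptions, not NSM's configuration schema."""
    name: str          # administrative name; may differ between peers
    auth_method: str   # "preshared-key" or "rsa-certificate"
    encryption: str    # e.g. "aes-256", "3des"
    hash_alg: str      # e.g. "sha1", "md5"
    dh_group: int      # Diffie-Hellman group number

    def parameters(self) -> Tuple[str, str, str, int]:
        # Peers agree on algorithms, not on names, so compare only these.
        return (self.auth_method, self.encryption, self.hash_alg, self.dh_group)


def select_common_proposal(
    initiator: List[Phase1Proposal], responder: List[Phase1Proposal]
) -> Optional[Tuple[Phase1Proposal, Phase1Proposal]]:
    """Walk the initiator's list in preference order and return the first
    proposal whose parameters the responder also offers, paired with the
    responder's matching object. None means no common proposal exists and
    the tunnel is not established."""
    responder_by_params = {p.parameters(): p for p in responder}
    for offered in initiator:
        match = responder_by_params.get(offered.parameters())
        if match is not None:
            return offered, match
    return None


# Constructed sample proposal lists for three hypothetical VPN nodes.
NODE_A = [
    Phase1Proposal("a-aes256-sha1", "preshared-key", "aes-256", "sha1", 2),
    Phase1Proposal("a-3des-md5", "preshared-key", "3des", "md5", 2),
]
NODE_B = [
    # Same parameter sets as NODE_A, different names and different order.
    Phase1Proposal("b-legacy", "preshared-key", "3des", "md5", 2),
    Phase1Proposal("b-strong", "preshared-key", "aes-256", "sha1", 2),
]
NODE_C = [
    # Certificate-only peer: shares no parameter set with NODE_A.
    Phase1Proposal("c-rsa", "rsa-certificate", "aes-256", "sha1", 2),
]


def negotiate(initiator: List[Phase1Proposal], responder: List[Phase1Proposal]) -> str:
    """Summarise the outcome the way an IKE debug log would describe it."""
    result = select_common_proposal(initiator, responder)
    if result is None:
        return "no common proposal; Phase 1 fails"
    offered, accepted = result
    return f"agreed on {offered.parameters()} ({offered.name} <-> {accepted.name})"


if __name__ == "__main__":
    print("A -> B:", negotiate(NODE_A, NODE_B))
    print("A -> C:", negotiate(NODE_A, NODE_C))
```

Because the initiator's list is walked in order, placing the strongest proposal first means the strongest shared parameter set wins even when the responder lists a weaker one first; a responder that offers only legacy algorithms, or a peer using a different authentication method, yields no match and the connection is refused rather than downgraded.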
IKE negotiations include two phases:
In Phase 1, two members establish a secure and authenticated communication channel.
In Phase 2, two members negotiate Security Associations for services (such as IPSec)
that require key material and parameters.
By default, NSM includes several common IKE phase1 and phase2 proposals. To view
these proposals, from VPN Manager, select IKE Phase1 Proposals or IKE Phase2
Proposals.
Create a custom proposal for a specific combination of authentication and encryption
that is not available in the predefined proposals, or to match the name of a proposal on
a non-security device.
To create a custom IKE Phase1 proposal, select Custom IKE Phase and click the icon.
Enter a name and choose a color for the object, then configure the following settings:
Authentication Method—Select the authentication method.
Preshared Key. Use this option to generate an ephemeral secret and authenticate
data using MD5 or SHA hash algorithms against the secret.
RSA Certificate.
Chapter 8: Configuring Objects
419