Creating Custom Ike Phase1 Proposals - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual


Creating Custom IKE Phase1 Proposals

Copyright © 2010, Juniper Networks, Inc.
broken. By also exchanging authentication algorithms, IKE can confirm that the
communication in the VPN tunnel is secure.
Because all security parameters are negotiated dynamically, VPN nodes must agree on
the exact set of parameters they will use to send and receive data with each other.
To enable negotiation, each VPN node holds a list of proposals; each proposal is a
set of parameters (the encryption algorithm, the hash algorithm used for
authentication, the authentication method, and the Diffie-Hellman group). When a
VPN node attempts to send data through the VPN tunnel, IKE compares the proposals
of the two nodes and selects one that both nodes offer. If IKE cannot find a
proposal that exists on both nodes, the connection is not established.
IKE negotiations include two phases:
In Phase 1, the two peers establish a secure and authenticated communication channel.
In Phase 2, the two peers negotiate, over that channel, the Security Associations for
services (such as IPSec) that require key material and parameters.
By default, NSM includes several common IKE phase1 and phase2 proposals. To view
these proposals, from VPN Manager, select IKE Phase1 Proposals or IKE Phase2
Proposals.
Create a custom proposal when you need a specific combination of authentication and
encryption that the predefined proposals do not offer, or when you need to match the
proposal names configured on a non-security device.
To create a custom IKE Phase1 proposal, select Custom IKE Phase1 Proposals and click
the Add icon. Enter a name and choose a color for the object, then configure the
following settings:
Authentication Method—Select how the two peers prove their identity to each other:
Preshared Key. The same secret is configured on both peers. During Phase 1 each peer
proves that it holds the secret by sending a hash (MD5 or SHA) keyed with it; the
secret itself never crosses the wire, so it must be distributed out of band and be
long and random enough to resist guessing.
RSA Certificate. Each peer signs the exchange with the RSA private key that belongs
to its certificate, and the other peer verifies the signature against the certificate.
DSA Certificate. As above, with a DSA key pair and certificate.
Diffie-Hellman Group—The Diffie-Hellman group defines the modulus (and generator)
used in the key exchange from which both peers derive the shared secret that keys
the tunnel. Only the public values are exchanged, in the clear; neither peer's private
exponent nor the resulting secret ever travels over the wire. The larger the modulus,
the harder it is to recover the secret from what an observer sees, and the more time
each exchange takes to compute. Select the group that meets your security
requirements and user needs:
Group 1. Uses a 768-bit modulus.
Group 2. Uses a 1024-bit modulus.
Group 5. Uses a 1536-bit modulus.
Group 14. Uses a 2048-bit modulus.
Note that 768-bit and 1024-bit moduli are no longer considered adequate against a
well-resourced attacker, so Group 14 is the floor to use for new deployments; choose
a smaller group only when a peer cannot support anything larger.
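The following is an added example, not code from the Juniper NSM guide or from NSM itself. It models both points above: proposal negotiation, where a proposal is a set of algorithm attributes and the tunnel fails if the peers share none, and the Diffie-Hellman exchange that a group number selects, using the RFC 3526 group 14 (2048-bit) modulus so that both peers end up with the same secret without ever sending it. The proposal names, the two peers' lists, the attribute spellings and the 256-bit exponent size are illustrative assumptions.

```python
"""Added example, not code from the Juniper NSM guide.

Models (1) IKE Phase 1 proposal negotiation and (2) the Diffie-Hellman
exchange selected by a group number. Proposal names, the two peers'
lists and the exponent size are illustrative assumptions; the group 14
modulus and generator are taken from RFC 3526.
"""
import secrets
from dataclasses import dataclass

# Modulus sizes for the groups the guide lists.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}
# Groups below 14 (2048-bit modulus) are no longer considered adequate.
MIN_DH_GROUP = 14


@dataclass(frozen=True)
class Phase1Proposal:
    name: str          # local NSM object name (assumed); never sent to the peer
    auth_method: str   # "preshared-key", "rsa-sig" or "dsa-sig" (assumed spellings)
    dh_group: int
    encryption: str    # e.g. "aes-256", "3des"
    hash_alg: str      # e.g. "sha-1", "md5"

    def attributes(self):
        # Only these are compared during negotiation; the name is purely local.
        return (self.auth_method, self.dh_group, self.encryption, self.hash_alg)


def negotiate(initiator, responder):
    """Return the first initiator proposal the responder also offers, else None.

    Initiator order is preserved, so its preference wins when several match.
    """
    offered = {p.attributes(): p for p in responder}
    for mine in initiator:
        if mine.attributes() in offered:
            return mine
    return None


def weak_dh_group(proposal):
    """True if the proposal's DH group is below the 2048-bit floor."""
    return proposal.dh_group < MIN_DH_GROUP


# RFC 3526 group 14: 2048-bit MODP prime, generator 2.
MODP14_P = int("".join([
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1",
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD",
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245",
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED",
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D",
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F",
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D",
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B",
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9",
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510",
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF",
]), 16)
MODP14_G = 2


def dh_keypair(p=MODP14_P, g=MODP14_G):
    """Private exponent x and public value g^x mod p (256-bit exponent assumed)."""
    x = secrets.randbits(256) | 1
    return x, pow(g, x, p)


def dh_shared(private, peer_public, p=MODP14_P):
    """Shared secret; rejects the degenerate public values 0, 1 and p-1 first."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_public, private, p)


def demo_exchange():
    """Both peers derive the same secret from public values sent in the clear."""
    a, pub_a = dh_keypair()
    b, pub_b = dh_keypair()
    return dh_shared(a, pub_b) == dh_shared(b, pub_a)


def demo_negotiation():
    """Constructed peer lists: only the initiator's second proposal is common."""
    initiator = [
        Phase1Proposal("pre-g2-3des-sha", "preshared-key", 2, "3des", "sha-1"),
        Phase1Proposal("pre-g14-aes256-sha", "preshared-key", 14, "aes-256", "sha-1"),
    ]
    responder = [
        Phase1Proposal("vendor-strong", "preshared-key", 14, "aes-256", "sha-1"),
        Phase1Proposal("vendor-legacy", "rsa-sig", 5, "aes-128", "md5"),
    ]
    chosen = negotiate(initiator, responder)
    return chosen.name if chosen else None


if __name__ == "__main__":
    print("negotiated:", demo_negotiation())
    print("same secret on both sides:", demo_exchange())
```

The object name stays local, exactly as the text says: matching against a non-security device is done on the attribute set, and the name only helps an operator line the two configurations up. `weak_dh_group` is the check worth wiring into a configuration review, since a proposal that negotiates successfully on group 1 or 2 gives no error at all.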
Chapter 8: Configuring Objects
423