Table 13: Initiator Proposals and Policy Rules

Aggressive Mode Setting   Initiator Requests (First Time)   Initiator Requests (Rekeyed)   Responder Policy Rule
-----------------------   -------------------------------   ----------------------------   --------------------------------------------
Accepted                  Main mode                         Follows First Time             Aggressive or Main modes (follows initiator)
Requested                 Aggressive mode                   Follows First Time             Aggressive or Main modes (follows initiator)
Required                  Aggressive mode                   Aggressive mode                Aggressive mode
None                      Main mode                         Main mode                      Main mode

The router responds to phase 1 negotiations with the highest-priority policy rule that
matches the initiator. A match means that all parameters, including the exchange
type, match.
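
The Table 13 settings and the matching rule above, modelled in Python as an added example (not code from this guide or from JUNOSe). The rule fields, the lower-number-is-higher-priority ordering, the parameter values, and the reading of "follows first time" as reusing the exchange type of the first negotiation are assumptions.

```python
from dataclasses import dataclass

MAIN, AGGRESSIVE = "main", "aggressive"

# Table 13, responder column: exchange types each aggressive-mode setting accepts.
RESPONDER_ACCEPTS = {
    "accepted":  {MAIN, AGGRESSIVE},   # follows initiator
    "requested": {MAIN, AGGRESSIVE},   # follows initiator
    "required":  {AGGRESSIVE},
    "none":      {MAIN},
}
# Table 13, initiator columns: (first-time request, rekey request).
# None in the rekey slot means "follows first time".
INITIATOR_REQUESTS = {
    "accepted":  (MAIN, None),
    "requested": (AGGRESSIVE, None),
    "required":  (AGGRESSIVE, AGGRESSIVE),
    "none":      (MAIN, MAIN),
}

@dataclass(frozen=True)
class PolicyRule:
    priority: int          # assumption: lower number = higher priority
    aggressive_mode: str   # one of the Table 13 settings
    params: tuple          # constructed stand-in for the rule's security parameters

def initiator_exchange(setting, first_time_used=None):
    """Exchange type requested as initiator; pass first_time_used when rekeying."""
    first, rekey = INITIATOR_REQUESTS[setting]
    if first_time_used is None:
        return first
    return rekey or first_time_used

def select_rule(rules, exchange, params):
    """Highest-priority rule whose parameters and exchange type all match, else None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.params == params and exchange in RESPONDER_ACCEPTS[rule.aggressive_mode]:
            return rule
    return None

def rules_allowing_aggressive(rules):
    """Audit helper: rules under which the responder would complete aggressive mode."""
    return [r for r in rules if AGGRESSIVE in RESPONDER_ACCEPTS[r.aggressive_mode]]

# Constructed sample policy set (parameter values are illustrative only).
RULES = [
    PolicyRule(10, "none",     ("3des", "sha1", "group5")),
    PolicyRule(20, "accepted", ("3des", "md5", "group2")),
    PolicyRule(30, "required", ("3des", "sha1", "group5")),
]
```

In the sample set, an aggressive-mode proposal with the first rule's parameters skips that rule because its setting is None and lands on the lower-priority Required rule, which is the case to look for when auditing which rules still admit aggressive mode.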

IKE Policies

An IKE policy defines a combination of security parameters to be used during the
IKE SA negotiation. IKE policies are configured on both security gateway peers, and
there must be at least one policy on the local peer that matches a policy on the
remote peer. Failing that, the two peers are not able to successfully negotiate the
IKE SA, and no data flow is possible.
IKE policies are global to the router. Every ISM on a router uses the same set of
policies when negotiating IKE SAs. The agreed-on IKE SA between the local system
and a remote security gateway may vary, because it depends on the IKE policies
used by each remote peer. However, the initial set of IKE policies the router uses is
always the same and independent of which peer the router is negotiating with.
During negotiation, the router might skip IKE policies that require parameters that
are not configured for the remote security gateway with which the IKE SA is being
negotiated.
You can define up to ten IKE policies, with each policy having a different combination
of security parameters. A default IKE policy that contains default values for every
policy parameter is available. This policy is used only when IKE policies are not
configured and IKE is required.
The following sections describe each of the parameters contained in an IKE policy.

Priority

Priority allows better (more secure) policies to be given preference during the
negotiation process. However, every IKE policy is considered secure enough to secure
the IKE SA flow.
During IKE negotiation, all policies are scanned, one at a time, starting from the
highest-priority policy and ending with the lowest-priority policy. The first policy that
IKE Overview
JUNOSe 11.1.x IP Services Configuration Guide