SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  conversion from SSG config to SRX : p2-proposal with no-pfs

    Posted 03-22-2016 08:37

    Given that the conversion tool ignores this completely, I am having trouble deciphering how to translate this line from my SSG.

     

    Basically I have this:

    set ike p2-proposal "nopfs-esp-aes256-sha" no-pfs esp aes256 sha-1 second 28800

    which I'm guessing should translate to something like this on the SRX:


    proposal nopfs-esp-aes256-sha {
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 28800;
    }

    but what I am unsure of is how "no-pfs" enters the picture. I'm guessing, with this command missing, that it just is a default of nothing? Has anyone encountered this? Thanks for any help. The documentation says nothing on the SRX about "NO" pfs, so I am confused.



  • 2.  RE: conversion from SSG config to SRX : p2-proposal with no-pfs
    Best Answer

    Posted 03-24-2016 02:21

    You do not specifically set "no-pfs", but rather just leave off the "perfect-forward-secret" setting within the ipsec policy (note that it is not in the proposal, but rather the policy setting).
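
The mapping described in this answer, as an added example that is not part of the original thread and not Juniper's conversion tool: a small Python translator from a ScreenOS `set ike p2-proposal` line to Junos `set` commands, generalized beyond the thread's single case to the DH group tokens. It puts PFS in the IPsec policy (the Junos statement is `perfect-forward-secrecy keys <group>`) and emits nothing for `no-pfs`. The `<name>-policy` policy name and the second sample line are assumptions made for illustration.

```python
import shlex

# ScreenOS token -> Junos keyword (only common ESP cases are covered)
ENC = {"des": "des-cbc", "3des": "3des-cbc", "aes128": "aes-128-cbc",
       "aes192": "aes-192-cbc", "aes256": "aes-256-cbc"}
AUTH = {"md5": "hmac-md5-96", "sha-1": "hmac-sha1-96"}
PFS = {"no-pfs": None, "group1": "group1", "group2": "group2", "group5": "group5"}


def convert_p2_proposal(line, policy_name=None):
    """Translate one ScreenOS 'set ike p2-proposal' line into Junos set commands."""
    tok = shlex.split(line)  # shlex strips the quotes around the proposal name
    if tok[:3] != ["set", "ike", "p2-proposal"] or len(tok) != 10:
        raise ValueError("not a supported p2-proposal line: %r" % line)
    name, pfs, proto, enc, auth, unit, life = tok[3:]
    if pfs not in PFS or proto != "esp" or enc not in ENC or auth not in AUTH:
        raise ValueError("unsupported token in: %r" % line)
    if unit not in ("second", "seconds") or not life.isdigit():
        raise ValueError("only lifetimes given in seconds are handled")
    policy = policy_name or name + "-policy"  # hypothetical naming convention
    prop = "set security ipsec proposal " + name
    pol = "set security ipsec policy " + policy
    out = [prop + " protocol esp",
           prop + " authentication-algorithm " + AUTH[auth],
           prop + " encryption-algorithm " + ENC[enc],
           prop + " lifetime-seconds " + life,
           pol + " proposals " + name]
    # PFS belongs to the policy, not the proposal. For no-pfs the statement
    # is simply absent, so nothing is appended here.
    if PFS[pfs]:
        out.append(pol + " perfect-forward-secrecy keys " + PFS[pfs])
    return out


if __name__ == "__main__":
    # The first line is the one from the post; the second is constructed.
    for sample in (
        'set ike p2-proposal "nopfs-esp-aes256-sha" no-pfs esp aes256 sha-1 second 28800',
        'set ike p2-proposal "g2-esp-aes256-sha" group2 esp aes256 sha-1 second 3600',
    ):
        print("\n".join(convert_p2_proposal(sample)), end="\n\n")
```

Both tunnel endpoints have to agree on the PFS setting, so the policy on the SRX should carry the statement only if the peer's proposal names a group.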



  • 3.  RE: conversion from SSG config to SRX : p2-proposal with no-pfs

    Posted 04-04-2016 12:06

    awesome, thanks