Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Understanding Requirements for Secure Communication Between Routing Engines in FIPS Mode


The internal IPsec SA provides a secure way to mutually authenticate and encrypt communications between Routing Engines.

The cryptographic boundary on a modular switch is the Routing Engine. For this reason, QFX10008, and QFX10016 switches with dual (redundant) Routing Engines require an internal, manual IP Security (IPsec) security association (SA) configured on each Routing Engine for the Routing Engines to communicate with each other. The Crypto Officer must use the console of each Routing Engine to configure the IPsec SA. Only four parameters are required: SA direction, security parameter index (SPI), a key value for authentication, and a key value for encryption. The SAs must be identical. All values, including the keys, must be statically specified in the configuration and must match on both ends of the connection. For communication to take place, each Routing Engine must have the same configured options.

For details, see:

SA Direction

The internal, manual IPsec security association (SA) established by you, the Crypto Officer, on a Routing Engine can have the same SPI, authentication key, and encryption key for inbound and outbound communication, or one set of values for the inbound tunnel and another set for the outbound tunnel:

  • Bidirectional—Apply the same SA values in both directions between Routing Engines.

  • Inbound—Apply the SA values only to the inbound IPsec tunnel.

  • Outbound—Apply the SA values only to the outbound IPsec tunnel.

If you do not configure the SA to be bidirectional, you must configure two unidirectional IPsec tunnels, one in each direction.


We do not recommend the use of unidirectional IPsec tunnels.


The security parameter index (SPI) is an arbitrary value between 256 and 16639 that uniquely identifies the SA to use at the receiving Routing Engine. The sending Routing Engine uses the SPI to identify and select the SA it uses to secure every packet. The receiving Routing Engine uses the SPI to identify and select the encryption algorithm and key it uses to decrypt packets.

IPsec Keys

The internal, manual IPsec SA established by you, the Crypto Officer, on a Routing Engine requires an authentication key, as well as an encryption key. For this type of SA, we recommend you create preshared keys in hexadecimal format, for maximum key strength. Each key requires a specific cryptographic algorithm:

  • Authentication algorithm

    • HMAC-SHA-256 (64 hexadecimal characters)

  • Encryption algorithm

    • 3DES-CBC (48 hexadecimal characters)

You use the configuration mode command prompt to enter the value for each key twice. If the two entries do not match, the key is not set.

IPsec Limitations

On a switch with Junos OS in FIPS mode enabled, you cannot configure IPsec SAs to use the IPsec Authentication Header (AH) protocol or the Data Encryption Standard (DES) encryption algorithm. Instead, you must use the Encapsulating Security Payload (ESP) protocol for both encryption and authentication.