Configure Tunnel Link Encryption for Multinode High Availability Nodes


This example shows how to encrypt the High Availability (HA) traffic that traverses the link between SRX5000 Series devices (HA nodes) when the Multinode High Availability feature is enabled.


This example uses the following hardware and software components:

  • Two SRX5000 line of devices

  • MX or vSRX devices as adjacent routers

  • Junos OS Release 20.4R1 or later


In Multinode High Availability mode, nodes deployed at different locations are connected over public IP addresses to synchronize all HA-related information between them. Because this HA traffic traverses the internet, which can be a security issue, the packets need to be encrypted.

To protect the HA traffic between the active and backup nodes, an IPsec VPN tunnel is established between the nodes as soon as they come up. It is assumed that, without HA link encryption, these devices can communicate using their local IP addresses as if they were on the same subnet. When HA link encryption is enabled, all local IP-based HA traffic is tunneled through IPsec. For better protection, the IPsec SAs are negotiated by IKE between the nodes instead of using manual VPN. In Multinode HA mode, the tunnel is installed on the PFE and encrypts both the control and Real Time Objects (RTO) traffic between the nodes.

Perform the following configuration to protect the HA traffic between the HA nodes:

  • Configure a VPN profile for the HA traffic using the vpn-profile profile-name option at the [edit chassis high-availability peer-id peer-id] hierarchy level.

  • Encrypt the HA traffic for the specific VPN profile using the ha-link-encryption option at the [edit security ipsec vpn vpn-name] hierarchy level.

This configuration creates an ICL tunnel where only IKEv2 is supported for secure HA traffic flow. ICL tunnels support only site-to-site IPsec VPN tunnels.

View HA tunnel related information using the show security ike security-associations, show security ike active-peer, show security ipsec security-associations, and show security ipsec statistics commands.

Clear HA tunnel related information using the clear security ike security-associations and clear security ipsec security-associations commands.


In this example, two SRX5000 Series devices at different geographical locations act as high availability nodes. Because the control and data traffic passes through the internet, the traffic needs to be secured. To secure the HA traffic, the HA tunnel is encrypted using IPsec protocols.

Figure 1 shows the topology in which the SRX5000 Series devices encrypt the traffic that traverses the HA tunnel between the Layer 3 high availability nodes.

Figure 1: High Availability Tunnel Link Encryption


CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

To configure HA tunnel to protect the traffic between the two HA nodes ( and using the IPsec protocols, configure the following:

Configuring Link Encryption on High Availability Nodes

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Configure both local and peer information for high availability.
  2. Configure multinode High Availability mode and associate the peer node id 2 to the Service Redundancy Group (SRG).
  3. Configure services redundancy group 1.
  4. Define an IKE proposal and the IKE proposal authentication method. Also define the Diffie-Hellman group, authentication algorithm, an encryption algorithm for the IKE proposal.
  5. Configure an IKE policy and associate the policy with the IKE proposal. Also define the authentication method.
  6. Define the gateway policy reference and gateway version. For the high availability feature, you must configure the IKE version as v2-only.
  7. Specify the IPsec proposal protocol and encryption algorithm.
  8. Create the multinode high availability IPsec policy.
  9. Enable multinode high availability feature for the IPsec VPN.

    The same VPN name, L3HA_IPSEC_VPN, must be specified for vpn-profile in the chassis high availability configuration. See step 12.

  10. Specify the IKE gateway.
  11. Specify the L3HA IPsec policies.
  12. The IPsec VPN profile L3HA_IPSEC_VPN is attached to chassis high availability configuration to establish a secure interchassis link or tunnel between the HA nodes and
  13. Specify allowed system services for the halink security zone.
  14. Assign an interface to the halink security zone.
  15. Configure policy options.


From configuration mode, confirm your configuration by entering the show security ike, show security ipsec, show policy-options, and show chassis high-availability commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.
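The checks that this procedure calls out can be automated before commit. The following is an added example, not part of the original Juniper documentation: it audits a configuration exported in set format and confirms that the VPN named by vpn-profile carries ha-link-encryption and uses an IKE gateway set to v2-only. The sample configuration is constructed; the peer-id and all names other than L3HA_IPSEC_VPN are assumptions.

```python
# Constructed sample in set format. L3HA_IKE_GW, L3HA_IKE_POL, L3HA_IPSEC_POL
# and peer-id 2 are illustrative assumptions, not values from the original page.
SAMPLE_OK = """\
set chassis high-availability peer-id 2 vpn-profile L3HA_IPSEC_VPN
set security ike gateway L3HA_IKE_GW ike-policy L3HA_IKE_POL
set security ike gateway L3HA_IKE_GW version v2-only
set security ipsec vpn L3HA_IPSEC_VPN ha-link-encryption
set security ipsec vpn L3HA_IPSEC_VPN ike gateway L3HA_IKE_GW
set security ipsec vpn L3HA_IPSEC_VPN ike ipsec-policy L3HA_IPSEC_POL
"""

def audit_ha_link_encryption(config_text):
    """Return a list of findings; an empty list means every check passed."""
    profiles = {}      # peer-id -> VPN name given as vpn-profile
    encrypted = set()  # VPNs that carry ha-link-encryption
    vpn_gateway = {}   # VPN name -> IKE gateway name
    gw_version = {}    # IKE gateway name -> configured IKE version
    for line in config_text.splitlines():
        tok = line.split()
        if (tok[:3] == ["set", "chassis", "high-availability"] and len(tok) == 7
                and tok[3] == "peer-id" and tok[5] == "vpn-profile"):
            profiles[tok[4]] = tok[6]
        elif tok[:4] == ["set", "security", "ipsec", "vpn"] and len(tok) >= 6:
            if tok[5] == "ha-link-encryption":
                encrypted.add(tok[4])
            elif tok[5:7] == ["ike", "gateway"] and len(tok) == 8:
                vpn_gateway[tok[4]] = tok[7]
        elif (tok[:4] == ["set", "security", "ike", "gateway"] and len(tok) == 7
                and tok[5] == "version"):
            gw_version[tok[4]] = tok[6]
    findings = []
    if not profiles:
        findings.append("no vpn-profile under chassis high-availability peer-id")
    for peer, vpn in sorted(profiles.items()):
        if vpn not in encrypted:
            findings.append(f"peer {peer}: vpn {vpn} lacks ha-link-encryption")
        gw = vpn_gateway.get(vpn)
        if gw is None:
            findings.append(f"peer {peer}: vpn {vpn} has no IKE gateway")
        elif gw_version.get(gw) != "v2-only":
            findings.append(f"peer {peer}: gateway {gw} is not version v2-only")
    # An encrypted VPN that no peer references protects nothing.
    for vpn in sorted(encrypted - set(profiles.values())):
        findings.append(f"vpn {vpn} has ha-link-encryption but no peer references it")
    return findings

if __name__ == "__main__":
    print(audit_ha_link_encryption(SAMPLE_OK) or "HA link encryption checks passed")
```

Run it on both nodes' exported configurations; a name mismatch between vpn-profile and the IPsec VPN shows up as two findings, one for each side of the broken reference.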


Confirm that the configuration is working properly.


Verify only the interchassis link active peers, not the regular IKE active peers.


user@host# show security ike active-peer ha-link-encryption


The command displays only the active peer of the interchassis link tunnel, with details such as the peer addresses and the ports the active peer is using.

Verify Security Associations Created for Interchassis Link Tunnel


Verify the multi SAs created for the interchassis link encryption tunnel.


user@host# show security ipsec security-associations ha-link-encryption


The output from the show security ipsec security-associations ha-link-encryption command lists the following information:

  • The remote gateway has an IP address of

  • The SPIs, lifetime (in seconds), and usage limits (or lifesize in KB) are shown for both directions. The 1208/ value indicates that the Phase 2 lifetime expires in 1208 seconds, and that no lifesize has been specified, which indicates that it is unlimited. The Phase 2 lifetime can differ from the Phase 1 lifetime, because Phase 2 is not dependent on Phase 1 after the VPN is up.


Verify the interchassis link tunnel mode.


user@host# show security ipsec sa detail ha-link-encryption


The above output from the show security ipsec sa detail ha-link-encryption command lists the following information:

  • The local identity and remote identity make up the proxy ID for the SA.

  • The IPsec SA pair is displayed for each thread in the PIC.

  • The following line in the IPsec SA output indicates the HA link encryption tunnel mode.

    HA Link Encryption Mode: Multi-Node
  • Authentication and encryption algorithms used.


Verify the link encryption tunnel statistics on both the active and backup nodes.


user@host# show security ipsec statistics ha-link-encryption

You can also use the show security ipsec statistics ha-link-encryption command to review statistics and errors for all SAs.

To clear all IPsec statistics, use the clear security ipsec statistics ha-link-encryption command.


If you see packet loss issues across a VPN, you can run the show security ipsec statistics ha-link-encryption command several times to confirm that the encrypted and decrypted packet counters are incrementing. You should also check whether the other error counters are incrementing.