Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


internal (Security IPsec)



Hierarchy Level

Release Information

Statement introduced in Junos OS Release 12.1X45-D10.

Support for ike-ha-link-encryption option added in Junos OS Release 12.1X47-D15.

Support for iked_encryption option added in Junos OS Release 12.1X47-D10.

Support for aes-128-cbc option added in Junos OS Release 19.1R1.

Support for ike-ha-link-encryption option added for vSRX in Junos OS Release 19.4R1


Enable secure login and to prevent attackers from gaining privileged access through this control port by configuring the internal IP security (IPsec) security association (SA).

When the internal IPsec is configured, IPsec-based rlogin and remote command (rcmd) are enforced, so an attacker cannot gain unauthorized information.


security-associationSpecify an IPsec SA. An SA is a simplex connection that allows two hosts to communicate with each other securely by means of IPsec.
manual encryptionSpecify a manual SA. Manual SAs require no negotiation; all values, including the keys, are static and specified in the configuration.
algorithm 3des-cbcSpecify the encryption algorithm for the internal Routing-Engine-to-Routing-Engine IPsec SA configuration.
algorithm aes-128-cbcSpecify the encryption algorithm for high availability encryption link.
iked-ha-link-encryptionEnable encryption for internal messages.


  • enable—Enable HA link encryption IKE internal messages

key ascii-textSpecify the encryption key. You must ensure that the manual encryption key is in ASCII text and 24 characters long; otherwise, the configuration will result in a commit failure.

Required Privilege Level

interface—To view this statement in the configuration.

interface-control—To add this statement to the configuration.