Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?





Hierarchy Level

Release Information

Statement introduced in Junos OS Release 8.5.

responder-only option added in Junos OS Release 19.1R1.


Specify when IKE is activated: immediately after VPN information is configured and configuration changes are committed, or only when data traffic flows. If this configuration is not specified, IKE is activated only when data traffic flows.


  • immediately—IKE is activated immediately after VPN configuration changes are committed.


    Starting with Junos OS Release 15.1X49-D70, a warning message is displayed if you configure the establish-tunnels immediately option for an IKE gateway with group-ike-id or shared-ike-id IKE user types (for example, with AutoVPN or a remote access VPN). The establish-tunnels immediately option is not appropriate for these VPNs because multiple VPN tunnels may be associated with a single VPN configuration. Committing the configuration will succeed, however the establish-tunnels immediately configuration is ignored. The state of the tunnel interface will be up all the time, which was not the case in previous releases when the establish-tunnels immediately option was configured.

  • on-traffic—IKE is activated only when data traffic flows and must to be negotiated with the peer gateway. This is the default behavior.

  • responder-only—Responds to IKE negotiations that are initiated by the peer gateway, but does not initiate IKE negotiations from the device. This option is required when another vendor’s peer gateway expects the protocol and port values in the traffic selector from the initiating gateway.

  • responder-only-no-rekey —Option does not establish any VPN tunnel from the device, so the VPN tunnel is initiated from the remote peer. An established tunnel does not start any rekeying from the device and relies on the remote peer to initiate this rekeying. If rekeying does not occur, then the tunnel is brought down after hard-lifetime expires.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation