vpn (Security)
Syntax
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 8.5. Support for IPv6 addresses added in Junos OS Release 11.1. Support for copy-outer-dscp added in Junos OS Release 15.1X49-D30. verify-path keyword and destination-ip added in Junos OS Release 15.1X49-D70. packet-size option added in Junos OS Release 15.1X49-D120.
Description
Configure an IPsec VPN. A VPN provides a means by which remote computers communicate securely across a public WAN such as the Internet. A VPN connection can link two LANs (site-to-site VPN) or a remote dial-up user and a LAN. The traffic that flows between these two points passes through shared resources such as routers, switches, and other network equipment that make up the public WAN. To secure VPN communication while it passes through the WAN, the two participants create an IP Security (IPsec) tunnel. IPsec is a suite of related protocols for cryptographically securing communications at the IP packet layer.
Options
Values:
default-spc2-profile—Default group for distributing tunnels on SPC2 only
default-spc3-profile—Default group for distributing tunnels on SPC3 only
distribution-profile-name—Name of the distribution profile.
On SRX5400, SRX5600, and SRX5800 devices, the DF-bit configuration for the VPN takes effect only for packets that are smaller than the st0 interface MTU but larger than the external interface MTU minus the IPsec overhead, that is, packets that fit the tunnel interface but would need fragmentation once encapsulated.
Values:
clear—Clear (disable) the DF bit from the outer header. This is the default.
copy—Copy the DF bit to the outer header.
set—Set (enable) the DF bit in the outer header.
Values:
immediately—IKE is activated immediately after VPN configuration changes are committed.
Starting with Junos OS Release 15.1X49-D70, a warning message is displayed if you configure the establish-tunnels immediately option for an IKE gateway with the group-ike-id or shared-ike-id IKE user type (for example, with AutoVPN or a remote access VPN). The establish-tunnels immediately option is not appropriate for these VPNs because multiple VPN tunnels may be associated with a single VPN configuration. The commit succeeds, but the establish-tunnels immediately setting is ignored. The tunnel interface stays up at all times, which was not the case in earlier releases when establish-tunnels immediately was configured.
on-traffic—IKE is activated only when data traffic flows and an SA must be negotiated with the peer gateway. This is the default behavior.
responder-only—Responds to IKE negotiations initiated by the peer gateway but never initiates IKE negotiations from the device. This option is required when another vendor's peer gateway expects the protocol and port values in the traffic selector to come from the initiating gateway. The responder-only option was added in Junos OS Release 19.1R1.
responder-only-no-rekey—Does not establish any VPN tunnel from the device; the remote peer must initiate the tunnel. Once the tunnel is established, the device never initiates a rekey and relies on the remote peer to do so. If the peer does not rekey, the tunnel is brought down when the hard lifetime expires.
Values:
input—Match on input to interface
output—Match on output from interface
Range (packet-size, in bytes): 256 through 9192
Range (UDP destination port): 1025 through 65536. Do not use 4500, which is already reserved for IKE and IPsec NAT traversal (NAT-T); choosing it would collide with the standard NAT-T encapsulation.
Default: If you do not include the udp-dest-port statement, the default UDP destination port is 4565.
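The following configuration, added here as an illustration and not taken from this page or from any Juniper example, shows how the options described above fit together for a single site-to-site tunnel. The VPN name corp-to-dc, the gateway dc-gw, the IPsec policy ipsec-pol, the interface st0.0, the port 4567, and the addresses are assumptions; the page names the encapsulation port option udp-dest-port, and the hierarchical form udp-encapsulate { dest-port } used below is the assumed configuration-file spelling of that option. The annotations use the /* */ comment syntax that Junos accepts in configuration files.

```junos
security {
    ipsec {
        vpn corp-to-dc {
            /* Tunnel interface that the VPN is bound to (assumed name). */
            bind-interface st0.0;
            /* copy: the inner packet's DF bit is mirrored into the outer
               header, so hosts doing path-MTU discovery still receive
               "fragmentation needed" for the tunnel path. The default,
               clear, always allows the encapsulated packet to fragment;
               set forces the outer DF bit on regardless of the inner one. */
            df-bit copy;
            /* immediately is only appropriate for a tunnel with exactly one
               peer like this site-to-site gateway. For group-ike-id or
               shared-ike-id gateways (AutoVPN, remote access) the commit
               warns and this setting is ignored; leave the default
               on-traffic there, or responder-only when the peer must
               initiate (for example a third-party gateway that expects
               traffic-selector protocol/port values from the initiator). */
            establish-tunnels immediately;
            ike {
                gateway dc-gw;          /* assumed IKE gateway name */
                ipsec-policy ipsec-pol; /* assumed IPsec policy name */
            }
            /* ESP-in-UDP encapsulation on a custom port. Must be within
               1025-65536 and must not be 4500, the IKE/IPsec NAT-T port.
               Omitting dest-port gives the default of 4565. */
            udp-encapsulate {
                dest-port 4567;
            }
            vpn-monitor {
                /* verify-path probes a host behind the peer (assumed
                   address), not the peer's own tunnel address, so the probe
                   exercises the data path through the tunnel. packet-size
                   (256-9192 bytes) lets the probe be as large as real data,
                   which catches an MTU black hole that a small ping would
                   pass straight through. */
                verify-path {
                    destination-ip 10.20.0.1;
                    packet-size 1400;
                }
            }
        }
    }
}
```

The pairing of df-bit copy with a verify-path probe near the expected data size is deliberate: copying DF makes oversized packets fail visibly at the sender instead of being silently fragmented by the gateway, and the large probe confirms before the tunnel is relied upon that such packets actually traverse the path.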
The remaining statements are explained separately. See CLI Explorer.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.