Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Configure a Keychain (TCP-AO)


This example shows you how to create a TCP-AO keychain to authenticate a BGP or LDP session.

This example shows you how to create a TCP-AO keychain to authenticate a BGP or LDP session.

This example uses the following hardware and software components:

  • MX Series or PTX Series routers.

  • Junos OS Release 20.3R1 or later version.

In this example, you can create a keychain new_auth_key with 2 keys, key 0 and key 1 on devices R1 and R2.

  1. To create a keychain new_auth_key with the first key, (key 0):Note

    Copy the following commands, paste them into a text file, remove any line breaks and change any details necessary to match your network configuration, copy and paste the commands into the CLI.


    R2 (with send-id and recv-id values reversed)

    Consider the following parameters while configuring a keychain:




    Enter a unique name.


    Enter a unique key ID.


    Enter a unique password.


    Enter a unique time in YYYY-MM-DD.HH:MM format to specify the start time of the key.


    Enter algorithm ao

    send-id and recv-id

    Enter any two numbers between 0 and 255. You must not use these numbers for any other key within that keychain.


    Choose either hmac-sha-1-96 or aes-128-cmac-96.


    Choose enabled to enable the TCP-AO option.

  2. To add another key (key 1), after creating key 0:


    R2 (with send-id and recv-id values reversed)

  3. Enter commit from configuration mode on both devices to activate your changes.
  4. To verify the keychain new_auth_key with the 2 keys configured, use the show security authentication-key-chains command from configuration mode.

    The following is sample output based on this example:

    user@R1# show security authentication-key-chains

You have successfully created a keychain!

To delete a keychain, use the delete security authentication-key-chains key-chain key_chain name command from configuration mode.

  • You can associate only one TCP-AO keychain with a BGP or LDP session during its life-time. You cannot point another keychain to the session in its life-time.

  • We recommend a minimum interval of 30 minutes between the start-time of any two subsequent keys within a keychain.

  • Once a keychain is configured and in use by a TCP connection, you cannot change the send-id or recv-id values of its active key. However, you can change the other parameters in the key, and any new connection associated with the updated keychain will take the updated parameters for its connection establishment.

To display information about existing keychains (if any) from the operational mode, use the show security keychain command. Here’s a sample output:

user@R1> show security keychain