ike (Security IPsec VPN)

Syntax

Hierarchy Level

Description

Define an IKE-keyed IPsec VPN.

Options

anti-replay-window-size

Configure the anti-replay-window-size option either for each VPN object or at the global level. The anti-replay window size can be set in the range 64 through 8192 and must be a power of 2. If the anti-replay window size is not configured, the window size is 64 by default. If the anti-replay-window-size option is configured at both the global and the VPN object level, the configuration on the VPN object takes precedence over the global configuration.

The anti-replay-window-size option is supported only on the SRX5000 line with the SRX5K-SPC3 card installed.

gateway-name

Name of the remote IKE gateway.

idle-time

Specify the maximum idle time, in seconds, after which a security association (SA) is deleted when there is no traffic flow.

  • Default: Disabled

  • Range: 60 through 999,999 seconds

install-interval

Specify the maximum number of seconds to allow the installation of a rekeyed outbound security association (SA) on the device.

  • Default:

    • 1 second, prior to Junos OS Release 23.4R1 (without the iked process)

    • Starting with Junos OS Release 23.4R1 with the iked process:

      • 3 seconds, for an IKEv1 initiator and an IKEv2 responder.

      • 0 seconds, for the rest of the scenarios.

  • Range: 0 through 10 seconds.

    You can configure 0 through 10 seconds from the CLI; the value takes effect in the data plane only for an IKEv1 initiator or an IKEv2 responder. A CLI-configured value takes precedence over the default value.

ipsec-policy

Specify the IPsec policy name.

no-anti-replay

Disable the anti-replay checking feature of IPsec. Anti-replay is an IPsec feature that can detect when a packet is intercepted and then replayed by attackers. By default, anti-replay checking is enabled.

proxy-identity

Optionally specify the IPsec proxy ID to use in negotiations. The default is the identity based on the IKE gateway. If the IKE gateway is an IPv6 site-to-site gateway, the default proxy ID is ::/0. If the IKE gateway is an IPv4 gateway or a dynamic endpoint or dialup gateway, the default proxy ID is 0.0.0.0/0.

  • local—Specify the local IPv4 or IPv6 address and subnet mask for the proxy identity.

  • remote—Specify the remote IPv4 or IPv6 address and subnet mask for the proxy identity.

  • service—Specify the service (port and protocol combination) to protect. The service name is as defined with system-services (Interface Host-Inbound Traffic) and system-services (Zone Host-Inbound Traffic).

The remaining statements are explained separately. See CLI Explorer.
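The following configuration is an added example and is not taken from this page or from Juniper's own documentation; it shows one VPN object using the options described above. The VPN, gateway and policy names (vpn-to-branch, gw-branch, pol-branch) and the addresses are placeholders, and the referenced IKE gateway and IPsec policy are assumed to be configured elsewhere. The global-level anti-replay-window-size statement the text mentions is not shown because its hierarchy is not given on this page.

```junos
security {
    ipsec {
        vpn vpn-to-branch {
            ike {
                /* Remote IKE gateway and IPsec policy, defined elsewhere (assumed names) */
                gateway gw-branch;
                ipsec-policy pol-branch;
                /* Explicit proxy IDs instead of the 0.0.0.0/0 default derived from the gateway */
                proxy-identity {
                    local 10.10.0.0/24;
                    remote 10.20.0.0/24;
                    service any;
                }
                /* Delete the SA after 10 minutes without traffic (range 60 through 999,999) */
                idle-time 600;
                /* Allow 3 seconds to install a rekeyed outbound SA (range 0 through 10) */
                install-interval 3;
                /* Per-VPN replay window, a power of 2 in 64 through 8192; overrides any global value.
                   Requires SRX5000 line with SRX5K-SPC3. Do not combine with no-anti-replay. */
                anti-replay-window-size 1024;
            }
        }
    }
}
```

When out-of-order delivery (for example, from QoS queuing on the path) causes legitimate packets to fall outside the default 64-packet window and be dropped, widening the window with anti-replay-window-size keeps replay detection in place, whereas no-anti-replay removes the protection entirely. After committing, the per-SA detail output of show security ipsec security-associations can be used to confirm the anti-replay setting and window size that are actually in effect.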

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5.

The anti-replay-window-size option was introduced in Junos OS Release 19.2R1.

Support for the idle-time and install-interval options with IPsec VPN running the iked process was added in Junos OS Release 23.4R1.