Example: Enabling IKE and ESP ALG and Setting Timeouts (CLI)

In the following example, you enable the IKE/ESP ALG and set timeouts.

  1. To enable the IKE ESP ALG, set this CLI.

    The IKE ESP ALG will handle all traffic specified in any policy to which the ALG is attached. Additionally, if this CLI is present, the current default IPsec pass-through behavior will be disabled for all IPsec pass-through traffic, regardless of policy. If this CLI is NOT set, IKE ESP ALG will be disabled, and IPsec pass-through traffic will be handled following the default IPsec pass-through behavior.

    [edit]user@host# edit security alg ike-esp-natuser@host# set enable
  2. The state-timeout sets the timeout of ALG state information. ALG state information will be aged out using this timeout value. The timeout range is 180 through 86400 seconds. The default timeout is 14400 seconds.
    [edit]user@host# edit security alg ike-esp-natuser@host# set state-timeout 360
  3. The esp-gate-timeout sets the timeout of the ESP gates created after a phase 2 exchange has completed. The timeout range is 2 through 30 seconds. The default timeout is 5 seconds.
    [edit]user@host# edit security alg ike-esp-natuser@host# set esp-gate-timeout 20
  4. The esp-session-timeout sets the idle timeout of the ESP sessions created from the IPsec gates; if no traffic hits the session, it will be aged out after this period of time. The timeout range is 60 through 2400 seconds. The default timeout is 1800 seconds.
    [edit]user@host# edit security alg ike-esp-natuser@host# set esp-session-timeout 2400
  5. Confirm your configuration by entering the show security alg command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
    [edit]user@host# show security algike-esp-nat {enable;state-timeout 360;esp-gate-timeout 20;esp-session-timeout 2400;}
  6. Commit the configuration if you are done configuring the device.
    [edit]user@host# edit security alguser@host# commit

Related Topics

Copyright© 1999-2010 Juniper Networks, Inc. All rights reserved.