ike-esp-nat
Syntax
ike-esp-nat {
    enable;
    esp-gate-timeout seconds;
    esp-session-timeout seconds;
    state-timeout seconds;
    traceoptions {
        flag {
            all {
                extensive
            }
        }
    }
}
Hierarchy Level
[edit logical-systems name security alg], [edit logical-systems name tenants name security alg], [edit security alg], [edit services alg], [edit tenants name security alg]
Description
Enabling tracing can adversely impact scale and performance and may increase security risk. We strongly recommend using the trace, tracing, or traceoptions commands only under the guidance of a JTAC support engineer. After collecting the debug information, immediately disable tracing to minimize risk and restore normal system performance.
Configure Application Layer Gateway (ALG) for Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic with Network Address Translation (NAT).
Options
enable—Enable the IKE-ESP ALG.
esp-gate-timeout seconds—Set the timeout for the ESP gates created after an IKE Phase 2 exchange has completed.
Range: 2 through 30 seconds.
Default: 5 seconds.
esp-session-timeout seconds—Set the idle timeout for the ESP sessions created from the IPsec gates.
Range: 60 through 2400 seconds.
Default: 1800 seconds.
state-timeout seconds—Set the timeout for the ALG state information.
Range: 180 through 86,400 seconds.
Default: 14,400 seconds.
traceoptions—Set the IKE-ESP ALG trace options.
  flag—Specify which tracing operation to perform.
  all—Trace all operations.
  extensive—Set trace verbosity level to extensive.
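An added example, not part of the Juniper documentation: a Python check that reads configuration in set format (as produced by show configuration | display set) and flags ike-esp-nat timeouts outside the ranges listed above, traceoptions left configured, and levels with no enable statement. The names audit, LIMITS, STMT and SAMPLE, the sample configuration, and the logical-system name LS1 are constructed for illustration.

```python
import re

# Ranges (seconds) as listed in the Options section above.
LIMITS = {"esp-gate-timeout": (2, 30), "esp-session-timeout": (60, 2400),
          "state-timeout": (180, 86400)}

# "set <level> ike-esp-nat <statement>" for the hierarchy levels on this page.
STMT = re.compile(
    r"^set\s+(?P<scope>(?:logical-systems\s+\S+\s+)?(?:tenants\s+\S+\s+)?"
    r"(?:security|services)\s+alg)\s+ike-esp-nat\s+(?P<rest>.+)$"
)

# Constructed sample input; LS1 is a made-up logical-system name.
SAMPLE = """\
set security alg ike-esp-nat enable
set security alg ike-esp-nat esp-gate-timeout 45
set security alg ike-esp-nat esp-session-timeout 1800
set security alg ike-esp-nat traceoptions flag all extensive
set logical-systems LS1 security alg ike-esp-nat state-timeout 120
set security alg sip enable
"""

def audit(config_text):
    """Return (scope, severity, message) findings for ike-esp-nat statements."""
    findings, seen = [], {}
    for raw in config_text.splitlines():
        m = STMT.match(raw.strip())
        if not m:
            continue  # not an ike-esp-nat statement
        scope = " ".join(m["scope"].split())
        words = m["rest"].split()
        key, known = words[0], seen.setdefault(scope, set())
        if key in LIMITS:
            lo, hi = LIMITS[key]
            if len(words) < 2 or not words[1].isdigit():
                findings.append((scope, "error", f"{key}: missing or non-numeric value"))
            elif not lo <= int(words[1]) <= hi:
                findings.append((scope, "error", f"{key} {words[1]} outside {lo}-{hi} seconds"))
        elif key == "traceoptions" and key not in known:
            findings.append((scope, "warning", "traceoptions configured; disable after debug collection"))
        known.add(key)
    for scope, known in seen.items():
        if "enable" not in known:
            findings.append((scope, "info", "no 'enable' statement at this level"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```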
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 8.5.
Statement supported at hierarchy [edit logical-systems name tenants name security alg tenant] in Junos OS Release 18.3R1.