Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?




Hierarchy Level


Configure Application Layer Gateway (ALG) for Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic with Network Address Translation (NAT).


  • Enable —Enable the IKE-ESP ALG.

  • esp-gate-timeout seconds—Set the timeout for the ESP gates created after an IKE Phase 2 exchange has completed.

    Range: 2 through 30 seconds.

    Default: 5 seconds.

  • esp-session-timeout seconds—Set the idle timeout for the ESP sessions created from the IPsec gates.

    Range: 60 through 2400 seconds.

    Default: 1800 seconds.

  • state-timeout seconds—Set the timeout for the ALG state information.

    Range: 180 through 86,400 seconds.

    Default: 14,400 seconds.

  • traceoptions—Set the IKE-ESP ALG trace options.

    • flag —Specify which tracing operation to perform.

      • all—Trace all operations.

        • extensive—Set trace verbosity level to extensive.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5.

Statement supported at hierarchy [edit logical-systems name tenants name security alg tenant] in Junos OS Release 18.3R1.