Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


ike (Security IPsec VPN)


Hierarchy Level


Define an IKE-keyed IPsec VPN.



To enable the anti-replay-window-size option, you first need to configure the option for each VPN object or at the global level. You can configure the anti-replay window size in the range of 64 to 8192 (power of 2). If the anti-replay window size is not configured, the window size is 64 by default. If anti-replay-window-size command is configured at both the global and VPN object levels, the configuration on VPN object takes precedence over global configuration.

anti-replay-window-size is supported only on SRX5000 line with SRX5K-SPC3 card installed.


Name of the remote IKE gateway.


Specify the maximum amount of idle time to delete a security association (SA) when there is no traffic flow.

  • Default: Disabled

  • Range: 60 through 999,999 seconds


Specify the maximum number of seconds to allow the installation of a rekeyed outbound security association (SA) on the device.

  • Default:

    • 1 second, prior to Junos OS Release 23.4R1 (without iked process)

    • Starting Junos OS Release 23.4R1 with iked process:
      • 3 seconds, for IKEv1 initiator and IKEv2 responder.

      • 0 seconds, for rest of the scenarios

  • Range: 0 through 10 seconds.

    You can configure 0-10 seconds from CLI, and it takes effect in data plane only for IKEv1 initiator or IKEv2 responder. CLI configured value takes precedence over the default value.


Specify the IPsec policy name.


Disable the antireplay checking feature of IPsec. Antireplay is an IPsec feature that can detect when a packet is intercepted and then replayed by attackers. By default, antireplay checking is enabled.


Optionally specify the IPsec proxy ID to use in negotiations. The default is the identity based on the IKE gateway. If the IKE gateway is an IPv6 site-to-site gateway, the default proxy ID is ::/0. If the IKE gateway is an IPv4 gateway or a dynamic endpoint or dialup gateway, the default proxy ID is

  • local—Specify the local IPv4 or IPv6 address and subnet mask for the proxy identity.

  • remote—Specify the remote IPv4 or IPv6 address and subnet mask for the proxy identity.

  • service—Specify the service (port and protocol combination) to protect. Name of the service is as defined with system-services (Interface Host-Inbound Traffic) and system-services (Zone Host-Inbound Traffic).

The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5. Support.

Statement anti-replay-window-size is introduced in Junos OS Release 19.2R1.

Support for idle-time and  install-interval options with IPsec VPN running iked process is added in Junos OS Release 23.4R1.