Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


vpn (Security)


Hierarchy Level


Configure an IPsec VPN. A VPN provides a means by which remote computers communicate securely across a public WAN suchas the Internet. A VPN connection can link two LANs (site-to-site VPN) or a remote dial-up user and a LAN. The trafficthat flows between these two points passes through shared resources such as routers, switches, and othernetwork equipment that make up the public WAN. To secure VPN communication while passing throughthe WAN, the two participants create an IP Security (IPsec) tunnel. IPsec is a suite of related protocols for cryptographically securing communications at the IP Packet Layer.



Name of the VPN.


Configure the tunnel interface to which the route-based virtual private network (VPN) is bound.


Enable copying of Differentiated Services Code Point (DSCP) (outer DSCP+ECN) field from the outer IP header encrypted packet to the inner IP header plain text message on the decryption path. The benefit in enabling this feature is that after IPsec decryption, clear text packets can follow the inner CoS (DSCP+ECN) rules.


Specify a distribution-profile to distribute tunnels. The distribution-profile option is introduced to give the administrator an option to select which PICs in the chassis should handle tunnels associated with a certain VPN object. If the default profiles such as default-spc3-profile or default-spc2-profile are not selected, a new user-defined profile can be selected. In a profile, you need to mention the Flexible PIC Concentrator (FPC) slot and the PIC number. When such a profile is associated with a VPN object, all matching tunnels are distributed across these PIC's.

  • Values:

    • default-spc2-profile—Default group for distributing tunnels on SPC2 only

    • default-spc3-profile—Default group for distributing tunnels on SPC3 only

    • distribution-profile-name—Name of the distribution profile.


Specify how the device handles the Don't Fragment (DF) bit in the outer header.

On SRX5400, SRX5600, and SRX5800 devices, the DF-bit configuration for VPN only works if the original packet size is smaller than the st0 interface MTU, and larger than the external interface-ipsec overhead.

  • Values:

    • clear—Clear (disable) the DF bit from the outer header. This is the default.

    • copy—Copy the DF bit to the outer header.

    • set—Set (enable) the DF bit in the outer header.


Specify when IKE is activated: immediately after VPN information is configured and configuration changes are committed, or only when data traffic flows. If this configuration is not specified, IKE is activated only when data traffic flows.

  • Values:

    • immediately—IKE is activated immediately after VPN configuration changes are committed.

      Starting with Junos OS Release 15.1X49-D70, a warning message is displayed if you configure the establish-tunnels immediately option for an IKE gateway with group-ike-id or shared-ike-id IKE user types (for example, with AutoVPN or a remote access VPN). The establish-tunnels immediately option is not appropriate for these VPNs because multiple VPN tunnels may be associated with a single VPN configuration. Committing the configuration will succeed, however the establish-tunnels immediately configuration is ignored. The state of the tunnel interface will be up all the time, which was not the case in previous releases when the establish-tunnels immediately option was configured.

    • on-traffic—IKE is activated only when data traffic flows and must to be negotiated with the peer gateway. This is the default behavior.

    • responder-only—Responds to IKE negotiations that are initiated by the peer gateway, but does not initiate IKE negotiations from the device. This option is required when another vendor’s peer gateway expects the protocol and port values in the traffic selector from the initiating gateway. responder-only option added in Junos OS Release 19.1R1.

      This option is supported on unified iked process that is not enabled by default. Administrators must execute the request system software add optional://junos-ike.tgz command to load the junos-ike package.

    • responder-only-no-rekey—Option does not establish any VPN tunnel from the device, so the VPN tunnel is initiated from the remote peer. An established tunnel does not start any rekeying from the device and relies on the remote peer to initiate this rekeying. If rekeying does not occur, then the tunnel is brought down after hard-lifetime expires.

      This option is supported on unified iked process that is not enabled by default. Administrators must execute the request system software add optional://junos-ike.tgz command to load the junos-ike package.


Define an IKE-keyed IPsec VPN.


Define a manual IPsec security association (SA).


Negotiate multiple security association (SAs) based on configuration choice. Multiple SAs negotiates with the same traffic selector on the same IKE SA.


Configure multiple sets of local IP address prefix, remote IP address prefix, source port range, destination port range, and protocol as a traffic selector for an IPsec tunnel.


Direction for which the rule match is applied

  • Values:

    • input—Match on input to interface

    • output—Match on output from interface


No active IP packet checks before IPSec encapsulation


Maximum transmit packet size

  • Range: 256 through 9192


(Optional) Use the specified UDP destination port for the UDP header that is appended to the ESP encapsulation. Enable multiple path forwarding of IPsec traffic by adding a UDP header to the IPsec encapsulation of packets. Doing this increases the throughput of IPsec traffic. If you do not enable UDP encapsulation, all the IPsec traffic follows a single forward path rather than using multiple available paths.

  • Range: 1025 through 65536. Do not use 4500.

  • Default: If you do not include the udp-dest-port statement, the default UDP destination port is 4565.


Configure settings for VPN monitoring.

The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5.

Support for IPv6 addresses added in Junos OS Release 11.1.

Support for copy-outer-dscp added in Junos OS Release 15.1X49-D30.

verify-path keyword and destination-ip added in Junos OS Release 15.1X49-D70.

packet-size option added in Junos OS Release 15.1X49-D120.

Support for term, protocol, source-port, destination-port, metric, and description options introduced in Junos OS Release 21.1R1.

Support for vpn-monitor option with IPsec VPN running iked process is added in Junos OS Release 23.4R1.