Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?



  • Enhancements to increase traffic selector flexibility (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 21.1R1, you can do the following to add flexibility to your traffic selectors in different deployment scenarios:

    • Configure the routing metric for a traffic selector.

    • Define the source port range, destination port range, and protocol for a traffic selector.

    • Define multiple terms within a traffic selector, instead of creating multiple traffic selectors (or child security associations or SAs) for a VPN. Each term comprises the local and remote IP prefixes, the source and destination port ranges, and the protocol identifier. You can use these parameters in a single IPsec SA negotiation. In earlier Junos OS releases, you configure each traffic selector with one set of local and remote IP prefixes to be used in an IPsec SA negotiation with a peer.

    This feature is supported only if the junos-ike package is installed in your device.

    We recommend you configure the same metric value if you define multiple traffic selectors under the same [edit security ipsec vpn vpn_name] hierarchy level with same value for remote-ip ip-address/netmask. If you configure different metric values, then the metric value of the st0 route installed will be same as the traffic selector that is negotiated or installed first.

    [See traffic-selector and show security ipsec security-associations detail.]