VPNs

  • Support for robust protection against DDoS attacks on IKE protocol with iked process (MX240, MX480, and MX960 with SPC3, SRX1500, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX 3.0)—Starting in Junos OS Release 23.4R1, you can efficiently monitor and mitigate DDoS attacks on IKEv1 and IKEv2 protocols when your firewall runs the iked process for the IPsec VPN service.

    To support the feature, we introduce the following configuration statements at the [edit security ike] hierarchy level:

    • session—Tune parameters to manage the behavior of negotiations with the remote peers to protect the security associations. Configure the parameters at the [edit security ike session half-open] and [edit security ike session full-open] hierarchy levels.

    • blocklists—Define multiple blocklists and their associated rules for blocking an IKE ID. Configure the blocklists at the [edit security ike session blocklists] hierarchy level. You must attach a blocklist to one or more IKE policies at the [edit security ike policy policy-name blocklist blocklist-name] hierarchy level.

    Use the following commands to view and clear statistics and other details about the in-progress, failed, blocked, and backoff peers:

    • show security ike peers statistics and show security ike peers.

    • clear security ike peers statistics and clear security ike peers.

    [See IKE Protection from DDoS Attacks, session (Security IKE), blocklists (Security IKE), show security ike peers statistics, show security ike peers, clear security ike peers statistics, and clear security ike peers.]
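As an added illustration (not Junos code and not an example from the release notes), the Python model below shows how the three controls described above fit together: a per-peer cap on half-open negotiations, a backoff period for peers that exceed it, and a blocklist matched on the IKE ID once it is presented at authentication, with counters mirroring the in-progress, failed, blocked and backoff categories the show commands report. Class names, the peer addresses and the IKE IDs are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class IkeSessionPolicy:
    half_open_max: int            # concurrent half-open negotiations allowed per peer
    backoff_seconds: int          # how long a peer that exceeds the cap is refused
    blocklist: set[str] = field(default_factory=set)  # IKE IDs to reject (constructed rule set)

@dataclass
class IkeProtector:
    """Tracks IKE negotiations per remote peer; illustrative model, not the iked implementation."""
    policy: IkeSessionPolicy
    half_open: dict[str, int] = field(default_factory=dict)      # peer -> negotiations awaiting auth
    backoff_until: dict[str, float] = field(default_factory=dict)  # peer -> time refusal ends
    stats: dict[str, int] = field(default_factory=lambda: {
        "in_progress": 0, "full_open": 0, "failed": 0, "blocked": 0, "backoff": 0})

    def on_sa_init(self, peer: str, now: float) -> str:
        """First IKE message from a peer: apply backoff state, then the half-open cap."""
        if self.backoff_until.get(peer, 0.0) > now:
            self.stats["backoff"] += 1
            return "backoff"
        count = self.half_open.get(peer, 0)
        if count >= self.policy.half_open_max:
            # Cap exceeded: drop this peer's pending negotiations and refuse it for a while.
            self.backoff_until[peer] = now + self.policy.backoff_seconds
            self.stats["in_progress"] -= count
            self.half_open[peer] = 0
            self.stats["backoff"] += 1
            return "backoff"
        self.half_open[peer] = count + 1
        self.stats["in_progress"] += 1
        return "in_progress"

    def on_ike_auth(self, peer: str, ike_id: str, authenticated: bool) -> str:
        """Authentication exchange: the IKE ID is now known, so blocklist rules apply here."""
        if self.half_open.get(peer, 0) > 0:
            self.half_open[peer] -= 1
            self.stats["in_progress"] -= 1
        if ike_id in self.policy.blocklist:
            self.stats["blocked"] += 1
            return "blocked"
        if not authenticated:
            self.stats["failed"] += 1
            return "failed"
        self.stats["full_open"] += 1
        return "full_open"
```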