gateway (Security IKE)

Syntax

Hierarchy Level

Description

Configure an IKE gateway.

Options

gateway-name

Name of the gateway.

address

Specify either the IPv4 or IPv6 addresses or the hostnames of the primary Internet Key Exchange (IKE) gateway (peer) and up to four backup gateways.

Consider the following points before configuring multiple peer addresses on an IPsec VPN that runs the iked process:

  • The option supports one primary address and up to a maximum of 4 backup addresses, all belonging to the same inet family.

  • You must configure DPD before configuring multiple peer addresses.

  • Only site-to-site VPN configuration supports multiple peer addresses.

  • HA configuration doesn't support multiple peer addresses.

    CAUTION:

    Exercise caution when modifying the peer address:

    • If you delete an active peer address, the peer address list is updated and the next available peer address is considered active. This is a catastrophic operation: the existing VPN tunnel is torn down and a new tunnel is negotiated according to the peer address list.

    • If you delete an inactive peer address, the peer address list is updated but does not cause any catastrophic event as there is no impact on the tunnel.

    • If you add a new peer address, it will be appended to the end of the list, and there is no impact on the tunnel.

  • Values:

    • address—IPv4 or IPv6 addresses or hostnames of an IKE gateway.

      This is a list of values. Priority of the peer addresses is based on the order of addresses in the list.

  • Range:

    • Supports up to 5 peer addresses, which includes one active peer address and up to 4 backup peer addresses.

aaa

Specify that extended authentication is performed in addition to IKE Phase 1 authentication for remote users trying to access a VPN tunnel.

advpn

Enable Auto Discovery VPN (ADVPN) protocol on the specified gateway. ADVPN dynamically establishes VPN tunnels between spokes to avoid routing traffic through the Hub.

dead-peer-detection

Enable the device to use dead peer detection (DPD).

dynamic

Specify the identifier for the remote gateway with a dynamic IPv4 or IPv6 address. Use this statement to set up a VPN with a gateway that has an unspecified IPv4 or IPv6 address.

external-interface

Name of the interface to be used to send traffic to the IPsec VPN. Specify the outgoing interface for IKE SAs. This interface is associated with a zone that acts as its carrier, providing firewall security for it.

fragmentation

Configure IKEv2 packet fragmentation: disable it, or optionally set the maximum size of an IKEv2 message before the message is split into fragments that are individually encrypted and authenticated.

disable

Disables IKEv2 fragmentation. IKEv2 fragmentation is enabled by default.

size bytes

Maximum size, in bytes, of an IKEv2 message before it is split into fragments. The size applies to both IPv4 and IPv6 messages.

  • Range: 500 to 1300 bytes

  • Default: 576 bytes for IPv4 messages and 1280 bytes for IPv6 messages

general-ikeid

Accept peer IKE-ID in general.

ike-policy

Specify the IKE policy to be used for the gateway.

local-address

Local IP address for IKE negotiations. Specify the local gateway address. Multiple addresses in the same address family can be configured on an external physical interface to a VPN peer. If this is the case, we recommend that local-address be configured. If there is only one address configured (IPv4 or IPv6) on an external physical interface, local-address configuration is not necessary.

The local-address value must be an IP address that is configured on an interface on the SRX Series Firewall. We recommend that local-address belong to the external interface of the IKE gateway. If local-address does not belong to the external interface of the IKE gateway, the interface must be in the same zone as the external interface of the IKE gateway and an intra-zone security policy must be configured to permit traffic. The local-address value and the remote IKE gateway address must be in the same address family, either IPv4 or IPv6.
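The constraints stated for the address option (one primary plus up to four backups, a single inet family, DPD required before multiple peers, list order as priority, and the peer-list behaviour on delete and add) and for local-address (same address family as the remote gateway) are easy to violate by hand. The following added example, which is not part of the Juniper documentation and not a Juniper tool, lints a constructed set of `set security ike gateway` commands against those rules and models the peer-list update the CAUTION describes. The gateway names, policy name, interface names and addresses are made up; the assumption that promotion wraps to the first address when the last active peer is deleted is the example's own.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration in Junos "set" form; the gateway names,
# policy name, interface names and addresses are made up for this example.
SAMPLE_CONFIG = """
set security ike gateway gw-branch address 192.0.2.1
set security ike gateway gw-branch address 192.0.2.2
set security ike gateway gw-branch address 198.51.100.7
set security ike gateway gw-branch dead-peer-detection
set security ike gateway gw-branch external-interface ge-0/0/0.0
set security ike gateway gw-branch local-address 203.0.113.5
set security ike gateway gw-branch ike-policy pol-branch
set security ike gateway gw-branch version v2-only
set security ike gateway gw-mixed address 192.0.2.9
set security ike gateway gw-mixed address 2001:db8::9
set security ike gateway gw-mixed external-interface ge-0/0/1.0
set security ike gateway gw-mixed ike-policy pol-branch
"""

MAX_PEERS = 5  # one active peer address plus up to four backups


def parse_gateways(config: str) -> Dict[str, dict]:
    """Collect per-gateway options from 'set security ike gateway NAME OPTION [ARGS]' lines."""
    gateways: Dict[str, dict] = {}
    for line in config.splitlines():
        parts = line.split()
        if parts[:4] != ["set", "security", "ike", "gateway"] or len(parts) < 6:
            continue
        name, option, args = parts[4], parts[5], parts[6:]
        gw = gateways.setdefault(name, {"address": [], "flags": set(), "values": {}})
        if option == "address":
            gw["address"].extend(args)      # list option: order sets peer priority
        elif args:
            gw["values"][option] = " ".join(args)
        else:
            gw["flags"].add(option)
    return gateways


def ip_family(addr: str) -> Optional[int]:
    """Return 4 or 6 for an IP literal, None for a hostname (family unknown until resolved)."""
    try:
        return ipaddress.ip_address(addr).version
    except ValueError:
        return None


def check_gateway(name: str, gw: dict) -> List[str]:
    """Apply the constraints the reference page states for address and local-address."""
    problems: List[str] = []
    peers = gw["address"]
    families = {ip_family(p) for p in peers} - {None}
    if len(peers) > MAX_PEERS:
        problems.append(f"{name}: {len(peers)} peer addresses; maximum is {MAX_PEERS}")
    if len(families) > 1:
        problems.append(f"{name}: peer addresses mix IPv4 and IPv6")
    if len(peers) > 1 and "dead-peer-detection" not in gw["flags"]:
        problems.append(f"{name}: multiple peer addresses require dead-peer-detection")
    local = gw["values"].get("local-address")
    if local is not None and families and ip_family(local) not in families:
        problems.append(f"{name}: local-address and peer addresses differ in address family")
    return problems


def lint(config: str) -> Dict[str, List[str]]:
    """Return {gateway name: [problems]} for every gateway that violates a constraint."""
    result = {name: check_gateway(name, gw) for name, gw in parse_gateways(config).items()}
    return {name: p for name, p in result.items() if p}


def delete_peer(peers: List[str], active: int, addr: str) -> Tuple[List[str], int, bool]:
    """Model the peer-list update on deletion described in the CAUTION.

    Returns (new list, index of the active peer, whether the tunnel is renegotiated).
    Deleting the active peer promotes the next address in list order (wrapping to the
    first address is this example's assumption) and tears the tunnel down; deleting an
    inactive peer only shifts indexes and leaves the tunnel untouched.
    """
    idx = peers.index(addr)
    remaining = peers[:idx] + peers[idx + 1:]
    if idx == active:
        new_active = idx if idx < len(remaining) else 0
        return remaining, new_active, True
    new_active = active - 1 if idx < active else active
    return remaining, new_active, False


def add_peer(peers: List[str], addr: str) -> List[str]:
    """A new peer address is appended to the end of the list; the tunnel is unaffected."""
    return peers + [addr]


if __name__ == "__main__":
    for gateway, issues in lint(SAMPLE_CONFIG).items():
        for issue in issues:
            print(issue)
```

Run against the constructed input, `gw-branch` passes and `gw-mixed` is reported twice: its peers span both address families and it has no dead-peer-detection statement. Hostname peers are skipped by the family check because their family is unknown until resolution.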

local-identity

Specify the local IKE identity to send in the exchange with the destination peer to establish communication.

nat-keepalive

Specify the interval, in seconds, at which NAT keepalive packets are sent so that the NAT translation stays active. The default value changed from 5 seconds to 20 seconds in Junos OS Release 12.1X46-D10.

  • Default: 20

  • Range: 1 through 300

node-local

Mark an IPsec VPN tunnel between Multinode High Availability nodes and a VPN peer device as a node-local tunnel. Node-local tunnels support dynamic routing protocols, which let the device add routes dynamically. These routes remain local to a node and are not bound to any services redundancy group (SRG). Use this option only for Multinode High Availability.

no-nat-traversal

Disable IPsec NAT traversal. This disables UDP encapsulation of IPsec Encapsulating Security Payload (ESP) packets, otherwise known as Network Address Translation Traversal (NAT-T). NAT-T is enabled by default.

tcp-encap-profile

Specify the TCP encapsulation profile to be used for TCP connections for remote access clients.

version

Specify the IKE version to use to initiate the connection.

  • Values:

    • v1-only—The connection must be initiated using IKE version 1. This is the default.

    • v2-only—The connection must be initiated using IKE version 2.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5. Support for IPv6 addresses added in Junos OS Release 11.1. The inet6 option added in Junos OS Release 11.1. Support for the advpn option added in Junos OS Release 12.3X48-D10.

Option fragmentation is introduced in Junos OS Release 15.1X49-D80.

Option tcp-encap-profile is introduced in Junos OS Release 15.1X49-D80.

The general-ikeid option under the [edit security ike gateway gateway-name dynamic] hierarchy is introduced in Junos OS Release 21.1R1.

Option node-local is introduced in Junos OS Release 23.2R1.

Support for multiple peer addresses in the address option for IPsec VPNs that run the iked process is introduced in Junos OS Release 23.4R1.