
gateway (Security IKE)

Syntax

Hierarchy Level

Description

Configure an IKE gateway.

Options

gateway-name

Name of the gateway.

address

Specify the IPv4 or IPv6 address or the hostname of the primary Internet Key Exchange (IKE) gateway and up to four backup gateways.

  • Values:

    • address—IPv4 or IPv6 address or hostname of an IKE gateway.

aaa

Specify that extended authentication is performed in addition to IKE Phase 1 authentication for remote users trying to access a VPN tunnel.

advpn

Enable Auto Discovery VPN (ADVPN) protocol on the specified gateway. ADVPN dynamically establishes VPN tunnels between spokes to avoid routing traffic through the Hub.

dead-peer-detection

Enable the device to use dead peer detection (DPD).

dynamic

Specify the identifier for the remote gateway with a dynamic IPv4 or IPv6 address. Use this statement to set up a VPN with a gateway that has an unspecified IPv4 or IPv6 address.

external-interface

Name of the interface to be used to send traffic to the IPsec VPN. Specify the outgoing interface for IKE SAs. This interface is associated with a zone that acts as its carrier, providing firewall security for it.

fragmentation

Disable IKEv2 packet fragmentation, or configure the maximum size of an IKEv2 message before it is split into fragments that are individually encrypted and authenticated.

disable

Disables IKEv2 fragmentation. IKEv2 fragmentation is enabled by default.

size bytes

Maximum size, in bytes, of an IKEv2 message before it is split into fragments. The size applies to both IPv4 and IPv6 messages.

  • Range: 500 to 1300 bytes

  • Default: 576 bytes for IPv4 messages and 1280 bytes for IPv6 messages

general-ikeid

Accept the IKE ID presented by the peer in general, without requiring it to match a specific configured identity. This option is configured under the dynamic hierarchy.

ike-policy

Specify the IKE policy to be used for the gateway.

local-address

Local IP address for IKE negotiations. Specify the local gateway address. Multiple addresses in the same address family can be configured on the external physical interface facing a VPN peer; in that case, we recommend that local-address be configured. If only one IPv4 address and one IPv6 address are configured on the external physical interface, local-address configuration is not necessary.

The local-address value must be an IP address that is configured on an interface on the SRX Series device. We recommend that local-address belong to the external interface of the IKE gateway. If local-address does not belong to the external interface of the IKE gateway, the interface must be in the same zone as the external interface of the IKE gateway and an intra-zone security policy must be configured to permit traffic. The local-address value and the remote IKE gateway address must be in the same address family, either IPv4 or IPv6.

local-identity

Specify the local IKE identity to send in the exchange with the destination peer to establish communication.

nat-keepalive

Specify the interval, in seconds, at which NAT keepalive packets are sent so that the NAT translation remains active. The default value changed from 5 seconds to 20 seconds in Junos OS Release 12.1X46-D10.

  • Default: 20

  • Range: 1 through 300

no-nat-traversal

Disable IPsec NAT traversal. This disables UDP encapsulation of IPsec Encapsulating Security Payload (ESP) packets, otherwise known as Network Address Translation Traversal (NAT-T). NAT-T is enabled by default.

tcp-encap-profile

Specify the TCP encapsulation profile to be used for TCP connections for remote access clients.

version

Specify the IKE version to use to initiate the connection.

  • Values:

    • v1-only—The connection must be initiated using IKE version 1. This is the default.

    • v2-only—The connection must be initiated using IKE version 2.
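The options above combined in one gateway configuration, as an added example that is not from this page or from Juniper's own documentation set. The gateway names (gw-branch, gw-spoke), the IKE policy names (ike-pol-branch, ike-pol-spoke), the interface ge-0/0/0.0, the hostnames and the addresses (taken from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are assumptions constructed for the example; the two IKE policies are assumed to exist under [edit security ike policy]. The block is written in the curly-brace display format that show configuration prints, with /* */ annotations as comments.

```junos
security {
    ike {
        /* Site-to-site gateway to a peer with a fixed address. Every name and
           address in this block is constructed for the example. */
        gateway gw-branch {
            ike-policy ike-pol-branch;
            /* Primary peer plus one backup peer, both IPv4 (up to four backups
               are allowed). */
            address [ 203.0.113.10 203.0.113.11 ];
            /* Outgoing interface for the IKE SA; the zone it belongs to carries
               the firewall policy for the gateway. */
            external-interface ge-0/0/0.0;
            /* Set explicitly because ge-0/0/0.0 is assumed to carry more than one
               IPv4 address. It belongs to the external interface and is in the
               same address family (IPv4) as the peer address, as required. */
            local-address 198.51.100.5;
            local-identity {
                hostname hq.example.net;
            }
            /* Negotiate only IKEv2 with this peer; the default is v1-only. */
            version v2-only;
            dead-peer-detection {
                interval 10;
                threshold 3;
            }
            /* Explicit IKEv2 fragment size (range 500 to 1300 bytes; the IPv4
               default is 576). Fragmentation itself stays enabled. */
            fragmentation {
                size 1280;
            }
            /* NAT keepalive every 20 seconds (the default). */
            nat-keepalive 20;
        }
        /* Gateway for a peer whose address is not known in advance: there is no
           address statement, and the peer is identified by the IKE ID it
           presents, here a hostname. */
        gateway gw-spoke {
            ike-policy ike-pol-spoke;
            dynamic {
                hostname spoke1.example.net;
            }
            external-interface ge-0/0/0.0;
            local-address 198.51.100.5;
            version v2-only;
        }
    }
}
```

Two checks worth making before commit: the local-address value must be an address configured on an SRX interface, and if it is not on the external interface the interface holding it must be in the same zone as the external interface with an intra-zone security policy permitting the traffic; and the local-address and the remote gateway address must be in the same address family, so an IPv6 peer needs an IPv6 local-address. The dynamic gateway carries no address statement because the peer address is unspecified; if the peer's IKE ID is not to be pinned to one value, general-ikeid is the option under the dynamic hierarchy for that, and its effect is that any presented peer IKE ID is accepted, which shifts authentication entirely onto the IKE policy's credentials.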

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5. Support for IPv6 addresses added in Junos OS Release 11.1. The inet6 option added in Junos OS Release 11.1. Support for the advpn option added in Junos OS Release 12.3X48-D10.

The fragmentation option was introduced in Junos OS Release 15.1X49-D80.

The general-ikeid option under the [edit security ike gateway gateway-name dynamic] hierarchy was introduced in Junos OS Release 21.1R1.