ike (Security)
Syntax
ike {
    gateway gateway-name {
        (address address | dynamic (distinguished-name <container container> <wildcard wildcard> | hostname hostname | inet inet | inet6 inet6 | user-at-hostname user-at-hostname) <connections-limit connections-limit> <ike-user-type (group-ike-id | shared-ike-id)> <reject-duplicate-connection>);
        aaa {
            access-profile;
            client password password username username;
        }
        advpn {
            partner {
                connection-limit connection-limit;
                disable;
                idle-threshold idle-threshold;
                idle-time seconds;
            }
            suggester {
                disable;
            }
        }
        dead-peer-detection (always-send | optimized | probe-idle-tunnel);
        external-interface external-interface;
        fragmentation {
            disable;
            size size;
        }
        general-ikeid;
        ike-policy policy-name;
        local-address local-address;
        local-identity (distinguished-name | hostname identity-hostname | inet identity-ipv4 | inet6 identity-ipv6 | key-id string-key-id | user-at-hostname identity-user);
        remote-identity (distinguished-name <container container> <wildcard wildcard> | hostname identity-hostname | inet identity-ipv4 | inet6 identity-ipv6 | key-id string-key-id | user-at-hostname identity-user);
        tcp-encap-profile profile-name;
        version (v1-only | v2-only);
    }
    policy policy-name {
        certificate {
            local-certificate local-certificate;
            peer-certificate-type (pkcs7 | x509-signature);
            policy-oids policy-oids;
            trusted-ca (ca-profile ca-profile | trusted-ca-group trusted-ca-group);
        }
        description description;
        mode (aggressive | main);
        pre-shared-key (ascii-text ascii-text | hexadecimal hexadecimal);
        seeded-pre-shared-key (ascii-text key | hexadecimal key);
        proposal-set (basic | compatible | prime-128 | prime-256 | standard | suiteb-gcm-128 | suiteb-gcm-256);
        proposals [ proposals ... ];
        reauth-frequency reauth-frequency;
    }
    proposal proposal-name {
        authentication-algorithm (md5 | sha-256 | sha-384 | sha-512 | sha1);
        authentication-method (certificates | dsa-signatures | ecdsa-signatures-256 | ecdsa-signatures-384 | ecdsa-signatures-521 | pre-shared-keys | rsa-signatures);
        description description;
        dh-group (group1 | group14 | group15 | group16 | group19 | group2 | group20 | group21 | group24 | group5);
        encryption-algorithm (3des-cbc | aes-128-cbc | aes-128-gcm | aes-192-cbc | aes-256-cbc | aes-256-gcm | des-cbc);
        lifetime-seconds seconds;
    }
    respond-bad-spi <max-responses>;
    session {
        full-open {
            incoming-exchange-max-rates {
                ike-rekey value;
                ipsec-rekey value;
                keepalive value;
            }
        }
        half-open {
            timeout seconds;
            backoff-timeouts {
                init-phase-failure value;
                auth-phase-failure value;
            }
            discard-duplicate;
            max-count value;
            thresholds {
                send-cookie count;
                reduce-timeout count timeout seconds;
            }
        }
    }
    blocklists {
        blocklist-name {
            description text-description;
            rule rule-name {
                match {
                    role (initiator | responder);
                    id-type (inet | inet6 | hostname | distinguished-name | user-at-hostname | key-id);
                    id-pattern value;
                }
                then {
                    (discard | reject);
                    backoff timeout-value;
                }
            }
        }
    }
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            size maximum-file-size;
            (world-readable | no-world-readable);
        }
        level (critical | error | terse | warning | detail);
        flag (all | certificates | config | database | general | high-availability | ike | next-hop-tunnels | parse | policy-manager | routing-socket | thread | timer);
        no-remote-trace;
        rate-limit messages-per-second;
    }
}
Hierarchy Level
[edit security]
Description
Define Internet Key Exchange (IKE) configuration. IKE is the key management protocol that authenticates the two peers and negotiates the security associations (SAs) used by IPsec, creating them dynamically instead of relying on manually keyed SAs. An IKE configuration defines the proposals (authentication and encryption algorithms, Diffie-Hellman group, lifetime), the policy (authentication credentials and, for IKEv1, the exchange mode) and the gateway (peer address or identity, local interface and protocol version) used to establish a secure connection with a peer security gateway.
Note: Enabling tracing can adversely impact scale and performance and may increase security risk. We strongly recommend using the trace, tracing, or traceoptions commands only under the guidance of a JTAC support engineer. After collecting the debug information, immediately disable tracing to minimize risk and restore normal system performance.
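As an added example (not part of the Junos documentation and not Juniper code), the following Python script lints a `set security ike ...` configuration, in the form produced by `show configuration security ike | display set`, for the weak choices the syntax above still allows. The two embedded configurations are constructed for the example: a legacy IKEv1 gateway using aggressive mode, a pre-shared key, sha1, 3des-cbc and group2, next to a hardened IKEv2 gateway using the Suite B GCM-256 style settings listed on this page. Only the md5/sha1 rule comes from the page itself (Release Information marks them NOT RECOMMENDED); the des-cbc/3des-cbc, group1/group2/group5, aggressive-mode and v1-only rules encode common hardening policy and are the editor's assumption, as are the interface, address, certificate and CA profile names.

```python
"""Lint Junos 'set security ike ...' statements for weak IKE settings.

Added example for this reference page, not Juniper code. Input is the
'set' form of the configuration ('show configuration security ike | display set').
"""
import re
from collections import defaultdict

SET_RE = re.compile(r"^set security ike (proposal|policy|gateway) (\S+) (.+)$")

# Hardening rules. md5/sha1 are marked NOT RECOMMENDED by the page itself
# (Junos OS 20.2R1); the remaining sets are common policy, assumed here.
WEAK_AUTH_ALGS = {"md5", "sha1"}
WEAK_ENC_ALGS = {"des-cbc", "3des-cbc"}
WEAK_DH_GROUPS = {"group1", "group2", "group5"}

# Constructed sample configurations (names and addresses are placeholders).
LEGACY_CONFIG = """
set security ike proposal legacy-prop authentication-method pre-shared-keys
set security ike proposal legacy-prop dh-group group2
set security ike proposal legacy-prop authentication-algorithm sha1
set security ike proposal legacy-prop encryption-algorithm 3des-cbc
set security ike policy legacy-pol mode aggressive
set security ike policy legacy-pol proposals legacy-prop
set security ike policy legacy-pol pre-shared-key ascii-text "example-psk"
set security ike gateway legacy-gw ike-policy legacy-pol
set security ike gateway legacy-gw address 198.51.100.10
set security ike gateway legacy-gw external-interface ge-0/0/0.0
set security ike gateway legacy-gw version v1-only
"""
HARDENED_CONFIG = """
set security ike proposal strong-prop authentication-method ecdsa-signatures-384
set security ike proposal strong-prop dh-group group20
set security ike proposal strong-prop authentication-algorithm sha-384
set security ike proposal strong-prop encryption-algorithm aes-256-gcm
set security ike policy strong-pol mode main
set security ike policy strong-pol proposals strong-prop
set security ike policy strong-pol certificate local-certificate vpn-cert
set security ike policy strong-pol certificate trusted-ca ca-profile corp-ca
set security ike gateway strong-gw ike-policy strong-pol
set security ike gateway strong-gw address 203.0.113.5
set security ike gateway strong-gw external-interface ge-0/0/0.0
set security ike gateway strong-gw version v2-only
set security ike gateway strong-gw dead-peer-detection optimized
"""


def parse_set_config(text):
    """Return {kind: {name: {key: [values]}}} for proposal/policy/gateway objects.

    The key is every token but the last, so repeated statements such as
    'proposals a' and 'proposals b' accumulate instead of overwriting.
    """
    objs = {k: defaultdict(lambda: defaultdict(list))
            for k in ("proposal", "policy", "gateway")}
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue  # blank line or a statement outside [edit security ike]
        kind, name, rest = m.groups()
        tokens = rest.split()
        if len(tokens) == 1:  # flag statement such as 'general-ikeid'
            key, value = tokens[0], "true"
        else:
            key, value = " ".join(tokens[:-1]), tokens[-1]
        objs[kind][name][key].append(value)
    return objs


def lint(text):
    """Return a list of findings (empty when no weak setting is present)."""
    objs = parse_set_config(text)
    out = []
    for name, prop in objs["proposal"].items():
        for alg in prop.get("authentication-algorithm", []):
            if alg in WEAK_AUTH_ALGS:
                out.append(f"proposal {name}: authentication-algorithm {alg} is NOT RECOMMENDED")
        for alg in prop.get("encryption-algorithm", []):
            if alg in WEAK_ENC_ALGS:
                out.append(f"proposal {name}: encryption-algorithm {alg} is weak; use an aes-* algorithm")
        for grp in prop.get("dh-group", []):
            if grp in WEAK_DH_GROUPS:
                out.append(f"proposal {name}: dh-group {grp} is too small; use group14 or group19/20 and above")
    # 'mode' only matters for IKEv1, so only flag policies that an IKEv1-capable
    # gateway (anything not pinned to v2-only) references. Assumption: a gateway
    # without a 'version' statement may negotiate IKEv1.
    v1_policies = {p for gw in objs["gateway"].values()
                   if "v2-only" not in gw.get("version", [])
                   for p in gw.get("ike-policy", [])}
    for name in sorted(v1_policies):
        pol = objs["policy"].get(name, {})
        if "aggressive" in pol.get("mode", []):
            out.append(f"policy {name}: aggressive mode sends the peer identity in the clear; use main mode or IKEv2")
            for pname in pol.get("proposals", []):
                methods = objs["proposal"].get(pname, {}).get("authentication-method", [])
                if "pre-shared-keys" in methods:
                    out.append(f"policy {name}: aggressive mode with pre-shared-keys (proposal {pname}) exposes a hash of the PSK to offline guessing")
    for name, gw in objs["gateway"].items():
        if "v1-only" in gw.get("version", []):
            out.append(f"gateway {name}: version v1-only; prefer v2-only")
    return out


if __name__ == "__main__":
    for finding in lint(LEGACY_CONFIG) + lint(HARDENED_CONFIG):
        print(finding)
```

Run it as a script to print the findings, or feed your own `display set` output to `lint()`. The legacy gateway yields six findings and the hardened one none; the aggressive-mode checks are keyed off the gateway's `version` because an IKEv2-only gateway ignores the policy's `mode` statement.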
Options
respond-bad-spi max-responses—(Optional) Enable responses to invalid IPsec Security Parameter Index (SPI) values and set the number of times to respond per gateway. If the security associations (SAs) between two peers of an IPsec VPN become unsynchronized (for example, one peer keeps sending on an SA the other side no longer holds), the device resets the state of the peer so that the two peers renegotiate and resynchronize. The cap matters because the trigger is an ESP packet that cannot be authenticated (its SPI matches no SA): without a limit, spoofed packets carrying bogus SPIs could force repeated renegotiations.
Range: 1 through 30
Default: 5
traceoptions—Configure IKE tracing options to aid in troubleshooting IKE issues. Tracing records the negotiation of one or more tunnels through the standard trace file configuration and lets the user view the detailed packet exchange and negotiation information in Phase 1 and Phase 2. IKE tracing is not enabled by default. By default, all IKE and IPsec negotiations are logged to /var/log/kmd, but the user can specify a customized file name when configuring the IKE traceoptions. Because the trace captures negotiation detail, keep the file no-world-readable and disable tracing once the data has been collected.
The remaining statements are explained separately. See CLI Explorer.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement modified in Junos OS Release 8.5.
Support for IPv6 addresses added in Junos OS Release 11.1.
Support for inet6 option added in Junos OS Release 11.1.
Support for group15, group16, group21, ecdsa-signatures-521, and sha-512 options added in Junos OS Release 19.1R1 on the SRX5000 line with the junos-ike package installed.
Starting in Junos OS Release 20.2R1, the help text for the CLI options md5 and sha1 is marked NOT RECOMMENDED on devices running IKED with the junos-ike package installed.
Support for group15, group16, and group21 options added in Junos OS Release 20.3R1 on vSRX Virtual Firewall instances with the junos-ike package installed.
Support for group15, group16, and group21 options added in Junos OS Release 21.1R1 on vSRX Virtual Firewall 3.0 instances with the junos-ike package installed.
level option introduced in Junos OS Release 21.1R1.
Support for seeded-pre-shared-key option added in Junos OS Release 21.1R1.
Support for session and blocklists options added in Junos OS Release 23.4R1.