Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


ike (Security)


Hierarchy Level


Define Internet Key Exchange (IKE) configuration. IKE is a key management protocol that creates dynamic SAs; it negotiates SAs for IPsec. An IKE configuration defines the algorithms and keys used to establish a secure connection with a peer security gateway.


respond-bad-spi max-responses—(Optional) Number of times to respond to invalid SPI values per gateway. Enable response to invalid IPsec Security Parameter Index (SPI) values. If the security associations (SAs) between two peers of an IPsec VPN become unsynchronized, the device resets the state of a peer so that the two peers are synchronized.

  • Range: 1 through 30

  • Default: 5

traceoptions—Configure IKE tracing options to aid in troubleshooting the IKE issues. This helps troubleshoot one or multiple tunnels negotiation by standard tracefile configuration. IKE tracing allows the user to view the detailed packet exchange and the negotiation information in Phase 1 and Phase 2. IKE tracing is not enabled by default. By default , all IKE or IPsec negotiations are logged into /var/log/kmd. But user can also specify customized file name while configuring the IKE traceoptions.

The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement modified in Junos OS Release 8.5.

Support for IPv6 addresses added in Junos OS Release 11.1.

inet6 option added in Junos OS Release 11.1.

group15, group16, group21, ecdsa-signatures-521, and sha-512 options introduced in Junos OS Release 19.1R1 on SRX Series devices.

level options introduced in Junos OS Release 21.1R1.