ipsec (High Availability)


Hierarchy Level


Define IPsec configuration for the multinode high availability feature. A VPN connection can link two LANs (site-to-site VPN) or a remote dial-up user and a LAN. The traffic that flows between these two points passes through shared resources such as routers, switches, and other network equipment that make up the public WAN. An IPsec tunnel is created between two participant devices to secure VPN communication.



Configure an IPsec VPN. A VPN provides a means by which remote computers communicate securely across a public WAN such as the Internet.

You must specify the same VPN name for vpn-profile in the set chassis high-availability peer-id peer-id vpn-profile profile-name configuration.


Configure an interchassis link tunnel for secure HA traffic flow between the nodes. Only site-to-site IPsec VPN tunnels are supported for interchassis link tunnels. Both PSK and PKI authentication methods are supported.


Name of the remote IKE gateway.


Specify the IPsec policy name.


Name of the IPsec proposal. An IPsec proposal lists protocols and algorithms (security services) to be negotiated with the remote IPsec peer.


Text description of IPsec proposal.


Define the encryption algorithm. The device deletes existing IPsec SAs when you update the encryption-algorithm configuration in the IPsec proposal.

A commit error is thrown if any value other than aes-256-gcm is configured.

  • Values:

    • aes-256-gcm—AES GCM 256-bit encryption algorithm.

      For an IKE proposal, AES 256-bit authenticated encryption algorithm is supported with IKEv2 only. When this option is used, aes-256-gcm should be configured at the [edit security ipsec proposal proposal-name] hierarchy level, and the authentication-algorithm option should not be configured at the [edit security ike proposal proposal-name] hierarchy level.


Lifetime in seconds.

  • Range: 180 through 86400

  • Default: 3600 seconds


Define the IPsec protocol for a manual or dynamic security association (SA).

A commit error is thrown if any value other than esp is configured.

  • Values:

    • esp—Encapsulating Security Payload header


Define an IPsec policy. An IPsec policy defines a combination of security parameters (IPsec proposals) used during IPsec negotiation. It defines Perfect Forward Secrecy (PFS) and the proposals needed for the connection.


Enter descriptive text for an IPsec policy.


Specify one or more proposals for an IPsec policy.
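
The constraints stated above (aes-256-gcm only, esp only, lifetime from 180 through 86400 seconds, and a vpn-profile that matches the IPsec VPN name) can be checked on a candidate configuration before commit. The following Python check is an added example, not part of the Juniper documentation. The set-format statement spellings that this page does not show (lifetime-seconds, ike ipsec-policy, proposals) are assumed from standard Junos syntax, all object names are constructed, and the check assumes the value restrictions apply only to proposals reachable from the HA vpn-profile.

```python
# Constraints taken from the statement reference above.
ALLOWED = {"encryption-algorithm": "aes-256-gcm", "protocol": "esp"}
LIFETIME_MIN, LIFETIME_MAX = 180, 86400

# Constructed sample (all names are made up); it contains two violations.
SAMPLE = """\
set chassis high-availability peer-id 2 vpn-profile ICL_VPN
set security ipsec proposal ICL_PROP protocol esp
set security ipsec proposal ICL_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal ICL_PROP lifetime-seconds 120
set security ipsec proposal BRANCH_PROP encryption-algorithm aes-128-cbc
set security ipsec policy ICL_POL proposals ICL_PROP
set security ipsec vpn ICL_VPN ike gateway ICL_GW
set security ipsec vpn ICL_VPN ike ipsec-policy ICL_POL
"""

def lint_ha_ipsec(config):
    """Return findings for the IPsec chain behind each HA vpn-profile."""
    profiles, vpns, vpn_policy, policy_props, prop_attrs = [], set(), {}, {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["set", "chassis", "high-availability"] and "vpn-profile" in t[:-1]:
            profiles.append(t[t.index("vpn-profile") + 1])
        elif t[:3] == ["set", "security", "ipsec"] and len(t) >= 6:
            kind, name = t[3], t[4]
            if kind == "vpn":
                vpns.add(name)
                if t[5:7] == ["ike", "ipsec-policy"] and len(t) >= 8:
                    vpn_policy[name] = t[7]
            elif kind == "policy" and t[5] == "proposals":
                policy_props.setdefault(name, []).extend(t[6:])
            elif kind == "proposal" and len(t) >= 7:
                prop_attrs.setdefault(name, {})[t[5]] = t[6]
    findings = []
    for profile in profiles:
        if profile not in vpns:  # vpn-profile must name an existing IPsec VPN
            findings.append(f"vpn-profile {profile}: no IPsec VPN with that name")
            continue
        # Assumption: only proposals reachable from the HA VPN are restricted.
        for prop in policy_props.get(vpn_policy.get(profile), []):
            attrs = prop_attrs.get(prop, {})
            for key, want in ALLOWED.items():
                if key in attrs and attrs[key] != want:
                    findings.append(f"proposal {prop}: {key} {attrs[key]}, only {want} commits")
            life = attrs.get("lifetime-seconds")
            if life is not None and not (life.isdigit() and LIFETIME_MIN <= int(life) <= LIFETIME_MAX):
                findings.append(f"proposal {prop}: lifetime-seconds {life} outside {LIFETIME_MIN}-{LIFETIME_MAX}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_ha_ipsec(SAMPLE)))
```
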

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 20.4R1.