ipsec (Security)
Syntax
ipsec {
    anti-replay-window-size anti-replay-window-size;
    hw-offload-disable;
    internal;
    policy;
    proposal;
    security-association sa-name;
    traceoptions;
    vpn vpn-name {
        bind-interface bind-interface;
    }
    vpn-monitor-options {
        interval seconds;
        threshold number;
    }
}
Hierarchy Level
[edit security]
Description
Define IPsec configuration. A VPN connection can link two LANs (site-to-site VPN) or a remote dial-up user and a LAN. The traffic that flows between these two points passes through shared resources such as routers, switches, and other network equipment that make up the public WAN. An IPsec tunnel is created between two participant devices to secure VPN communication.
Note: Enabling tracing can adversely impact scale and performance and may increase security risk. We strongly recommend using the trace, tracing, or traceoptions commands only under the guidance of a JTAC support engineer. After collecting the debug information, immediately disable tracing to minimize risk and restore normal system performance.
Options
| Option | Description |
|---|---|
| anti-replay-window-size | Anti-replay window size. |
| hw-offload-disable | Disable hardware offloading of IPsec tunnel processing in the Packet Forwarding Engine ASIC for all VPN tunnels. |
| internal | Configure internal IPsec. When the internal IPsec is configured, IPsec-based |
| policy | Define an IPsec policy. An IPsec policy defines a combination of security parameters (IPsec proposals) used during IPsec negotiation. It defines Perfect Forward Secrecy (PFS) and the proposals needed for the connection. |
| proposal | Name of the IPsec proposal. An IPsec proposal lists protocols and algorithms (security services) to be negotiated with the remote IPsec peer. |
| security-association | Configure a manual IPsec security association (SA) to be applied to an OSPF or OSPFv3 interface or virtual link. IPsec can provide authentication and confidentiality to OSPF or OSPFv3 routing packets. |
| traceoptions | Configure IPsec tracing options. Trace operations track IPsec events and record them in a log file in the /var/log directory. |
| vpn vpn-name | Configure an IPsec VPN. A VPN provides a means by which remote computers communicate securely across a public WAN such as the Internet. |
| vpn-monitor-options | Configure VPN monitoring options. |
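As an added example, not taken from the Junos documentation, the following configuration in the brace format of the Syntax section ties the proposal, policy, vpn, and vpn-monitor-options statements together for one route-based site-to-site tunnel. The names IPSEC-PROP, IPSEC-POL, SITE-A-TO-B, and GW-SITE-B, the interface st0.0, and all numeric values are assumptions, and the IKE gateway it references is assumed to be defined separately under [edit security ike].

```junos
security {
    ipsec {
        /* Anti-replay window size applied to IPsec SAs (value is an assumption). */
        anti-replay-window-size 64;
        /* Proposal: AEAD cipher, so no separate authentication-algorithm is configured. */
        proposal IPSEC-PROP {
            protocol esp;
            encryption-algorithm aes-256-gcm;
            lifetime-seconds 3600;
        }
        /* Policy: PFS group plus the proposal set offered to the remote peer. */
        policy IPSEC-POL {
            perfect-forward-secrecy {
                keys group14;
            }
            proposals IPSEC-PROP;
        }
        /* Route-based VPN bound to a secure tunnel interface. */
        vpn SITE-A-TO-B {
            bind-interface st0.0;
            ike {
                /* GW-SITE-B is assumed to exist under [edit security ike gateway]. */
                gateway GW-SITE-B;
                ipsec-policy IPSEC-POL;
            }
            /* Liveness probes use the interval and threshold configured below. */
            vpn-monitor;
            establish-tunnels immediately;
        }
        /* Probe every 10 seconds; declare the tunnel down after 5 consecutive failures. */
        vpn-monitor-options {
            interval 10;
            threshold 5;
        }
    }
}
```

traceoptions is left unset on purpose: per the note in the Description, enable tracing only while troubleshooting and remove it afterwards.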
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
hw-offload-disable option added in Junos OS Release 25.2R1.
group15, group16, group21, hmac-sha-512, and hmac-sha-384 options introduced in Junos OS Release 19.1R1 on SRX Series Firewalls.
Statement modified in Junos OS Release 8.5.