Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

manual (Security IPsec)

Syntax

Hierarchy Level

Description

Define a manual IPsec security association (SA).

Options

authentication algorithm

Hash algorithm that authenticates packet data. It can be one of the following

  • hmac-md5-96—Produces a 128-bit digest.

  • hmac-sha-256-128—Provides data origin authentication and integrity protection. This version of the hmac-sha-256 authenticator produces a 256-bit digest and specifies truncation to 128 bits.

  • hmac-sha1-96—Hash algorithm that authenticates packet data. It produces a 160-bit digest. Only 96 bits are used for authentication.

  • authentication key—Type of authentication key. It can be one of the following:

    • ascii-text key—ASCII text key. For hmac-md5-96, the key is 16 ASCII characters; for hmac-sha1-96, the key is 20 ASCII characters.

    • hexadecimal key—Hexadecimal key. For hmac-md5-96, the key is 32 hexadecimal characters; for hmac-sha1-96, the key is 40 hexadecimal characters.

encryption algorithm

Select the encryption algorithm for the internal Routing-Engine-to-Routing-Engine IPsec security association (SA) configuration. It can be one of the following:

  • des-cbc—Encryption algorithm with block size of 8 bytes (64 bits) and key size 48 bits.

  • 3des-cbc—Encryption algorithm with block size of 8 bytes (64 bits) and key size of 192 bits.

    For 3des-cbc, we recommend that the first 8 bytes be different from the second 8 bytes, and the second 8 bytes be the same as the third 8 bytes.

  • aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption algorithm.

  • aes-128-gcm—Advanced Encryption Standard (AES) 128-bit encryption algorithm.

  • aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption algorithm.

  • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption algorithm.

  • aes-256-gcm—Advanced Encryption Standard (AES) 256-bit encryption algorithm.

  • encryption key—Type of encryption key. It can be one of the following:

    • ascii-text key—ASCII text key. For the des-cbc option, the key contains 8 ASCII characters; for 3des-cbc, the key contains 24 ASCII characters.

    • hexadecimal key—Hexadecimal key. For the des-cbc option, the key contains 16 hexadecimal characters; for the 3des-cbc option, the key contains 48 hexadecimal characters.

external-interface

Specify the outgoing interface for the manual security association

gateway

For a manual security association, specify the IPv4 or IPv6 address of the peer

protocol

Define an IPsec protocol for the manual security association

  • Values:

    • ah—Authentication Header protocol

    • esp—ESP protocol (To use the ESP protocol, you must also use the tunnel statement at the [edit security ipsec security-association sa-name mode] hierarchy level)

spi

Configure a security parameter index (SPI) for a security association (SA). An arbitrary value that uniquely identifies which security association (SA) to use at the receiving host (the destination address in the packet).

  • Range: 256 through 16,639

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement modified in Junos OS Release 8.5. Support for IPv6 addresses added in Junos OS Release 11.1.

Support for hmac-sha-256-128 added to SRX5400, SRX5600, and SRX5800 devices in Junos OS Release 12.1X46-D20. Support for authentication algorithms (SHA1: hmac-sha1-96 and SHA2: hmac-sha-256-128) in PowerMode IPsec (PMI) mode is introduced for SRX4100, SRX4200, and vSRX in Junos OS Release 19.3R1. Support for vSRX 3.0 is introduced in Junos OS Release 20.1R1.

Support for cipher algorithms aes-128-cbc, aes-192-cbc, and aes-256-cbc in PowerMode IPsec (PMI) mode is introduced for SRX4100, SRX4200, and vSRX in Junos OS Release 19.3R1. Support for vSRX 3.0 is introduced in Junos OS Release 20.1R1.