VPNs in Logical Systems

28-Nov-23

A VPN is an encrypted connection over the Internet from a device to a network. The encrypted connection helps ensure that sensitive data is transmitted safely. A VPN prevents unauthorized parties from eavesdropping on the traffic and allows users to work remotely. For more information, see the following topics:

Understanding Route-Based VPN Tunnels in Logical Systems

A VPN connection can secure traffic that passes between a logical system and a remote site across a WAN. With route-based VPNs, you configure one or more security policies in a logical system to regulate the traffic flowing through a single IP Security (IPsec) tunnel. For each IPsec tunnel, there is one set of IKE and IPsec security associations (SAs) that must be configured at the root level by the primary administrator.

Note:

The external interface configured under the gateway configuration can only be a part of the root logical system.

Note:

Only route-based VPNs are supported in logical systems. Policy-based VPNs are not supported.

In addition to configuring IKE and IPsec SAs for each VPN, the primary administrator must also assign a secure tunnel (st0) interface to a user logical system. An st0 interface can only be assigned to a single user logical system. However, multiple user logical systems can each be assigned their own st0 interface.

Note:

The st0 unit 0 interface should not be assigned to a logical system, as an SA cannot be set up for this interface.

The user logical system administrator can configure the IP address and other attributes of the st0 interface assigned to the user logical system. The user logical system administrator cannot delete an st0 interface assigned to their user logical system.

For route-based VPNs, a security policy refers to a destination address and not a specific VPN tunnel. For cleartext traffic in a user logical system to be sent to the VPN tunnel for encapsulation, the user logical system administrator must make the following configurations:

  • Security policy that permits traffic to a specified destination.

  • Static route to the destination with the st0 interface as the next hop.

When Junos OS looks up routes in the user logical system to find the interface to use to send traffic to the destination address, it finds a static route through the st0 interface. Traffic is routed to the VPN tunnel as long as the security policy action is permit.
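The two-stage decision just described (route lookup selects st0, then the zone-pair policy must permit), modelled in Python as an added example; this is not Junos code or anything from this page. The static route and the through-vpn policy follow the user logical system example later on this page; the zone membership of each interface, the LAN interface ge-0/0/4.0, and the default route via ge-0/0/5.0 are assumptions.

```python
import ipaddress

# Constructed data modelled on this page's example: the ls-product-design user
# logical system has a static route to 192.168.168.0/24 via st0.1 and a policy
# "through-vpn" permitting trust -> untrust traffic to that prefix. Zone
# membership and the default route are assumptions; the page does not show them.
STATIC_ROUTES = [
    ("192.168.168.0/24", "st0.1"),       # from the page (Table 2)
    ("0.0.0.0/0", "ge-0/0/5.0"),         # constructed default route
]
INTERFACE_ZONES = {
    "ge-0/0/4.0": "ls-product-design-trust",    # constructed LAN interface
    "st0.1": "ls-product-design-untrust",       # assumption
    "ge-0/0/5.0": "ls-product-design-untrust",  # assumption
}
POLICIES = [  # evaluated in order, first match wins
    {"from": "ls-product-design-trust", "to": "ls-product-design-untrust",
     "name": "through-vpn", "src": "any", "dst": "192.168.168.0/24",
     "action": "permit"},
]


def lookup_route(dst_ip):
    """Longest-prefix match over STATIC_ROUTES; returns the next-hop interface."""
    best = None
    for prefix, next_hop in STATIC_ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst_ip) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, next_hop)
    return best[1] if best else None


def address_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def first_matching_policy(from_zone, to_zone, src_ip, dst_ip):
    for policy in POLICIES:
        if (policy["from"], policy["to"]) != (from_zone, to_zone):
            continue
        if address_matches(policy["src"], src_ip) and address_matches(policy["dst"], dst_ip):
            return policy
    return None  # no policy matched: the zone pair's default action is deny


def forwarding_decision(ingress_if, src_ip, dst_ip):
    """Return (egress_interface, action). The route lookup selects the egress
    interface (st0.1 for the remote prefix); the policy for the resulting
    zone pair then decides whether the packet is permitted into the tunnel."""
    egress_if = lookup_route(dst_ip)
    if egress_if is None:
        return (None, "no-route")
    policy = first_matching_policy(INTERFACE_ZONES[ingress_if],
                                   INTERFACE_ZONES[egress_if], src_ip, dst_ip)
    return (egress_if, policy["action"] if policy else "deny")


if __name__ == "__main__":
    # Host in the 12.1.1.0/24 subnet reaching the remote network through the tunnel.
    print(forwarding_decision("ge-0/0/4.0", "12.1.1.10", "192.168.168.10"))
```

Traffic to a destination outside 192.168.168.0/24 still gets a route (the constructed default) but no policy match, so it is dropped rather than sent cleartext; a host on the untrust side is likewise denied even though the route points at st0.1.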

Note:

Traffic selectors are not supported in logical systems.

The primary logical system and a user logical system can share a route-based VPN tunnel. An st0 interface assigned to a user logical system can also be used by the primary logical system. For the primary logical system, the primary administrator configures a security policy that permits traffic to the remote destination and a static route to the remote destination with the st0 interface as the next hop.

VPN monitoring is configured by the primary administrator in the primary logical system. For the VPN monitor source interface, the primary administrator must specify the st0 interface; a physical interface for a user logical system cannot be specified.
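A pre-commit check for the constraints stated in this section (no st0 unit 0 in a logical system, one st0 unit per user logical system, gateway external interface in the root system, an st0 interface as the VPN monitor source, SAs at the root level), written as an added example in Python over Junos "set" statements; it is not a Juniper tool and is not code from this page. The valid lines follow the example later on this page; ls-marketing, mkt-gw, mkt-vpn and ge-0/0/7 are constructed names used only to trigger findings.

```python
import re

# Constructed Junos "set" configuration. The first four lines follow this page's
# example; the rest are constructed violations of the constraints the text states.
# ls-marketing, mkt-gw, mkt-vpn and ge-0/0/7 are made-up names.
SAMPLE_CONFIG = """
set logical-systems ls-product-design interfaces st0 unit 1
set security ike gateway ike-gw external-interface ge-0/0/3.0
set security ipsec vpn ike-vpn bind-interface st0.1
set security ipsec vpn ike-vpn vpn-monitor source-interface st0.1
set logical-systems ls-marketing interfaces st0 unit 0
set logical-systems ls-marketing interfaces st0 unit 1
set logical-systems ls-marketing interfaces ge-0/0/7 unit 0
set security ike gateway mkt-gw external-interface ge-0/0/7.0
set security ipsec vpn mkt-vpn vpn-monitor source-interface ge-0/0/7.0
set logical-systems ls-marketing security ike proposal p1 dh-group group14
"""

LS_IFACE = re.compile(r"^set logical-systems (\S+) interfaces (\S+) unit (\d+)")
LS_SA = re.compile(r"^set logical-systems (\S+) security (?:ike|ipsec) ")
EXT_IF = re.compile(r"^set security ike gateway (\S+) external-interface (\S+)")
MON_SRC = re.compile(r"^set security ipsec vpn (\S+) vpn-monitor source-interface (\S+)")


def check_ls_vpn_config(text):
    """Return (rule, message) findings for the constraints described on this page."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    findings = []
    owners = {}  # "ifname.unit" -> set of logical systems the unit is assigned to
    for line in lines:
        m = LS_IFACE.match(line)
        if m:
            ls, ifname, unit = m.groups()
            owners.setdefault(f"{ifname}.{unit}", set()).add(ls)
            if ifname == "st0" and unit == "0":
                findings.append(("st0-unit-0",
                                 f"{ls}: st0 unit 0 assigned; no SA can be set up on it"))
        m = LS_SA.match(line)
        if m:
            findings.append(("sa-not-root",
                             f"{m.group(1)}: IKE/IPsec SAs belong at the root level"))
    for ifunit, systems in owners.items():
        if ifunit.startswith("st0.") and len(systems) > 1:
            findings.append(("st0-shared",
                             f"{ifunit} assigned to several logical systems: {sorted(systems)}"))
    for line in lines:
        m = EXT_IF.match(line)
        if m and m.group(2) in owners:
            findings.append(("external-if-not-root",
                             f"gateway {m.group(1)}: external-interface {m.group(2)} "
                             f"belongs to {sorted(owners[m.group(2)])}, must be in root"))
        m = MON_SRC.match(line)
        if m and not m.group(2).startswith("st0."):
            findings.append(("monitor-source",
                             f"vpn {m.group(1)}: vpn-monitor source-interface must be "
                             f"an st0 interface, not {m.group(2)}"))
    return findings


def violated_rules(text):
    """Sorted, de-duplicated rule names, handy for a quick pass/fail gate."""
    return sorted({rule for rule, _ in check_ls_vpn_config(text)})
```

Feed it the output of `show configuration | display set` from the root logical system; the four lines taken from this page produce no findings, the constructed ones produce one finding per violated rule.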

Example: Configuring IKE and IPsec SAs for a VPN Tunnel (Primary Administrators Only)

The primary administrator is responsible for assigning an st0 interface to a user logical system and configuring IKE and IPsec SAs at the root level for each VPN tunnel. This example shows how to assign an st0 interface to a user logical system and configure IKE and IPsec SA parameters.

Requirements

Before you begin:

Overview

In this example you configure a VPN tunnel for the ls-product-design user logical system. This example configures the VPN tunnel parameters described in Table 1.

Table 1: Logical System VPN Tunnel Configuration (feature: name, followed by its configuration parameters)

Tunnel interface: st0 unit 1
  • Assigned to ls-product-design logical system

IKE proposal: ike-phase1-proposal
  • Preshared keys authentication
  • Diffie-Hellman group 2
  • sha1 authentication algorithm
  • aes-128-cbc encryption algorithm

IKE policy: ike-phase1-policy
  • Main mode
  • References IKE proposal ike-phase1-proposal
  • ASCII preshared key 395psksecr3t

IKE gateway: ike-gw
  • External interface ge-0/0/3.0
  • References IKE policy ike-phase1-policy
  • Address 2.2.2.2

IPsec proposal: ipsec-phase2-proposal
  • ESP protocol
  • hmac-sha1-96 authentication algorithm
  • aes-128-cbc encryption algorithm

IPsec policy: vpn-policy1
  • References ipsec-phase2-proposal
  • perfect-forward-secrecy keys group2

VPN: ike-vpn
  • bind-interface st0.1
  • References ike-gw gateway
  • References vpn-policy1 policy

VPN monitoring (for the ike-vpn VPN)
  • source-interface st0.1
  • destination-ip 4.0.0.1

Topology

Figure 1 shows the topology for the logical systems VPN tunnel.

Figure 1: Logical systems VPN tunnel

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set logical-systems ls-product-design interfaces st0 unit 1
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys 
set security ike proposal ike-phase1-proposal dh-group group2 
set security ike proposal ike-phase1-proposal authentication-algorithm sha1 
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc 
set security ike policy ike-phase1-policy mode main 
set security ike policy ike-phase1-policy proposals ike-phase1-proposal 
set security ike policy ike-phase1-policy pre-shared-key ascii-text "$ABC123" 
set security ike gateway ike-gw ike-policy ike-phase1-policy 
set security ike gateway ike-gw address 2.2.2.2
set security ike gateway ike-gw external-interface ge-0/0/3.0
set security ipsec proposal ipsec-phase2-proposal protocol esp 
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96 
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc 
set security ipsec policy vpn-policy1 perfect-forward-secrecy keys group2 
set security ipsec policy vpn-policy1 proposals ipsec-phase2-proposal 
set security ipsec vpn ike-vpn bind-interface st0.1 
set security ipsec vpn ike-vpn vpn-monitor source-interface st0.1 
set security ipsec vpn ike-vpn vpn-monitor destination-ip 4.0.0.1
set security ipsec vpn ike-vpn ike gateway ike-gw 
set security ipsec vpn ike-vpn ike ipsec-policy vpn-policy1 

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To assign a VPN tunnel interface to a user logical system and configure IKE and IPsec SAs:

  1. Log in to the primary logical system as the primary administrator and enter configuration mode.

    [edit]
    admin@host> configure
    admin@host# 
    
  2. Assign a VPN tunnel interface.

    [edit logical-systems ls-product-design]
    admin@host# set interfaces st0 unit 1
    
  3. Configure an IKE proposal.

    [edit security ike]
    admin@host# set proposal ike-phase1-proposal authentication-method pre-shared-keys
    admin@host# set proposal ike-phase1-proposal dh-group group2
    admin@host# set proposal ike-phase1-proposal authentication-algorithm sha1
    admin@host# set proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
    
  4. Configure an IKE policy.

    [edit security ike]
    admin@host# set policy ike-phase1-policy mode main
    admin@host# set policy ike-phase1-policy proposals ike-phase1-proposal
    admin@host# set policy ike-phase1-policy pre-shared-key ascii-text 395psksecr3t
    
  5. Configure an IKE gateway.

    [edit security ike]
    admin@host# set gateway ike-gw external-interface ge-0/0/3.0
    admin@host# set gateway ike-gw ike-policy ike-phase1-policy
    admin@host# set gateway ike-gw address 2.2.2.2
    
  6. Configure an IPsec proposal.

    [edit security ipsec]
    admin@host# set proposal ipsec-phase2-proposal protocol esp
    admin@host# set proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
    admin@host# set proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
    
  7. Configure an IPsec policy.

    [edit security ipsec]
    admin@host# set policy vpn-policy1 proposals ipsec-phase2-proposal
    admin@host# set policy vpn-policy1 perfect-forward-secrecy keys group2
    
  8. Configure the VPN.

    [edit security ipsec]
    admin@host# set vpn ike-vpn bind-interface st0.1
    admin@host# set vpn ike-vpn ike gateway ike-gw
    admin@host# set vpn ike-vpn ike ipsec-policy vpn-policy1
    
  9. Configure VPN monitoring.

    [edit security ipsec]
    admin@host# set vpn ike-vpn vpn-monitor source-interface st0.1
    admin@host# set vpn ike-vpn vpn-monitor destination-ip 4.0.0.1
    
Results

From configuration mode, confirm your configuration by entering the show interfaces, show security ike, and show security ipsec commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

[edit]
admin@host# show interfaces
    st0 {
        unit 1;
    }
[edit]
admin@host# show security ike
    proposal ike-phase1-proposal {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
    }
    policy ike-phase1-policy {
        mode main;
        proposals ike-phase1-proposal;
        pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
    }
    gateway ike-gw {
        ike-policy ike-phase1-policy;
        address 2.2.2.2;
        external-interface ge-0/0/3.0;
    }
[edit]
admin@host# show security ipsec
    proposal ipsec-phase2-proposal {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
    }
    policy vpn-policy1 {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals ipsec-phase2-proposal;
    }
    vpn ike-vpn {
        bind-interface st0.1;
        vpn-monitor {
            source-interface st0.1;
            destination-ip 4.0.0.1;
        }
        ike {
            gateway ike-gw;
            ipsec-policy vpn-policy1;
        }
    }

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying IKE on the Logical System

Purpose

Verify IKE support on logical systems.

Action

From operational mode, enter the show security ike sa detail command.

user@host> show security ike sa detail
IKE peer 2.2.2.2, Index 7796166, Gateway Name: GW1
  Role: Initiator, State: UP
  Initiator cookie: a1a6b1516bc43d54, Responder cookie: f0846e4239c817f8
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: 3.3.3.2:500, Remote: 2.2.2.2:500
  Lifetime: Expires in 3585 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Disabled, Size: 0
  Remote Access Client Info: Unknown Client
  Peer ike-id: 2.2.2.2
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha256-128 
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-14
  Traffic statistics:
   Input  bytes  :                 1056
   Output bytes  :                 1311
   Input  packets:                    2
   Output packets:                    4
   Input  fragmentated packets:       0
   Output fragmentated packets:       0
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 3.3.3.2:500, Remote: 2.2.2.2:500
    Local identity: r0r2_store1@juniper.net
    Remote identity: 2.2.2.2
    Flags: IKE SA is created

Meaning

The output displays detailed information about the IKE SA.

Verifying IPsec on the Logical System

Purpose

Verify IPsec SA support on logical systems.

Action

From operational mode, enter the show security ipsec sa detail command.

user@host> show security ipsec sa detail
ID: 67109793 Virtual-system: root, VPN Name: VPN1
  Local Gateway: 3.3.3.2, Remote Gateway: 2.2.2.2
  Traffic Selector Name: VPN1_TS1
  Local Identity: ipv4(51.0.1.0-51.0.1.255)
  Remote Identity: ipv4(41.0.1.0-41.0.1.255)
  Version: IKEv1
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29 
  Tunnel events: 
    Wed Aug 16 2017 23:50:07 -0700: IPSec SA negotiation successfully completed (1 times)
    Wed Aug 16 2017 23:50:07 -0700: IKE SA negotiation successfully completed (1 times)
    Wed Aug 16 2017 23:49:46 -0700: Negotiation failed with error code AUTHENTICATION_FAILED received from peer (2 times)
    Wed Aug 16 2017 23:49:30 -0700: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
  Direction: inbound, SPI: e651d79e, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2552 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1988 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 8ac9ce8, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2552 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1988 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

Meaning

The output displays detailed information about the IPsec SA.

Example: Configuring a Route-Based VPN Tunnel in a User Logical System

This example shows how to configure a route-based VPN tunnel in a user logical system.

Requirements

Before you begin:

Overview

In this example, you configure the ls-product-design user logical system as shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

You configure the route-based VPN parameters described in Table 2.

Table 2: User Logical System Route-Based VPN Configuration (feature: name, followed by its configuration parameters)

Tunnel interface: st0 unit 1
  • IPv4 protocol family (inet)
  • IP address 10.11.11.150/24

Static route
  • Destination 192.168.168.0/24
  • Next hop st0.1

Security policy: through-vpn
  Permit the following traffic:
  • From zone: ls-product-design-trust
  • To zone: ls-product-design-untrust
  • Source address: any
  • Destination address: 192.168.168.0/24
  • Application: any

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces st0 unit 1 family inet address 10.11.11.150/24
set routing-options static route 192.168.168.0/24 next-hop st0.1
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy through-vpn match source-address any
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy through-vpn match destination-address 192.168.168.0/24
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy through-vpn match application any
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy through-vpn then permit

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a route-based VPN tunnel in a user logical system:

  1. Log in to the user logical system as the logical system administrator and enter configuration mode.

    [edit]
    lsdesignadmin1@host:ls-product-design> configure
    lsdesignadmin1@host:ls-product-design#
    
  2. Configure the VPN tunnel interface.

    [edit interfaces]
    lsdesignadmin1@host:ls-product-design# set st0 unit 1 family inet address 10.11.11.150/24
    
  3. Create a static route to the remote destination.

    [edit routing-options]
    lsdesignadmin1@host:ls-product-design# set static route 192.168.168.0/24 next-hop st0.1
    
  4. Configure a security policy to permit traffic to the remote destination.

    [edit security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust]
    lsdesignadmin1@host:ls-product-design# set policy through-vpn match source-address any
    lsdesignadmin1@host:ls-product-design# set policy through-vpn match destination-address 192.168.168.0/24
    lsdesignadmin1@host:ls-product-design# set policy through-vpn match application any
    lsdesignadmin1@host:ls-product-design# set policy through-vpn then permit
    
Results

From configuration mode, confirm your configuration by entering the show interfaces st0, show routing-options, and show security policies commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

[edit]
lsdesignadmin1@host:ls-product-design# show interfaces st0
    unit 1 {
        family inet {
            address 10.11.11.150/24;
        }
    }
lsdesignadmin1@host:ls-product-design# show routing-options
    static {
        route 192.168.168.0/24 next-hop st0.1;
    }
[edit]
lsdesignadmin1@host:ls-product-design# show security policies
    from-zone ls-product-design-trust to-zone ls-product-design-untrust {
        policy through-vpn {
            match {
                source-address any;
                destination-address 192.168.168.0/24;
                application any;
            }
            then {
                permit;
            }
        }
        ...
    }

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Note:

Before starting the verification process, you need to send traffic from a host in the user logical system to a host in the 192.168.168.0/24 network. For example, initiate a ping from a host in the 12.1.1.0/24 subnet in the ls-product-design user logical system to the host 192.168.168.10.

Verifying the IKE Phase 1 Status

Purpose

Verify the IKE Phase 1 status.

Action

From operational mode, enter the show security ike security-associations command. After obtaining an index number from the command, use the show security ike security-associations index index_number detail command.

For sample outputs and meanings, see the “Verification” section of Example: Configuring a Route-Based VPN.

Verifying the IPsec Phase 2 Status

Purpose

Verify the IPsec Phase 2 status.

Action

From operational mode, enter the show security ipsec security-associations command. After obtaining an index number from the command, use the show security ipsec security-associations index index_number detail command.

For sample outputs and meanings, see the “Verification” section of Example: Configuring a Route-Based VPN.
