Security Services Configuration Statements
To configure security services, you can include the following configuration statements at the [edit security] hierarchy level:
[edit security]
authentication-key-chains {
    key-chain key-chain-name {
        key key {
            secret secret-data;
            start-time yyyy-mm-dd.hh:mm:ss;
        }
    }
}
certificates {
    cache-size bytes;
    cache-timeout-negative seconds;
    certification-authority ca-profile-name {
        ca-name ca-identity;
        crl file-name;
        encoding (binary | pem);
        enrollment-url url-name;
        file certificate-filename;
        ldap-url url-name;
    }
    enrollment-retry attempts;
    local certificate-filename {
        certificate-key-string;
        load-key-file URL key-filename;
    }
    maximum-certificates number;
    path-length certificate-path-length;
}
ike {
    proposal ike-proposal-name {
        authentication-algorithm (md5 | sha1);
        authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
        description description;
        dh-group (group1 | group2);
        encryption-algorithm (3des-cbc | des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc);
        lifetime-seconds seconds;
    }
    policy ike-peer-address {
        description description;
        encoding (binary | pem);
        identity identity-name;
        local-certificate certificate-filename;
        local-key-pair private-public-key-file;
        mode (aggressive | main);
        pre-shared-key (ascii-text key | hexadecimal key);
        proposals [ proposal-names ];
    }
}
ipsec {
    security-association {
        manual {
            direction (bidirectional | inbound | outbound) {
                protocol esp;
                spi spi-value;
                encryption {
                    algorithm 3des-cbc;
                    key ascii-text ascii-text-string;
                }
            }
        }
    }
    proposal ipsec-proposal-name {
        authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
        description description;
        encryption-algorithm (3des-cbc | des-cbc);
        lifetime-seconds seconds;
        protocol (ah | esp | bundle);
    }
    policy ipsec-policy-name {
        description description;
        perfect-forward-secrecy {
            keys (group1 | group2);
        }
        proposals [ proposal-names ];
    }
    security-association sa-name {
        description description;
        dynamic {
            ipsec-policy policy-name;
            replay-window-size (32 | 64);
        }
        manual {
            direction (inbound | outbound | bidirectional) {
                authentication {
                    algorithm (hmac-md5-96 | hmac-sha1-96);
                    key (ascii-text key | hexadecimal key);
                }
                auxiliary-spi auxiliary-spi;
                encryption {
                    algorithm (des-cbc | 3des-cbc);
                    key (ascii-text key | hexadecimal key);
                }
                protocol (ah | esp | bundle);
                spi spi-value;
            }
        }
        mode (tunnel | transport);
    }
}
pki {
    auto-re-enrollment {
        certificate-id {
            ca-profile ca-profile-name;
            challenge-password password;
            re-enroll-trigger-time-percentage percentage;
            re-generate-keypair;
            validity-period days;
        }
    }
    ca-profile ca-profile-name {
        ca-identity ca-identity;
        enrollment {
            url url-name;
            retry number-of-attempts;
            retry-interval seconds;
        }
        revocation-check {
            disable;
            crl {
                disable on-download-failure;
                refresh-interval number-of-hours;
                url {
                    url-name;
                    password;
                }
            }
        }
    }
    traceoptions {
        file filename <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
        flag flag;
    }
}
ssh-known-hosts {
    host {
        dsa-key key;
        rsa-key key;
        rsa1-key key;
    }
}
traceoptions {
    file filename <files number> <size size>;
    flag all;
    flag database;
    flag general;
    flag ike;
    flag parse;
    flag policy-manager;
    flag routing-socket;
    flag timer;
}
Note: Most of the configuration statements do not have default values. If you do not specify an identifier for a statement that does not have a default value, you cannot commit the configuration. For information about IP Security (IPsec) monitoring and troubleshooting, see the Junos OS Operational Mode Commands.
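The hierarchy above lists every alternative the platform accepts, including weaker ones (md5, des-cbc, group1, aggressive mode, revocation checking disabled). The following is an added example, not taken from the Juniper documentation, of a complete [edit security] IKE and IPsec configuration that picks the stronger alternative wherever the hierarchy offers a choice: main-mode IKE with a pre-shared key, SHA-1 integrity, AES-256 encryption, Diffie-Hellman group2, an ESP proposal with HMAC-SHA1-96, perfect forward secrecy on the IPsec policy, and a dynamic security association with the larger replay window. The peer address 192.0.2.10, the proposal, policy and SA names, the lifetimes and the pre-shared key value are all assumptions chosen for illustration; the key in particular is a placeholder that must be replaced with a long random secret.

```junos
/* Added example: [edit security] IKE and IPsec configuration, strongest options the hierarchy offers */
security {
    ike {
        /* Phase 1 proposal: SHA-1 instead of MD5, AES-256 instead of DES/3DES, group2 instead of group1 */
        proposal ike-prop-strong {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        /* The policy name is the IKE peer address (assumed here; RFC 5737 documentation range) */
        policy 192.0.2.10 {
            description "Assumed branch-office peer";
            /* main mode protects the identities during the exchange; aggressive mode does not */
            mode main;
            proposals ike-prop-strong;
            /* placeholder value: replace with a long random secret before commit */
            pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-SECRET";
        }
    }
    ipsec {
        /* Phase 2 proposal: ESP with HMAC-SHA1-96; this hierarchy offers only des-cbc or 3des-cbc here */
        proposal ipsec-prop-esp {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        /* PFS forces a fresh DH exchange for each IPsec SA rekey instead of deriving from the IKE SA */
        policy ipsec-pol-pfs {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-prop-esp;
        }
        /* Dynamic SA: keys are negotiated by IKE rather than typed into the configuration */
        security-association sa-to-branch {
            description "Assumed tunnel to branch office";
            mode tunnel;
            dynamic {
                ipsec-policy ipsec-pol-pfs;
                replay-window-size 64;
            }
        }
    }
}
```

Two points to check when reviewing a configuration built from this hierarchy. First, a manual security-association places the ESP or AH key directly in the configuration as ascii-text or hexadecimal, so anyone who can read the configuration holds the traffic keys; the dynamic form above keeps them in IKE's negotiated state instead. Second, under pki ca-profile the statements revocation-check disable and crl disable on-download-failure are the two that silently turn off certificate revocation checking, so when IKE uses rsa-signatures or dsa-signatures rather than a pre-shared key, confirm that neither is present and that crl refresh-interval and url are configured.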