IKE and ESP ALG

date_range 18-Feb-25

Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) are part of the IP Security (IPsec) protocol suite. IKE and ESP traffic is exchanged between the clients and the server. The IKE and ESP ALG helps resolve the IPsec VPN problems that arise when the IPsec VPN passes through a device on which NAT is enabled.

Use Feature Explorer to confirm platform and release support for specific features.

Review the Platform-Specific IKE ALG Behavior section for notes related to your platform.

Understanding the IKE and ESP ALG

An NFX Series or SRX Series Firewall can be used solely as a Network Address Translation (NAT) device when placed between VPN clients on the private side of the NAT gateway and the virtual private network (VPN) gateways on the public side.

Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic is exchanged between the clients and the server. However, if the clients do not support NAT-Traversal (NAT-T) and the device assigns the same NAT-generated IP address to two or more clients, the device cannot distinguish the clients' return traffic and route it properly. ESP carries no transport-layer port numbers, so ordinary port-based source NAT has nothing to key the return translation on.

Note:

To support both NAT-T-capable and non-NAT-T-capable clients, additional configuration is required: you must enable address-persistent source NAT (see Configuring IKE and ESP ALG Support for Both NAT-T Capable and Noncapable Clients).

The ALG for IKE and ESP monitors IKE traffic between the client and the server and permits only one IKE Phase 2 message exchange at a time between any given client/server pair (not just one exchange between any client and any server).

ALG for IKE and ESP traffic has been created and NAT has been enhanced to implement the following:

  • To enable the devices to pass IKE and ESP traffic with a source NAT pool

  • To allow the device to be configured to return the same NAT-generated IP address for the same pre-NAT source IP address ("address-persistent NAT"). As a result, the device can associate a client's outgoing IKE traffic with the return traffic from the server, in particular when the IKE session times out and must be reestablished.

  • The resulting ESP traffic between the client and the server is also allowed, especially in the direction from the server to the client.

  • The return ESP traffic matches the following:

    • The server IP address as source IP

    • The client IP address as destination IP

Understanding IKE and ESP ALG Operation

Application Layer Gateway (ALG) for Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic has the following behavior:

  • The IKE and ESP ALG monitors IKE traffic between the client and the server, and it permits only one IKE Phase 2 message exchange between the client and the server at any given time.

  • For a Phase 2 message:

    • If no Phase 2 message exchange between the client and server has taken place yet (that is, no gates exist for the pair), the IKE ALG gates are opened for the relevant ESP traffic from the client to the server and from the server to the client.

    • If the IKE ALG gates cannot both be opened successfully, or if a Phase 2 message exchange has already taken place and its gates are still present, the Phase 2 message is dropped.

  • When ESP traffic hits the IKE ALG gates, sessions are created to capture subsequent ESP traffic and to perform the proper NAT translation (that is, source IP address translation for client-to-server traffic and destination IP address translation for server-to-client traffic).

  • When ESP traffic does not hit one or both of the gates, the unused gates time out.

  • Once the IKE ALG gates have collapsed into sessions or have timed out, another IKE Phase 2 message exchange is permitted.

  • IKE NAT-T traffic on floating port 4500 is not processed by the IKE ALG. To support a mixture of NAT-T-capable and non-capable clients, you must enable address-persistent source NAT.

Example: Configuring the IKE and ESP ALG

This example shows how to configure the IKE and ESP ALG to pass through IKE and ESP traffic with a source NAT pool on Juniper Networks devices.

Requirements

Before you begin:

Overview

In this example, the ALG for IKE and ESP is configured to monitor and allow IKE and ESP traffic to be exchanged between the clients and the server located on opposite sides of a Juniper Networks device.

This example shows how to configure a source NAT pool and rule set, configure a custom application to support the IKE and ESP ALG, and associate this ALG to a policy.

If you want to support a mixture of NAT-traversal (NAT-T) capable clients and noncapable clients, you must enable persistent source NAT translation (so that once a particular source NAT is associated with a given IP address, subsequent source NAT translations use the same IP address). You also must configure a custom IKE NAT traversal application to support the encapsulation of IKE and ESP in UDP port 4500. This configuration enables IKE and ESP to pass through the NAT-enabled device.
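To make the persistence requirement concrete, the following is an added example (constructed for this page, not Junos code) that models a source NAT pool with and without address persistence. A client's IKE session starts on UDP 500 and, once NAT-T is negotiated, floats to UDP 4500, which a per-flow translator sees as a new flow; the model then ages the session out and re-establishes it, as happens when IKE state times out. The SourceNatPool class, its round-robin allocator, and the hosts 1.1.1.5, 1.1.1.6 and 2.2.2.1 are assumptions of the model (not Junos's pool selection logic); only the pool range matches pool1 from this example.

```python
"""Model of why address-persistent source NAT matters for IKE peers behind NAT.

Constructed for this page, not Junos code. A client's IKE session starts on
UDP 500 and, once NAT-T is negotiated, floats to UDP 4500, which a
per-flow translator treats as a new flow. The round-robin allocator and the
client/gateway addresses are assumptions of the model; only the pool range
(pool1, 10.10.10.1-10) comes from the example.
"""

POOL = [f"10.10.10.{i}" for i in range(1, 11)]


class SourceNatPool:
    """Source NAT pool that hands out addresses per flow, optionally address-persistent."""

    def __init__(self, pool, address_persistent=False):
        self.pool = list(pool)
        self.address_persistent = address_persistent
        self.flows = {}   # (proto, src, sport, dst, dport) -> NAT IP for the live session
        self.sticky = {}  # pre-NAT source IP -> NAT IP, used only when address_persistent
        self._next = 0

    def _allocate(self):
        # Round-robin over the pool: an assumption of the model, not Junos's selection logic.
        addr = self.pool[self._next % len(self.pool)]
        self._next += 1
        return addr

    def translate(self, proto, src, sport, dst, dport):
        """Return the NAT IP used for this flow, creating the session if needed."""
        key = (proto, src, sport, dst, dport)
        if key in self.flows:                               # existing session keeps its translation
            return self.flows[key]
        if self.address_persistent and src in self.sticky:  # same pre-NAT IP -> same NAT IP
            nat_ip = self.sticky[src]
        else:
            nat_ip = self._allocate()
            if self.address_persistent:
                self.sticky[src] = nat_ip
        self.flows[key] = nat_ip
        return nat_ip

    def close(self, proto, src, sport, dst, dport):
        """Age a session out (for example, IKE state timed out); the next packet re-translates."""
        self.flows.pop((proto, src, sport, dst, dport), None)


def ike_source_addresses(address_persistent):
    """Source addresses the VPN gateway sees from one client across the NAT-T port float and a rekey."""
    nat = SourceNatPool(POOL, address_persistent)
    client, other, gw = "1.1.1.5", "1.1.1.6", "2.2.2.1"   # assumed hosts inside the example's subnets
    seen = [nat.translate("udp", client, 500, gw, 500)]          # IKE Phase 1 on UDP 500
    nat.translate("udp", other, 500, gw, 500)                    # another client also takes a pool address
    seen.append(nat.translate("udp", client, 4500, gw, 4500))    # NAT-T float to 4500: a new flow
    nat.close("udp", client, 500, gw, 500)
    nat.close("udp", client, 4500, gw, 4500)                     # IKE session times out
    seen.append(nat.translate("udp", client, 500, gw, 500))      # client re-establishes IKE
    return seen


def gateway_sees_stable_peer(address_persistent):
    """True if every IKE flow from the client left the NAT device with the same source IP."""
    return len(set(ike_source_addresses(address_persistent))) == 1
```

Without persistence the gateway sees three different source addresses for what is one IKE peer (the 500 flow, the 4500 flow, and the re-established session each draw a fresh pool address), which is the condition under which the NAT-T negotiation fails; with address-persistent the client keeps 10.10.10.1 throughout.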

Topology

Configuration

Configuring a NAT Source Pool and Rule Set

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security nat source pool pool1 address 10.10.10.1/32 to 10.10.10.10/32
set security zones security-zone green address-book address sa1 1.1.1.0/24
set security zones security-zone red address-book address da1 2.2.2.0/24
set security nat source rule-set rs1 from zone green 
set security nat source rule-set rs1 to zone red 
set security nat source rule-set rs1 rule r1 match source-address 1.1.1.0/24 
set security nat source rule-set rs1 rule r1 match destination-address 2.2.2.0/24 
set security nat source rule-set rs1 rule r1 then source-nat pool pool1 
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a source NAT pool:

  1. Create a NAT source pool.

    [edit]
    user@host# set security nat source pool pool1 address 10.10.10.1/32 to 10.10.10.10/32
    
  2. Configure security zone address book entries.

    [edit]
    user@host# set security zones security-zone green address-book address sa1 1.1.1.0/24
    user@host# set security zones security-zone red address-book address da1 2.2.2.0/24
    
  3. Create a NAT source rule set.

    [edit security nat source rule-set rs1]
    user@host# set from zone green
    user@host# set to zone red
    user@host# set rule r1 match source-address 1.1.1.0/24
    user@host# set rule r1 match destination-address 2.2.2.0/24 
    user@host# set rule r1 then source-nat pool pool1 
    
Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host# show security nat
source {
    pool pool1 {
        address {
            10.10.10.1/32 to 10.10.10.10/32;
        }
    }
    rule-set rs1 {
        from zone green;
        to zone red;
        rule r1 {
            match {
                source-address 1.1.1.0/24;
                destination-address 2.2.2.0/24;
            }
            then {
                source-nat {
                    pool {
                        pool1;
                    }
                }
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring a Custom Application and Associating it to a Policy

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set applications application custom-ike-alg source-port 500 destination-port 500 protocol udp application-protocol ike-esp-nat
set security policies from-zone green to-zone red policy pol1 match source-address sa1
set security policies from-zone green to-zone red policy pol1 match destination-address da1
set security policies from-zone green to-zone red policy pol1 match application custom-ike-alg 
set security policies from-zone green to-zone red policy pol1 then permit
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a custom application and associate it to a policy:

  1. Configure a custom application.

    [edit]
    user@host# set applications application custom-ike-alg source-port 500 destination-port 500 protocol udp application-protocol ike-esp-nat
    
  2. Associate the custom application to a policy.

    [edit security policies from-zone green to-zone red policy pol1]
    user@host# set match source-address sa1
    user@host# set match destination-address da1
    user@host# set match application custom-ike-alg
    user@host# set then permit
    
Results

From configuration mode, confirm your configuration by entering the show applications and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show applications
application custom-ike-alg {
    application-protocol ike-esp-nat;
    protocol udp;
    source-port 500;
    destination-port 500;
}
[edit]
user@host# show security zones
security-zone Trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/1.0;
    }
}
security-zone green {
    address-book {
        address sa1 1.1.1.0/24;
    }
}
security-zone red {
    address-book {
        address da1 2.2.2.0/24;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring IKE and ESP ALG Support for Both NAT-T Capable and Noncapable Clients

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security nat source address-persistent
set applications application custom-ike-natt protocol udp source-port 4500 destination-port 4500 
set security policies from-zone green to-zone red policy pol1 match source-address sa1 
set security policies from-zone green to-zone red policy pol1 match destination-address da1 
set security policies from-zone green to-zone red policy pol1 match application custom-ike-natt 
set security policies from-zone green to-zone red policy pol1 then permit 
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure IKE and ESP ALG support for both NAT-T capable and noncapable clients:

  1. Globally enable persistent source NAT translation.

    [edit]
    user@host# set security nat source address-persistent
    
  2. Configure the IKE NAT-T application.

    [edit]
    user@host# set applications application custom-ike-natt protocol udp source-port 4500 destination-port 4500
    
  3. Associate the NAT-T application using a policy.

    [edit security policies from-zone green to-zone red policy pol1]
    user@host# set match source-address sa1
    user@host# set match destination-address da1
    user@host# set match application custom-ike-natt
    user@host# set then permit
    
Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security nat
source {
    address-persistent;
}
[edit]
user@host# show security policies
from-zone green to-zone red {
    policy pol1 {
        match {
            source-address sa1;
            destination-address da1;
            application [ custom-ike-alg custom-ike-natt ];
        }
        then {
            permit;
        }
    }
}
default-policy {
    permit-all;
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying IKE and ESP ALG Custom Applications

Purpose

Verify that the custom applications to support the IKE and ESP ALG are enabled.

Action

From operational mode, enter the show security alg status command.

user@host> show security alg status
ALG Status :
  DNS      : Enabled
  FTP      : Enabled
  H323     : Enabled
  MGCP     : Enabled
  MSRPC    : Enabled
  PPTP     : Enabled
  RSH      : Disabled
  RTSP     : Enabled
  SCCP     : Enabled
  SIP      : Enabled
  SQL      : Enabled
  SUNRPC   : Enabled
  TALK     : Enabled
  TFTP     : Enabled
  IKE-ESP  : Enabled
Meaning

The output shows the ALG status as follows:

  • Enabled—Shows the ALG is enabled.

  • Disabled—Shows the ALG is disabled.

Verifying the Security Policies for the ALG

Purpose

Verify that the custom applications custom-ike-alg and custom-ike-natt are referenced by the security policy.

Action

From operational mode, enter the show security policies command.

user@host> show security policies
Default policy: permit-all
From zone: green, To zone: red
Policy: pol1, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
Source addresses: sa1
Destination addresses: da1
Applications: custom-ike-alg, custom-ike-natt
Action: permit
Meaning

The sample output shows that the custom-ike-alg and custom-ike-natt applications are configured in policy pol1.

Example: Enabling the IKE and ESP ALG and Setting Timeouts

This example shows how to enable the IKE and ESP ALG and set the timeout values to allow time for the ALG to process ALG state information, ESP gates, and ESP sessions.

Requirements

Understand the concepts behind ALG for IKE and ESP. See Understanding IKE and ESP ALG Operation.

Overview

The IKE and ESP ALG processes all traffic specified in any policy to which the ALG is attached. In this example, you configure the set security alg ike-esp-nat enable statement, which disables the default IPsec pass-through behavior for all IPsec pass-through traffic, regardless of policy, so that this traffic is subject to the ALG instead.

You then set the timeout values to allow time for the IKE and ESP ALG to process ALG state information, ESP gates, and ESP sessions:

  • state-timeout: the timeout of the ALG state information. The range is 180 through 86400 seconds; the default is 14400 seconds.

  • esp-gate-timeout: the timeout of the ESP gates created after an IKE Phase 2 exchange has completed. The range is 2 through 30 seconds; the default is 5 seconds.

  • esp-session-timeout: the idle timeout of the ESP sessions created from the IPsec gates. If no traffic hits a session within this period, the session is aged out. The range is 60 through 2400 seconds; the default is 1800 seconds.
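The following added example (constructed for this page, not Junos code) models the gate and session behavior described in Understanding IKE and ESP ALG Operation together with the three timers above, so you can see how esp-gate-timeout and esp-session-timeout decide whether a second Phase 2 exchange or a late ESP packet is accepted. The IkeEspAlg and Packet classes, the static NAT map from 1.1.1.5 to 10.10.10.1, the server 2.2.2.1, the treatment of a Phase 2 exchange as a single event, and the packet trace are assumptions of the model; the default timer values and the tuned values in the test are the ones this page gives.

```python
"""Toy model of the IKE and ESP ALG gates, sessions and timers described above.

Constructed for this page, not Junos code. Modeled rules: one Phase 2 exchange
per client/server pair while its gates are open, unused gates time out, idle
sessions age out, and NAT-T on UDP 4500 bypasses the ALG. The static NAT map
and the 'one event per Phase 2 exchange' simplification are assumptions.
"""
from dataclasses import dataclass, field

IKE_PORT, NATT_PORT = 500, 4500


@dataclass
class Packet:
    t: float        # arrival time in seconds
    proto: str      # "udp" (IKE) or "esp"
    src: str
    dst: str
    dport: int = 0  # UDP only
    phase: int = 0  # IKE only: 1 or 2


@dataclass
class IkeEspAlg:
    # Defaults are the page's; configurable ranges are 180-86400, 2-30 and 60-2400 s.
    state_timeout: float = 14400
    esp_gate_timeout: float = 5
    esp_session_timeout: float = 1800
    nat: dict = field(default_factory=dict)       # client pre-NAT IP -> pool IP (assumed static)
    state: dict = field(default_factory=dict)     # (client, server) -> ALG state expiry
    gates: dict = field(default_factory=dict)     # (src, dst) of expected ESP, pre-NAT -> expiry
    sessions: dict = field(default_factory=dict)  # (src, dst) of ESP, pre-NAT -> idle expiry

    def _client_of(self, nat_ip):
        return next((c for c, n in self.nat.items() if n == nat_ip), None)

    def _expire(self, now):
        for table in (self.state, self.gates, self.sessions):
            for key in [k for k, exp in table.items() if exp <= now]:
                del table[key]
        for a, b in list(self.gates):  # gates belong to the pair's state; drop them with it
            pair = (a, b) if a in self.nat else (b, a)
            if pair not in self.state:
                del self.gates[(a, b)]

    def process(self, pkt):
        """Return (verdict, translated (src, dst) or None) for one packet."""
        self._expire(pkt.t)
        if pkt.proto == "udp" and pkt.dport == NATT_PORT:
            return "bypass", None                # NAT-T on 4500 is not processed by this ALG
        if pkt.proto == "udp" and pkt.dport == IKE_PORT:
            client, server = pkt.src, pkt.dst
            if client not in self.nat:
                return "no-nat-mapping", None    # not covered by the source NAT rule; not modeled
            self.state[(client, server)] = pkt.t + self.state_timeout  # IKE traffic re-arms the state
            if pkt.phase == 1:
                return "ike-phase1", None
            if (client, server) in self.gates or (server, client) in self.gates:
                return "drop", None              # a Phase 2 exchange already opened gates for this pair
            expiry = pkt.t + self.esp_gate_timeout
            self.gates[(client, server)] = expiry  # client -> server ESP
            self.gates[(server, client)] = expiry  # server -> client ESP
            return "phase2-gates-opened", None
        if pkt.proto == "esp":
            if pkt.src in self.nat:              # client -> server: translate the source
                key, translated = (pkt.src, pkt.dst), (self.nat[pkt.src], pkt.dst)
            else:                                # server -> client: dst is the pool IP, map it back
                client = self._client_of(pkt.dst)
                key, translated = (pkt.src, client), (pkt.src, client)
            if key in self.sessions:             # established session: refresh the idle timer
                self.sessions[key] = pkt.t + self.esp_session_timeout
                return "esp-session", translated
            if key in self.gates:                # first ESP packet: the gate collapses into a session
                del self.gates[key]
                self.sessions[key] = pkt.t + self.esp_session_timeout
                return "esp-session-created", translated
            return "drop", None                  # no gate and no session for this ESP flow
        return "not-ike", None


def run_scenario(alg=None):
    """Drive the model with a constructed packet trace; returns one (verdict, translated) per packet."""
    if alg is None:
        alg = IkeEspAlg(nat={"1.1.1.5": "10.10.10.1"})
    c, s, pool_ip = "1.1.1.5", "2.2.2.1", "10.10.10.1"   # assumed hosts inside the example's ranges
    trace = [
        Packet(0, "udp", c, s, dport=IKE_PORT, phase=1),
        Packet(1, "udp", c, s, dport=IKE_PORT, phase=2),   # opens both ESP gates
        Packet(2, "udp", c, s, dport=IKE_PORT, phase=2),   # second exchange while gates are open
        Packet(3, "esp", c, s),                            # hits the client -> server gate
        Packet(4, "esp", s, pool_ip),                      # return ESP hits the server -> client gate
        Packet(5, "udp", c, s, dport=IKE_PORT, phase=2),   # gates collapsed, so a rekey is permitted
        Packet(5, "udp", c, s, dport=NATT_PORT),           # NAT-T on 4500 is not the ALG's business
        Packet(6, "esp", c, s),                            # matches the existing session, not the new gate
        Packet(11, "udp", c, s, dport=IKE_PORT, phase=2),  # accepted only if the t=5 gates have timed out
        Packet(1807, "esp", c, s),                         # accepted only if the session has not idled out
    ]
    return [alg.process(p) for p in trace]
```

Call run_scenario() to get one verdict per packet. With the page's defaults, the Phase 2 exchange at t=11 is accepted because the gates opened at t=5 expired after 5 seconds, and the ESP packet at t=1807 is dropped because the session idled out after 1800 seconds; with this example's values (esp-gate-timeout 20, esp-session-timeout 2400) the reverse happens: the rekey at t=11 is dropped while the gates are still open, and the late ESP packet still matches a live session.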

Configuration

Procedure

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security alg ike-esp-nat enable
set security alg ike-esp-nat esp-gate-timeout 20 
set security alg ike-esp-nat esp-session-timeout 2400 
set security alg ike-esp-nat state-timeout 360 
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To enable the IKE and ESP ALG and set the timeout values:

  1. Enable the IKE and ESP ALG.

    [edit]
    user@host# set security alg ike-esp-nat enable
    
  2. Set the timeout for the ALG state information.

    [edit security alg ike-esp-nat]
    user@host# set state-timeout 360
    
  3. Set the timeout for the ESP gates created after an IKE Phase 2 exchange has completed.

    [edit security alg ike-esp-nat]
    user@host# set esp-gate-timeout 20
    
  4. Set the idle timeout for the ESP sessions created from the IPsec gates.

    [edit security alg ike-esp-nat]
    user@host# set esp-session-timeout 2400
    
Results

From configuration mode, confirm your configuration by entering the show security alg command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security alg
ike-esp-nat {
    enable;
    state-timeout 360;
    esp-gate-timeout 20;
    esp-session-timeout 2400;
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the ALG for IKE and ESP and Timeout Settings

Purpose

Verify that the ALG for IKE and ESP is enabled and the timeout settings for this feature are correct.

Action

From operational mode, enter the show security alg ike-esp-nat command.

Platform-Specific IKE ALG Behavior

Use Feature Explorer to confirm platform and release support for specific features.

Use the following table to review platform-specific behaviors for your platform:

Platform: SRX Series

Difference:

  • SRX1500, SRX5600, and SRX5800 devices with IKE support also support IKE negotiations with NAT traversal. These negotiations fail if the IKE peer is behind a NAT device that changes the source IP address during negotiation. For example, a NAT device using a dynamic IP (DIP) pool can change the translated source IP when the IKE protocol switches the UDP port from 500 to 4500, because the translator treats the new port pair as a new flow.