children

Syntax

Hierarchy Level

Description

Configure child details to establish a security association (SA). An SA describes a specific negotiated set of parameters that protect traffic between two hosts for a certain period of time.

Options

child-name

Specify the child SA name.

esp-proposal esp-proposal

Specify the algorithms to use when negotiating the child SA, chosen from the pre-selected combinations available. Each combination represents an encryption algorithm, an integrity algorithm, and a Diffie-Hellman group. The options are:

3des-sha1-modp1536

Propose 3des, sha1, and DH group modp1536.

aes256gcm128-ecp384

Propose aes256gcm128 and DH group ecp384.

aes256gcm128-modp3072

Propose aes256gcm128 and DH group modp3072.

aes256-sha384-ecp384

Propose aes256 CBC, sha384 and DH group ecp384.

aes256-sha384-modp3072

Propose aes256 CBC, sha384 and DH group modp3072.

[ ]

Propose a set composed of any of the permitted values.

  • Default: aes256gcm128-ecp384

mode (transport | tunnel)

Specify the IPsec usage mode to negotiate: transport or tunnel.

tunnel

In tunnel mode, the entire IP packet is encrypted and authenticated. It is then encapsulated into a new IP packet with a new IP header. Tunnel mode may be used with any kind of IP traffic. Of the two modes, only tunnel mode supports NAT traversal. Tunnel mode is required if you are communicating with a server behind a gateway.

transport

In transport mode, only the payload of the IP packet is encrypted or authenticated. The IP header is neither modified nor encrypted. Transport mode does not support NAT traversal. Either transport mode or tunnel mode can be used when communication is between two hosts, for example, between a router and a syslog server.

  • Default: tunnel

rekey-time rekey-time

Specify how long, in seconds, before the child SA is rekeyed. Actual rekeying occurs slightly sooner than the rekey time specified because of rekey randomization.

  • Default: 14,400

  • Range: 60 through 86,400

The remaining statements are explained separately.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Evolved Release 18.3R1.