security-association (IPSec)

Syntax

Hierarchy Level

Description

Configure a manual IPsec security association (SA) to be applied to an OSPF or OSPFv3 interface or virtual link. IPsec can provide authentication and confidentiality to OSPF or OSPFv3 routing packets.

Options

sa-name

Name of the SA.

description

Specify a text description for the SA.

direction

Direction of the manual SA. For this feature, the direction must be bidirectional. A bidirectional SA encrypts, decrypts, and authenticates incoming and outgoing traffic using the same algorithm, keys, and SPI in both directions, unlike separate inbound and outbound SAs, which use different attributes in each direction.

  • Values:

    • algorithm—Hash algorithm that authenticates packet data. It can be one of the following:

      • hmac-md5-96—Produces a 128-bit digest. This is the default.

      • hmac-sha1-96—Produces a 160-bit digest.

      • hmac-sha-256—Produces a 256-bit digest.

      • hmac-sha-384—Produces a 384-bit digest.

      • hmac-sha-512—Produces a 512-bit digest.

      Starting in Junos OS Release 22.2R1, MX240, MX480, and MX960 with MX-SPC3, SRX Series Firewalls, and vSRX Virtual Firewall running the iked process support all the listed authentication algorithms.

    • key—Type of authentication key. It can be one of the following:

      • ascii-text key—ASCII text key. For hmac-md5-96, the key is 16 ASCII characters; for hmac-sha1-96, the key is 20 ASCII characters.

      • hexadecimal key—Hexadecimal key. For hmac-md5-96, the key is 32 hexadecimal characters; for hmac-sha1-96, the key is 40 hexadecimal characters.

  • Values: encryption—Configure an encryption algorithm and key for a manual Security Association (SA). It can be one of the following:

    • algorithm—Select the encryption algorithm for the internal Routing-Engine-to-Routing-Engine IPsec security association (SA) configuration.

      • des-cbc—Encryption algorithm with block size of 8 bytes (64 bits) and key size 48 bits.

      • 3des-cbc—Encryption algorithm with block size of 8 bytes (64 bits) and key size of 192 bits.

        For 3des-cbc, we recommend that the first 8 bytes be different from the second 8 bytes, and the second 8 bytes be the same as the third 8 bytes.

      • aes-128-cbc—Advanced Encryption Standard algorithm with a 16-byte (128-bit) key.

      • aes-192-cbc—Advanced Encryption Standard algorithm with a 24-byte (192-bit) key.

      • aes-256-cbc—Advanced Encryption Standard algorithm with a 32-byte (256-bit) key.

      Starting in Junos OS Release 22.2R1, MX240, MX480, and MX960 with MX-SPC3, SRX Series Firewalls, and vSRX Virtual Firewall running the iked process support all the listed encryption algorithms.

    • key—Type of encryption key. It can be one of the following:

      • ascii-text key—ASCII text key. For the des-cbc option, the key contains 8 ASCII characters; for 3des-cbc, the key contains 24 ASCII characters.

      • hexadecimal key—Hexadecimal key. For the des-cbc option, the key contains 16 hexadecimal characters; for the 3des-cbc option, the key contains 48 hexadecimal characters.

protocol

Define the IPsec protocol for a manual security association (SA). The protocol can be one of the following:

  • ah—Authentication Header protocol. If you configure AH protocol, it is mandatory to configure the authentication algorithm and the key.

  • esp—Encapsulating Security Payload (ESP) protocol. This is the default.

    If you configure the ESP protocol, you must configure an authentication algorithm, an encryption algorithm, or both. If you leave the protocol at its ESP default and configure neither an authentication algorithm nor an encryption algorithm, the SA provides neither authentication nor encryption.

spi spi-value

Configure the security parameter index (SPI) for a security association (SA). The SPI is an arbitrary value that uniquely identifies which SA the receiving host (the destination address in the packet) uses.

  • Range: 256 through 16,639

mode

SA mode. For this feature, the mode must be transport.
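The constraints above (bidirectional direction, transport mode, SPI range, the AH and ESP algorithm requirements, and the per-algorithm key lengths) are easy to get wrong when a manual SA is keyed by hand, and a mismatch silently breaks OSPF adjacency. The following validator, an added example that is not Juniper code and does not use the Junos configuration syntax, checks an SA described as a Python dict against the rules this page states. The dict keys (`direction`, `mode`, `protocol`, `spi`, `authentication`, `encryption`, `key_type`) are assumed names chosen to mirror the statement's options; the sample SAs are constructed. Only the key lengths the page gives (hmac-md5-96, hmac-sha1-96, des-cbc, 3des-cbc) are enforced; other listed algorithms are accepted without a length check. The legacy-algorithm warnings for des-cbc and hmac-md5-96 are this example's own policy, not something the page states.

```python
"""Validator for manual IPsec SA options (added example, not Juniper code).

The rules enforced are the ones stated on the page: direction bidirectional,
mode transport, SPI 256..16639, AH needs authentication, ESP needs
authentication or encryption (or both), and the key lengths given per
algorithm. Dict key names are assumptions that mirror the statement's options.
"""
import re

AUTH_ALGORITHMS = {"hmac-md5-96", "hmac-sha1-96", "hmac-sha-256",
                   "hmac-sha-384", "hmac-sha-512"}
ENC_ALGORITHMS = {"des-cbc", "3des-cbc", "aes-128-cbc", "aes-192-cbc",
                  "aes-256-cbc"}
# (ascii-text characters, hexadecimal characters) as stated on the page.
# Algorithms not listed here are accepted without a length check.
KEY_LENGTHS = {
    "hmac-md5-96": (16, 32),
    "hmac-sha1-96": (20, 40),
    "des-cbc": (8, 16),
    "3des-cbc": (24, 48),
}
SPI_MIN, SPI_MAX = 256, 16639
# Legacy choices this example warns about (example policy, not from the page).
LEGACY_ALGORITHMS = {"des-cbc", "hmac-md5-96"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def _check_key(kind, algorithm, key_type, key, errors, warnings):
    """Check one (algorithm, key) pair against the page's length rules."""
    if key_type not in ("ascii-text", "hexadecimal"):
        errors.append(f"{kind}: key type must be ascii-text or hexadecimal")
        return
    if not isinstance(key, str) or not key:
        errors.append(f"{kind}: key is missing")
        return
    if key_type == "hexadecimal" and not HEX_RE.match(key):
        errors.append(f"{kind}: hexadecimal key contains non-hex characters")
        return
    if algorithm in KEY_LENGTHS:
        expected = KEY_LENGTHS[algorithm][0 if key_type == "ascii-text" else 1]
        if len(key) != expected:
            errors.append(f"{kind}: {algorithm} needs a {expected}-character "
                          f"{key_type} key, got {len(key)}")
            return
    if algorithm == "3des-cbc":
        # The page recommends that the first 8 key bytes differ from the second 8.
        third = len(key) // 3
        if key[:third] == key[third:2 * third]:
            warnings.append(f"{kind}: 3des-cbc key repeats its first 8 bytes "
                            "in the second 8 bytes")


def validate_sa(sa):
    """Return (errors, warnings) for a manual SA given as a dict."""
    errors, warnings = [], []
    if sa.get("direction") != "bidirectional":
        errors.append("direction must be bidirectional for OSPF/OSPFv3 SAs")
    if sa.get("mode") != "transport":
        errors.append("mode must be transport for OSPF/OSPFv3 SAs")
    spi = sa.get("spi")
    if not isinstance(spi, int) or not SPI_MIN <= spi <= SPI_MAX:
        errors.append(f"spi must be an integer from {SPI_MIN} through {SPI_MAX}")

    protocol = sa.get("protocol", "esp")  # esp is the default per the page
    auth = sa.get("authentication")
    enc = sa.get("encryption")
    if protocol == "ah":
        if auth is None:
            errors.append("ah requires an authentication algorithm and key")
        if enc is not None:
            # General IPsec fact: AH offers no confidentiality service.
            warnings.append("ah provides no confidentiality; encryption has no effect")
    elif protocol == "esp":
        if auth is None and enc is None:
            errors.append("esp requires an authentication algorithm, "
                          "an encryption algorithm, or both")
    else:
        errors.append("protocol must be ah or esp")

    if auth is not None:
        alg = auth.get("algorithm", "hmac-md5-96")  # page: hmac-md5-96 is the default
        if alg not in AUTH_ALGORITHMS:
            errors.append(f"authentication: unknown algorithm {alg}")
        else:
            if alg in LEGACY_ALGORITHMS:
                warnings.append(f"authentication: {alg} is a legacy algorithm")
            _check_key("authentication", alg, auth.get("key_type"),
                       auth.get("key"), errors, warnings)
    if enc is not None:
        alg = enc.get("algorithm")
        if alg not in ENC_ALGORITHMS:
            errors.append(f"encryption: unknown algorithm {alg}")
        else:
            if alg in LEGACY_ALGORITHMS:
                warnings.append(f"encryption: {alg} is a legacy algorithm")
            _check_key("encryption", alg, enc.get("key_type"),
                       enc.get("key"), errors, warnings)
    return errors, warnings


# Constructed sample SAs (not from the page).
SAMPLE_OK = {
    "direction": "bidirectional", "mode": "transport", "protocol": "esp",
    "spi": 1000,
    "authentication": {"algorithm": "hmac-sha1-96", "key_type": "ascii-text",
                       "key": "abcdefghijklmnopqrst"},          # 20 characters
    "encryption": {"algorithm": "3des-cbc", "key_type": "hexadecimal",
                   "key": "00112233445566778899aabbccddeeff0123456789abcdef"},
}
SAMPLE_BAD = {
    "direction": "inbound", "mode": "tunnel", "protocol": "ah", "spi": 100,
    "encryption": {"algorithm": "des-cbc", "key_type": "hexadecimal",
                   "key": "0011223344556677"},
}

if __name__ == "__main__":
    for name, sa in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        errs, warns = validate_sa(sa)
        print(name, "errors:", errs, "warnings:", warns)
```

Running the block prints no findings for the first sample and four errors plus two warnings for the second: the direction, mode, and SPI violations, the missing authentication required by AH, and the warnings about encryption under AH and the legacy des-cbc choice.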

Required Privilege Level

view-level—To view this statement in the configuration.

control-level—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 12.1X46-D20.

The authentication algorithm configuration options hmac-md5-96, hmac-sha1-96, hmac-sha-256, hmac-sha-384, and hmac-sha-512 were added in Junos OS Release 22.2R1 for MX240, MX480, and MX960 with MX-SPC3, SRX Series Firewalls, and vSRX Virtual Firewall running the iked process.

The encryption algorithm configuration options des-cbc, 3des-cbc, aes-128-cbc, aes-192-cbc, and aes-256-cbc were added in Junos OS Release 22.2R1 for MX240, MX480, and MX960 with MX-SPC3, SRX Series Firewalls, and vSRX Virtual Firewall running the iked process.