session (Security IKE)
Syntax
session {
    full-open {
        incoming-exchange-max-rates {
            ike-rekey value;
            ipsec-rekey value;
            keepalive value;
        }
    }
    half-open {
        timeout seconds;
        backoff-timeouts {
            init-phase-failure value;
            auth-phase-failure value;
        }
        discard-duplicate;
        max-count value;
        thresholds {
            send-cookie count;
            reduce-timeout count timeout seconds;
        }
    }
}
Hierarchy Level
[edit security ike]
Description
Defines the IKE session configuration.
At this hierarchy level you set the system-level parameters of the IKE session that govern how the device behaves during negotiations with remote peers. These settings control behavior under high load: a large number of half-open IKE SAs on the responder, or a peer that rekeys or sends keepalives faster than the responder wants to service.
Options
full-open
    Define the full-open IKE session parameters.

half-open
    Define the half-open IKE session parameters.

incoming-exchange-max-rates
    Define the maximum rates for incoming exchanges on full-open IKE sessions. Use this parameter to cap the rate of the exchanges a remote peer can initiate after the IKE SA is established.

ike-rekey value
    Specify the maximum rate of peer-initiated IKE rekeys. The rate applies per peer.

ipsec-rekey value
    Specify the maximum rate of peer-initiated IPsec SA rekeys. The rate applies per tunnel.

keepalive value
    Specify the maximum rate of peer-initiated keepalives, also known as dead peer detection (DPD) messages. The rate applies per peer.

backoff-timeouts
    Define the half-open IKE session backoff timeouts. During a backoff timeout, a remote peer whose session initiation has failed cannot start a new session initiation; once the timeout expires, the peer can initiate again. The scope is global, not per peer.

auth-phase-failure value
    Specify the backoff timeout applied when the IKE_AUTH phase fails.

init-phase-failure value
    Specify the backoff timeout applied when the SA_INIT phase fails.

discard-duplicate
    Discard duplicate IKE session initiation requests from a peer. When a half-open IKE SA already exists for the same remote peer, the new initiation request is discarded without sending any response. The scope is global, not per peer.

max-count value
    Maximum number of half-open IKE sessions in which the local end is the responder. The scope is global, not per peer.

thresholds
    Define the half-open IKE session thresholds. These set limits on the half-open IKE SA count at which the responder takes action against new connections. The values are percentages of the total half-open IKE SAs. The scope is global, not per peer. If you set the

reduce-timeout count timeout seconds
    Specify at count the minimum number of half-open IKE sessions at which the reduce-timeout action is enforced; this is the limit from which the lifetime of new half-open IKE SAs is reduced. Specify the reduced timeout value at seconds.

send-cookie count
    Specify the minimum number of half-open IKE sessions at which the cookie action is enforced. From this threshold on, the responder requests that remote peers retry session initiation with a cookie, which is sent back to the peer in the initial response.

timeout seconds
    Specify the half-open IKE session timeout: the lifetime of a half-open IKE SA on the responder, applied to new sessions. Existing sessions, and any deployment without an explicit configuration, use the default value. The initiator continues to use a 60-second timeout. The scope is global, not per peer.
The remaining statements are explained separately. See CLI Explorer.
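The following is an added configuration example, not part of the original page, showing the complete session hierarchy at [edit security ike] with every statement described above populated. All numeric values are illustrative assumptions chosen to show how the statements relate to each other; they are not documented defaults, and the page does not state the units of the three rate values, so verify the permitted ranges and units on your platform before committing. Comments use the /* */ annotation form as displayed by the Junos CLI.

```junos
security {
    ike {
        session {
            full-open {
                /* Caps on what an already-authenticated peer may initiate. */
                incoming-exchange-max-rates {
                    /* Assumed value; enforced per peer. */
                    ike-rekey 1;
                    /* Assumed value; enforced per tunnel (child SA). */
                    ipsec-rekey 1;
                    /* Assumed value; DPD/keepalive rate, per peer. */
                    keepalive 1;
                }
            }
            half-open {
                /* Assumed value: responder-side lifetime of a half-open SA,
                   shorter than the initiator's fixed 60 seconds. */
                timeout 30;
                /* Assumed values: how long a failed peer must wait before
                   it may start a new SA_INIT. Global, not per peer. */
                backoff-timeouts {
                    init-phase-failure 5;
                    auth-phase-failure 10;
                }
                /* Drop repeat IKE_SA_INIT from a peer that already has a
                   half-open SA, without replying. */
                discard-duplicate;
                /* Assumed value: hard ceiling on responder half-open SAs. */
                max-count 10000;
                /* Percentages of the half-open SA total (assumed to be read
                   against max-count): at 50% start demanding cookies, at 75%
                   give new half-open SAs only a 10-second lifetime. */
                thresholds {
                    send-cookie 50;
                    reduce-timeout 75 timeout 10;
                }
            }
        }
    }
}
```

When tuning, keep the two thresholds ordered so that the cheaper cookie check (send-cookie) triggers before the lifetime reduction (reduce-timeout), and set both below 100 so that max-count remains the last line of defense rather than the first action taken. In set form the same configuration reads, for example, `set security ike session half-open thresholds send-cookie 50`.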
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
session statement introduced in Junos OS Release 23.4R1.