ipsec (High Availability)

Syntax

Hierarchy Level

Description

Define IPsec configuration for the multinode high availability feature. A VPN connection can link two LANs (site-to-site VPN) or a remote dial-up user and a LAN. The traffic that flows between these two points passes through shared resources such as routers, switches, and other network equipment that make up the public WAN. An IPsec tunnel is created between two participant devices to secure VPN communication.

Options

vpn-name

Configure an IPsec VPN. A VPN provides a means by which remote computers communicate securely across a public WAN such as the Internet.

The VPN name you configure here must be identical to the profile-name you give as vpn-profile in the set chassis high-availability peer-id peer-id vpn-profile profile-name configuration; the two statements are matched by name.

ha-link-encryption

Configure an interchassis link tunnel that encrypts the HA traffic flowing between the nodes. Only site-to-site IPsec VPN tunnels are supported for interchassis link tunnels. Both PSK and PKI (certificate-based) authentication methods are supported.

gateway-name

Name of the remote IKE gateway.

ipsec-policy-name

Specify the IPsec policy name.

proposal-name

Name of the IPsec proposal. An IPsec proposal lists protocols and algorithms (security services) to be negotiated with the remote IPsec peer.

description

Text description of IPsec proposal.

encryption-algorithm

Define the encryption algorithm. The device deletes the existing IPsec SAs when you change the encryption-algorithm configuration in the IPsec proposal, so make the change when a tunnel renegotiation is acceptable.

A commit error is thrown if any value other than aes-256-gcm is configured.

  • Values:

    • aes-256-gcm—AES GCM 256-bit encryption algorithm.

      AES-GCM is an authenticated-encryption (AEAD) algorithm: it provides integrity as well as confidentiality, so no separate authentication-algorithm is configured alongside it. When aes-256-gcm is also used in an IKE proposal, IKEv2 is required; in that case configure aes-256-gcm at the [edit security ipsec proposal proposal-name] hierarchy level and do not configure the authentication-algorithm option at the [edit security ike proposal proposal-name] hierarchy level.

lifetime-seconds

Lifetime in seconds.

  • Range: 180 through 86400

  • Default: 3600 seconds

protocol

Define the IPsec protocol for a manual or dynamic security association (SA).

A commit error is thrown if any value other than esp is configured.

  • Values:

    • esp—Encapsulating Security Payload (ESP) header

policy-name

Define an IPsec policy. An IPsec policy defines a combination of security parameters (IPsec proposals) used during IPsec negotiation. It defines Perfect Forward Secrecy (PFS) and the proposals needed for the connection.

description

Enter descriptive text for an IPsec policy.

proposal-name

Specify one or more proposals for an IPsec policy.
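The following set-command configuration is an added example and is not taken from this page; it shows how the options above fit together for an encrypted interchassis link. All names (HA-IPSEC-PROP, HA-IPSEC-POL, HA-LINK-VPN, HA-GW) and the peer-id value are assumptions, the ike gateway HA-GW is assumed to already exist under [edit security ike] with an IKEv2 gateway definition that the page does not show, and the ike gateway / ike ipsec-policy nesting under the vpn statement is assumed from the standard security ipsec vpn syntax because the page's Syntax section is blank.

```junos
## Added example, not from the Juniper page. Names and peer-id are assumptions.

## IPsec proposal for the interchassis link. Only protocol esp and
## encryption-algorithm aes-256-gcm are accepted here; any other value is a
## commit error. aes-256-gcm is AEAD, so no authentication-algorithm is set.
set security ipsec proposal HA-IPSEC-PROP description "ICL encryption proposal"
set security ipsec proposal HA-IPSEC-PROP protocol esp
set security ipsec proposal HA-IPSEC-PROP encryption-algorithm aes-256-gcm
set security ipsec proposal HA-IPSEC-PROP lifetime-seconds 3600

## IPsec policy that references the proposal.
set security ipsec policy HA-IPSEC-POL description "ICL encryption policy"
set security ipsec policy HA-IPSEC-POL proposals HA-IPSEC-PROP

## Site-to-site VPN flagged as the interchassis link tunnel.
## HA-GW is an assumed, pre-existing IKEv2 gateway under [edit security ike].
set security ipsec vpn HA-LINK-VPN ha-link-encryption
set security ipsec vpn HA-LINK-VPN ike gateway HA-GW
set security ipsec vpn HA-LINK-VPN ike ipsec-policy HA-IPSEC-POL

## The vpn-profile on the HA peer must carry exactly the VPN name above.
## peer-id 2 is an assumed value for the other node.
set chassis high-availability peer-id 2 vpn-profile HA-LINK-VPN
```

Before committing, confirm the three constraints the page states: the proposal uses protocol esp and encryption-algorithm aes-256-gcm only, lifetime-seconds is within 180 through 86400, and the vpn-profile name on the peer matches the vpn name character for character; a mismatch in any of these is a commit error rather than a runtime failure.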

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 20.4R1.