
manual (Security IPsec)

Syntax

Hierarchy Level

Description

Define a manual IPsec security association (SA).

Options

authentication algorithm

Hash algorithm that authenticates packet data. It can be one of the following:

  • hmac-md5-96—Produces a 128-bit digest.

  • hmac-sha-256-128—Provides data origin authentication and integrity protection. This version of the hmac-sha-256 authenticator produces a 256-bit digest and specifies truncation to 128 bits.

  • hmac-sha1-96—Hash algorithm that authenticates packet data. It produces a 160-bit digest. Only 96 bits are used for authentication.

  • authentication key—Type of authentication key. It can be one of the following:

    • ascii-text key—ASCII text key. For hmac-md5-96, the key is 16 ASCII characters; for hmac-sha1-96, the key is 20 ASCII characters.

    • hexadecimal key—Hexadecimal key. For hmac-md5-96, the key is 32 hexadecimal characters; for hmac-sha1-96, the key is 40 hexadecimal characters.

encryption algorithm

Select the encryption algorithm for the internal Routing-Engine-to-Routing-Engine IPsec security association (SA) configuration. It can be one of the following:

  • des-cbc—Encryption algorithm with a block size of 8 bytes (64 bits) and a key size of 48 bits.

  • 3des-cbc—Encryption algorithm with block size of 8 bytes (64 bits) and key size of 192 bits.

    For 3des-cbc, we recommend that the first 8 bytes be different from the second 8 bytes, and the second 8 bytes be the same as the third 8 bytes.

  • aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption algorithm.

  • aes-128-gcm—Advanced Encryption Standard (AES) 128-bit encryption algorithm in Galois/Counter Mode (GCM).

  • aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption algorithm.

  • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption algorithm.

  • aes-256-gcm—Advanced Encryption Standard (AES) 256-bit encryption algorithm in Galois/Counter Mode (GCM).

  • encryption key—Type of encryption key. It can be one of the following:

    • ascii-text key—ASCII text key. For the des-cbc option, the key contains 8 ASCII characters; for 3des-cbc, the key contains 24 ASCII characters.

    • hexadecimal key—Hexadecimal key. For the des-cbc option, the key contains 16 hexadecimal characters; for the 3des-cbc option, the key contains 48 hexadecimal characters.

external-interface

Specify the outgoing interface for the manual security association.

gateway

For a manual security association, specify the IPv4 or IPv6 address of the peer.

protocol

Define an IPsec protocol for the manual security association.

  • Values:

    • ah—Authentication Header protocol

    • esp—Encapsulating Security Payload (ESP) protocol. To use ESP, you must also configure the tunnel statement at the [edit security ipsec security-association sa-name mode] hierarchy level.

spi

Configure a security parameter index (SPI) for a security association (SA). The SPI is an arbitrary value that uniquely identifies which SA the receiving host (the destination address in the packet) should use.

  • Range: 256 through 16,639
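The key-length rules for the authentication key and encryption key options, the 3des-cbc key recommendation, and the spi range above are easy to get wrong when a manual SA is typed by hand. The following is an added example, not Juniper code: a small pre-commit checker that encodes exactly those rules from this page. The function names and the dict layout are this example's own.

```python
"""Check key material and SPI for a Junos manual IPsec SA against the rules on this page.

Added example, not Juniper code. Algorithm and key-type names are the option values
documented above; only algorithms whose key lengths the page states are covered.
"""
import string

# Required key length per algorithm: (ascii-text characters, hexadecimal characters).
KEY_LENGTHS = {
    "hmac-md5-96": (16, 32),
    "hmac-sha1-96": (20, 40),
    "des-cbc": (8, 16),
    "3des-cbc": (24, 48),
}
SPI_RANGE = (256, 16639)  # documented range for the spi option


def check_key(algorithm, key_type, key):
    """Return a list of problems; an empty list means the key fits the stated rules."""
    if algorithm not in KEY_LENGTHS:
        return [f"no key-length rule on the page for {algorithm}"]
    ascii_len, hex_len = KEY_LENGTHS[algorithm]
    problems = []
    if key_type == "ascii-text":
        if len(key) != ascii_len:
            problems.append(f"{algorithm} ascii-text key must be {ascii_len} characters, got {len(key)}")
        raw = key.encode()
    elif key_type == "hexadecimal":
        if len(key) != hex_len or any(c not in string.hexdigits for c in key):
            return [f"{algorithm} hexadecimal key must be {hex_len} hex digits, got {len(key)}"]
        raw = bytes.fromhex(key)
    else:
        return [f"unknown key type {key_type}"]
    if algorithm == "3des-cbc" and len(raw) == 24:
        k1, k2 = raw[:8], raw[8:16]
        # The page recommends that the first 8 bytes differ from the second 8 bytes.
        # Caveat (not from the page): in the EDE construction, equal second and third
        # subkeys cancel each other and the cipher degrades to single-DES strength.
        if k1 == k2:
            problems.append("3des-cbc: first 8 bytes equal the second 8 bytes")
    return problems


def check_spi(spi):
    """True when the SPI lies in the documented range for a manual SA."""
    lo, hi = SPI_RANGE
    return lo <= spi <= hi


if __name__ == "__main__":
    # Constructed sample key: 40 hex digits for hmac-sha1-96.
    print(check_key("hmac-sha1-96", "hexadecimal", "ab" * 20), check_spi(300))
```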

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement modified in Junos OS Release 8.5. Support for IPv6 addresses added in Junos OS Release 11.1.

Support for hmac-sha-256-128 added to SRX5400, SRX5600, and SRX5800 devices in Junos OS Release 12.1X46-D20. Support for authentication algorithms (SHA1: hmac-sha1-96 and SHA2: hmac-sha-256-128) in PowerMode IPsec (PMI) mode is introduced for SRX4100, SRX4200, and vSRX Virtual Firewall in Junos OS Release 19.3R1. Support for vSRX Virtual Firewall 3.0 is introduced in Junos OS Release 20.1R1.

Support for cipher algorithms aes-128-cbc, aes-192-cbc, and aes-256-cbc in PowerMode IPsec (PMI) mode is introduced for SRX4100, SRX4200, and vSRX Virtual Firewall in Junos OS Release 19.3R1. Support for vSRX Virtual Firewall 3.0 is introduced in Junos OS Release 20.1R1.