gateway (Security IKE)
Syntax
gateway gateway-name {
    aaa {
        access-profile access-profile {
            config-payload-password config-payload-password;
        }
        client {
            password;
            username;
        }
    }
    address [ip-addresses-or-hostnames];
    advpn {
        suggester {
            disable;
        }
        partner {
            connection-limit number;
            idle-threshold packets/sec;
            idle-time seconds;
            disable;
        }
    }
    dead-peer-detection {
        (always-send | optimized | probe-idle-tunnel);
        interval seconds;
        threshold number;
    }
    dynamic {
        connections-limit number;
        distinguished-name {
            container container-string;
            wildcard wildcard-string;
        }
        general-ikeid;
        hostname domain-name;
        ike-user-type (group-ike-id | shared-ike-id);
        inet ip-address;
        inet6 ipv6-address;
        reject-duplicate-connection;
        user-at-hostname e-mail-address;
    }
    external-interface external-interface-name;
    fragmentation {
        disable;
        size bytes;
    }
    general-ikeid;
    ike-policy policy-name;
    local-address (ipv4-address | ipv6-address);
    local-identity {
        (distinguished-name | hostname hostname | inet ip-address | inet6 ipv6-address | key-id | user-at-hostname e-mail-address);
    }
    nat-keepalive seconds;
    no-nat-traversal;
    node-local;
    remote-identity {
        (distinguished-name <container container-string> <wildcard wildcard-string> | hostname hostname | inet ip-address | inet6 ipv6-address | key-id | user-at-hostname e-mail-address);
    }
    tcp-encap-profile profile-name;
    version (v1-only | v2-only);
}
Hierarchy Level
[edit security ike]
Description
Configure an IKE gateway.
Options
| Option | Description |
|---|---|
| gateway-name | Name of the gateway. |
| address | Specify either the IPv4 or IPv6 addresses or the hostnames of the primary Internet Key Exchange (IKE) gateway (peer) and up to four backup gateways. Consider the following points before configuring multiple peer addresses with IPsec VPN running the iked process: |
| aaa | Specify that extended authentication is performed in addition to IKE Phase 1 authentication for remote users trying to access a VPN tunnel. |
| advpn | Enable the Auto Discovery VPN (ADVPN) protocol on the specified gateway. ADVPN dynamically establishes VPN tunnels between spokes to avoid routing traffic through the hub. |
| dead-peer-detection | Enable the device to use dead peer detection (DPD). |
| dynamic | Specify the identifier for the remote gateway with a dynamic IPv4 or IPv6 address. Use this statement to set up a VPN with a gateway that has an unspecified IPv4 or IPv6 address. |
| external-interface | Name of the interface to be used to send traffic to the IPsec VPN. Specify the outgoing interface for IKE SAs. This interface is associated with a zone that acts as its carrier, providing firewall security for it. |
| fragmentation | Disable IKEv2 packet fragmentation, or configure the maximum size of an IKEv2 message before the message is split into fragments that are individually encrypted and authenticated. |
| general-ikeid | Accept peer IKE-ID in general. |
| ike-policy | Specify the IKE policy to be used for the gateway. |
| local-address | Local IP address for IKE negotiations. Specify the local gateway address. Multiple addresses in the same address family can be configured on an external physical interface to a VPN peer. If this is the case, we recommend that |
| local-identity | Specify the local IKE identity to send in the exchange with the destination peer to establish communication. |
| nat-keepalive | Specify the interval, in seconds, at which NAT keepalive packets are sent so that the NAT translation is maintained. The default value changed from 5 seconds to 20 seconds in Junos OS Release 12.1X46-D10. |
| node-local | Mark an IPsec VPN tunnel between Multinode High Availability nodes and a VPN peer device as a node-local tunnel. Node-local tunnels support dynamic routing protocols, which allow the device to add routes dynamically. These routes remain local to a node and are not bound to any services redundancy group (SRG). Use this option only for Multinode High Availability. |
| no-nat-traversal | Disable IPsec NAT traversal. Disables UDP encapsulation of IPsec Encapsulating Security Payload (ESP) packets, otherwise known as Network Address Translation Traversal (NAT-T). NAT-T is enabled by default. |
| tcp-encap-profile | Specify the TCP encapsulation profile to be used for TCP connections from remote access clients. |
| version | Specify the IKE version to use to initiate the connection. |
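As an added example (not taken from the Junos documentation itself), the following configuration combines several of the options above: a site-to-site gateway pinned to IKEv2 with dead peer detection, IKEv2 fragmentation and a backup peer address, and a remote-access gateway for peers with dynamic addresses. All gateway names, policy names, hostnames, interface names and addresses are constructed placeholders, and the IKE policies are assumed to be defined elsewhere.

```junos
security {
    ike {
        gateway site-a-gw {                        # constructed name
            ike-policy ike-pol-v2;                 # assumed IKE policy defined under [edit security ike policy]
            address [ 198.51.100.10 198.51.100.11 ];  # primary peer plus one backup (constructed addresses);
                                                   # multiple peer addresses with iked need 23.4R1 or later
            dead-peer-detection {
                optimized;                         # probe only when no traffic is seen from the peer
                interval 10;                       # seconds between probes
                threshold 3;                       # unanswered probes before the peer is declared dead
            }
            fragmentation {
                size 1280;                         # split larger IKEv2 messages before they are encrypted
            }
            local-identity {
                hostname vpn-a.example.net;        # identity we present (constructed)
            }
            remote-identity {
                hostname vpn-b.example.net;        # identity the peer must present (constructed)
            }
            external-interface ge-0/0/0.0;         # outgoing interface for the IKE SA (constructed)
            local-address 203.0.113.5;             # pin the source when the interface carries several addresses
            version v2-only;                       # do not negotiate IKEv1 with this peer
        }
        gateway remote-access-gw {                 # constructed name
            ike-policy ike-pol-ra;                 # assumed IKE policy for remote-access clients
            dynamic {
                hostname example.net;              # domain suffix shared by the clients' IKE IDs (constructed)
                ike-user-type group-ike-id;        # one gateway entry serves every client under that suffix
                connections-limit 100;             # cap the number of concurrent client tunnels
                reject-duplicate-connection;       # refuse a second tunnel from an IKE ID that is already up
            }
            external-interface ge-0/0/0.0;
            nat-keepalive 20;                      # keep NAT bindings alive for clients behind NAT
            version v2-only;
        }
    }
}
```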
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 8.5. Support for IPv6 addresses added in Junos OS Release 11.1. The inet6 option added in Junos OS Release 11.1. Support for the advpn option added in Junos OS Release 12.3X48-D10. The fragmentation option introduced in Junos OS Release 15.1X49-D80. The tcp-encap-profile option introduced in Junos OS Release 15.1X49-D80. The general-ikeid option under the [edit security ike gateway gateway-name dynamic] hierarchy introduced in Junos OS Release 21.1R1. The node-local option introduced in Junos OS Release 23.2R1. Support for multiple peer addresses in the address option for IPsec VPN running the iked process introduced in Junos OS Release 23.4R1.