Junos CLI Reference
ike (Security)

08-Jun-24

Syntax

ike {
    gateway name {
        (address address | dynamic (distinguished-name <container container> <wildcard wildcard> | hostname hostname | inet inet | inet6 inet6 | user-at-hostname user-at-hostname) <connections-limit connections-limit> <ike-user-type (group-ike-id | shared-ike-id)> <reject-duplicate-connection>);
        aaa {
            access-profile;
            client password password username username;
        }
        advpn {
            partner {
                connection-limit connection-limit;
                disable;
                idle-threshold idle-threshold;
                idle-time seconds;
            }
            suggester {
                disable;
            }
        }
        dead-peer-detection (always-send | optimized | probe-idle-tunnel);
        external-interface external-interface;
        fragmentation {
            disable;
            size size;
        }
        general-ikeid;
        ike-policy;
        local-address;
        local-identity (distinguished-name | hostname identity-hostname | inet identity-ipv4 | inet6 identity-ipv6 | key-id string-key-id | user-at-hostname identity-user);
        remote-identity (distinguished-name <container container> <wildcard wildcard> | hostname identity-hostname | inet identity-ipv4 | inet6 identity-ipv6 | key-id string-key-id | user-at-hostname identity-user);
        tcp-encap-profile profile-name;
        version (v1-only | v2-only);
    }
    policy name {
        certificate {
            local-certificate local-certificate;
            peer-certificate-type (pkcs7 | x509-signature);
            policy-oids policy-oids;
            trusted-ca (ca-profile ca-profile | trusted-ca-group trusted-ca-group);
        }
        description description;
        mode (aggressive | main);
        pre-shared-key (ascii-text ascii-text | hexadecimal hexadecimal);
        seeded-pre-shared-key (ascii-text key | hexadecimal key);
        proposal-set (basic | compatible | prime-128 | prime-256 | standard | suiteb-gcm-128 | suiteb-gcm-256);
        proposals [ proposals ... ];
        reauth-frequency reauth-frequency;
    }
    proposal proposal-name {
        authentication-algorithm (md5 | sha-256 | sha-384 | sha-512 | sha1);
        authentication-method (certificates | dsa-signatures | ecdsa-signatures-256 | ecdsa-signatures-384 | ecdsa-signatures-521 | pre-shared-keys | rsa-signatures);
        description description;
        dh-group dh-group (group1 | group14 | group15 | group16 | group19 | group2 | group20 | group21 | group24 | group5);
        encryption-algorithm (3des-cbc | aes-128-cbc | aes-128-gcm | aes-192-cbc | aes-256-cbc | aes-256-gcm | des-cbc);
        lifetime-seconds seconds;
    }
    respond-bad-spi <max-responses>;
    session {
        full-open {
            incoming-exchange-max-rates {
                ike-rekey value;
                ipsec-rekey value;
                keepalive value;
            }
        }
        half-open {
            timeout seconds;
            backoff-timeouts {
                init-phase-failure value;
                auth-phase-failure value;
            }
            discard-duplicate;
            max-count value;
            thresholds {
                send-cookie count;
                reduce-timeout count timeout seconds;
            }
        }
    }
    blocklists {
        blocklist-name {
            description text-description;
            rule rule-name {
                match {
                    role (initiator | responder);
                    id-type (inet | inet6 | hostname | distinguished-name | user-at-hostname | key-id);
                    id-pattern value;
                }
                then {
                    (discard | reject);
                    backoff timeout-value;
                }
            }
        }
    }
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            size maximum-file-size;
            (world-readable | no-world-readable);
        }
        level (critical | error | terse | warning | detail);
        flag flag (all | certificates | config | database | general | high-availability | ike | next-hop-tunnels | parse | policy-manager | routing-socket | thread | timer);
        no-remote-trace;
        rate-limit messages-per-second;
    }
}

Hierarchy Level

[edit security]

Description

Define the Internet Key Exchange (IKE) configuration. IKE is a key management protocol that creates dynamic security associations (SAs); it negotiates the SAs used by IPsec. An IKE configuration defines the algorithms and keys used to establish a secure connection with a peer security gateway.

Options

respond-bad-spi max-responses—(Optional) Enable responses to invalid IPsec Security Parameter Index (SPI) values and set the number of times the device responds per gateway. If the security associations (SAs) between two peers of an IPsec VPN become unsynchronized, the device resets the state of a peer so that the two peers are synchronized again.

  • Range: 1 through 30

  • Default: 5

traceoptions—Configure IKE tracing options to aid in troubleshooting IKE issues. This helps troubleshoot the negotiation of one or more tunnels through the standard trace file configuration. IKE tracing allows the user to view the detailed packet exchange and the negotiation information in Phase 1 and Phase 2. IKE tracing is not enabled by default. By default, all IKE and IPsec negotiations are logged to /var/log/kmd, but the user can also specify a customized file name when configuring the IKE traceoptions.

The remaining statements are explained separately. See CLI Explorer.
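As an added example that is not part of this reference page, the following configuration combines the statements above into one hardened IKE setup: an IKEv2-only gateway with a proposal using aes-256-cbc, sha-384 and group19, half-open session limits with a cookie challenge against IKE_SA_INIT floods, and a blocklist that discards a known-bad peer identity before authentication. All names, addresses (TEST-NET-3) and threshold values are constructed for illustration, and the pre-shared key is a placeholder.

```junos
security {
    ike {
        proposal ike-prop-strong {
            authentication-method pre-shared-keys;
            dh-group group19;
            authentication-algorithm sha-384;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy ike-pol-branch {
            proposals ike-prop-strong;
            /* placeholder secret; use a long random value in a real deployment */
            pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-SECRET";
        }
        gateway gw-branch {
            ike-policy ike-pol-branch;
            /* peer address is constructed (TEST-NET-3) */
            address 203.0.113.10;
            external-interface ge-0/0/0.0;
            local-identity hostname hub.example.net;
            remote-identity hostname branch1.example.net;
            dead-peer-detection optimized;
            version v2-only;
        }
        /* half-open SA cap and cookie challenge; values are illustrative */
        session {
            half-open {
                timeout 30;
                max-count 2000;
                thresholds {
                    send-cookie 500;
                }
            }
        }
        /* discard negotiations from an identity that should never reach this responder */
        blocklists {
            deny-unexpected-peers {
                rule drop-rogue-hostname {
                    match {
                        role responder;
                        id-type hostname;
                        id-pattern rogue.example.net;
                    }
                    then {
                        discard;
                    }
                }
            }
        }
    }
}
```

The session thresholds and blocklist pattern are illustrative; check the supported ranges for your platform and release before committing.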

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement modified in Junos OS Release 8.5.

Support for IPv6 addresses added in Junos OS Release 11.1.

Support for inet6 option added in Junos OS Release 11.1.

Support for group15, group16, group21, ecdsa-signatures-521, and sha-512 options added in Junos OS Release 19.1R1 on SRX5000 line with junos-ike package installed.

Starting in Junos OS Release 20.2R1, we’ve changed the help text description to NOT RECOMMENDED for the CLI options md5 and sha1 on devices running IKED with the junos-ike package installed.

Support for group15, group16, and group21 options added in Junos OS Release 20.3R1 on vSRX Virtual Firewall instances with junos-ike package installed.

Support for group15, group16, and group21 options added in Junos OS Release 21.1R1 on vSRX Virtual Firewall 3.0 instances with junos-ike package installed.

level option introduced in Junos OS Release 21.1R1.

Support for seeded-pre-shared-key option added in Junos OS Release 21.1R1.

Support for the session and blocklists options added in Junos OS Release 23.4R1.
