Allow IPSec Traffic Passthrough



  • Hi guys,

    I configured the SRX to allow the IPSec traffic based on the "Configuring the IKE and ESP ALG (CLI)" document.

    When I run the command show security ike-esp-nat, I notice a lot of sessions don't have the responder cookie, like below. Is it normal?

    Initiator cookie: 18ce209ddf5b16fa
    Responder cookie: 00000000
    Session-ID:      34047
    ALG state :      1
    Timeout:          9852

    Initiator cookie: 2d9e4e5e154d7e52
    Responder cookie: 00000000
    Session-ID:      234717
    ALG state :      1
    Timeout:          9782

    BTW, what is the recommended value for the state-timeout, esp-gate-timeout and esp-session-timeout in the ike-esp-nat? The Juniper example used the following values.

    user@host# show security alg
    ike-esp-nat {
        enable;
        state-timeout 360;
        esp-gate-timeout 20;
        esp-session-timeout 2400;
    }
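    The entries quoted above can be checked mechanically. The following is an added example (not from the post or from Juniper) that parses `show security ike-esp-nat` output in the layout shown and lists the entries whose responder cookie is all zeros, i.e. where the initiator's first IKE message was seen but no matching reply from the responder has been recorded; the sample output is constructed.

    ```python
    import re
    from typing import Dict, List

    # Constructed sample in the layout of the `show security ike-esp-nat`
    # output quoted in the post: two entries without a responder cookie and
    # one completed entry (the third block is made up for the example).
    SAMPLE_OUTPUT = """\
    Initiator cookie: 18ce209ddf5b16fa
    Responder cookie: 00000000
    Session-ID:      34047
    ALG state :      1
    Timeout:          9852

    Initiator cookie: 2d9e4e5e154d7e52
    Responder cookie: 00000000
    Session-ID:      234717
    ALG state :      1
    Timeout:          9782

    Initiator cookie: 0a1b2c3d4e5f6071
    Responder cookie: 9f8e7d6c5b4a3928
    Session-ID:      300112
    ALG state :      2
    Timeout:          2300
    """

    # "key : value" lines; the key may contain spaces/hyphens ("ALG state :").
    FIELD_RE = re.compile(r"^(?P<key>[A-Za-z\- ]+?)\s*:\s*(?P<val>\S+)\s*$")


    def parse_ike_esp_nat(text: str) -> List[Dict[str, str]]:
        """Split the CLI output into one dict per blank-line-separated entry."""
        entries: List[Dict[str, str]] = []
        current: Dict[str, str] = {}
        for line in text.splitlines():
            if not line.strip():          # blank line ends the current entry
                if current:
                    entries.append(current)
                    current = {}
                continue
            m = FIELD_RE.match(line.strip())
            if m:
                current[m.group("key").strip().lower()] = m.group("val")
        if current:
            entries.append(current)
        return entries


    def half_open_sessions(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
        """Entries whose responder cookie is all zeros: the IKE exchange has not
        been answered, so the ALG has only seen the initiator side so far."""
        return [e for e in entries if set(e.get("responder cookie", "")) == {"0"}]


    if __name__ == "__main__":
        for e in half_open_sessions(parse_ike_esp_nat(SAMPLE_OUTPUT)):
            print(f"session {e['session-id']}: no responder cookie, timeout {e['timeout']}s")
    ```

    A long-lived backlog of such entries, rather than a few that clear within the state-timeout, is what would point at a real reachability or NAT problem.
    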

