This is the documentation for the 19.02 version. Looking for the documentation of the latest version? Have a look here.

Security Associations

After establishing a secure channel, the two endpoints can negotiate an IPsec security association (IPsec SA) as a child entry. Multiple children can be configured as needed, though with routed IPsec only one is necessary.

tnsr(config-ipsec-crypto-ike)# child 1
tnsr(config-ike-child)# lifetime 3600

This example only has a single child, thus child 1. The child command enters IKE Child mode (ike-child).

The lifetime <x> command determines how long, in seconds, this child IPsec SA can live before it must be rekeyed. Most commonly this is set for an hour, or 3600 seconds.

tnsr(config-ike-child)# proposal 1
tnsr(config-ike-child-proposal)# encryption aes128
tnsr(config-ike-child-proposal)# integrity sha1
tnsr(config-ike-child-proposal)# group modp2048
tnsr(config-ike-child-proposal)# exit
tnsr(config-ike-child)# exit
tnsr(config-ipsec-crypto-ike)# exit
tnsr(config-ipsec-tun)# exit

Each child may have one or more proposal entries which define acceptable encryption, integrity, and DH Group (Perfect Forward Security, PFS) parameters to encrypt and validate the IPsec SA traffic. These work the same here as they do for IKE/ISAKMP as described in IKE Proposal.


Some vendor IPsec implementations refer to IPsec security association child entries as “Phase 2”, which may help when attempting to map values supplied by a peer to their corresponding values in TNSR.

This completes the configuration for the IPsec tunnel, at this point after exiting back to basic mode the tunnel will attempt to establish a connection to the peer.