Understanding Group Servers and Members
The center of a group VPN is the group server. The group server performs the following tasks:
- Controls group membership
- Generates encryption keys
- Manages group SAs and keys and distributes them to group members
Group members encrypt traffic based on the group SAs and keys provided by the group server.
A group server can service multiple groups. A single security device can be a member of multiple groups.
Each group is identified by a group identifier, a number from 1 through 65,535. The group identifier is what ties the group server and the group members together: a group has exactly one identifier, and no two groups can share the same identifier.
The following is a high-level view of group VPN server and member actions:
- The group server listens on UDP port 848 for members to register. A member device must complete IKE Phase 1 authentication with the server before it can join the group; preshared key authentication is supported on a per-member basis.
- Upon successful authentication and registration, the member device retrieves group SAs and keys from the server with a GDOI groupkey-pull exchange.
- The server adds the member to the membership for the group.
- Group members exchange packets encrypted with group SA keys.
The server periodically refreshes group SAs and keys by sending rekey (GDOI groupkey-push) messages to group members. Rekey messages are sent before the current SAs expire, so that members always hold valid keys for encrypting traffic between them.
The server also sends rekey messages to distribute new keys when group membership changes or when a group SA has changed.
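The registration, groupkey-pull and rekey (groupkey-push) sequence above, as an added Python model. This is not code from the original page and not Juniper code. It keeps the roles and numbers the page gives (group identifiers 1 through 65,535, per-member preshared keys, a rekey before SA expiry and a rekey on membership change); everything else is an assumption for illustration: the GroupSA, GroupServer and GroupMember classes, an HMAC over the preshared key standing in for IKE Phase 1 authentication, a toy HMAC keystream cipher in place of ESP, the constructed member names srx-a, srx-b and srx-c with constructed keys, and the 3600-second SA lifetime and 300-second rekey margin. No GDOI messages are encoded and nothing listens on UDP port 848.

```python
import hashlib
import hmac
import os
from typing import NamedTuple, Optional

# Toy model of the roles described above; the classes, the HMAC "proof" standing in for IKE Phase 1
# preshared-key authentication and the HMAC keystream cipher are assumptions, not GDOI or Junos.
class GroupSA(NamedTuple):
    spi: int            # identifies which group key a packet was protected with
    key: bytes          # group traffic key, identical on every member
    expires_at: float   # absolute time after which the SA must not be used

def psk_proof(psk: bytes, member_id: str, group_id: int) -> bytes:
    return hmac.new(psk, f"{member_id}:{group_id}".encode(), hashlib.sha256).digest()

def keystream(sa: GroupSA, seq: bytes, length: int) -> bytes:
    # toy CTR-style keystream bound to (group key, SPI, per-packet sequence number)
    return b"".join(hmac.new(sa.key, sa.spi.to_bytes(4, "big") + seq + bytes([i]), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]

class GroupServer:
    def __init__(self, sa_lifetime: float, rekey_margin: float):
        self.member_psks: dict[str, bytes] = {}                  # per-member preshared keys
        self.members: dict[int, dict[str, "GroupMember"]] = {}   # group_id -> registered members
        self.sas: dict[int, GroupSA] = {}                        # group_id -> current group SA
        self.lifetime, self.margin = sa_lifetime, rekey_margin

    def create_group(self, group_id: int, now: float) -> None:
        if not 1 <= group_id <= 65535:
            raise ValueError("group identifier must be between 1 and 65535")
        if group_id in self.sas:
            raise ValueError("group identifier already in use")   # one identifier per group
        self.members[group_id] = {}
        self._rekey(group_id, now)                                # initial SA; nobody to push to yet

    def register(self, member: "GroupMember", group_id: int, proof: bytes) -> GroupSA:
        psk = self.member_psks.get(member.member_id)             # Phase 1: per-member preshared key
        if psk is None or not hmac.compare_digest(proof, psk_proof(psk, member.member_id, group_id)):
            raise PermissionError("IKE Phase 1 authentication failed")
        self.members[group_id][member.member_id] = member        # KeyError for an unknown group
        return self.sas[group_id]                                # groupkey-pull: current SA and key

    def _rekey(self, group_id: int, now: float) -> None:
        # groupkey-push: issue a fresh SA and deliver it to every current member
        self.sas[group_id] = sa = GroupSA(int.from_bytes(os.urandom(4), "big"), os.urandom(32), now + self.lifetime)
        for member in self.members[group_id].values():
            member.on_push(group_id, sa)

    def remove_member(self, member_id: str, group_id: int, now: float) -> None:
        self.members[group_id].pop(member_id, None)
        self._rekey(group_id, now)   # membership changed: the departed device must lose the keys

    def tick(self, now: float) -> list[int]:
        # periodic check: rekey every group whose SA would otherwise expire within the margin
        due = [g for g, sa in self.sas.items() if sa.expires_at - now <= self.margin]
        for g in due:
            self._rekey(g, now)
        return due

class GroupMember:
    def __init__(self, member_id: str, psk: bytes):
        self.member_id, self.psk, self.seq, self.sas = member_id, psk, 0, {}   # sas: group_id -> SA

    def join(self, server: GroupServer, group_id: int) -> None:
        self.sas[group_id] = server.register(self, group_id, psk_proof(self.psk, self.member_id, group_id))

    def on_push(self, group_id: int, sa: GroupSA) -> None:
        self.sas[group_id] = sa

    def encrypt(self, group_id: int, plaintext: bytes) -> bytes:
        sa, self.seq = self.sas[group_id], self.seq + 1
        header = sa.spi.to_bytes(4, "big") + self.seq.to_bytes(4, "big")
        return header + bytes(p ^ k for p, k in zip(plaintext, keystream(sa, header[4:], len(plaintext))))

    def decrypt(self, group_id: int, packet: bytes) -> Optional[bytes]:
        sa, body = self.sas.get(group_id), packet[8:]
        if sa is None or int.from_bytes(packet[:4], "big") != sa.spi:
            return None   # protected under an SA this device does not hold (e.g. after a rekey)
        return bytes(c ^ k for c, k in zip(body, keystream(sa, packet[4:8], len(body))))

def demo() -> dict:
    now, server = 1000.0, GroupServer(sa_lifetime=3600.0, rekey_margin=300.0)
    server.member_psks = {m: hashlib.sha256(m.encode()).digest() for m in ("srx-a", "srx-b", "srx-c")}
    server.create_group(1, now)
    a, b, c = (GroupMember(m, server.member_psks[m]) for m in ("srx-a", "srx-b", "srx-c"))
    for m in (a, b, c):
        m.join(server, 1)
    try:                                                                # known identity, wrong PSK
        GroupMember("srx-b", b"wrong psk").join(server, 1)
        rejected = False
    except PermissionError:
        rejected = True
    pkt = a.encrypt(1, b"hello group")
    before = (b.decrypt(1, pkt), c.decrypt(1, pkt))
    server.remove_member("srx-c", 1, now)         # membership change: push goes to a and b only
    pkt = a.encrypt(1, b"after rekey")
    after = (b.decrypt(1, pkt), c.decrypt(1, pkt))
    due = server.tick(now + 3400.0)               # 200 s before expiry: periodic rekey push
    return {"rejected": rejected, "before": before, "after": after, "periodic_rekey": due}
```

demo() walks the sequence end to end: three members authenticate and pull the group SA, a device presenting a wrong preshared key is refused before it is ever added to the membership, and all members can decrypt each other's packets. Once srx-c is removed, the server pushes a fresh SA only to the remaining members, so a packet sent afterwards decrypts on srx-b but not on srx-c, which still holds the old SPI and key. The tick() call shows the time-driven rekey firing inside the margin before the SA's expiry. The toy cipher carries no integrity tag and no replay window; those are what ESP and the antireplay feature covered elsewhere on this page add on top of the group keys.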
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Group VPN Overview
- Understanding the GDOI Protocol
- Understanding Colocation Mode
- Understanding Dynamic Policies
- Understanding Antireplay
- Group VPN Configuration Overview