Understanding IKE Phase 1 Configuration for Group VPN

An IKE Phase 1 SA between the group server and a group member establishes a secure channel in which to negotiate IPsec SAs that are shared by a group. For standard IPsec VPNs on Juniper Networks security devices, Phase 1 SA configuration consists of specifying an IKE proposal, policy, and gateway. For group VPN, the IKE Phase 1 SA configuration is similar to the configuration for standard IPsec VPNs, but is performed at the [edit security group-vpn] hierarchy.

In the IKE proposal configuration, you set the authentication method and the authentication and encryption algorithms that will be used to open a secure channel between participants. In the IKE policy configuration, you set the mode (main or aggressive) in which the Phase 1 channel will be negotiated, specify the type of key exchange to be used, and reference the Phase 1 proposal. In the IKE gateway configuration, you reference the Phase 1 policy.

The IKE Phase 1 configuration on the group server must match the IKE Phase 1 configuration on group members. On the server, use the [edit security group-vpn server ike] hierarchy to configure the IKE Phase 1 SA. On a group member, use the [edit security group-vpn member ike] hierarchy to configure the IKE Phase 1 SA.
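One way to check the matching requirement before committing, as an added example that is not Juniper's code: the script resolves gateway, policy, and proposal on each side and reports any Phase 1 parameter that differs. The object names and algorithm values in the two sample configurations are constructed, the statement names assume standard Junos IKE syntax under these hierarchies, and the script assumes one gateway per side with one proposal per policy.

```python
import re

# Constructed sample configurations; names and algorithm choices are illustrative.
SERVER = """
set security group-vpn server ike proposal srv-prop authentication-method pre-shared-keys
set security group-vpn server ike proposal srv-prop dh-group group14
set security group-vpn server ike proposal srv-prop authentication-algorithm sha-256
set security group-vpn server ike proposal srv-prop encryption-algorithm aes-256-cbc
set security group-vpn server ike policy srv-pol mode main
set security group-vpn server ike policy srv-pol proposals srv-prop
set security group-vpn server ike gateway gw-member1 ike-policy srv-pol
"""
MEMBER = """
set security group-vpn member ike proposal mem-prop authentication-method pre-shared-keys
set security group-vpn member ike proposal mem-prop dh-group group14
set security group-vpn member ike proposal mem-prop authentication-algorithm sha-384
set security group-vpn member ike proposal mem-prop encryption-algorithm aes-256-cbc
set security group-vpn member ike policy mem-pol mode main
set security group-vpn member ike policy mem-pol proposals mem-prop
set security group-vpn member ike gateway gw-server ike-policy mem-pol
"""

# Matches: set security group-vpn <role> ike <kind> <name> <statement> <value>
PAT = re.compile(
    r"^set security group-vpn (?:server|member) ike "
    r"(proposal|policy|gateway) (\S+) (\S+) (\S+)", re.M)

def phase1(config):
    """Follow gateway -> policy -> proposal and return the negotiated parameters."""
    objs = {}
    for kind, name, key, value in PAT.findall(config):
        objs.setdefault((kind, name), {})[key] = value
    gateway = next(v for (kind, _), v in objs.items() if kind == "gateway")
    policy = objs[("policy", gateway["ike-policy"])]
    proposal = objs[("proposal", policy["proposals"])]
    # Object names are local to each device; only the parameters must agree.
    return {"mode": policy.get("mode"), **proposal}

def mismatches(server_cfg, member_cfg):
    """Return {parameter: (server_value, member_value)} for every difference."""
    s, m = phase1(server_cfg), phase1(member_cfg)
    return {k: (s.get(k), m.get(k))
            for k in sorted(set(s) | set(m)) if s.get(k) != m.get(k)}

if __name__ == "__main__":
    print(mismatches(SERVER, MEMBER))
```

The preshared key itself is not compared here, since it is stored encrypted in the configuration and has to be verified out of band.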
