group-vpn
Syntax
group-vpn {
    member {
        ike {
            gateway gateway-name;
            policy;
            proposal;
            traceoptions;
        }
        ipsec {
            vpn vpn-name {
                df-bit (clear | copy | set);
                exclude rule rule-name {
                    source-address ip-address/mask;
                    destination-address ip-address/mask;
                    application application;
                }
                fail-open rule rule-name {
                    source-address ip-address/mask;
                    destination-address ip-address/mask;
                    application application;
                }
                group id;
                group-vpn-external-interface interface;
                ike-gateway gateway-name;
                recovery-probe;
            }
        }
    }
    server {
        group name {
            anti-replay-time-window milliseconds;
            description description;
            group-id number;
            ike-gateway gateway-name;
            ipsec-sa;
            member-threshold number;
            server-cluster;
        }
        ike {
            gateway gateway-name;
            policy;
            proposal;
        }
        ipsec {
            proposal proposal-name;
        }
        traceoptions (Security Group VPN);
    }
}
Hierarchy Level
[edit security]
Description
Configure Group VPNs in Group VPNv2. Group VPNv2 extends the IPsec architecture to support SAs that are shared by a group of security devices. With Group VPNv2, any-to-any connectivity is achieved by preserving the original source and destination IP addresses in the outer header.
Options
| Option | Description |
| --- | --- |
| member | Configure group VPN member. |
| ike | Configure IPsec group VPN on the group member. |
| policy | Configure an IKE policy. |
| proposal | Define an IKE proposal. You can configure one or more IKE proposals. Each proposal is a list of IKE attributes to protect the IKE connection between the IKE host and its peer. |
| traceoptions | Configure group VPN tracing options to aid in troubleshooting IKE or server issues. |
| ipsec | Configure IPsec for Phase 2 exchange on the group member. |
| vpn | Configure IPsec VPN for Phase 2 exchange on the group member. |
| server | Configure group VPN server. |
| group | Configure group VPN on the group server. |
| anti-replay-time-window | Configure antireplay time in milliseconds. Specify a value from 1 to 60,000. Each IPsec packet contains a timestamp. The group member checks whether the packet's timestamp falls within the configured |
| description | Description of the group. |
| group-id number | Identifier for this group VPN. Specify a value from 1 to 4,294,967,295. |
| ike-gateway gateway-name | Define the group member for Phase 1 negotiation. There can be multiple instances of this option configured. When a group member sends its registration request to the server, the server checks to see that the member is configured for the group. |
| ipsec-sa | Configure the group SAs to be downloaded to members. There can be multiple group SAs downloaded to group members. |
| member-threshold | Specify the maximum number of group VPN members that can be accepted in the group. There is no default number. |
| server-cluster | Configure the Group Domain of Interpretation (GDOI) group controller/key server (GCKS) cluster for the specified group. All servers in a group VPN server cluster must be SRX Series Firewalls. |
| server-member-communication | Enable and configure server to member communication. When these options are configured, group members receive new keys before current keys expire. |
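The following is an added configuration example, not taken from this reference page or from Juniper, showing how the server-side group and the member-side vpn statements above fit together: the member's `group` value must equal the server's `group-id`, and each member's IKE gateway must be listed under the server group's `ike-gateway` or its registration is refused. The group, gateway, SA and rule names, the interface name and the addresses are assumptions; the gateway and SA parameters are not covered on this page and are left as annotations.

```junos
/* Key server: configured on the server device under [edit security group-vpn] */
server {
    group corp-any-to-any {
        group-id 1;                      /* members reference this value with "group 1" */
        member-threshold 50;             /* cap on accepted registrations; there is no default */
        anti-replay-time-window 100;     /* milliseconds, valid range 1 to 60,000 */
        ike-gateway gv-member-1;         /* defined under "server ike gateway gv-member-1" (assumed name) */
        ipsec-sa corp-sa {               /* SA name is an assumption; proposal settings not covered here */
        }
    }
}

/* Group member: configured on a separate member device under [edit security group-vpn] */
member {
    ipsec {
        vpn corp-gv {
            group 1;                                 /* must match the server's group-id */
            ike-gateway gv-server;                   /* defined under "member ike gateway gv-server" (assumed name) */
            group-vpn-external-interface ge-0/0/0.0; /* interface name is an assumption */
            df-bit copy;
            recovery-probe;
            /* exclude: traffic that never uses the group SA; keep such rules as narrow as possible */
            exclude rule mgmt-ssh {
                source-address 10.0.0.0/24;          /* constructed sample addresses */
                destination-address 10.255.0.10/32;
                application junos-ssh;               /* predefined Junos application */
            }
            /* fail-open: traffic passed in the clear while the member holds no valid group SA */
            fail-open rule dns-bootstrap {
                source-address 10.0.0.0/24;
                destination-address 10.255.0.53/32;
                application junos-dns-udp;           /* predefined Junos application */
            }
        }
    }
}
```

Because exclude and fail-open rules both carry traffic without group encryption, review them with the same care as an explicit security policy and match them to single hosts and applications rather than whole subnets wherever possible.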
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 10.2.