ipsec (Security Group VPN Member)

Syntax

Hierarchy Level

Description

Configure IPsec for Phase 2 exchange on the group member. Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX Virtual Firewall instances.

Options

vpn vpn-name

Name of the VPN.

df-bit

Specifies pre-fragmentation and post-fragmentation of IPsec traffic on the group member. One of the following options can be configured:

  • clear—Sets the outer IP Do Not Fragment (DF) bit to 0. When the packet size is larger than the path maximum transmission unit (path MTU), pre-fragmentation is done if the DF bit is not set in the inner packet and post-fragmentation is done if the DF bit is set in the inner packet. This is the default.

  • copy—Copies the DF bit from the inner header to the outer header. When the packet size is larger than the path MTU, pre-fragmentation is done if the DF bit is not set in the inner packet. If the DF bit is set in the inner packet, the packet is dropped and an ICMP message is sent back.

  • set—Sets the outer IP DF bit to 1. When the packet size is larger than the path MTU, pre-fragmentation is done if the DF bit is not set in the inner packet. If the DF bit is set in the inner packet, the packet is dropped and an ICMP message is sent back.

exclude rule

Specifies traffic to be excluded from Group VPN encryption. A maximum of 10 exclude rules can be configured. Source and destination addresses must be specified in ip-address/mask format; address books and address sets are not supported. Predefined and user-defined applications are supported, but application sets are not supported.

fail-open rule

Specifies the traffic to be sent in cleartext mode if there is no valid SA key available to protect the traffic. Traffic that is not specified by the fail-open rule is blocked if there is no valid SA key available to protect the traffic. A maximum of 10 fail-open rules can be configured. Source and destination addresses must be specified in ip-address/mask format; address books and address sets are not supported. Predefined and user-defined applications are supported, but application sets are not supported.

group id

Identifier configured for the Group VPN.

group-vpn-external-interface interface

Interface used by the group member to connect to the Group VPN peers. The interface must belong to the same zone as the to-zone configured at the [edit security ipsec-policy] hierarchy level for Group VPN traffic.

ike-gateway gateway-name

Name of the IKE gateway for the Group VPN.

recovery-probe

Enables initiation of groupkey-pull exchanges at specific intervals to update the member’s SA from the group server if the group member is determined to be out of synchronization with the group server and other group members. This option is disabled by default.
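The following configuration is an added example that is not part of this reference page; it shows the options described above in one member configuration. The VPN name, gateway name, group identifier, interface names, zone names and addresses are constructed. The `ike` gateway block, the `match` keywords inside the exclude and fail-open rules, and the `ipsec-policy` binding are written from the Group VPNv2 member configuration as generally documented, not from this page, and should be checked against the statement references for `gateway`, `exclude`, `fail-open` and `ipsec-policy` on the release in use.

```junos
security {
    zones {
        security-zone trust {
            interfaces {
                ge-0/0/1.0;
            }
        }
        /* The external interface must sit in the same zone as the
           to-zone of the ipsec-policy that references this VPN. */
        security-zone untrust {
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
    group-vpn {
        member {
            ike {
                /* Gateway block assumed from the member IKE reference;
                   addresses are constructed. */
                gateway gvpn-gw {
                    ike-policy gvpn-ike-pol;
                    server-address 192.0.2.10;
                    local-address 192.0.2.20;
                }
            }
            ipsec {
                vpn gvpn-1 {
                    ike-gateway gvpn-gw;
                    group-vpn-external-interface ge-0/0/0.0;
                    group 1;
                    /* Outer DF bit forced to 1: oversized inner packets that
                       carry DF are dropped with an ICMP reply rather than
                       being fragmented after encapsulation. */
                    df-bit set;
                    /* Off by default; lets the member re-pull its SA from
                       the server when it detects it is out of sync. */
                    recovery-probe;
                    /* Exclude rules bypass encryption entirely, so keep the
                       scope as narrow as the ip-address/mask form allows. */
                    exclude {
                        rule no-encrypt-icmp {
                            match {
                                source-address 10.1.0.0/16;
                                destination-address 10.2.0.0/16;
                                application junos-icmp-all;
                            }
                        }
                    }
                    /* Fail-open traffic leaves in cleartext only while no
                       valid SA key exists; everything else is blocked then. */
                    fail-open {
                        rule dns-while-no-key {
                            match {
                                source-address 10.1.0.0/16;
                                destination-address 10.2.0.53/32;
                                application junos-dns-udp;
                            }
                        }
                    }
                }
            }
        }
    }
    ipsec-policy {
        from-zone trust to-zone untrust {
            policy gvpn-pol {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    ipsec-group-vpn gvpn-1;
                }
            }
        }
    }
}
```

Two points follow from the option descriptions above: the exclude and fail-open rules are the only paths on which group traffic leaves the member unencrypted, so each of the (at most 10) rules should match a specific ip-address/mask pair and a single predefined or user-defined application rather than broad ranges, and because address books, address sets and application sets are not accepted here, any widening of these rules is visible directly in this block rather than indirectly through a shared object.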

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 10.2. df-bit, exclude rule, fail-open rule, and recovery-probe options added in Junos OS Release 15.1X49-D30 for vSRX Virtual Firewall.