server (Security Group VPN)
Syntax
server {
    group name {
        anti-replay-time-window milliseconds;
        description description;
        group-id number;
        ike-gateway [gateway-name];
        ipsec-sa name {
            match-policy policy-name {
                destination ip-address/netmask;
                destination-port number;
                protocol number;
                source ip-address/netmask;
                source-port number;
            }
            proposal proposal-name;
        }
        member-threshold number;
        server-cluster {
            ike-gateway gateway-name;
            retransmission-period seconds;
            server-role (root-server | sub-server);
        }
        server-member-communication {
            certificate certificate-id;
            communication-type unicast;
            encryption-algorithm (aes-128-cbc | aes-192-cbc | aes-256-cbc);
            lifetime-seconds seconds;
            number-of-retransmission number;
            retransmission-period seconds;
            sig-hash-algorithm (sha-256 | sha-384);
        }
    }
    ike {
        gateway gateway-name {
            address ip-address;
            dead-peer-detection {
                always-send;
                interval seconds;
                threshold number;
            }
            dynamic {
                (hostname hostname | inet ip-address | user-at-hostname e-mail-address);
            }
            ike-policy policy-name;
            local-address ip-address;
            local-identity {
                (hostname hostname | inet ip-address | user-at-hostname e-mail-address);
            }
            remote-identity {
                (hostname [hostname] | inet ip-address | user-at-hostname e-mail-address);
            }
            routing-instance routing-instance;
        }
        policy policy-name {
            description text;
            mode (aggressive | main);
            pre-shared-key (ascii-text key | hexadecimal key);
            proposals [proposal-name];
        }
        proposal proposal-name {
            authentication-algorithm (sha-256 | sha-384);
            authentication-method pre-shared-keys;
            description description;
            dh-group (group14 | group24);
            encryption-algorithm (aes-128-cbc | aes-192-cbc | aes-256-cbc);
        }
    }
    ipsec {
        proposal proposal-name {
            authentication-algorithm hmac-sha-256-128;
            description description;
            encryption-algorithm (aes-128-cbc | aes-192-cbc | aes-256-cbc);
            lifetime-seconds seconds;
        }
    }
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            size maximum-file-size;
            (world-readable | no-world-readable);
        }
        flag flag;
        gateway-filter {
            local-address ip-address;
            remote-address ip-address;
        }
        level (all | error | info | notice | verbose | warning);
        no-remote-trace;
    }
}
Hierarchy Level
[edit security group-vpn]
Description
Configure the group VPN server. You can configure the following on the group server:
Phase 1 IKE SA for group members
Phase 2 IPsec proposal
Group identifier, group members, server-member communications, and group policies to be downloaded to members
Group VPN trace options
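The following constructed configuration is an added example, not part of the original page. It uses only statements from the Syntax section to show how they reference one another: the group names an IKE gateway, the gateway names an IKE policy, the policy names an IKE proposal, and the ipsec-sa names an IPsec proposal. All object names, addresses, numeric values, and the pre-shared key are placeholders chosen for illustration.

```junos
# Constructed example under [edit security group-vpn]; all values are placeholders.
server {
    ike {
        proposal GVPN-IKE-PROP {
            authentication-method pre-shared-keys;
            authentication-algorithm sha-256;
            dh-group group14;
            encryption-algorithm aes-256-cbc;
        }
        policy GVPN-IKE-POL {
            mode main;
            proposals GVPN-IKE-PROP;                      # references the IKE proposal above
            pre-shared-key ascii-text "PLACEHOLDER-KEY";  # placeholder, not a real key
        }
        gateway GM-0001 {
            ike-policy GVPN-IKE-POL;                      # references the IKE policy above
            address 192.0.2.10;                           # group member (documentation range)
            local-address 192.0.2.1;                      # this server (documentation range)
        }
    }
    ipsec {
        proposal GVPN-IPSEC-PROP {
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
    }
    group GROUP-0001 {
        group-id 1;
        member-threshold 2000;
        ike-gateway GM-0001;                              # references the IKE gateway above
        anti-replay-time-window 1000;                     # milliseconds
        server-member-communication {
            communication-type unicast;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 7200;
            sig-hash-algorithm sha-256;
        }
        ipsec-sa GROUP-0001-SA {
            proposal GVPN-IPSEC-PROP;                     # references the IPsec proposal above
            match-policy 1 {
                source 10.0.0.0/8;
                destination 10.0.0.0/8;
                protocol 0;
            }
        }
    }
}
```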
Options
gateway gateway-name | Configure the IKE gateway for the group VPN server. |
ike | Configure the Phase 1 security association (SA) with a member on the group server. |
ipsec | Configure an IPsec proposal for the Phase 2 exchange on the group server. |
traceoptions | Configure group VPN tracing options to aid in troubleshooting IKE issues. |
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 10.2.