Example: Configuring Server-Member Communication for Multicast Rekey Messages

This example shows the configuration that enables the server to send multicast rekey messages to group members.

Before you begin:

  1. Configure the group server and members for IKE Phase 1 negotiation and Phase 2 IPsec SA. See Example: Configuring Group VPN (CLI) or Example: Configuring Group VPN with Server-Member Colocation (CLI).
  2. On the group server, configure the group g1. See Example: Configuring Group VPN (CLI) or Example: Configuring Group VPN with Server-Member Colocation (CLI).
  3. Configure the interface ge-0/0/1.0. This is the interface the server will use for sending multicast messages. See JUNOS Software Routing Protocols and Policies Configuration Guide for Security Devices.
  4. Configure the multicast group address 226.1.1.1. See JUNOS Software Routing Protocols and Policies Configuration Guide for Security Devices.

Note: IP multicast protocols must be configured to allow delivery of multicast traffic in the network. This example does not show multicast configuration. For information about configuring multicast protocols on Juniper Networks security devices, see the JUNOS Software Routing Protocols and Policies Configuration Guide for Security Devices.

Configuration instructions in this topic describe how to specify the following server-member communication for the group g1: multicast communication, multicast group 226.1.1.1, outgoing interface ge-0/0/1.0, encryption algorithm 3des-cbc, and signature hash algorithm sha1 (the hash algorithm used to authenticate rekey messages sent to members).

Default values are used for server heartbeats, KEK lifetime, and retransmissions.

To configure server-member communication:

  1. Set the communication type to multicast.
    [edit security group-vpn server group g1 server-member-communication]
    user@host# set communication-type multicast
  2. Set the multicast group to 226.1.1.1.
    [edit security group-vpn server group g1 server-member-communication]
    user@host# set multicast-group 226.1.1.1
  3. Set the ge-0/0/1.0 interface for outgoing multicast messages.
    [edit security group-vpn server group g1 server-member-communication]
    user@host# set multicast-outgoing-interface ge-0/0/1.0
  4. Set the encryption algorithm to 3des-cbc. (3DES is a legacy 64-bit-block cipher; on releases that offer AES for this statement, prefer an AES option such as aes-256-cbc for rekey messages.)
    [edit security group-vpn server group g1 server-member-communication]
    user@host# set encryption-algorithm 3des-cbc
  5. Set the hash algorithm used to authenticate rekey messages to sha1.
    [edit security group-vpn server group g1 server-member-communication]
    user@host# set sig-hash-algorithm sha1
  6. Confirm your configuration by entering the show security group-vpn server group g1 server-member-communication command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
    [edit]
    user@host# show security group-vpn server group g1 server-member-communication
    communication-type multicast;
    multicast-group 226.1.1.1;
    multicast-outgoing-interface ge-0/0/1.0;
    encryption-algorithm 3des-cbc;
    sig-hash-algorithm sha1;
  7. Commit the configuration if you are done configuring the device.
    [edit]
    user@host# commit
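The following Python script is an added example, not part of the Juniper documentation or of Junos itself. It takes the stanza configured above in "show | display set" form (embedded as a constructed sample), parses it, and checks the points a reviewer would want before commit: that the multicast group is actually a multicast address, that an outgoing interface is present when the communication type is multicast, that statement names are ones Junos accepts at this hierarchy (the page's own typo "communications-type" would be caught), and that the encryption and hash algorithms are not legacy ones. The hardened variant, the keywords aes-256-cbc and sha-256, and the statement names heartbeat, lifetime-seconds, number-of-retransmission and retransmission-period are assumptions about the running release and are not taken from this page.

```python
"""Lint a Junos group-VPN server-member-communication stanza.

Added example; not Juniper code.  Parses 'set ...' lines such as those
produced by 'show ... | display set' and reports weak or inconsistent
settings for multicast rekey delivery.
"""
import ipaddress
import re

# Constructed sample: the configuration from the page, in display-set form.
PAGE_CONFIG = """
set security group-vpn server group g1 server-member-communication communication-type multicast
set security group-vpn server group g1 server-member-communication multicast-group 226.1.1.1
set security group-vpn server group g1 server-member-communication multicast-outgoing-interface ge-0/0/1.0
set security group-vpn server group g1 server-member-communication encryption-algorithm 3des-cbc
set security group-vpn server group g1 server-member-communication sig-hash-algorithm sha1
"""

# Hardened variant.  ASSUMPTION: the running release accepts aes-256-cbc and
# sha-256 for these statements; check 'set encryption-algorithm ?' first.
HARDENED_CONFIG = (
    PAGE_CONFIG.replace("encryption-algorithm 3des-cbc", "encryption-algorithm aes-256-cbc")
    .replace("sig-hash-algorithm sha1", "sig-hash-algorithm sha-256")
)

# Statements shown on the page, plus ASSUMED names for the settings the page
# says are left at their defaults (heartbeat, KEK lifetime, retransmissions).
KNOWN_STATEMENTS = {
    "communication-type", "multicast-group", "multicast-outgoing-interface",
    "encryption-algorithm", "sig-hash-algorithm",
    "heartbeat", "lifetime-seconds", "number-of-retransmission", "retransmission-period",
}
WEAK_ENCRYPTION = {"des-cbc", "3des-cbc"}   # 64-bit block ciphers
WEAK_HASH = {"md5", "sha1"}

SET_LINE = re.compile(
    r"^set security group-vpn server group (\S+) server-member-communication (\S+)(?: (\S+))?$"
)


def parse_set_lines(text):
    """Return {group_name: {statement: value}} for server-member-communication lines."""
    groups = {}
    for raw in text.strip().splitlines():
        m = SET_LINE.match(raw.strip())
        if not m:
            continue  # lines from other hierarchies are ignored
        group, statement, value = m.groups()
        groups.setdefault(group, {})[statement] = value
    return groups


def lint_stanza(stanza):
    """Return a list of human-readable findings for one group's stanza."""
    findings = []
    for statement in stanza:
        if statement not in KNOWN_STATEMENTS:
            findings.append(f"unknown statement '{statement}' (typo? commit would reject it)")

    enc = stanza.get("encryption-algorithm")
    if enc in WEAK_ENCRYPTION:
        findings.append(f"encryption-algorithm {enc} is legacy; prefer an AES option")
    sig = stanza.get("sig-hash-algorithm")
    if sig in WEAK_HASH:
        findings.append(f"sig-hash-algorithm {sig} is weak; prefer a SHA-2 option if offered")

    if stanza.get("communication-type") == "multicast":
        group_addr = stanza.get("multicast-group")
        if group_addr is None:
            findings.append("communication-type multicast but no multicast-group configured")
        else:
            try:
                if not ipaddress.ip_address(group_addr).is_multicast:
                    findings.append(f"multicast-group {group_addr} is not a multicast address")
            except ValueError:
                findings.append(f"multicast-group {group_addr} is not a valid IP address")
        if "multicast-outgoing-interface" not in stanza:
            findings.append("communication-type multicast but no multicast-outgoing-interface")
    return findings


def lint_config(text):
    """Lint every group found in the text; returns {group_name: [findings]}."""
    return {name: lint_stanza(stanza) for name, stanza in parse_set_lines(text).items()}


if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("hardened config", HARDENED_CONFIG)):
        print(f"== {label}")
        for group, findings in lint_config(cfg).items():
            for f in findings or ["no findings"]:
                print(f"  {group}: {f}")
```

Run it against the output of `show security group-vpn server | display set` copied from the device; the page's configuration yields two findings (the 3des-cbc cipher and the sha1 hash), and the hardened variant yields none.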
