mode (Security Group VPN)
Statement introduced in Junos OS Release 8.5. Support for group-vpn hierarchies added in Junos OS Release 10.2.
Define the mode used for Internet Key Exchange (IKE) Phase 1 negotiations. Use aggressive mode only when you need to initiate an IKE key exchange without ID protection, for example when a peer unit has a dynamically assigned IP address. (The main option is not supported on dynamic VPN implementations.)
Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX instances.
The IKEv2 protocol does not negotiate using the mode configuration.
The device deletes existing IKE and IPsec SAs when you update the mode configuration in the IKE policy.
main—Main mode. Main mode is the recommended key-exchange method because it conceals the identities of the parties during the key exchange.
Configuring mode main for group VPN servers or members is not supported when the remote gateway has a dynamic address and the authentication method is pre-shared-keys.
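The mode rules above can be checked against an exported configuration. The following Python audit is an added example, not Juniper code: it flags group VPN IKE policies that use aggressive mode, and policies that combine mode main with a dynamic remote gateway and pre-shared-keys. The set-format statement names under security group-vpn (proposal authentication-method, policy proposals, gateway ike-policy and dynamic) and all object names and addresses are assumptions used for the constructed sample.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" format; statement layout and names are assumptions.
SAMPLE = """\
set security group-vpn member ike proposal PROP1 authentication-method pre-shared-keys
set security group-vpn member ike policy POL-A mode aggressive
set security group-vpn member ike policy POL-A proposals PROP1
set security group-vpn member ike gateway GW-A ike-policy POL-A
set security group-vpn member ike gateway GW-A address 192.0.2.10
set security group-vpn server ike proposal PROP2 authentication-method pre-shared-keys
set security group-vpn server ike policy POL-B mode main
set security group-vpn server ike policy POL-B proposals PROP2
set security group-vpn server ike gateway GW-B ike-policy POL-B
set security group-vpn server ike gateway GW-B dynamic hostname member1.example.net
"""

LINE = re.compile(r"^set security group-vpn (member|server) ike "
                  r"(proposal|policy|gateway) (\S+) (\S+)(?: (\S+))?")

def audit(config):
    """Return sorted (role, policy, issue) findings for the IKE Phase 1 mode."""
    mode, psk_props, pol_props = {}, set(), defaultdict(set)
    gw_policy, gw_dynamic = {}, set()
    for line in config.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        role, kind, name, key, val = m.groups()
        ident = (role, name)  # member and server hierarchies are separate namespaces
        if kind == "proposal" and (key, val) == ("authentication-method", "pre-shared-keys"):
            psk_props.add(ident)
        elif kind == "policy" and key == "mode":
            mode[ident] = val
        elif kind == "policy" and key == "proposals":
            pol_props[ident].add((role, val))
        elif kind == "gateway" and key == "ike-policy":
            gw_policy[ident] = (role, val)
        elif kind == "gateway" and key == "dynamic":
            gw_dynamic.add(ident)
    findings = []
    for ident, pmode in sorted(mode.items()):
        if pmode == "aggressive":
            findings.append((*ident, "aggressive: no ID protection"))
        dyn = any(gw in gw_dynamic for gw, pol in gw_policy.items() if pol == ident)
        if pmode == "main" and dyn and pol_props[ident] & psk_props:
            findings.append((*ident, "main + dynamic peer + pre-shared-keys: unsupported"))
    return findings
```

Run `audit()` over the output of `show configuration | display set` saved to a file; an aggressive-mode finding is a prompt to confirm the peer really has a dynamically assigned address.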
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.