ipsec (Security Group VPN Member)
Syntax
ipsec {
    vpn vpn-name {
        df-bit (clear | copy | set);
        exclude rule rule-name {
            source-address ip-address/mask;
            destination-address ip-address/mask;
            application application;
        }
        fail-open rule rule-name {
            source-address ip-address/mask;
            destination-address ip-address/mask;
            application application;
        }
        group id;
        group-vpn-external-interface interface;
        ike-gateway gateway-name;
        recovery-probe;
    }
}
Hierarchy Level
[edit security group-vpn member]
Release Information
Statement introduced in Junos OS Release 10.2. df-bit, exclude rule, fail-open rule, and recovery-probe options added in Junos OS Release 15.1X49-D30 for vSRX.
Description
Configure IPsec for the Phase 2 exchange on the group member. Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX instances.
Options
vpn vpn-name—Name of the VPN.

df-bit—Specifies pre-fragmentation and post-fragmentation of IPsec traffic on the group member. One of the following options can be configured:

    clear—Sets the outer IP do-not-fragment (DF) bit to 0. When the packet size is larger than the path maximum transmission unit (path MTU), pre-fragmentation is done if the DF bit is not set in the inner packet, and post-fragmentation is done if the DF bit is set in the inner packet. This is the default.

    copy—Copies the DF bit from the inner header to the outer header. When the packet size is larger than the path MTU, pre-fragmentation is done if the DF bit is not set in the inner packet. If the DF bit is set in the inner packet, the packet is dropped and an ICMP message is sent back.

    set—Sets the outer IP DF bit to 1. When the packet size is larger than the path MTU, pre-fragmentation is done if the DF bit is not set in the inner packet. If the DF bit is set in the inner packet, the packet is dropped and an ICMP message is sent back.

exclude rule rule-name—Specifies traffic to be excluded from Group VPN encryption. A maximum of 10 exclude rules can be configured. Source and destination addresses must be specified in ip-address/mask format; address books and address sets are not supported. Predefined and user-defined applications are supported, but application sets are not supported.

fail-open rule rule-name—Specifies the traffic to be sent in cleartext mode if there is no valid SA key available to protect the traffic. Traffic that is not specified by a fail-open rule is blocked if there is no valid SA key available to protect it. A maximum of 10 fail-open rules can be configured. Source and destination addresses must be specified in ip-address/mask format; address books and address sets are not supported. Predefined and user-defined applications are supported, but application sets are not supported.

group id—Identifier configured for the Group VPN.

group-vpn-external-interface interface—Interface used by the group member to connect to the Group VPN peers. The interface must belong to the same zone as the to-zone configured at the [edit security ipsec-policy] hierarchy level for Group VPN traffic.

ike-gateway gateway-name—Name of the IKE gateway for the Group VPN.

recovery-probe—Enables initiation of groupkey-pull exchanges at specific intervals to update the member's SA from the group server if the group member is determined to be out of synchronization with the group server and other group members. This option is disabled by default.
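The following stanza is an added configuration example; it is not taken from the Juniper documentation and does not describe a particular deployment. It puts every option from the syntax block above into one member VPN so the pieces can be seen together. All names, addresses and the interface are constructed for illustration: the VPN name gvpn-member-vpn, the IKE gateway gvpn-server-gw (assumed to be defined separately under [edit security group-vpn member ike gateway]), group 1, interface ge-0/0/1.0, and the 10.10.0.0/24 and 10.20.0.0/24 prefixes. junos-ssh and junos-dns-udp are Junos predefined applications, used here because the page states that predefined applications are accepted in exclude and fail-open rules.

```junos
/* Added example, not Juniper's own configuration. Values are constructed. */
security {
    group-vpn {
        member {
            ipsec {
                vpn gvpn-member-vpn {
                    /* Copy the inner DF bit to the outer header; oversized
                       inner packets with DF set are dropped with an ICMP reply
                       rather than fragmented after encapsulation. */
                    df-bit copy;
                    /* Keep a narrow management flow out of group encryption
                       (max 10 exclude rules; prefixes only, no address books). */
                    exclude rule mgmt-ssh-bypass {
                        source-address 10.10.0.0/24;
                        destination-address 10.20.0.10/32;
                        application junos-ssh;
                    }
                    /* Only DNS to one resolver may fall back to cleartext when
                       no valid SA key is present; everything else is blocked. */
                    fail-open rule dns-cleartext-fallback {
                        source-address 10.10.0.0/24;
                        destination-address 10.20.0.53/32;
                        application junos-dns-udp;
                    }
                    /* Group identifier and IKE gateway toward the group server. */
                    group 1;
                    ike-gateway gvpn-server-gw;
                    /* Must be in the same zone as the to-zone of the matching
                       [edit security ipsec-policy] entry for this VPN. */
                    group-vpn-external-interface ge-0/0/1.0;
                    /* Periodic groupkey-pull when the member's SA is found to be
                       out of sync with the server (off by default). */
                    recovery-probe;
                }
            }
        }
    }
}
```

The same configuration can be entered as set commands under [edit security group-vpn member ipsec vpn gvpn-member-vpn]. Two points worth checking before commit: the exclude and fail-open rules are capped at 10 each and accept only ip-address/mask prefixes and single applications, so a rule written with an address book, address set or application set is rejected; and any flow matched by a fail-open rule crosses the network unencrypted whenever the member has no valid SA key, so keep those rules to the smallest prefix and application that the site actually needs to keep working during a key outage.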
Required Privilege Level
security—To view this statement in the configuration.

security-control—To add this statement to the configuration.