
ipsec (Security Group VPN Member)

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 10.2. df-bit, exclude rule, fail-open rule, and recovery-probe options added in Junos OS Release 15.1X49-D30 for vSRX.

Description

Configure IPsec for Phase 2 exchange on the group member. Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX instances.

Options

vpn vpn-name—Name of the VPN.
df-bit—Specifies pre-fragmentation and post-fragmentation of IPsec traffic on the group member. One of the following options can be configured:
  • clear—Sets the outer IP do-not-fragment (DF) bit to 0. When the packet size is larger than the path maximum transmission unit (path MTU), pre-fragmentation is done if the DF bit is not set in the inner packet and post-fragmentation is done if the DF bit is set in the inner packet. This is the default.

  • copy—Copies the DF bit from the inner header to the outer header. When the packet size is larger than the path MTU, pre-fragmentation is done if the DF bit is not set in the inner packet. If the DF bit is set in the inner packet, the packet is dropped and an ICMP message is sent back.

  • set—Sets the outer IP DF bit to 1. When the packet size is larger than the path MTU, pre-fragmentation is done if the DF bit is not set in the inner packet. If the DF bit is set in the inner packet, the packet is dropped and an ICMP message is sent back.

exclude rule—Specifies traffic to be excluded from Group VPN encryption. A maximum of 10 exclude rules can be configured. Source and destination addresses must be specified in ip-address/mask format; address books and address sets are not supported. Predefined and user-defined applications are supported, but application sets are not supported.
fail-open rule—Specifies the traffic to be sent in cleartext mode if there is no valid SA key available to protect the traffic. Traffic that is not specified by the fail-open rule is blocked if there is no valid SA key available to protect the traffic. A maximum of 10 fail-open rules can be configured. Source and destination addresses must be specified in ip-address/mask format; address books and address sets are not supported. Predefined and user-defined applications are supported, but application sets are not supported.
group id—Identifier configured for the Group VPN.
group-vpn-external-interface interface—Interface used by the group member to connect to the Group VPN peers. The interface must belong to the same zone as the to-zone configured at the [edit security ipsec-policy] hierarchy level for Group VPN traffic.
ike-gateway gateway-name—Name of the IKE gateway for the Group VPN.
recovery-probe—Enables initiation of groupkey-pull exchanges at specific intervals to update the member's SA from the group server if the group member is determined to be out of synchronization with the group server and other group members. This option is disabled by default.
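As an added illustration that is not part of this reference page, the following member-side configuration combines the options described above, with the fail-open rule deliberately scoped to a single flow so that only that traffic can ever leave in cleartext while no valid SA key exists. The hierarchy [edit security group-vpn member ipsec], the names gw1 and gvpn-member-1, the interface ge-0/0/1.0, the addresses, and the source-address/destination-address/application keywords inside each rule are assumed from the option descriptions rather than taken from this page.

```junos
/* Added example (not from the original page). Assumed: hierarchy
   [edit security group-vpn member ipsec], gateway gw1, VPN name
   gvpn-member-1, interface ge-0/0/1.0, constructed addresses. */
security {
    group-vpn {
        member {
            ipsec {
                vpn gvpn-member-1 {
                    ike-gateway gw1;                         /* IKE gateway toward the group server */
                    group-vpn-external-interface ge-0/0/1.0; /* must sit in the to-zone of the Group VPN ipsec-policy */
                    group 1;                                 /* group identifier shared with the server */
                    df-bit copy;                             /* honour the inner DF bit; oversize DF packets are dropped with ICMP */
                    exclude {
                        /* Routing-protocol traffic to the directly attached peer stays
                           outside the group SA (at most 10 exclude rules). */
                        rule no-ospf {
                            source-address 10.10.1.1/32;
                            destination-address 10.10.1.2/32;
                            application junos-ospf;
                        }
                    }
                    fail-open {
                        /* Only this one flow may fall back to cleartext when no valid SA key
                           is available; all other traffic is blocked in that state
                           (at most 10 fail-open rules). Keep this as narrow as possible. */
                        rule mgmt-ping {
                            source-address 10.10.1.1/32;
                            destination-address 10.20.0.5/32;
                            application junos-icmp-ping;
                        }
                    }
                    recovery-probe;                          /* re-pull the SA if the member drifts out of sync with the server */
                }
            }
        }
    }
}
```

Because fail-open traffic is sent unencrypted, audit these rules with the same care as a permit-any firewall policy and confirm after commit that only the intended flows match them.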

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation