group (Group VPN Server)
Syntax
Hierarchy Level
Release Information
Statement introduced in Release 10.2 of Junos OS.
Description
Configure group VPN on the group server.
Options
activation-time-delay—Time, in seconds, before a group member can use a new key when a member reregisters with the group server. When a member registers for the first time with the server (the member does not have a key), there is no delay. When the server sends a rekey message to the member, the member waits twice the activation-time-delay value before using the new key. Specify a value from 10 to 900. The default is 15 seconds.
Note: The lifetime-seconds values of all IPsec SA proposals and of the server-member-communication in the group must be at least 10 times the activation-time-delay value.
anti-replay-time-window—Configure antireplay time in seconds. Specify a value from 60 to 360. The default is 100 seconds.
description—Description of the group.
group-id—Identifier for this group VPN. Specify a value from 1 to 65,535.
ike-gateway—Define the group member for Phase 1 negotiation. There can be multiple instances of this option configured, one for each member of the group. When a group member sends its registration request to the server, the server checks to see that the member is configured for the group.
ipsec-sa name—Define the group SAs to be downloaded to members. There can be multiple group SAs downloaded to group members. A group SA definition consists of the following:
- proposal name—Specify the name of the IPsec proposal configured with the proposal configuration statement at the [edit security group-vpn server ipsec] hierarchy.
- match-policy name—Configure the group policy with source address, source port, destination address, destination port, and protocol.
Use 0.0.0.0 to specify any source or destination. Use 0 to specify any source port, destination port, or protocol.
no-anti-replay—Disable the antireplay mechanism.
server-address—(Required) IP address of the group server.
Note: We recommend that you use the loopback address of the device for server-address.
server-member-communication—Enable and configure server to member communication. When these options are configured, group members receive new keys before current keys expire. These options also enable members to receive heartbeat messages from the server; members can detect server reboots when heartbeats are missed.
The following options can be configured for server-member-communication:
- certificate—Specify the certificate identification. Only RSA keys are supported.
- communications-type—Configure unicast (the default) or multicast. If multicast is specified, you need to specify an IPv4 multicast address for the multicast-group option.
- encryption-algorithm—Encryption used for communications between the group server and group member. Specify 3des-cbc, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des-cbc.
- heartbeat—Interval, in seconds, at which the group server sends heartbeats to the group member. Specify a value from 60 to 3600. The default is 300 seconds.
- lifetime-seconds—Lifetime, in seconds, for the key encryption key (KEK). Specify a value from 180 to 86,400. The default is 3600 seconds.
- multicast-group—If communications-type is multicast, specify the multicast address for the group.
- multicast-outgoing-interface—If communications-type is multicast, specify the name of the interface on which multicast packets are sent.
- number-of-retransmission—For unicast communications, the number of times the group server retransmits messages to a group member when there is no reply. For multicast communications, the number of copies of a message the group server sends to group members. Specify a value from 0 to 60. The default is 2.
- retransmission-period—The time period between a transmission and the first retransmission when there is no reply from the group member. Specify a value from 2 to 60. The default is 4 seconds.
- sig-hash-algorithm—Authentication algorithm used to authenticate the group member to the group server. Specify md5 or sha1.
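The following group server configuration is an added example, not taken from the original page or from Juniper's documentation, showing the group statement with the options described above. The group, gateway, proposal and certificate names, the addresses, the proposal's authentication-algorithm, and the keyword form of match-policy (source, destination, source-port, destination-port, protocol, which this page describes only in prose) are assumptions. The lifetime-seconds values of the IPsec proposal and of server-member-communication (3600) satisfy the rule that they be at least 10 times activation-time-delay (30).

```junos
security {
    group-vpn {
        server {
            ipsec {
                /* Example group SA proposal (assumed name); lifetime >= 10 x activation-time-delay */
                proposal group-prop {
                    authentication-algorithm hmac-sha1-96;
                    encryption-algorithm aes-128-cbc;
                    lifetime-seconds 3600;
                }
            }
            group group1 {
                group-id 1;
                description "example group VPN (constructed)";
                /* After a rekey, members wait 2 x 30 = 60 seconds before using the new key */
                activation-time-delay 30;
                anti-replay-time-window 120;
                /* One ike-gateway per registered member (assumed gateway names) */
                ike-gateway member-a;
                ike-gateway member-b;
                /* Loopback address of the server, as the note above recommends (documentation address) */
                server-address 192.0.2.1;
                server-member-communication {
                    communications-type unicast;
                    certificate server-cert;
                    encryption-algorithm aes-128-cbc;
                    sig-hash-algorithm sha1;
                    heartbeat 300;
                    /* KEK lifetime: 3600 >= 10 x 30 */
                    lifetime-seconds 3600;
                    number-of-retransmission 2;
                    retransmission-period 4;
                }
                ipsec-sa group1-sa {
                    proposal group-prop;
                    /* Assumed keyword form; 0 means any port or protocol, as described above */
                    match-policy p1 {
                        source 10.0.0.0/8;
                        destination 10.0.0.0/8;
                        source-port 0;
                        destination-port 0;
                        protocol 0;
                    }
                }
            }
        }
    }
}
```

Lowering activation-time-delay below 15 would not by itself violate the rule, but raising it above 360 would require both lifetime-seconds values to be increased to at least 10 times the new delay.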
Usage Guidelines
For configuration instructions and examples, see the Junos OS Security Configuration Guide.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.