Understanding Dynamic Policies
The group server distributes group SAs and keys to the members of a specified group. All members of the same group can share the same set of IPsec SAs, but not every SA configured for a group is installed on every member. Which SAs a given member installs is determined by the policy associated with each group SA and by the security policies configured on that member.
In a VPN group, each group SA and key that the server pushes to a member is associated with a group policy. The group policy describes the traffic on which the key should be used, including protocol, source address, source port, destination address, and destination port.
Note: Identical group policies (configured with the same source address, destination address, source port, destination port, and protocol values) cannot exist for a single group. An error is returned if you attempt to commit a configuration that contains identical group policies for a group; if this happens, delete one of the identical group policies.
On a group member, you must configure a scope policy that defines the scope of the group policies downloaded from the server. Each group policy distributed by the server is compared against the scope policies configured on the member. For a group policy to be installed on the member, both of the following conditions must be met:
- Any addresses specified in the group policy must be within the range of addresses specified in the scope policy.
- The source port, destination port, and protocol specified in the group policy must match those configured in the scope policy.
A group policy that is installed on a member is called a dynamic policy. Because a group policy is installed only when it falls within a scope policy, the member's own configuration, not the server, bounds the traffic that can be keyed with group SAs on that member.
A scope policy can be part of an ordered list of security policies for a specific from-zone and to-zone context. Junos OS performs a security policy lookup on incoming packets starting from the top of the ordered list.
Depending on the position of the scope policy within the ordered list of security policies, there are several possibilities for dynamic policy lookup:
- If an incoming packet matches a scope policy, the search process continues for a matching dynamic policy. If there is a matching dynamic policy, that policy's action (permit) is performed. If there is no matching dynamic policy, the packet is dropped.

Note: In this release, only the tunnel action is allowed for a scope policy. Other actions are not supported.
- If the incoming packet matches a security policy before the scope policy is considered, dynamic policy lookup does not occur.
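The installation conditions above (addresses within the scope range, protocol and ports matching exactly) and the ordered lookup (earlier policy wins, scope hit without a dynamic policy drops the packet) are easy to get wrong when reasoning about what traffic a member will actually key. The following is an added model of both rules written for this page; it is not Junos OS code. The policy names, zones, addresses, ports, the use of 0 as an "any" wildcard, and the default deny at the end of the list are assumptions made for the example.

```python
# Added illustration of the two rules on this page, not Junos OS code:
# (1) which server-pushed group policies a member installs as dynamic policies,
# (2) how a packet is then matched against the member's ordered policy list.
# Policy names, addresses, ports and the 0 = "any" wildcard are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = 0  # assumed wildcard for protocol or port


@dataclass(frozen=True)
class GroupPolicy:
    """Traffic selector pushed by the group server with a group SA/key."""
    src: str    # source network, e.g. "10.1.1.0/24"
    dst: str    # destination network
    proto: int  # IP protocol number
    sport: int
    dport: int


@dataclass(frozen=True)
class SecurityPolicy:
    """Entry in the member's ordered from-zone/to-zone policy list.
    action is "permit", "deny" or "tunnel"; "tunnel" marks a scope policy."""
    name: str
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    action: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def check_unique(group_policies: List[GroupPolicy]) -> None:
    """Server-side commit check: identical group policies are an error."""
    seen = set()
    for gp in group_policies:
        if gp in seen:
            raise ValueError(f"identical group policy configured twice: {gp}")
        seen.add(gp)


def install_dynamic_policies(ordered: List[SecurityPolicy],
                             group_policies: List[GroupPolicy]) -> Dict[str, List[GroupPolicy]]:
    """Rule 1: a group policy is installed under a scope policy only if its
    addresses fall inside the scope ranges and proto/ports match exactly."""
    installed: Dict[str, List[GroupPolicy]] = {}
    for sp in ordered:
        if sp.action != "tunnel":
            continue
        installed[sp.name] = [
            gp for gp in group_policies
            if ip_network(gp.src).subnet_of(ip_network(sp.src))
            and ip_network(gp.dst).subnet_of(ip_network(sp.dst))
            and (gp.proto, gp.sport, gp.dport) == (sp.proto, sp.sport, sp.dport)
        ]
    return installed


def _matches(pkt: Packet, pol) -> bool:
    """Does a packet hit a security policy or a dynamic policy?"""
    return (ip_address(pkt.src) in ip_network(pol.src)
            and ip_address(pkt.dst) in ip_network(pol.dst)
            and pol.proto in (ANY, pkt.proto)
            and pol.sport in (ANY, pkt.sport)
            and pol.dport in (ANY, pkt.dport))


def lookup(pkt: Packet, ordered: List[SecurityPolicy],
           installed: Dict[str, List[GroupPolicy]]) -> Tuple[str, Optional[str]]:
    """Rule 2: first-match walk from the top of the ordered list.
    Returns (action, name of the security policy that decided it)."""
    for pol in ordered:
        if not _matches(pkt, pol):
            continue
        if pol.action != "tunnel":
            return pol.action, pol.name    # earlier policy wins; no dynamic lookup
        for gp in installed.get(pol.name, []):
            if _matches(pkt, gp):
                return "permit", pol.name  # dynamic policy hit: keyed for the group
        return "drop", pol.name            # scope hit but no dynamic policy
    return "deny", None                    # nothing matched; assumed default deny


# Constructed sample data.
GROUP_POLICIES = [
    GroupPolicy("10.1.1.0/24", "10.2.1.0/24", 6, ANY, 443),     # installed under scope1
    GroupPolicy("10.1.1.0/24", "10.2.1.0/24", 17, ANY, 514),    # protocol differs: not installed
    GroupPolicy("192.168.9.0/24", "10.2.1.0/24", 6, ANY, 443),  # source outside scope: not installed
]
ORDERED = [
    SecurityPolicy("mgmt-deny", "10.1.1.250/32", "10.2.0.0/16", ANY, ANY, ANY, "deny"),
    SecurityPolicy("scope1", "10.1.0.0/16", "10.2.0.0/16", 6, ANY, 443, "tunnel"),
    SecurityPolicy("default-permit", "0.0.0.0/0", "0.0.0.0/0", ANY, ANY, ANY, "permit"),
]
SAMPLE_PACKETS = {
    "in-group":   Packet("10.1.1.10", "10.2.1.20", 6, 40000, 443),   # scope1 + dynamic policy
    "scope-only": Packet("10.1.5.10", "10.2.1.20", 6, 40000, 443),   # scope1, no dynamic policy
    "shadowed":   Packet("10.1.1.250", "10.2.1.20", 6, 40000, 443),  # mgmt-deny matches first
    "udp":        Packet("10.1.1.10", "10.2.1.20", 17, 40000, 514),  # misses scope1, falls through
}


def run_demo():
    check_unique(GROUP_POLICIES)
    installed = install_dynamic_policies(ORDERED, GROUP_POLICIES)
    results = {k: lookup(p, ORDERED, installed) for k, p in SAMPLE_PACKETS.items()}
    return installed, results


if __name__ == "__main__":
    inst, res = run_demo()
    print("dynamic policies:", inst)
    for k, v in res.items():
        print(f"{k:11} -> {v}")
```

Two of the sample packets are the cases worth checking on a real member: "scope-only" hits the scope policy but no dynamic policy and is dropped rather than forwarded in the clear, and "udp" never reaches the scope policy at all because its protocol differs, so it is decided by whatever plain policy follows. Both outcomes depend on the position and match terms of the scope policy, not on what the server pushed.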
You configure a scope policy on a group member with the policies configuration statement at the [edit security] hierarchy. In the policy's permit tunnel rule, use the ipsec-group-vpn configuration statement to reference the group VPN; this is what allows the group members to share a single SA.
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Security Policies Overview
- Understanding Security Policy Ordering
- Example: Configuring a Security Policy to Permit or Deny All Traffic
- Understanding the GDOI Protocol
- Understanding Group Servers and Members
- Group VPN Configuration Overview