Understanding Group Keys
The group server maintains a database to track the relationship among VPN groups, group members, and group keys. There are two kinds of group keys that the server downloads to members:
- Key Encryption Key (KEK)—Used to encrypt rekey messages. One KEK is supported per group.
- Traffic Encryption Key (TEK)—Used to encrypt and decrypt IPsec data traffic between group members.
The key associated with an SA is accepted by a group member only if there is a matching scope policy configured on the member. An accepted key is installed for the group VPN, whereas a rejected key is discarded.
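To make the acceptance rule concrete, here is an added Python model (not Junos code and not from this document) of a member processing a server download: the single KEK is installed as-is, while each TEK is installed only if its SA traffic selector falls within one of the member's configured scope policies and is otherwise discarded. The containment semantics and the field names are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Selector:
    """Traffic selector: source/destination prefixes and IP protocol (0 = any)."""
    src: str
    dst: str
    proto: int = 0

@dataclass(frozen=True)
class GroupKey:
    kind: str                          # "KEK" (rekey messages) or "TEK" (IPsec data)
    spi: int
    key: bytes
    selector: Optional[Selector] = None  # TEKs carry the SA's selector; the KEK has none

def selector_in_scope(sa: Selector, scope: Selector) -> bool:
    """Assumed rule: the SA's prefixes must lie inside the scope policy's prefixes
    and the protocol must match (a scope protocol of 0 accepts any protocol)."""
    return (ip_network(sa.src).subnet_of(ip_network(scope.src))
            and ip_network(sa.dst).subnet_of(ip_network(scope.dst))
            and scope.proto in (0, sa.proto))

def process_download(keys: List[GroupKey],
                     scope_policies: List[Selector]) -> Tuple[List[GroupKey], List[GroupKey]]:
    """Return (installed, rejected). One KEK per group; TEKs need a matching scope policy."""
    installed, rejected = [], []
    if sum(k.kind == "KEK" for k in keys) > 1:
        raise ValueError("only one KEK is supported per group")
    for k in keys:
        if k.kind == "KEK":
            installed.append(k)
        elif k.selector and any(selector_in_scope(k.selector, s) for s in scope_policies):
            installed.append(k)
        else:
            rejected.append(k)       # no matching scope policy: key is discarded
    return installed, rejected

if __name__ == "__main__":
    # Constructed sample: member scope covers 10.1/16 -> 10.2/16, any protocol.
    scope = [Selector("10.1.0.0/16", "10.2.0.0/16")]
    download = [
        GroupKey("KEK", 0x100, b"k" * 16),
        GroupKey("TEK", 0x200, b"t" * 16, Selector("10.1.5.0/24", "10.2.7.0/24", 17)),
        GroupKey("TEK", 0x201, b"u" * 16, Selector("192.168.0.0/24", "10.2.7.0/24", 17)),
    ]
    ok, bad = process_download(download, scope)
    print("installed SPIs:", [hex(k.spi) for k in ok], "rejected SPIs:", [hex(k.spi) for k in bad])
```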
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Group VPN Overview
- Understanding the GDOI Protocol
- Understanding Group Servers and Members
- Understanding Dynamic Policies
- Group VPN Configuration Overview
- Understanding Rekey Messages
- Understanding Member Reregistration