Understanding IPsec SA Configuration for Group VPN
After the server and member have established a secure and authenticated channel in Phase 1 negotiation, they proceed through Phase 2. Phase 2 negotiation establishes the IPsec SAs that are shared by group members to secure data that is transmitted among members. While the IPsec SA configuration for group VPN is similar to the configuration for standard VPNs, a group member does not need to negotiate the SA with other group members.
Phase 2 IPsec configuration for group VPN consists of the following information:
- A proposal for the security protocol, authentication, and encryption algorithm to be used for the SA. The IPsec SA proposal is configured on the group server with the proposal configuration statement at the [edit security group-vpn server ipsec] hierarchy.
- A group policy that references the proposal. A group policy specifies the traffic (protocol, source address, source port, destination address, and destination port) to which the SA and keys apply. The group policy is configured on the server with the ipsec-sa configuration statement at the [edit security group-vpn server group ] hierarchy.
- An Autokey IKE that references the group identifier, the group server (configured with the ike-gateway configuration statement), and the interface used by the member to connect to the group. The Autokey IKE is configured on the member with the ipsec vpn configuration statement at the [edit security group-vpn member] hierarchy.

Note: To prevent packet fragmentation issues, we recommend that the interface used by the group member to connect to the MPLS network be configured for a maximum transmission unit (MTU) size no larger than 1400 bytes. Use the set interface mtu configuration statement to set the MTU size.
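The following is an added example, not taken from this page or from Juniper's own configuration samples, showing how the three Phase 2 pieces and the MTU recommendation fit together as set commands. The names group-prop, grp1, group-sa, dynpol1, v1, and g1, the group identifier 1, the 10.1.0.0/16 and 10.2.0.0/16 prefixes, the interface ge-0/1/0, and the algorithm choices are all assumptions; the member's IKE gateway g1 is assumed to exist already from the Phase 1 configuration.

```junos
# --- On the group server ---
# IPsec SA proposal: authentication and encryption algorithms and SA lifetime
set security group-vpn server ipsec proposal group-prop authentication-algorithm hmac-sha1-96
set security group-vpn server ipsec proposal group-prop encryption-algorithm aes-256-cbc
set security group-vpn server ipsec proposal group-prop lifetime-seconds 3600

# Group identifier that members reference (assumed value)
set security group-vpn server group grp1 group-id 1

# Group policy: references the proposal and defines the traffic
# (source, destination, ports, protocol) that the SA and keys protect.
# A value of 0 for port or protocol matches any.
set security group-vpn server group grp1 ipsec-sa group-sa proposal group-prop
set security group-vpn server group grp1 ipsec-sa group-sa match-policy dynpol1 source 10.1.0.0/16
set security group-vpn server group grp1 ipsec-sa group-sa match-policy dynpol1 destination 10.2.0.0/16
set security group-vpn server group grp1 ipsec-sa group-sa match-policy dynpol1 source-port 0
set security group-vpn server group grp1 ipsec-sa group-sa match-policy dynpol1 destination-port 0
set security group-vpn server group grp1 ipsec-sa group-sa match-policy dynpol1 protocol 0

# --- On each group member ---
# Autokey IKE: ties together the group server (IKE gateway), the group
# identifier, and the interface the member uses to reach the group
set security group-vpn member ipsec vpn v1 ike-gateway g1
set security group-vpn member ipsec vpn v1 group 1
set security group-vpn member ipsec vpn v1 group-vpn-external-interface ge-0/1/0

# MTU on the member's interface toward the MPLS network, per the note above
set interfaces ge-0/1/0 mtu 1400
```

The group value on the member must match the group-id configured on the server; the member receives the SA and its traffic policy from the server and does not negotiate either one with other members.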
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- IPsec VPN Configuration Overview
- Group VPN Overview
- Understanding the GDOI Protocol
- Understanding Group Servers and Members
- Group VPN Configuration Overview
- Understanding IKE Phase 1 Configuration for Group VPN