Understanding Server-Member Communication
Server-member communication allows the server to send GDOI groupkey-push messages to members. If server-member communication is not configured for the group, members can send GDOI groupkey-pull messages to register and reregister with the server, but the server is not able to send rekey messages to members.
Server-member communication is configured for the group by using the server-member-communication configuration statement at the [edit security group-vpn server] hierarchy. The following options can be defined:
- Encryption algorithm used for communications between the server and member. You can specify 3des-cbc, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des-cbc. There is no default algorithm.
- Authentication algorithm (md5 or sha1) used to authenticate the member to the server. There is no default algorithm.
- Whether the server sends unicast or multicast rekey messages to group members and parameters related to the communication type. See Understanding Rekey Messages.
- Interval at which the server sends heartbeat messages to the group member. This allows the member to determine whether the server has rebooted, which would require the member to reregister with the server. The default is 300 seconds. See Understanding Heartbeat Messages.
- Lifetime for the key encryption key (KEK). The default is 3600 seconds.
Note: Configuring server-member communication is necessary for the group server to send rekey messages to members, but there might be situations in which this behavior is not desired. For example, if group members are dynamic peers (such as in a home office), the devices are not always up and the IP address of a device might be different each time it is powered up. Configuring server-member communication for a group of dynamic peers can result in unnecessary transmissions by the server. If you want IKE Phase 1 SA negotiation to always be performed to protect GDOI negotiation, do not configure server-member communication.
If server-member communication for a group is not configured, the membership list displayed by the show security group-vpn server registered-members command shows all group members that have registered with the server, whether or not they are currently active. When server-member communication for a group is configured, the group membership list is cleared. If the communication type is configured as unicast, the show security group-vpn server registered-members command shows only active members. If the communication type is configured as multicast, the show security group-vpn server registered-members command shows members that have registered with the server after the configuration; the membership list does not necessarily represent active members, because members might drop out after registration.
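As an added example that is not part of the original page, the following shows a server-member-communication stanza with the weakest algorithm choices the page lists beside a hardened version. The group name group1 is a placeholder, and the statement names (communication-type, encryption-algorithm, sig-hash-algorithm, heartbeat, lifetime-seconds) are assumed from the Junos group-vpn server group hierarchy rather than taken from this page.

```junos
/* Constructed example. "group1" is a placeholder group name; the statement
   names are assumed from the [edit security group-vpn server group]
   hierarchy and are not quoted from this page. */

/* Weak choices: des-cbc and md5 are accepted by the CLI but give the
   rekey channel little protection. Shown only as the "before" case. */
security {
    group-vpn {
        server {
            group group1 {
                server-member-communication {
                    communication-type unicast;
                    encryption-algorithm des-cbc;
                    sig-hash-algorithm md5;
                }
            }
        }
    }
}

/* Hardened: aes-256-cbc and sha1 for the rekey channel. The heartbeat
   interval and KEK lifetime are set explicitly to the page's defaults
   (300 s and 3600 s) so a reviewer sees them in the config. Unicast is
   chosen so that the registered-members list reflects active members. */
security {
    group-vpn {
        server {
            group group1 {
                server-member-communication {
                    communication-type unicast;
                    encryption-algorithm aes-256-cbc;
                    sig-hash-algorithm sha1;
                    heartbeat 300;
                    lifetime-seconds 3600;
                }
            }
        }
    }
}
```

After committing the hardened stanza, the show security group-vpn server registered-members command lists only members that are currently active, as described above for the unicast communication type.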
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Understanding Group Keys
- Understanding Rekey Messages
- Understanding Member Reregistration
- Understanding VPN Group Configuration
- Example: Configuring Server-Member Communication for Unicast Rekey Messages
- Example: Configuring Server-Member Communication for Multicast Rekey Messages