Example: Configuring Server-Member Communication for Unicast Rekey Messages

This example shows the configuration that enables the server to send unicast rekey messages to group members.

Before you begin:

  1. Configure the group server and members for IKE Phase 1 negotiation.
  2. Configure the group server and members for Phase 2 IPsec SA.
  3. On the group server, configure the group g1.

See Example: Configuring Group VPN (CLI) or Example: Configuring Group VPN with Server-Member Colocation (CLI).

Configuration instructions in this topic describe how to specify the following server-member communication for the group g1: unicast as the communication type (the server sends rekey messages to each member individually), 3des-cbc as the encryption algorithm, and sha1 as the signature hash algorithm used for member authentication.

Default values are used for server heartbeats, KEK lifetime, and retransmissions.

To configure server-member communication:

  1. Set the communication type to unicast.
    [edit security group-vpn server group g1 server-member-communication]
    user@host# set communication-type unicast
  2. Set the encryption algorithm to 3des-cbc.
    [edit security group-vpn server group g1 server-member-communication]
    user@host# set encryption-algorithm 3des-cbc
  3. Set the signature hash algorithm used for member authentication to sha1.
    [edit security group-vpn server group g1 server-member-communication]
    user@host# set sig-hash-algorithm sha1
  4. Confirm your configuration by entering the show security group-vpn server group g1 server-member-communication command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
    [edit]
    user@host# show security group-vpn server group g1 server-member-communication
    communication-type unicast;
    encryption-algorithm 3des-cbc;
    sig-hash-algorithm sha1;
  5. Commit the configuration if you are done configuring the device.
    [edit]
    user@host# commit
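The whole procedure as one configuration-mode session, entered from the [edit] level so that the full statement path is visible, followed by the same two statements re-set to AES-256 and SHA-256. This is an added example and not configuration from the original page; it assumes the group g1 already exists on the server (the prerequisite above) and that aes-256-cbc and sha-256 are accepted values for encryption-algorithm and sig-hash-algorithm in the running Junos release. The heartbeat, KEK lifetime and retransmission settings are left at their defaults, as on the page.

```junos
## Added example, not from the original page. Assumes group g1 exists under
## [edit security group-vpn server] and that aes-256-cbc and sha-256 are
## accepted by this Junos release.

## Steps 1 to 3 from the [edit] level, so the full statement path is visible.
[edit]
user@host# set security group-vpn server group g1 server-member-communication communication-type unicast
user@host# set security group-vpn server group g1 server-member-communication encryption-algorithm 3des-cbc
user@host# set security group-vpn server group g1 server-member-communication sig-hash-algorithm sha1

## Step 4: the stanza now reads exactly as the page expects.
[edit]
user@host# show security group-vpn server group g1 server-member-communication
communication-type unicast;
encryption-algorithm 3des-cbc;
sig-hash-algorithm sha1;

## Hardening: 3DES-CBC and SHA-1 are legacy algorithms. Each of these statements
## holds a single value, so re-setting it replaces the old value; no delete is needed.
[edit]
user@host# set security group-vpn server group g1 server-member-communication encryption-algorithm aes-256-cbc
user@host# set security group-vpn server group g1 server-member-communication sig-hash-algorithm sha-256

[edit]
user@host# show security group-vpn server group g1 server-member-communication
communication-type unicast;
encryption-algorithm aes-256-cbc;
sig-hash-algorithm sha-256;

## Step 5: validate the candidate configuration before committing it.
[edit]
user@host# commit check
configuration check succeeds

[edit]
user@host# commit
commit complete
```

Use show | compare before the commit to review the candidate against the last committed configuration. Group members receive the rekey transport and algorithm choices from the server during registration, so there is no matching server-member-communication stanza to configure on the member side.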
