group-vpn
Syntax
group-vpn {
    member {
        ike {
            gateway gateway-name;
            policy;
            proposal;
            traceoptions;
        }
        ipsec {
            vpn vpn-name {
                df-bit (clear | copy | set);
                exclude rule rule-name {
                    source-address ip-address/mask;
                    destination-address ip-address/mask;
                    application application;
                }
                fail-open rule rule-name {
                    source-address ip-address/mask;
                    destination-address ip-address/mask;
                    application application;
                }
                group id;
                group-vpn-external-interface interface;
                ike-gateway gateway-name;
                recovery-probe;
            }
        }
    }
    server {
        group name {
            anti-replay-time-window milliseconds;
            description description;
            group-id number;
            ike-gateway gateway-name;
            ipsec-sa;
            member-threshold number;
            server-cluster;
        }
        ike {
            gateway gateway-name;
            policy;
            proposal;
        }
        ipsec {
            proposal proposal-name;
        }
        traceoptions;
    }
}
Hierarchy Level
[edit security]
Description
Enabling tracing can adversely impact scale and performance and may increase security risk. We strongly recommend using the trace, tracing, or traceoptions commands only under the guidance of a JTAC support engineer. After collecting the debug information, immediately disable tracing to minimize risk and restore normal system performance.
Configure Group VPNs in Group VPNv2. Group VPNv2 extends IPsec architecture to support SAs that are shared by a group of security devices. With Group VPNv2, any-to-any connectivity is achieved by preserving the original source and destination IP addresses in the outer header.
Options
| Option | Description |
|---|---|
| member | Configure group VPN member. |
| ike | Configure IPsec group VPN on the group member. |
| policy | Configure an IKE policy. |
| proposal | Define an IKE proposal. You can configure one or more IKE proposals. Each proposal is a list of IKE attributes to protect the IKE connection between the IKE host and its peer. |
| traceoptions | Configure group VPN tracing options to aid in troubleshooting the IKE or server issues. |
| ipsec | Configure IPsec for Phase 2 exchange on the group member. |
| vpn | Configure IPsec VPN for Phase 2 exchange on the group member. |
| server | Configure group VPN server. |
| group | Configure group VPN on the group server. |
| anti-replay-time-window | Configure antireplay time in milliseconds. Specify a value from 1 to 60,000. Each IPsec packet contains a timestamp. The group member checks whether the packet's timestamp falls within the configured |
| description | Description of the group. |
| group-id number | Identifier for this group VPN. Specify a value from 1 to 4,294,967,295. |
| ike-gateway gateway-name | Define the group member for Phase 1 negotiation. There can be multiple instances of this option configured. When a group member sends its registration request to the server, the server checks to see that the member is configured for the group. |
| ipsec-sa | Configure the group SAs to be downloaded to members. There can be multiple group SAs downloaded to group members. |
| member-threshold | Specify the maximum number of group VPN members that can be accepted in the group. There is no default number. |
| server-cluster | Configure the Group Domain of Interpretation (GDOI) group controller/key server (GCKS) cluster for the specified group. All servers in a group VPN server cluster must be SRX Series Firewalls. |
| server-member-communication | Enable and configure server to member communication. When these options are configured, group members receive new keys before current keys expire. |
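The anti-replay-time-window row above describes a per-packet timestamp check rather than the per-peer sequence counter used by point-to-point IPsec, because a group SA is shared by every sender in the group. The following Python is an added illustration of that check, not Juniper code; it assumes the comparison is symmetric around the receiving member's clock (taken as synchronized across the group) and uses constructed timestamps.

```python
# Added illustration of a Group VPNv2 member's time-based anti-replay check.
# Assumption: the member accepts a packet when its timestamp is within
# +/- window_ms of the member's own (group-synchronized) clock.
from dataclasses import dataclass

MIN_WINDOW_MS = 1       # lowest value anti-replay-time-window accepts
MAX_WINDOW_MS = 60_000  # highest value anti-replay-time-window accepts


def validate_window(window_ms: int) -> int:
    """Reject window values outside the 1..60,000 ms range the statement allows."""
    if not MIN_WINDOW_MS <= window_ms <= MAX_WINDOW_MS:
        raise ValueError(
            f"anti-replay-time-window must be {MIN_WINDOW_MS}..{MAX_WINDOW_MS} ms"
        )
    return window_ms


@dataclass
class TimeWindowAntiReplay:
    """Receive-side check for a group SA that many members send on.

    A per-sender sequence counter cannot be kept for a shared SA, so each
    packet carries the sender's timestamp and the receiver drops it when
    that timestamp lies outside the configured window. A smaller window
    shrinks the interval in which a captured packet could be replayed.
    """
    window_ms: int
    accepted: int = 0
    dropped: int = 0

    def __post_init__(self) -> None:
        validate_window(self.window_ms)

    def check(self, packet_ts_ms: int, now_ms: int) -> bool:
        """Return True (accept) if the timestamp is inside the window."""
        inside = abs(now_ms - packet_ts_ms) <= self.window_ms
        if inside:
            self.accepted += 1
        else:
            self.dropped += 1
        return inside


def filter_packets(window_ms: int, now_ms: int, timestamps: list[int]) -> list[bool]:
    """Apply the check to a batch of packet timestamps received at now_ms."""
    checker = TimeWindowAntiReplay(window_ms)
    return [checker.check(ts, now_ms) for ts in timestamps]


if __name__ == "__main__":
    # Constructed sample: receiver clock at 10,000 ms, 1,000 ms window.
    print(filter_packets(1_000, 10_000, [10_000, 9_500, 11_000, 8_000, 12_500]))
```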
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 10.2.