Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

mode (Security Group VPN)

Syntax

Hierarchy Level

Description

Define the mode used for Internet Key Exchange (IKE) Phase 1 negotiations. Use aggressive mode only when you need to initiate an IKE key exchange without ID protection, as when a peer unit has a dynamically assigned IP address. (The main option is not supported on dynamic VPN implementations.) Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX instances.

  • IKEv2 protocol does not negotiate using mode configuration.

  • The device deletes existing IKE and IPsec SAs when you update the mode configuration in the IKE policy.

Options

  • aggressive—Aggressive mode.

  • main—Main mode. Main mode is the recommended key-exchange method because it conceals the identities of the parties during the key exchange.

    Configuring mode main for group VPN servers or members is not supported when the remote gateway has a dynamic address and the authentication method is pre-shared-keys.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5. Support for group-vpn hierarchies added in Junos OS Release 10.2.