Changes in Default Behavior and Syntax in Junos OS Release 10.3 for J-SRX Series Services Gateways - Dell PowerConnect J-8208 Release Note

Release notes, Junos OS version 10.3
Junos 10.3 OS Release Notes
Changes in Default Behavior and Syntax in Junos OS Release 10.3 for J-SRX Series Services Gateways
The group VPN in Release 10.3 of Junos OS has been tested with Cisco GET VPN servers
running Version 12.4(22)T and Version 12.4(24)T.
To avoid traffic disruption, do not enable rekey on a Cisco server when the VPN group
includes a Dell security device. The Cisco GET VPN server implements a proprietary ACK
for unicast rekey messages. If a group member does not respond to the unicast rekey
messages with that ACK, the server removes the member from the group, and the member
no longer receives rekeys. A member holding an out-of-date key then sends IPsec packets
that the remote peer rejects as bad SPIs. The Dell security device can recover from this
situation by reregistering with the server to download the new key.
Antireplay must be disabled on the Cisco server when a VPN group of more than two
members includes a Dell security device. The Cisco server uses time-based antireplay
by default. A Dell security device cannot interoperate with a Cisco group member when
time-based antireplay is in use, because the timestamp carried in the IPsec packet is
proprietary. Dell security devices also cannot synchronize time with the Cisco GET VPN
server and Cisco GET VPN members, because the sync payload is proprietary as well.
Counter-based antireplay can be enabled if the group has only two members.
According to Cisco documentation, the Cisco GET VPN server triggers rekeys 90 seconds
before a key expires, and the Cisco GET VPN member triggers rekeys 60 seconds before
a key expires. When interacting with a Cisco GET VPN server, a Dell security device
member matches this Cisco behavior.
A Cisco GET VPN member accepts all keys downloaded from the GET VPN server, and the
policies associated with those keys are installed dynamically. A policy does not have to
be configured locally on a Cisco GET VPN member, but a deny policy can optionally be
configured to exempt certain traffic from the security policies set by the server. For
example, the server can set a policy that traffic between subnet A and subnet B is
encrypted with key 1; the member can then set a deny policy so that OSPF traffic between
subnet A and subnet B is not encrypted with key 1. However, the member cannot set a
permit policy to bring additional traffic under the protection of the key. This centralized
security policy configuration does not apply to the Dell security device.
On a Dell security device, the ipsec-group-vpn configuration statement in the permit
tunnel rule in a scope policy references the group VPN. This allows multiple policies
referencing a VPN to share an SA. This configuration is required to interoperate with Cisco
GET VPN servers.
Logical key hierarchy (LKH), a method for adding and removing group members, is not
supported with group VPN on Dell security devices.
Cisco GET VPN members can be configured for cooperative key servers (COOP KSs), an
ordered list of servers with which the member can register or reregister. Multiple group
servers cannot be configured on Dell group VPN members.
The following current system behavior, configuration statement usage, and operational
mode command usage might not yet be documented in the Junos OS documentation:
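As an added configuration sketch (not text from these release notes, nor from Juniper, Dell or Cisco documentation), the following shows the member-side scope policy with the ipsec-group-vpn statement in its permit tunnel rule described above, next to the Cisco key-server settings the interoperability caveats above call for: no rekey configured on the server, and antireplay turned off for a group of more than two members, with counter-based antireplay shown as the alternative for a two-member group. The group identity 1234, the 10.0.0.0/24 addresses, the interface ge-0/0/0.0, the zone, address-book and object names, and the Cisco ACL and IPsec profile names are all assumptions; the IKE proposal, IKE policy and address-book entries that the statements refer to are assumed to exist elsewhere in the member's configuration. The `#` lines in the Junos part are annotations for this page, not CLI input.

```text
! ---------------------------------------------------------------------
! Cisco IOS GET VPN key server (constructed example; names, addresses
! and the group identity are assumptions)
! ---------------------------------------------------------------------
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  ! Deliberately no "rekey ..." statements: with rekey unconfigured the
  ! server sends no unicast rekeys, so the Dell member is never dropped
  ! for failing to return the proprietary rekey ACK; members simply
  ! re-register before the TEK expires.
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-TRAFFIC
   ! Group of more than two members that includes a Dell device:
   ! antireplay must be off. The Cisco default is time-based
   ! ("replay time window-size 5"), which the Dell member cannot follow.
   no replay
   ! Two-member group only: counter-based antireplay may be used instead:
   ! replay counter window-size 64
  address ipv4 10.0.0.1

# ---------------------------------------------------------------------
# Junos (J-SRX) group VPN member, set-format statements (constructed
# example; gateway, VPN, policy and address names are assumptions)
# ---------------------------------------------------------------------
# IKE gateway toward the Cisco key server; gvpn-ike-pol is assumed to be
# defined under security group-vpn member ike policy.
set security group-vpn member ike gateway ks-gw ike-policy gvpn-ike-pol
set security group-vpn member ike gateway ks-gw address 10.0.0.1
set security group-vpn member ike gateway ks-gw local-address 10.0.0.2

# Group VPN bound to that gateway; the group number must match the
# server's "identity number".
set security group-vpn member ipsec vpn gvpn ike-gateway ks-gw
set security group-vpn member ipsec vpn gvpn group 1234
set security group-vpn member ipsec vpn gvpn group-vpn-external-interface ge-0/0/0.0

# Scope policy: the permit tunnel rule references the group VPN with
# ipsec-group-vpn. Every policy whose permit tunnel rule names gvpn
# shares the same group SA, which the Cisco server expects.
# subnet-a and subnet-b are assumed address-book entries.
set security policies from-zone trust to-zone untrust policy gvpn-scope match source-address subnet-a
set security policies from-zone trust to-zone untrust policy gvpn-scope match destination-address subnet-b
set security policies from-zone trust to-zone untrust policy gvpn-scope match application any
set security policies from-zone trust to-zone untrust policy gvpn-scope then permit tunnel ipsec-group-vpn gvpn
```

The Junos member still rekeys on its own schedule (the 60-seconds-before-expiry behavior noted above) by re-registering with the key server, so traffic continues without the server-initiated rekey. Because the member takes only a single key server, the COOP KS list configured on Cisco members has no counterpart here; the one server address above is all the member knows.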