Group support

IP security supports grouping IKE IDs in a tunnel definition to associate multiple IDs with a single security policy without having to create separate tunnel definitions.

Grouping is especially useful when setting up connections to several remote hosts, because it avoids creating and managing a separate tunnel definition for each one. It also means that when a security policy changes, only the one tunnel definition that references the group needs to be updated.

A group must be defined before its name is used in a tunnel definition. A group is limited to 1 KB in size. On the initiator's side of the negotiation, a group can be used as the remote ID only in data management tunnel definitions. On the responder's side of the negotiation, a group can be used as the remote ID in both key management and data management tunnel definitions.

A group consists of a group name and a list of IKE IDs, each with its ID type. The IDs in a group can all be of one type, or a mix of the following types:

  • IPv4 addresses
  • IPv6 addresses
  • FQDN
  • user@FQDN
  • X.500 distinguished names (DN)

During a Security Association negotiation, the IDs in a group are searched linearly and the first match is used. Matching an ID in the group only selects the security policy that applies to the peer; the ID the peer asserts is still authenticated by the negotiation itself (by the pre-shared key or certificate), so a group entry grants nothing to a peer that cannot prove the identity it claims.
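The following Python model, added here as an illustration and not part of the AIX IP security code, shows the behaviour described above: one ordered group mixing all five ID types, the 1 KB cap, and a linear search that stops at the first match. The page does not state how IDs are compared or how the group size is measured, so the comparison rules (case-insensitive names, canonical IP address form, RDN-by-RDN DN comparison in the order written) and the size measurement (UTF-8 bytes of the member IDs) are assumptions of this model, as is the constructed sample group.

```python
"""Model of IKE ID grouping: mixed ID types, a 1 KB cap and linear
first-match lookup.  Illustrative only; not the AIX implementation."""
import ipaddress
import re

# The documented 1 KB cap.  Counting the UTF-8 bytes of the member IDs
# is an assumption; the page does not say how the size is measured.
GROUP_SIZE_LIMIT = 1024

# Hostname labels per RFC 1123, at least two labels, case-insensitive.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.I,
)


def classify(raw):
    """Return (id_type, canonical_value) for one ID string.

    id_type is one of IPV4, IPV6, FQDN, USER_FQDN, X500DN, the types a
    group may mix.  Canonical forms let equivalent spellings compare equal
    (an assumption of this model, not a documented AIX rule).
    """
    s = raw.strip()
    if "=" in s:  # X.500 DN such as C=US,O=Example,CN=gw1 (escaped commas not handled)
        rdns = []
        for part in s.split(","):
            attr, sep, val = part.partition("=")
            if not sep or not attr.strip() or not val.strip():
                raise ValueError(f"malformed DN: {raw!r}")
            rdns.append((attr.strip().upper(), val.strip().lower()))
        return "X500DN", tuple(rdns)
    if "@" in s:  # user@FQDN
        user, _, host = s.partition("@")
        if not user or not FQDN_RE.match(host):
            raise ValueError(f"malformed user@FQDN: {raw!r}")
        return "USER_FQDN", (user, host.lower())
    try:
        addr = ipaddress.ip_address(s)  # also normalises IPv6 zero runs
    except ValueError:
        pass
    else:
        return ("IPV4" if addr.version == 4 else "IPV6"), str(addr)
    if FQDN_RE.match(s):
        return "FQDN", s.lower()
    raise ValueError(f"unrecognised ID: {raw!r}")


def define_group(name, raw_ids):
    """Build a group: the size check, then an ordered tuple of classified members."""
    size = sum(len(r.encode("utf-8")) for r in raw_ids)
    if size > GROUP_SIZE_LIMIT:
        raise ValueError(f"group {name!r} is {size} bytes, over the 1 KB limit")
    return {"name": name, "members": tuple(classify(r) for r in raw_ids)}


def find_member(group, peer_id):
    """Linear search: index of the first member equal to the peer's asserted
    ID, or -1.  A hit selects the policy for the peer; it authenticates
    nothing.  The asserted ID is only trustworthy once the peer has proved
    it with its PSK or certificate in the same negotiation."""
    wanted = classify(peer_id)
    for i, member in enumerate(group["members"]):
        if member == wanted:
            return i
    return -1


# Constructed sample group mixing all five ID types (not real hosts).
BRANCHES = define_group("branches", [
    "192.0.2.10",
    "2001:db8::1",
    "gw1.example.com",
    "admin@gw2.example.com",
    "C=US,O=Example,CN=gw3",
])

if __name__ == "__main__":
    peers = ["2001:DB8:0:0::1", "GW1.Example.COM",
             "c=US, o=Example, cn=GW3", "gw2.example.com", "203.0.113.7"]
    for peer in peers:
        print(f"{peer:28} -> member index {find_member(BRANCHES, peer)}")
```

Two things the run makes visible: spellings of the same identity match after canonicalisation (an IPv6 address with uncompressed zeros, an FQDN in different case, a DN with extra spaces), and the type is part of the match, so the bare FQDN gw2.example.com does not match the user@FQDN entry that shares its host part.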

Refer to Command-line interface for IKE tunnel configuration for information about defining groups from the command line.