Which two statements about the new deployment are true?

You are asked to deploy a group VPN between various sites associated with your company.
The gateway devices at the remote locations are SRX240 devices. Which two statements
about the new deployment are true? (Choose two.)

A.
The networks at the various sites must use NAT.

B.
The participating endpoints in the group VPN can belong to a chassis cluster.

C.
The networks at the various sites cannot use NAT.

D.
The participating endpoints in the group VPN cannot be part of a chassis cluster.

Show Hint

← Previous question

Next question →

Leave a Reply 6

lsys

C and D are correct

MacAodh

https://www.juniper.net/techpubs/en_US/junos15.1×49-d40/topics/concept/vpn-security-group-limitations-understanding.html

Wrong version of Junos but only because on the 12.1 page they don’t mention the NAT.. Applies regardless

jncip

From AJSEC:

Group VPN Limitations

As with any new feature set, there are some limitations and features that are not yet supported as of
the Junos OS 12.1R1.9 version. The slide outlines the features and functionality that is not currently
supported when using a group VPN.
• A group VPN must be configured in main instance. It is not supported in a non-default
routing instances.
• A group VPN is not supported in a chassis cluster environment. <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
• There is no support for co-operative key servers where two key servers maintain a group
membership state between them and members can simultaneously register to both key
servers.
• Route-based group VPN is not available.
• A group VPN requires globally routable addresses even for hosts behind a VPN Gateway.
Hence, the group VPN solution will not work over the Internet or in NAT environments. <<<<<<<<<<<<<<<<<<<<<<<<<<<
• Simple Network Management Protocol (SNMP) in not currently available with group
VPNs.
• Group VPN configuration and monitoring is not available through the J-Web interface.