SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Add Peer IKE ID to negotiation

    Posted 07-08-2011 08:53

    I need to add a Peer IKE ID to my tunnel.  Not seeing or finding a command to do this, aside from a username having an ike-id set?   On my Sonicwall it's just a checkbox on the VPN Proposal page, "Peer IKE ID", then you can put in the IP, FQDN, etc...  where does this go on the SRX?

     

    Thanks

    Mark



  • 2.  RE: Add Peer IKE ID to negotiation

    Posted 07-08-2011 10:09

    Hi

     

    Here's an option

     

    lab@srx# set security ike gateway gw1 local-identity ?
    Possible completions:
      distinguished-name   Use a distinguished name specified in local certificate
    > hostname             Use a fully-qualified domain name
    > inet                 Use an IPv4 address
    > user-at-hostname     Use an e-mail address

     

    [Edit] And also here, depending on the side

     

    lab@srx# set security ike gateway gw1 dynamic ? 
    Possible completions:
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      connections-limit    Maximum number of users connected to gateway
    > distinguished-name   Use a distinguished name:
      hostname             Use a fully-qualified domain name
      ike-user-type        Type of the IKE ID
      inet                 Use an IPV4 address to identify the dynamic peer
      user-at-hostname     Use an e-mail address

     

    please tell me if this is what you are looking for.



  • 3.  RE: Add Peer IKE ID to negotiation

    Posted 07-08-2011 10:42

    The only thing I wonder now is, it says local-identity... this is the IP the remote side has configured and owns, not my own IKE ID.  Is that the correct field and just a misleading term?

     

    set security ike gateway gw1 local-identity

     

    I hadn't checked after the gw name!  Thanks!  I believe that is it, barring my additional question above.



  • 4.  RE: Add Peer IKE ID to negotiation

    Posted 07-08-2011 10:57

    Hi

    local-identity is your ike id. If you want to connect to someone and specify your
    id, you use this option.

    If you want someone to connect to your srx, you use gateway dynamic [id-type]
    and then he/she specifies local-identity in his/her config.

    Not sure which one is your case.



  • 5.  RE: Add Peer IKE ID to negotiation

    Posted 07-08-2011 11:47

    I don't think either of those...

    I am connecting to someone who has a specific IKE ID on their tunnel, that is different than the gateway I am connecting to.

     

    My SRX ip is 1.1.1.1  (this would actually be my public IP)

    I do not set a local IKE-ID

     

    The VPN Gateway address I am connecting to is 2.2.2.2 (This would actually be the peer public IP)

    The peer IKE ID is 10.10.1.5  (This is actually a private address used here). 

     

    Sometimes a picture is worth 1000 words...

    I've attached a picture of the setting on the Sonicwall VPN, I don't know what they call this on the Cisco side (which is what the peer device is)

     

    Does that help?  The red box is what I need to duplicate on the SRX.  That has a private IP owned by the peer network in it, however it is NOT included in any SAs.

     

    Thanks!

    Mark



  • 6.  RE: Add Peer IKE ID to negotiation

    Posted 07-08-2011 12:10

    I assume your config should be

     

    set security ike gateway gw1 address 2.2.2.2
    set security ike gateway gw1 local-identity inet 10.10.1.5

     

    But not 100% sure.
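    The distinction reply 4 draws (local-identity is the ID you send; the ID you expect from the peer is a separate thing) is easy to get backwards, and the config in reply 6 turns on exactly that point. The following is an added model of the phase-1 identity check, not code from this thread or from Junos: each side sends one ID payload and compares the payload it receives against the peer ID it was configured to expect. Two things in it are my assumptions about the platform rather than anything the thread states: that a `remote-identity` knob exists on the gateway to set the expected peer ID, and that without it the SRX expects the peer to identify as its gateway address. The scenario values (1.1.1.1, 2.2.2.2, 10.10.1.5) are the constructed ones from reply 5, and the peer's own expectation (that the SRX identifies as 1.1.1.1) is likewise assumed.

```python
"""Model of IKE phase-1 identity matching for a site-to-site gateway.

Added illustration only; the knob names mirror the Junos CLI quoted in the
thread, but `remote-identity` and the default-to-gateway-address rule are
assumptions about the platform, not facts taken from this thread.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# ID types listed in the CLI completions quoted in reply 2
ID_TYPES = ("inet", "hostname", "user-at-hostname", "distinguished-name")


@dataclass(frozen=True)
class IkeId:
    kind: str
    value: str

    def __post_init__(self) -> None:
        if self.kind not in ID_TYPES:
            raise ValueError(f"unknown IKE ID type: {self.kind}")


@dataclass
class Gateway:
    """One side's 'security ike gateway' stanza, reduced to the identity knobs."""
    own_address: str                          # this device's public address
    peer_address: str                         # 'address' knob: the peer's public address
    local_identity: Optional[IkeId] = None    # 'local-identity': the ID we send
    remote_identity: Optional[IkeId] = None   # 'remote-identity' (assumed knob): the ID we expect

    def id_sent(self) -> IkeId:
        # Without local-identity, the ID payload carries our own address.
        return self.local_identity or IkeId("inet", self.own_address)

    def id_expected(self) -> IkeId:
        # Without remote-identity, the peer is expected to identify as its gateway address (assumption).
        return self.remote_identity or IkeId("inet", self.peer_address)


def ids_match(expected: IkeId, received: IkeId) -> bool:
    """Type must agree; name-based IDs compare case-insensitively, addresses exactly."""
    if expected.kind != received.kind:
        return False
    if expected.kind in ("hostname", "user-at-hostname"):
        return expected.value.lower() == received.value.lower()
    return expected.value == received.value


def check_identities(a: Gateway, b: Gateway) -> Dict[str, bool]:
    """Report whether each side accepts the ID payload the other side sends."""
    return {
        "a_accepts_b": ids_match(a.id_expected(), b.id_sent()),
        "b_accepts_a": ids_match(b.id_expected(), a.id_sent()),
    }


# Constructed scenario from reply 5: SRX at 1.1.1.1, peer gateway at 2.2.2.2,
# peer presents the private address 10.10.1.5 as its IKE ID and (assumed)
# expects the SRX to identify as 1.1.1.1.
PEER = Gateway(own_address="2.2.2.2", peer_address="1.1.1.1",
               local_identity=IkeId("inet", "10.10.1.5"))

# Reply-6 proposal: set local-identity inet 10.10.1.5 on the SRX.
SRX_LOCAL_ID = Gateway(own_address="1.1.1.1", peer_address="2.2.2.2",
                       local_identity=IkeId("inet", "10.10.1.5"))

# Alternative: leave local-identity alone and state the expected peer ID instead.
SRX_REMOTE_ID = Gateway(own_address="1.1.1.1", peer_address="2.2.2.2",
                        remote_identity=IkeId("inet", "10.10.1.5"))

if __name__ == "__main__":
    for name, srx in (("local-identity", SRX_LOCAL_ID), ("remote-identity", SRX_REMOTE_ID)):
        print(name, check_identities(srx, PEER))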



  • 7.  RE: Add Peer IKE ID to negotiation

    Posted 07-08-2011 12:11

    One way to find out 🙂  That's what I configured, we're going to try a hard swap of firewalls next weekend.   I will save this URL and mark it as the solution if it works out!



  • 8.  RE: Add Peer IKE ID to negotiation

    Posted 05-04-2012 12:20

    So uhh, did it work out?!  I have the exact same problem (Sonicwall to SRX conversion) and some VPNs have specified the peer IKE ID like this....