SRX Services Gateway
Contributor
Markw78
Posts: 49
Registered: ‎01-11-2011
0

Add Peer IKE ID to negotiation

I need to add a Peer IKE ID to my tunnel. Not seeing or finding a command to do this, aside from a username having an ike-id set? On my Sonicwall it's just a checkbox on the VPN Proposal page, "Peer IKE ID", then you can put in the IP, FQDN, etc... Where does this go on the SRX?

Thanks

Mark

Distinguished Expert
pk
Posts: 806
Registered: ‎10-09-2008
0

Re: Add Peer IKE ID to negotiation

[ Edited ]

Hi

Here's an option

lab@srx# set security ike gateway gw1 local-identity ?
Possible completions:
  distinguished-name   Use a distinguished name specified in local certificate
> hostname             Use a fully-qualified domain name
> inet                 Use an IPv4 address
> user-at-hostname     Use an e-mail address

[Edit] And also here, depending on the side

lab@srx# set security ike gateway gw1 dynamic ? 
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  connections-limit    Maximum number of users connected to gateway
> distinguished-name   Use a distinguished name:
  hostname             Use a fully-qualified domain name
  ike-user-type        Type of the IKE ID
  inet                 Use an IPV4 address to identify the dynamic peer
  user-at-hostname     Use an e-mail address

Please tell me if this is what you are looking for.

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
Contributor
Markw78
Posts: 49
Registered: ‎01-11-2011
0

Re: Add Peer IKE ID to negotiation

The only thing I wonder now is, it says local-identity... this is the IP the remote side has configured and owns, not my own IKE ID.  Is that the correct field and just a misleading term?

set security ike gateway gw1 local-identity 

I hadn't checked after the gw name!  Thanks!  I believe that is it, barring my additional question above.

Distinguished Expert
pk
Posts: 806
Registered: ‎10-09-2008
0

Re: Add Peer IKE ID to negotiation

Hi

local-identity is your ike id. If you want to connect to someone and specify your
id, you use this option.

If you want someone to connect to your srx, you use gateway dynamic [id-type]
and then he/she specifies local-identity in his/her config.

Not sure which one is your case.

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
Contributor
Markw78
Posts: 49
Registered: ‎01-11-2011
0

Re: Add Peer IKE ID to negotiation

[ Edited ]

I don't think either of those...

I am connecting to someone who has a specific IKE ID on their tunnel, that is different than the gateway I am connecting to.

My SRX ip is 1.1.1.1  (this would actually be my public IP)

I do not set a local IKE-ID

The VPN Gateway address I am connecting to is 2.2.2.2 (This would actually be the peer public IP)

The peer IKE ID is 10.10.1.5  (This is actually a private address used here). 

Sometimes a picture is worth 1000 words...

I've attached a picture of the setting on the Sonicwall VPN; I don't know what they call this on the Cisco side (which is what the peer device is).

Does that help? The red box is what I need to duplicate on the SRX. That has a private IP owned by the peer network in it; however, it is NOT included in any SAs.

Thanks!

Mark

Distinguished Expert
pk
Posts: 806
Registered: ‎10-09-2008
0

Re: Add Peer IKE ID to negotiation

I assume your config should be

set security ike gateway gw1 address 2.2.2.2
set security ike gateway gw1 local-identity inet 10.10.1.5

But not 100% sure.

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
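Added example, not from the thread, from Juniper or from either poster: the SRX gateway knobs that take an IKE identity, written as Junos set commands for the addresses Mark gives above. The point it separates is the one the thread circles: local-identity is the ID this SRX sends about itself, while the SonicWall "Peer IKE ID" box is a check on what the remote side sends, and on the SRX that check is the remote-identity option under security ike gateway. remote-identity is not on this page and does not appear in pk's "?" output, so before relying on it run "set security ike gateway gw1 ?" on your own release and confirm it is listed. The proposal, policy, interface and pre-shared key are placeholders; the "##" lines are explanation, not configuration to paste.

```junos
## Added example (not from the thread). Initiator side: Mark's SRX at 1.1.1.1
## connecting to a Cisco peer at 2.2.2.2 that presents IKE ID 10.10.1.5.
## ike-prop, ike-pol, ge-0/0/0.0 and the pre-shared key are placeholders.

set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "PLACEHOLDER-PSK"

## Where the peer is reached: its public address, nothing about identity yet.
set security ike gateway gw1 address 2.2.2.2
set security ike gateway gw1 ike-policy ike-pol
set security ike gateway gw1 external-interface ge-0/0/0.0

## What the peer must present as ITS identity (the SonicWall "Peer IKE ID" box).
## This is a check on the remote side: a peer that sends any other ID fails
## Phase 1 even when the pre-shared key matches, so a mismatch here shows up
## as an IKE negotiation failure rather than a traffic problem.
set security ike gateway gw1 remote-identity inet 10.10.1.5

## What THIS SRX presents as its own identity. Left unset it is the address of
## the external interface (1.1.1.1), which matches "I do not set a local IKE-ID".
## Set it only if the peer expects a specific ID from us:
## set security ike gateway gw1 local-identity inet 1.1.1.1

## Responder side (the case pk describes): when the remote peer initiates from
## an address you do not fix in advance, the gateway gets no "address" line and
## the expected peer ID goes under "dynamic" instead, as in pk's "?" output above.
## set security ike gateway gw2 dynamic inet 10.10.1.5
## set security ike gateway gw2 ike-policy ike-pol
## set security ike gateway gw2 external-interface ge-0/0/0.0
```

After commit, "show security ike security-associations detail" lists the local and remote identities actually exchanged for the SA, which is the quickest way to see whether the value the Cisco side sends is the 10.10.1.5 the SonicWall was configured to expect, or the peer's public address instead. The mode (main or aggressive) is left at the Junos default above; match whatever the peer is set to.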
Contributor
Markw78
Posts: 49
Registered: ‎01-11-2011
0

Re: Add Peer IKE ID to negotiation

One way to find out :) That's what I configured; we're going to try a hard swap of firewalls next weekend. I will save this URL and mark it as the solution if it works out!

Visitor
packetflowz
Posts: 4
Registered: ‎05-04-2012
0

Re: Add Peer IKE ID to negotiation

So uhh, did it work out?! I have the exact same problem (Sonicwall to SRX conversion) and some VPNs have specified the peer IKE ID like this....

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.