07-08-2011 08:53 AM
I need to add a Peer IKE ID to my tunnel. Not seeing or finding a command to do this, aside from a username having an ike-id set? On my Sonicwall its just a Checkbox on the VPN Propsal page, "Peer IKE ID" then you can put in the IP, FQDN, etc... where does this go on the SRX?
07-08-2011 10:09 AM - edited 07-08-2011 10:12 AM
Here's an option
lab@srx# set security ike gateway gw1 local-identity ?
distinguished-name Use a distinguished name specified in local certificate
> hostname Use a fully-qualified domain name
> inet Use an IPv4 address
> user-at-hostname Use an e-mail address
[Edit] And also here, depending on the side
lab@srx# set security ike gateway gw1 dynamic ?
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
connections-limit Maximum number of users connected to gateway
> distinguished-name Use a distinguished name:
hostname Use a fully-qualified domain name
ike-user-type Type of the IKE ID
inet Use an IPV4 address to identify the dynamic peer
user-at-hostname Use an e-mail address
please tell me if this is what you are looking for.
07-08-2011 10:41 AM
The only thing I wonder now is, it says local-identity... this is the IP the remote side has configured and owns, not my own IKE ID. Is that the correct field and just a misleading term?
set security ike gateway gw1 local-identity
I hadn't checked after the gw name! Thanks! I believe that is it, barring my additional question above.
07-08-2011 10:57 AM
local-identity is your ike id. If you want to connect to someone and specify your
id, you use this option.
If you want someone to connect to your srx, you use gateway dynamic [id-type]
and then he/she specifies local-identity in his/her config.
Not sure which one is your case.
07-08-2011 11:47 AM - edited 07-08-2011 11:49 AM
I don't think either of those...
I am connecting to someone who has a specific IKE ID on their tunnel, that is different than the gateway I am connecting to.
My SRX ip is 220.127.116.11 (this would actually be my public IP)
I do not set a local IKE-ID
The VPN Gateway address I am connecting to is 18.104.22.168 (This would actually be the peer public IP)
The peer IKE ID is 10.10.1.5 (This is actually a private address used here).
Sometimes a picture is worth 1000 words...
I've attached a picture of the setting on the Sonicwall VPN, I don't know what they call this on the Cisco side (which is what the peer device is)
Does that help? The red box is what I need to duplicate on the SRX. That has a private IP owned by the peer network in it, however it is NOT included in any SA's.
07-08-2011 12:09 PM
I assume your config should be
set security ike gateway gw1 address 22.214.171.124
set security ike gateway gw1 local-identity inet 10.10.1.5
But not 100% sure.