07-08-2011 08:53 AM
I need to add a Peer IKE ID to my tunnel. Not seeing or finding a command to do this, aside from a username having an ike-id set? On my Sonicwall it's just a checkbox on the VPN Proposal page, "Peer IKE ID", then you can put in the IP, FQDN, etc... where does this go on the SRX?
Thanks
Mark
07-08-2011 10:09 AM - edited 07-08-2011 10:12 AM
Hi
Here's an option
lab@srx# set security ike gateway gw1 local-identity ?
Possible completions:
distinguished-name Use a distinguished name specified in local certificate
> hostname Use a fully-qualified domain name
> inet Use an IPv4 address
> user-at-hostname Use an e-mail address
[Edit] And also here, depending on the side
lab@srx# set security ike gateway gw1 dynamic ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
connections-limit Maximum number of users connected to gateway
> distinguished-name Use a distinguished name:
hostname Use a fully-qualified domain name
ike-user-type Type of the IKE ID
inet Use an IPV4 address to identify the dynamic peer
user-at-hostname Use an e-mail address
Please tell me if this is what you are looking for.
07-08-2011 10:41 AM
The only thing I wonder now is, it says local-identity... this is the IP the remote side has configured and owns, not my own IKE ID. Is that the correct field and just a misleading term?
set security ike gateway gw1 local-identity
I hadn't checked after the gw name! Thanks! I believe that is it, barring my additional question above.
07-08-2011 10:57 AM
Hi
local-identity is your IKE ID. If you want to connect to someone and specify your ID, you use this option.
If you want someone to connect to your srx, you use gateway dynamic [id-type]
and then he/she specifies local-identity in his/her config.
Not sure which one is your case.
07-08-2011 11:47 AM - edited 07-08-2011 11:49 AM
I don't think either of those...
I am connecting to someone who has a specific IKE ID on their tunnel, which is different from the gateway I am connecting to.
My SRX ip is 1.1.1.1 (this would actually be my public IP)
I do not set a local IKE-ID
The VPN Gateway address I am connecting to is 2.2.2.2 (This would actually be the peer public IP)
The peer IKE ID is 10.10.1.5 (This is actually a private address used here).
Sometimes a picture is worth 1000 words...
I've attached a picture of the setting on the Sonicwall VPN; I don't know what they call this on the Cisco side (which is what the peer device is).
Does that help? The red box is what I need to duplicate on the SRX. That has a private IP owned by the peer network in it, however it is NOT included in any SAs.
Thanks!
Mark
07-08-2011 12:09 PM
I assume your config should be
set security ike gateway gw1 address 2.2.2.2
set security ike gateway gw1 local-identity inet 10.10.1.5
But not 100% sure.
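For readers landing on this thread later: below is an added configuration example, not posted by anyone in this thread, for the scenario described above (SRX public address 1.1.1.1, peer gateway 2.2.2.2, peer asserting IKE ID 10.10.1.5). In Junos, local-identity is the ID the SRX sends about itself, while the ID the SRX requires the peer to present (the SonicWall "Peer IKE ID" box) is configured with remote-identity under the same gateway. The interface name, proposal and policy names, algorithms and the pre-shared-key value are assumptions; lines starting with # are explanatory and not commands.

```junos
# Added example (not from this thread). Assumed names: ike-prop1, ike-pol1,
# gw1, ge-0/0/0.0; placeholder PSK. Addresses are the thread's sample values.

# Phase 1 proposal and policy (algorithms assumed; they must match the peer)
set security ike proposal ike-prop1 authentication-method pre-shared-keys
set security ike proposal ike-prop1 dh-group group2
set security ike proposal ike-prop1 authentication-algorithm sha1
set security ike proposal ike-prop1 encryption-algorithm aes-128-cbc
set security ike policy ike-pol1 mode main
set security ike policy ike-pol1 proposals ike-prop1
set security ike policy ike-pol1 pre-shared-key ascii-text "REPLACE-WITH-SHARED-SECRET"

# Gateway: 'address' is where IKE packets are sent, 'local-identity' is the
# ID this SRX presents, and 'remote-identity' is the ID the peer must present.
# If the peer sends any other ID, Phase 1 fails instead of silently matching.
set security ike gateway gw1 ike-policy ike-pol1
set security ike gateway gw1 address 2.2.2.2
set security ike gateway gw1 external-interface ge-0/0/0.0
set security ike gateway gw1 local-identity inet 1.1.1.1
set security ike gateway gw1 remote-identity inet 10.10.1.5
```

The identity type after remote-identity must match what the peer actually sends: inet for an IPv4 address, hostname for an FQDN, user-at-hostname for an e-mail style ID, or distinguished-name for a certificate subject, the same set of types shown in the help output earlier in this thread. After commit, `show security ike security-associations` shows whether Phase 1 to 2.2.2.2 came up; a peer ID mismatch shows up as a Phase 1 failure, which is the intended behaviour, since the ID check is what stops a different host at the same address from completing the exchange.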
07-08-2011 12:11 PM
One way to find out
That's what I configured; we're going to try a hard swap of firewalls next weekend. I will save this URL and mark it as the solution if it works out!
05-04-2012 12:20 PM
So uhh, did it work out?! I have the exact same problem (Sonicwall to SRX conversion) and some VPNs have specified the peer IKE ID like this....