SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX Dynamic IPSec VPN Questions

    Posted 08-08-2014 10:58

    Hello Everyone,


    I have successfully configured a Dynamic VPN in my SRX 550 but I have some questions I want to ask.


    This is supposed to be an IPSec Dynamic VPN so why when we authenticate against the SRX we do not use the IKE Preshared Key? I mean I only have to enter the XAUTH user and password information but never the preshared key.

    So how does that work? Where is the device authentication in phase 1 in here?


    And the last question goes as follows: is it possible to have more than 1 user having different IP address assignments? I believe the answer is no as I have tried but the config never works, as you can only have one access profile for firewall authentication and XAUTH authentication AND you can only have one IP subnet per access profile.

    Am I right?


    Regards


    Jcarvaja

    CCIE,2-CCNP, JNCIS-SEC



  • 2.  RE: SRX Dynamic IPSec VPN Questions

    Posted 08-08-2014 19:19

    Hello,


    Phase 1 authentication is still via Pre-Shared-Key only, and the username/password that you enter is for XAuth.


    And for the second question, why would you want to assign the same user an IP from two subnets? I don't think it's possible.


    Regards

    Sarab



  • 3.  RE: SRX Dynamic IPSec VPN Questions
    Best Answer

    Posted 08-08-2014 22:04

    Hi Jcarvaja,

    Preshared key and other related configuration are downloaded by the client after first authentication.


    When setting up the Dynamic VPN connection for the first time, the user needs to login twice.

    From the second connection onwards, the user will only be prompted for the second authentication.

    The reason for this is that the first time that a VPN connection is made, the VPN client configuration parameters like the preshared key, including a unique token, will be downloaded from the SRX device.

    From the second connection onwards the token will be used instead of the first authentication. This means that the user is then only requested to provide credentials once, using the credentials from the access profile configured under security ike gateway.

    The answer to the second question is no.

    Only one subnet can be configured for all the remote users.

    Regards
    rparthi
