SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VPN local & remote identity

    Posted 07-22-2017 04:15

    Local & remote identity are used to specify the IKE-ID as FQDN, UFQDN, DN, or IP address.

    My question: why, under edit security IKE gateway, is there both a Dynamic option and a Remote identity option?

    I see that both of them do the same function: specify the remote IKE-ID as FQDN or UFQDN or IP or DN.



  • 2.  RE: VPN local & remote identity
    Best Answer



  • 3.  RE: VPN local & remote identity

    Posted 07-24-2017 00:51

    I have the articles, but I still find remote identity and dynamic confusing because both of them do the same function.



  • 4.  RE: VPN local & remote identity

    Posted 07-24-2017 12:01

    Understood. The key is that they are used for producing the similar result, namely for IDentifying the remote peer but in different scenarios. I have capitalized some keywords just for emphasis.
    This use case is Remote IKE IDs for=====>>> "Site-to-Site VPNs"
    In this scenario, IKE identity DOES NOT HAVE to be CONFIGURED
    In certain network setups, the IKE ID RECEIVED from the peer (which can be an IPv4 or IPv6 address, fully qualified domain name [FQDN], distinguished name, or e-mail address) DOES NOT MATCH the IKE gateway CONFIGURED on the SRX Series device. This can lead to a Phase 1 validation failure.
    By default, the IKE identity that the SRX USES is the IP ADDRESS CONFIGURED for the IKE gateway.

    This use case is Remote IKE IDs for =====>>> "Dynamic endpoint VPNs" a.k.a Remote Access Users
    On the dynamic endpoint, an IKE identity MUST BE CONFIGURED for the device to identify itself to its peer. No IP address is configured since it would not be known and could change at any time, seeing as the client is using DHCP, so you basically tell the SRX: do not expect an IP as the peer IKE ID, but expect something else.
    By default, the SRX Series device expects the IKE identity to be one of the following: DN, FQDN, UFQDN.
    Flexibility to support shared IKE ID or individual IKE ID for Remote access clients.

    If you read over the information, say, a couple more times, in the first link under these two sub-headings, it will become very clear. As you will observe, it is what is expected from the peer, based on the type of VPN, and what configuration can be used to override that expectation.
    Here is a local analogy. Your driver's license and passport are means of identifying you. When the police pull you over for whatever reason, the expected ID is a state driver's license, which allows you to drive legally (travelling). If, say, you are a foreigner and just arrived with your country's DL, then to override that expectation you have to provide your passport or I-94 form (speaking from experience :)). On the other hand, when entering a foreign country you are expected to provide the passport for ID when you are travelling to a foreign country. Don't know what the override would be in this case :)
    https://www.juniper.net/documentation/en_US/junos/topics/concept/security-vpn-ike-identity-understanding.html
    Remote IKE IDs and Site-to-Site VPNs
    Remote IKE IDs and Dynamic Endpoint VPNs
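    To make the two cases concrete, here is an added configuration example (not from the original posts or from Juniper's documentation) showing both gateways side by side in Junos hierarchical format. Names, addresses and the pre-shared key are constructed placeholders; the `/* */` lines are annotations, not CLI input.

    ```junos
    security {
        ike {
            policy IKE-POL {
                proposal-set standard;
                /* constructed placeholder, replace before use */
                pre-shared-key ascii-text "REPLACE-WITH-REAL-PSK";
            }
            /* Site-to-site: the peer has a fixed address, so 'address' stays.
               By default the SRX expects the peer's IKE ID to be that address.
               If the peer instead sends an FQDN as its ID, Phase 1 validation
               fails until 'remote-identity' overrides the expected ID. */
            gateway GW-SITE-A {
                ike-policy IKE-POL;
                address 203.0.113.10;
                remote-identity hostname peer-a.example.net;
                local-identity hostname hub.example.net;
                external-interface ge-0/0/0.0;
                version v2-only;
            }
            /* Dynamic endpoint (remote access): no peer address is known, so
               'dynamic' replaces 'address' entirely and the FQDN under it is
               the only thing the SRX matches the peer's IKE ID against. */
            gateway GW-DYN {
                ike-policy IKE-POL;
                dynamic {
                    hostname branch-1.example.net;
                }
                local-identity hostname hub.example.net;
                external-interface ge-0/0/0.0;
                version v2-only;
            }
        }
    }
    ```

    The difference is structural: `remote-identity` is an override added on top of a static `address`, while `dynamic` takes the place of `address` when the peer's IP cannot be configured at all.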



  • 5.  RE: VPN local & remote identity

    Posted 08-14-2019 05:10

    I am having a problem configuring the FQDN. It pops up and says:

    SRX 300

    Error(s):
    'address'

    1) Unable to parse gateway address 0
    2) configuration check-out failed.

    I tried to set the FQDN but it failed. I did try in the CLI editor, no good!

    Any advice?



  • 6.  RE: VPN local & remote identity

    Posted 08-14-2019 15:28
    You are talking about using FQDNs for "gateway address", and this post was referring to the use of FQDNs for IKE-IDs. Please open a new thread and we will gladly help you.