With dynamic VPN, a unique Internet Key Exchange (IKE) ID is used for each user connection. When there are a large number of users who need to access the VPN, configuring an individual IKE gateway, IPsec VPN, and a security policy for each user can be cumbersome. The group IKE ID and shared IKE ID features allow a number of users to share an IKE gateway configuration, thus reducing the number of VPN configurations required.
Note: We recommend that you configure group IKE IDs for dynamic VPN deployments because group IKE IDs provide a unique preshared key and IKE ID for each user.
Group IKE IDs
When group IKE IDs are configured, the IKE ID of each user is a concatenation of a user-specific part and a part that is common to all group IKE ID users. For example, the user Bob might use ”Bob.juniper.net“ as his full IKE ID, where ”.juniper.net“ is common to all users. The full IKE ID is used to uniquely identify each user connection.
Although group IKE IDs do not require XAuth, XAuth is required by dynamic VPN to retrieve network attributes like client IP addresses. A warning is displayed if XAuth is not configured for a dynamic VPN that uses group IKE IDs.
Note: We recommend that users use the same credentials for both WebAuth and XAuth authentication when group IKE IDs are configured.
Multiple users can use the same group IKE ID, but a single user cannot use the same group IKE ID for different connections. If a user needs to have connections from different remote clients, they need to have different group IKE IDs configured, one for each connection. If a user only has one group IKE ID configured and attempts a second connection from another PC, the first connection will be terminated to allow the second connection to go through.
To configure a group IKE ID:
- Configure ike-user-type group-ike-id at the [edit security ike gateway gateway-name dynamic] hierarchy level.
- Configure the hostname configuration statement at the [edit security ike gateway gateway-name dynamic] hierarchy level. This configuration is the common part of the full IKE ID for all users.
- Configure the pre-shared-key configuration statement at the [edit security ike policy policy-name] hierarchy level. The configured preshared key is used to generate the actual preshared key.
Shared IKE IDs
When a shared IKE ID is configured, all users share a single IKE ID and a single IKE preshared key. Each user is authenticated through the mandatory XAuth phase, where the credentials of individual users are verified either with an external RADIUS server or with a local access database. XAuth is required for shared IKE IDs.
The XAuth user name together with the configured shared IKE ID is used to distinguish between different user connections. Because the user name is used to identify each user connection, both the WebAuth user name and XAuth user name must be the same.
Multiple users can use the same shared IKE ID, but a single user cannot use the same shared IKE ID for different connections. If a user needs to have connections from different remote clients, they need to have different shared IKE IDs configured, one for each connection. If a user has only one shared IKE ID configured and attempts a second connection from another client, the first connection will be terminated to allow the second connection to go through. Also, because the user name is needed to identify each user connection along with the IKE ID, the user must use the same credentials for both WebAuth and XAuth authentication.
To configure a shared IKE ID:
- Configure ike-user-type shared-ike-id at the [edit security ike gateway gateway-name dynamic] hierarchy level.
- Configure the hostname configuration statement at the [edit security ike gateway gateway-name dynamic] hierarchy level. The configured hostname is shared by all users configured in the dynamic VPN access profile.
- Configure the pre-shared-key configuration statement at the [edit security ike policy policy-name] hierarchy level. The configured preshared key is shared by all users configured in the dynamic VPN access profile.
for ref: http://www.getgreennetworking.com/techpubs/en_US/junos11.1/information-products/topic-collections/security/software-all/security/index.html?topic-54649.html
thanks,
raheel