SRX Services Gateway

SRX Dynamic IPSec VPN Questions

‎08-08-2014 10:57 AM

Hello Everyone,


I have successfully configured a Dynamic VPN on my SRX 550, but I have some questions I want to ask.


This is supposed to be an IPSec Dynamic VPN, so why do we not use the IKE preshared key when we authenticate against the SRX? I mean, I only have to enter the XAUTH user and password information, but never the preshared key.

So how does that work? Where is the device authentication in phase 1 in here?


And the last question goes as follows: is it possible to have more than 1 user having different IP address assignments? I believe the answer is no, as I have tried but the config never works, since you can only have one access profile for firewall authentication and XAUTH authentication AND you can only have one IP subnet per access profile.

Am I right?







Re: SRX Dynamic IPSec VPN Questions

‎08-08-2014 07:19 PM



Phase 1 authentication is still via Pre-Shared-Key only, and the username/password that you enter is for XAuth.


And for the second question, why would you want to assign the same user an IP from two subnets? I don't think it's possible.




Accepted by topic author Jcarvaja
‎08-26-2015 01:27 AM

Re: SRX Dynamic IPSec VPN Questions

‎08-08-2014 10:04 PM

Hi Jcarvaja,

Preshared key and other related configuration are downloaded by the client after first authentication.

When setting up the Dynamic VPN connection for the first time, the user needs to login twice.

From the second connection onwards, the user will only be prompted for the second authentication.

The reason for this is that the first time that a VPN connection is made, the VPN client configuration parameters like preshared key, including a unique token, will be downloaded from the SRX device.

From the second connection onwards the token will be used instead of the first authentication. This means that the user is then only requested to provide credentials once, using the credentials from the access profile configured under security ike gateway.

The answer to the second question is no.

Only one subnet can be configured for all the remote users.

