SRX Services Gateway
SRX Services Gateway

VPN local & remote identity

‎07-22-2017 04:15 AM

Local & remote identity are used to specify the IKE ID as FQDN, UFQDN, DN or IP address.

 

My question: why, under edit security ike gateway, are there both a Dynamic option and a Remote identity option?

 

I see that both of them do the same function: specify the remote IKE ID as FQDN, UFQDN, IP or DN.

Solution
Accepted by topic author AhmedMohamed
‎07-24-2017 12:51 AM

Re: VPN local & remote identity

‎07-23-2017 11:24 PM

Re: VPN local & remote identity

‎07-24-2017 12:51 AM

I have the articles, but I still find remote identity and dynamic confusing because both of them do the same function.


Re: VPN local & remote identity

‎07-24-2017 12:00 PM

Understood. The key is that they are used for producing a similar result, namely for IDentifying the remote peer, but in different scenarios. I have capitalized some keywords just for emphasis.

This use case is Remote IKE IDs for =====>>> "Site-to-Site VPNs"
In this scenario, IKE identity DOES NOT HAVE to be CONFIGURED.
In certain network setups, the IKE ID RECEIVED from the peer (which can be an IPv4 or IPv6 address, fully qualified domain name [FQDN], distinguished name, or e-mail address) DOES NOT MATCH the IKE gateway CONFIGURED on the SRX Series device. This can lead to a Phase 1 validation failure.
By default, the IKE identity that the SRX USES is the IP ADDRESS CONFIGURED for the IKE gateway.

This use case is Remote IKE IDs for =====>>> "Dynamic endpoint VPNs" a.k.a. Remote Access Users
On the dynamic endpoint, an IKE identity MUST BE CONFIGURED for the device to identify itself to its peer. No IP address is configured, since it would not be known and could change at any time, seeing as the client is using DHCP, so you basically tell the SRX: do not expect an IP as the peer IKE ID, but expect something else.
By default, the SRX Series device expects the IKE identity to be one of the following: DN, FQDN, UFQDN.
Flexibility to support a shared IKE ID or an individual IKE ID for remote access clients.

If you read over the information, say, a couple more times, in the first link under these two sub-headings, it will become very clear. As you will observe, it is what is expected from the peer, based on the type of VPN, and what configuration can be used to override that expectation.
Here is a local analogy. Your driver's license and passport are means of identifying you. When the police pull you over for whatever reason, the expected ID is a State driver's license, which allows you to drive legally (travelling). If, say, you are a foreigner and just arrived with your country's DL, then to override that expectation you have to provide your passport or I-94 form (speaking from experience). On the other hand, when entering a foreign country you are expected to provide the passport for ID. Don't know what the override would be in this case.
https://www.juniper.net/documentation/en_US/junos/topics/concept/security-vpn-ike-identity-understan...
Remote IKE IDs and Site-to-Site VPNs
Remote IKE IDs and Dynamic Endpoint VPNs

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
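To make the distinction in the answer above concrete, here are the two gateway styles in Junos set-command form. This is an added illustration, not configuration from the thread or from Juniper's documentation; the gateway names, policy name, addresses, hostnames and interface are placeholders, and the `#` lines are annotations rather than commands.

```junos
# Site-to-site: the peer has a fixed address, so 'address' takes an IP.
# By default the SRX expects that IP as the peer's IKE ID; 'remote-identity'
# only OVERRIDES that expectation when the peer presents something else
# (for example an FQDN because it sits behind NAT). 'local-identity' sets
# what this SRX presents to the peer.
set security ike gateway gw-site ike-policy ike-pol-1
set security ike gateway gw-site address 203.0.113.10
set security ike gateway gw-site external-interface ge-0/0/0.0
set security ike gateway gw-site remote-identity hostname peer.example.net
set security ike gateway gw-site local-identity hostname srx.example.net

# Dynamic endpoint (remote access): no peer address can be configured, so
# 'dynamic' replaces 'address' and tells the SRX which IKE ID to expect
# instead of an IP. shared-ike-id lets many clients share one identity;
# omit it when each client has its own.
set security ike gateway gw-remote ike-policy ike-pol-1
set security ike gateway gw-remote dynamic hostname client.example.net
set security ike gateway gw-remote dynamic ike-user-type shared-ike-id
set security ike gateway gw-remote external-interface ge-0/0/0.0

# After commit, check Phase 1 state per gateway to confirm the peer's
# IKE ID was accepted rather than rejected at validation.
run show security ike security-associations detail
```

Note that `address` accepts only an IP address; putting an FQDN there is a different thing from using an FQDN as the IKE ID, which is the confusion raised later in this thread.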

Re: VPN local & remote identity

2 weeks ago

I am having a problem configuring the FQDN. It pops up and says:

SRX 300

Error(s):
'address'

1) Unable to parse gateway address 0
2) configuration check-out failed.

 

I tried to set the FQDN but it failed. I also tried in the CLI editor. No good!

 

Any advice?


Re: VPN local & remote identity

2 weeks ago
 
You are talking about using FQDNs for "gateway address", and this post was referring to the use of FQDNs for IKE IDs. Please open a new thread and we will gladly help you.
 
Please mark this comment as the Solution if applicable