SRX Services Gateway
SRX Services Gateway

'dynamic' Missing dynamic hostname for IKE gateway

‎05-11-2015 10:06 AM

Hi all,


I have a working Dynamic VPN configuration. However, when I commit the configuration I receive the following warning and I'm trying to determine how to make it go away:


    Missing dynamic hostname for IKE gateway ike-gate-dynvpn for ipsec_vpn dyn-vpn
commit complete

This is the IKE gateway config in question, it appears that 'hostname' and 'user-at-hostname' are mutually exclusive, however what I am connecting with requires that I use a User-FQDN (user-at-hostname) so I have to configure that in the IKE policy. The warning above appears to me like it's not finding an option it's expecting 'hostname', but since the configuration works I feel it's extraneous.


gateway ike-gate-dynvpn { 
ike-policy ike-pol-dynvpn;
dynamic {
user-at-hostname "";
connections-limit 10;
ike-user-type shared-ike-id;
dead-peer-detection {
interval 60;
threshold 2;
nat-keepalive 5;
external-interface fe-0/0/0.0;
xauth access-profile dynvpn-user;


SRX Services Gateway
Accepted by topic author mgarrido
‎08-26-2015 01:27 AM

Re: 'dynamic' Missing dynamic hostname for IKE gateway

‎05-11-2015 10:46 AM
This is not supported for dynamic VPNs. Please refer
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
SRX Services Gateway

Re: 'dynamic' Missing dynamic hostname for IKE gateway

[ Edited ]
‎05-11-2015 10:48 AM

I missed that, and that explains the message then.


Odd, I wonder why it isn't supported.




For anyone else trying to use Avaya VPN phones to the SRX, this configuration works, even if not supported, and is recommended by Avaya in this document: Application Notes for Site-to-Site VPN Tunnel using Juniper Networks SRX210 Services Gateway to support Avaya Aura® Communication Manager – Issue 1.0


I'm leaving it as-is for now since it is a working config, albeit finding out why it's not supported would be educational and of interest - if anyone knows it would be appreciated.