Pre-shared key + EAP on IKEv2 is it possible and how? Help needed.

‎05-13-2019 03:04 AM

Hi gurus,

First, I want to remark that I am a newbie with Juniper.

But I have a task that I should execute. For testing purposes I should create configurations on vSRX that represent Dial-up to LAN configurations: a vSRX router that has 2 ports. The first port is connected to a real address. The second port is connected to the internal network. Individual clients connect via the real address (first port) and after authentication they receive their own IP address. From that IP address an IPSec tunnel is established to the internal network (second port).

So here are the configurations:

IKEv1

1. Pre-shared key + XAuth (local)

2. RSA + XAuth (Radius server)

IKEv2

3. Pre-shared-key + EAP

4. RSA + EAP (Radius server)

After many tries, I managed to create 1, 2, and 4. But I am not able to create the configuration from point 3 - Pre-shared-key + EAP (local or Radius).

When I set the IKE version to 2 ("v2_only"), I got:

##
## Warning: When dynamic ike-user-type is configured, IKEv2 with authentication-method pre-shared-key is not allowed
##

And when I remove "ike-user-type" from the gateway, I got:

##
## Warning: DEP is not allowed with AAA access profile.
##

But with the removal of "AAA" from the gateway, I do not know how to set up authentication of the user and what IP is to be assigned to it.

I saw that Dialup tunnels are not supported with IKEv2 on Juniper. So that raises the question: is that configuration even possible - PSK + XAuth with IKEv2 on Juniper?