Local and remote identity are used to specify the IKE ID as FQDN, UFQDN, DN, or IP address.
My question: why, under edit security ike gateway, is there both a "dynamic" option and a "remote-identity" option?
I see that both of them do the same thing: specify the remote IKE ID as FQDN, UFQDN, IP, or DN.
These articles explain:
https://www.juniper.net/documentation/en_US/junos/topics/concept/security-vpn-ike-identity-understanding.html
https://www.juniper.net/documentation/en_US/junos/topics/concept/ipsec-vpn-dynamic-endpoint-understanding.html
I have the articles, but I still find remote-identity and dynamic confusing because both of them do the same thing.
Understood. The key is that they are used for producing a similar result, namely IDentifying the remote peer, but in different scenarios. I have capitalized some keywords just for emphasis.

This use case is Remote IKE IDs for =====>>> "Site-to-Site VPNs"
In this scenario, IKE identity DOES NOT HAVE to be CONFIGURED. In certain network setups, the IKE ID RECEIVED from the peer (which can be an IPv4 or IPv6 address, fully qualified domain name [FQDN], distinguished name, or e-mail address) DOES NOT MATCH the IKE gateway CONFIGURED on the SRX Series device. This can lead to a Phase 1 validation failure. By default, the IKE identity that the SRX USES is the IP ADDRESS CONFIGURED for the IKE gateway.

This use case is Remote IKE IDs for =====>>> "Dynamic endpoint VPNs" a.k.a. Remote Access Users
On the dynamic endpoint, an IKE identity MUST BE CONFIGURED for the device to identify itself to its peer. No IP address is configured, since it would not be known and could change at any time, seeing as the client is using DHCP, so you basically tell the SRX: do not expect an IP as the peer IKE ID, but expect something else. By default, the SRX Series device expects the IKE identity to be one of the following: DN, FQDN, UFQDN - flexibility to support a shared IKE ID or individual IKE IDs for remote access clients.

If you read over the information, say, a couple more times, in the first link under these two sub-headings, it will become very clear. As you will observe, it is what is expected from the peer, based on the type of VPN, and what configuration can be used to override that expectation.

Here is a local analogy. Your driver's license and passport are means of identifying you. When the police pull you over for whatever reason, the expected ID is a state driver's license, which allows you to drive legally (travelling). If, say, you are a foreigner and just arrived with your country's DL, then to override that expectation you have to provide your passport or I-94 form (speaking from experience :)). On the other hand, when entering a foreign country you are expected to provide the passport for ID when you are travelling to a foreign country. Don't know what the override would be in this case :)

https://www.juniper.net/documentation/en_US/junos/topics/concept/security-vpn-ike-identity-understanding.html
- Remote IKE IDs and Site-to-Site VPNs
- Remote IKE IDs and Dynamic Endpoint VPNs
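The two scenarios from the answer above, written out as Junos set commands side by side. This is an added example, not configuration from the thread or from Juniper's documentation; the gateway, policy and proposal names, the addresses, hostnames and proposal algorithms are all assumptions, and the pre-shared key is a placeholder.

```junos
## Shared IKE proposal (assumed algorithm choices)
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc

## Scenario 1: site-to-site VPN, peer has a known static address.
## The SRX expects the peer's IKE ID to be that address by default.
set security ike policy ike-pol-s2s mode main
set security ike policy ike-pol-s2s proposals ike-prop
set security ike policy ike-pol-s2s pre-shared-key ascii-text "PLACEHOLDER-PSK"
set security ike gateway gw-s2s ike-policy ike-pol-s2s
set security ike gateway gw-s2s external-interface ge-0/0/0.0
## 'address' takes the peer's IP (203.0.113.10 is a documentation address)
set security ike gateway gw-s2s address 203.0.113.10
## Override: the peer sends an FQDN as its IKE ID (for example because it
## sits behind NAT), so tell the SRX to expect that instead of the IP.
set security ike gateway gw-s2s remote-identity hostname peer.example.com

## Scenario 2: dynamic endpoint / remote access, peer address unknown.
## No 'address' statement at all; 'dynamic' replaces it and names the
## identity type and value the SRX should expect from the peer.
set security ike policy ike-pol-dyn mode aggressive
set security ike policy ike-pol-dyn proposals ike-prop
set security ike policy ike-pol-dyn pre-shared-key ascii-text "PLACEHOLDER-PSK"
set security ike gateway gw-dyn ike-policy ike-pol-dyn
set security ike gateway gw-dyn external-interface ge-0/0/0.0
set security ike gateway gw-dyn dynamic hostname remote.example.com
## Shared IKE ID: several remote users may present the same hostname
set security ike gateway gw-dyn dynamic ike-user-type shared-ike-id
## The SRX's own IKE ID sent to the peer (optional; defaults to its IP)
set security ike gateway gw-dyn local-identity hostname hub.example.com
```

In short, remote-identity sits beside a configured peer address and overrides what ID is expected from that known peer, while dynamic stands in for the address when the peer's IP is not known in advance; the two are not used together on the same gateway.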
I am having a problem configuring the FQDN. It pops up and says:
1) Unable to parse gateway address
2) configuration check-out failed.
I tried to set the FQDN but it failed. I did try in the CLI editor... no good!