SRX


The use of general-ikeid

  • 1.  The use of general-ikeid

    Posted 07-22-2020 05:42

    Hello,

     

    I have been setting up advpn as part of a deployment using ecdsa-signatures-256. Root CA and Local Certificate are successfully loaded onto the box.

     

    Using the documentation: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-auto-discovery-vpns.html

     

    I was trying to use the following to bring up the tunnel, referencing the OU inside the local certs.

    Hub:

    set security ike gateway PARTNER_GW local-identity distinguished-name
    set security ike gateway PARTNER_GW remote-identity distinguished-name container OU=Sales
     
    Spoke:
    set security ike gateway PARTNER_GW local-identity distinguished-name
    set security ike gateway PARTNER_GW remote-identity distinguished-name container OU=Sales
     
    However, I had no luck. I then removed the remote-identity configuration on the spoke and added
    set security ike gateway PARTNER_GW general-ikeid
     
    The tunnel then came up. What are the risks/drawbacks of using this, and will this affect the ADVPN setup as I add more spokes? Basically, I am just trying to understand what general-ikeid does in some level of detail.
     
    Thanks.

    #SRX
    #advpn


  • 2.  RE: The use of general-ikeid

    Posted 07-22-2020 05:47

    Hello Elliott,

     

    The answer which you are looking for is explained in this KB article - https://kb.juniper.net/InfoCenter/index?page=content&id=KB27302



  • 3.  RE: The use of general-ikeid

    Posted 07-27-2020 04:59

    Just to clarify, will general-ikeid bypass IKE-ID validation against the received ID Payload?

    It won't bypass certificate authentication completely, will it?

     

     



  • 4.  RE: The use of general-ikeid
    Best Answer

    Posted 07-27-2020 07:57

    Hi Elliott,

     

    You are right. When general-ikeid is used, it only bypasses the IKE-ID validation against the received ID Payload; certificate authentication won't be bypassed.
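The distinction the best answer draws, as an added illustration that is not Junos code and not part of this thread: certificate authentication (does the peer's certificate chain to the loaded Root CA?) is one check, and IKE-ID validation (does the peer's distinguished name match the configured remote-identity container, such as OU=Sales?) is a second check that general-ikeid skips. The names PeerCert, TRUSTED_CA, parse_dn and the sample peers are constructed, and the container-match rule is modelled in a simplified way (the configured RDNs must appear in the peer's subject DN in the same relative order), which is an assumption rather than a statement of how Junos implements the match.

```python
"""Simplified model of the two peer checks the thread distinguishes.

Constructed illustration for this thread, not Junos code: it separates
(1) certificate authentication, which general-ikeid leaves in place, from
(2) IKE-ID validation of the peer's distinguished name, which general-ikeid
skips. Names such as PeerCert, TRUSTED_CA and parse_dn are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

RDN = Tuple[str, str]

# Constructed stand-in for the Root CA loaded on the SRX in the question.
TRUSTED_CA = "Example-Root-CA"


@dataclass(frozen=True)
class PeerCert:
    """Minimal view of what the peer presents during IKE (constructed)."""
    subject_dn: str               # e.g. "CN=spoke1,OU=Sales,O=Example"
    issuer: str                   # CA that signed the certificate
    signature_valid: bool = True  # stands in for the chain/signature check


def parse_dn(dn: str) -> List[RDN]:
    """Split 'CN=a,OU=b' into ordered (attribute, value) pairs; quoting is not modelled."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.upper(), value))
    return rdns


def certificate_authenticates(cert: PeerCert) -> bool:
    """Check 1: the certificate must verify and chain to the trusted CA."""
    return cert.signature_valid and cert.issuer == TRUSTED_CA


def dn_contains_container(subject_dn: str, container: str) -> bool:
    """Model of 'remote-identity distinguished-name container <string>':
    every RDN in the container must appear in the peer's subject DN, in the
    same relative order (assumption: a simplified reading of the match rule)."""
    subject = parse_dn(subject_dn)
    wanted = parse_dn(container)
    pos = 0
    for rdn in wanted:
        while pos < len(subject) and subject[pos] != rdn:
            pos += 1
        if pos == len(subject):
            return False
        pos += 1
    return True


def ike_id_accepted(cert: PeerCert, container: str, general_ikeid: bool) -> bool:
    """Check 2: IKE-ID validation. With general-ikeid any ID payload is accepted."""
    if general_ikeid:
        return True
    return dn_contains_container(cert.subject_dn, container)


def peer_accepted(cert: PeerCert, container: str, general_ikeid: bool) -> bool:
    """Both checks must pass for the gateway to proceed with the peer."""
    return certificate_authenticates(cert) and ike_id_accepted(cert, container, general_ikeid)


if __name__ == "__main__":
    # Constructed sample peers: a Sales spoke, a spoke from another OU under
    # the same CA, and a certificate from a CA the SRX does not trust.
    sales = PeerCert("CN=spoke1,OU=Sales,O=Example", TRUSTED_CA)
    engineering = PeerCert("CN=spoke9,OU=Engineering,O=Example", TRUSTED_CA)
    untrusted = PeerCert("CN=spoke1,OU=Sales,O=Example", "Some-Other-CA")
    for label, cert in [("sales", sales), ("engineering", engineering), ("untrusted CA", untrusted)]:
        strict = peer_accepted(cert, "OU=Sales", general_ikeid=False)
        loose = peer_accepted(cert, "OU=Sales", general_ikeid=True)
        print(f"{label:13} container-match={strict!s:5} general-ikeid={loose}")
```

Running the model shows the practical consequence of the answer above: with general-ikeid, every certificate issued by the trusted CA brings the tunnel up regardless of which OU or CN it carries, so the CA's issuance scope becomes the effective access control for the hub. The untrusted-CA peer is still rejected either way, which is the part the best answer says is not bypassed.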