
The use of general-ikeid

  • 1.  The use of general-ikeid

    Posted 07-22-2020 05:42

    Hello,

     

    I have been setting up advpn as part of a deployment using ecdsa-signatures-256. Root CA and Local Certificate are successfully loaded onto the box.

     

    Using the documentation: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-auto-discovery-vpns.html

     

    I was trying to use the following to bring up the tunnel, referencing the OU inside the local certs.

    Hub:

    set security ike gateway PARTNER_GW local-identity distinguished-name
    set security ike gateway PARTNER_GW remote-identity distinguished-name container OU=Sales
     
    Spoke:
    set security ike gateway PARTNER_GW local-identity distinguished-name
    set security ike gateway PARTNER_GW remote-identity distinguished-name container OU=Sales
     
    However, I had no luck. I then removed the remote-identity configuration on the spoke and added
    set security ike gateway PARTNER_GW general-ikeid
     
    The tunnel then came up. What are the risks/drawbacks of using this, and will this affect the ADVPN setup as I add more spokes? Basically I am just trying to understand what general-ikeid does in some level of detail.
     
    Thanks.

    #SRX
    #advpn


  • 2.  RE: The use of general-ikeid

    Posted 07-22-2020 05:47

    Hello Elliott,

     

    The answer which you are looking for is explained in this KB article - https://kb.juniper.net/InfoCenter/index?page=content&id=KB27302



  • 3.  RE: The use of general-ikeid

    Posted 07-27-2020 04:59

    Just to clarify, does general-ikeid bypass IKE-ID validation against the received ID payload?

    It will not bypass certificate authentication completely, will it?

     

     



  • 4.  RE: The use of general-ikeid
    Best Answer

    Posted 07-27-2020 07:57

    Hi Elliott,

     

    You are right. When general-ikeid is used, it only bypasses the IKE-ID validation against the received ID payload; certificate authentication is not bypassed.
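Editor's added example, not configuration from the thread or from Juniper's documentation: a hub-side Junos snippet that puts the two ways of admitting certificate-authenticated spokes side by side. Option A keeps the IKE-ID check (the peer's certificate DN must match the configured container), Option B is the general-ikeid path discussed above, which drops the IKE-ID match but still requires a certificate that chains to the trusted CA. The CA profile, certificate, policy and gateway names (ADVPN-CA, HUB-CERT, ECDSA-P256, ADVPN-POL, SPOKES-GW) and the OU=Sales container are placeholders assumed for illustration; the hub is assumed to terminate spokes as dynamic peers, which is where Junos places general-ikeid.

```junos
## Added example (not from the original thread). Names are placeholders.

## Common part: the CA the hub trusts and the certificate it presents.
set security pki ca-profile ADVPN-CA ca-identity ADVPN-CA
set security ike proposal ECDSA-P256 authentication-method ecdsa-signatures-256
set security ike proposal ECDSA-P256 dh-group group19
set security ike proposal ECDSA-P256 encryption-algorithm aes-256-cbc
set security ike proposal ECDSA-P256 authentication-algorithm sha-256
set security ike policy ADVPN-POL proposals ECDSA-P256
set security ike policy ADVPN-POL certificate local-certificate HUB-CERT
## Only peer certificates that chain to this CA profile pass certificate
## authentication; this check is applied in both options below.
set security ike policy ADVPN-POL certificate trusted-ca ADVPN-CA
set security ike gateway SPOKES-GW ike-policy ADVPN-POL
set security ike gateway SPOKES-GW version v2-only
set security ike gateway SPOKES-GW local-identity distinguished-name

## Option A (tighter): admit a dynamic peer only if the DN it presents
## carries OU=Sales. Certificate chain AND IKE ID are both checked.
set security ike gateway SPOKES-GW dynamic distinguished-name container OU=Sales

## Option B (what the thread ends up with): skip the IKE-ID match. The peer
## still has to present a certificate that chains to ADVPN-CA, but any subject
## that CA has ever issued is admitted, so the CA's issuance scope becomes the
## effective access control. The two options are alternatives, hence the delete.
delete security ike gateway SPOKES-GW dynamic distinguished-name
set security ike gateway SPOKES-GW dynamic general-ikeid
```

After committing either variant, `show security ike security-associations detail` on the hub shows the identity each spoke actually presented, which is the quickest way to confirm that the DN in the spoke certificates really carries the OU you intend to match before deciding whether Option A can replace general-ikeid as spokes are added.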