Hi,
@hoocbb (thanks Jared) replied to my message but somehow it is not showing up here:
Hi,
I have been working on this same thing for the last week or so and have run into the same exact issues. Here is what I found through my personal digging and talking with JTAC.
*******Without knowing if you have site-to-site IPSec tunnels, this is all based on the assumption that you have these configured.********
1 - If you already have an existing IPSec VPN tunnel on the preferred external interface, you cannot combine certificate based IKE proposals and pre-shared key based proposals on the same interface.
2 - You cannot use 2 different IKE proposals, even if they are exactly the same with different names, on the same external interface.
3 - You must use the same IKE proposal that is already configured for both the site-to-site IPSec tunnel and Secure Connect when using the same external interface.
4 - It appears that you should be able to use different pre-shared keys as that is defined in the IKE policy.
I have not yet committed my configuration, but it validates when "commit check" is issued. I am simply waiting for my organization to approve using the pre-shared key method for IKE authentication where we previously preferred cert based for greater security.
------------------------------
JARED HEALER
------------------------------
My findings are similar to his. I had site-to-site VPN tunnels using IKEv2 and apparently this is not compatible with Juniper Secure Connect using IKEv1.
Original Message:
Sent: 08-06-2021 20:38
From: Unknown User
Subject: Juniper Secure Connect CLI
Hi all,
I have followed the instructions on how to configure the new Juniper VPN client: https://www.youtube.com/watch?v=uB54u-4cFGo
However, I cannot commit the config:
srx# commit check
[edit security ike]
  'gateway RA-JSC-GW'
    Dynamic Main Mode or IKEv2 gateway with same ike external interface must use same set of IKE proposals
error: configuration check-out failed
The Juniper Secure Connect config is as follows:
request security pki generate-key-pair size 4096 type rsa certificate-id Juniper
request security pki local-certificate generate-self-signed certificate-id Juniper subject "DC=Juniper,CN=edu" domain-name edu.juniper.net ip-address 1.1.1.1
set system services web-management https pki-local-certificate Juniper
set security nat source rule-set RA-JSC from zone remote-JSC-VPN
set security nat source rule-set RA-JSC to zone trust
set security nat source rule-set RA-JSC rule RA-JSC-rule match source-address 0/0
set security nat source rule-set RA-JSC rule RA-JSC-rule then source-nat interface
set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy match source-address any
set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy match destination-address any
set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy match application any
set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy then permit
set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy match source-address any
set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy match destination-address any
set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy match application any
set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy then permit
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services tcp-encap
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone remote-JSC-VPN interfaces st0.0
set interfaces st0.0 family inet
set access address-assignment pool RA-JSC-pool family inet network 10.0.0.0/24
set access address-assignment pool RA-JSC-pool family inet xauth-attributes primary-dns 8.8.8.8
set access profile RA-JSC-profile client user1 firewall-user password "password"
set access profile RA-JSC-profile address-assignment pool RA-JSC-pool
set access firewall-authentication web-authentication default-profile RA-JSC-profile
set services ssl termination profile SSL-JSC-term server-certificate Juniper
set security tcp-encap profile SSL-JSC-profile ssl-profile SSL-JSC-term
set security ike policy RA-JSC-IKE-Policy mode aggressive
set security ike proposal RA-JSC-IKE-Prop authentication-method pre-shared-keys
set security ike proposal RA-JSC-IKE-Prop dh-group group20
set security ike proposal RA-JSC-IKE-Prop authentication-algorithm sha-256
set security ike proposal RA-JSC-IKE-Prop encryption-algorithm aes-256-cbc
set security ike proposal RA-JSC-IKE-Prop lifetime-seconds 28800
set security ike policy RA-JSC-IKE-Policy proposals RA-JSC-IKE-Prop
set security ike policy RA-JSC-IKE-Policy pre-shared-key ascii-text "key"
set security ike gateway RA-JSC-GW ike-policy RA-JSC-IKE-Policy
set security ike gateway RA-JSC-GW dynamic user-at-hostname lab@edu.juniper.net
set security ike gateway RA-JSC-GW dynamic ike-user-type shared-ike-id
set security ike gateway RA-JSC-GW dead-peer-detection optimized
set security ike gateway RA-JSC-GW dead-peer-detection interval 10
set security ike gateway RA-JSC-GW dead-peer-detection threshold 5
set security ike gateway RA-JSC-GW external-interface ge-0/0/0.0
set security ike gateway RA-JSC-GW local-address 1.1.1.1
set security ike gateway RA-JSC-GW aaa access-profile RA-JSC-profile
set security ike gateway RA-JSC-GW version v1-only
set security ike gateway RA-JSC-GW tcp-encap-profile SSL-JSC-profile
set security ipsec proposal RA-JSC-IPsec-Pro protocol esp
set security ipsec proposal RA-JSC-IPsec-Pro encryption-algorithm aes-256-cbc
set security ipsec proposal RA-JSC-IPsec-Pro authentication-algorithm hmac-sha-256-128
set security ipsec proposal RA-JSC-IPsec-Pro lifetime-seconds 3600
set security ipsec policy RA-JSC-IPsec-Policy perfect-forward-secrecy keys group20
set security ipsec policy RA-JSC-IPsec-Policy proposals RA-JSC-IPsec-Pro
set security ipsec vpn RA-JSC-VPN bind-interface st0.0
set security ipsec vpn RA-JSC-VPN df-bit clear
set security ipsec vpn RA-JSC-VPN ike gateway RA-JSC-GW
set security ipsec vpn RA-JSC-VPN ike ipsec-policy RA-JSC-IPsec-Policy
set security ipsec vpn RA-JSC-VPN traffic-selector RA-JSC-TS-1 local-ip 192.168.1.0/24
set security ipsec vpn RA-JSC-VPN traffic-selector RA-JSC-TS-1 remote-ip 0.0.0.0/0
set security remote-access client-config RA-JSC-Client connection-mode manual
set security remote-access client-config RA-JSC-Client dead-peer-detection interval 60
set security remote-access client-config RA-JSC-Client dead-peer-detection threshold 5
set security remote-access profile RA-JSC-1 ipsec-vpn RA-JSC-VPN
set security remote-access profile RA-JSC-1 access-profile RA-JSC-profile
set security remote-access profile RA-JSC-1 client-config RA-JSC-Client
set security remote-access default-profile RA-JSC-1
Any idea why this is happening?
Thank you in advance
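A pre-commit lint for the constraint the thread describes, added here as an example (not Juniper code and not anything the posters ran): it parses set-style "security ike" lines, groups gateways by external interface, and reports where the gateways' IKE proposal sets differ or where pre-shared-key and certificate proposals are mixed on one interface. The sample config and the S2S-* names are constructed for the example; an empty result means no conflict.

```python
import re
from collections import defaultdict

IKE_LINE = re.compile(r"\s*set security ike (proposal|policy|gateway) (\S+) (\S.*)")

def parse_ike(config_text):
    auth = {}                      # proposal name -> authentication-method
    policies = defaultdict(list)   # policy name -> [proposal names]
    gateways = defaultdict(dict)   # gateway name -> {"ike-policy": ..., "external-interface": ...}
    for m in filter(None, map(IKE_LINE.match, config_text.split("\n"))):
        kind, name, words = m.group(1), m.group(2), m.group(3).split()
        if kind == "proposal" and words[0] == "authentication-method":
            auth[name] = words[1]
        elif kind == "policy" and words[0] == "proposals":
            policies[name].extend(w for w in words[1:] if w not in ("[", "]"))
        elif kind == "gateway" and words[0] in ("ike-policy", "external-interface"):
            gateways[name][words[0]] = words[1]
    return auth, policies, gateways

def check_shared_interfaces(config_text):
    """Findings for gateways on one external interface whose IKE proposal sets differ or mix PSK and cert auth."""
    auth, policies, gateways = parse_ike(config_text)
    by_iface = defaultdict(list)
    for gw, attrs in gateways.items():
        by_iface[attrs.get("external-interface")].append(gw)
    findings = []
    for iface, gws in by_iface.items():
        if iface is None or len(gws) < 2:
            continue
        prop_sets = {gw: frozenset(policies.get(gateways[gw].get("ike-policy"), ())) for gw in gws}
        if len(set(prop_sets.values())) > 1:
            findings.append(f"{iface}: gateways {sorted(gws)} use different IKE proposal sets")
        methods = {auth[p] for s in prop_sets.values() for p in s if p in auth}
        if len(methods) > 1:
            findings.append(f"{iface}: mixes authentication methods {sorted(methods)}")
    return findings

# Constructed sample (not from the thread): cert-based site-to-site and PSK-based Secure Connect gateways on one interface.
CONFLICTING = """\
set security ike proposal S2S-Prop authentication-method rsa-signatures
set security ike policy S2S-Policy proposals S2S-Prop
set security ike gateway S2S-GW ike-policy S2S-Policy
set security ike gateway S2S-GW external-interface ge-0/0/0.0
set security ike proposal RA-JSC-IKE-Prop authentication-method pre-shared-keys
set security ike policy RA-JSC-IKE-Policy proposals RA-JSC-IKE-Prop
set security ike gateway RA-JSC-GW ike-policy RA-JSC-IKE-Policy
set security ike gateway RA-JSC-GW external-interface ge-0/0/0.0
"""
# The same config after the remote-access policy reuses the existing proposal, as the reply advises.
RESOLVED = CONFLICTING.replace("proposals RA-JSC-IKE-Prop", "proposals S2S-Prop")
```

Running check_shared_interfaces(CONFLICTING) reproduces both problems on ge-0/0/0.0, while RESOLVED returns no findings.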