SRX Services Gateway

The use of general-ikeid

3 weeks ago

Hello,

I have been setting up advpn as part of a deployment using ecdsa-signatures-256. Root CA and Local Certificate are successfully loaded onto the box.

Using the documentation: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-auto-discovery-vpns.html

I was trying to use the following to bring up the tunnel, referencing the OU inside the local certs.

Hub:
set security ike gateway PARTNER_GW local-identity distinguished-name
set security ike gateway PARTNER_GW remote-identity distinguished-name container OU=Sales

Spoke:
set security ike gateway PARTNER_GW local-identity distinguished-name
set security ike gateway PARTNER_GW remote-identity distinguished-name container OU=Sales

However, I had no luck. I then removed the remote-identity configuration on the spoke and added:
set security ike gateway PARTNER_GW general-ikeid

The tunnel then came up. What are the risks/drawbacks of using this, and will this affect the ADVPN setup as I add more spokes? Basically I am just trying to understand what general-ikeid does in some level of detail.

Thanks.
3 REPLIES

Re: The use of general-ikeid

3 weeks ago

Hello Elliott,

The answer you are looking for is explained in this KB article: https://kb.juniper.net/InfoCenter/index?page=content&id=KB27302

Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: The use of general-ikeid

3 weeks ago

Just to clarify, does general-ikeid bypass IKE-ID validation with the received ID payload?

It will not bypass certificate authentication completely?

Re: The use of general-ikeid

3 weeks ago

Solution accepted by topic author jjelliott1821 (2 weeks ago)

Hi Elliott,

You are right. When general-ikeid is used, it only bypasses the IKE-ID validation with the received ID payload; certificate authentication is not bypassed.

Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
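To make the distinction in the accepted answer concrete, here is an added Python model of the two checks a gateway runs on a peer: certificate authentication first, then IKE-ID matching against the configured remote-identity. It is an illustration written for this thread, not Junos code and not from Juniper or the KB article. The "container" (same relative order) versus "wildcard" (any order) DN-matching semantics, the reduction of chain validation to "issued by the trusted CA and not revoked", and all peer names and CA names are assumptions constructed for the example.

```python
"""Constructed model of how an IKE gateway accepts a peer: certificate
authentication first, then IKE-ID matching, which general-ikeid skips.
Illustration only; not Junos code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A distinguished name as an ordered list of (attribute, value) pairs.
DN = List[Tuple[str, str]]


def parse_dn(text: str) -> DN:
    """Parse 'CN=spoke1, OU=Sales, O=Example' into [('CN', 'spoke1'), ...]."""
    pairs = []
    for rdn in text.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


@dataclass
class PeerCert:
    subject: str          # DN in the certificate, also sent as the IKE ID payload
    issuer: str           # CA that signed it
    revoked: bool = False


@dataclass
class IkeGateway:
    trusted_ca: str                        # CA the gateway trusts
    remote_identity: Optional[str] = None  # e.g. "OU=Sales" (DN fragment)
    dn_match: str = "container"            # "container" (ordered) or "wildcard" (any order)
    general_ikeid: bool = False            # skip IKE-ID matching entirely


def dn_matches(required: DN, presented: DN, mode: str) -> bool:
    """Assumed semantics: wildcard = every required RDN present in any order;
    container = required RDNs present in the same relative order."""
    if mode == "wildcard":
        return all(rdn in presented for rdn in required)
    pos = 0
    for rdn in required:
        while pos < len(presented) and presented[pos] != rdn:
            pos += 1
        if pos == len(presented):
            return False
        pos += 1
    return True


def certificate_valid(cert: PeerCert, gw: IkeGateway) -> bool:
    """Chain check reduced to: issued by the trusted CA and not revoked."""
    return cert.issuer == gw.trusted_ca and not cert.revoked


def accept_peer(gw: IkeGateway, cert: PeerCert) -> Tuple[bool, str]:
    """Decide whether the gateway would establish IKE with this peer."""
    # Certificate authentication always runs; general-ikeid does not bypass it.
    if not certificate_valid(cert, gw):
        return False, "rejected: certificate authentication failed"
    # IKE-ID validation is the step general-ikeid removes.
    if gw.general_ikeid:
        return True, "accepted: IKE-ID check bypassed by general-ikeid"
    if gw.remote_identity is None:
        return False, "rejected: no remote-identity configured"
    if dn_matches(parse_dn(gw.remote_identity), parse_dn(cert.subject), gw.dn_match):
        return True, "accepted: IKE-ID matched remote-identity"
    return False, "rejected: IKE-ID did not match remote-identity"


# Constructed sample peers and gateways (not real certificates or devices).
TRUSTED_CA = "Example-Root-CA"
SALES_SPOKE = PeerCert("CN=spoke1, OU=Sales, O=Example", TRUSTED_CA)
ENG_DEVICE = PeerCert("CN=lab-box, OU=Engineering, O=Example", TRUSTED_CA)
ROGUE_CERT = PeerCert("CN=spoke1, OU=Sales, O=Example", "Untrusted-CA")

STRICT_GW = IkeGateway(TRUSTED_CA, remote_identity="OU=Sales")   # container OU=Sales
GENERAL_GW = IkeGateway(TRUSTED_CA, general_ikeid=True)          # general-ikeid

if __name__ == "__main__":
    for gw_name, gw in (("container OU=Sales", STRICT_GW), ("general-ikeid", GENERAL_GW)):
        for peer in (SALES_SPOKE, ENG_DEVICE, ROGUE_CERT):
            _, why = accept_peer(gw, peer)
            print(f"{gw_name:20} {peer.subject:40} {why}")
```

Running the model shows the trade-off behind the question: with remote-identity container OU=Sales, only certificates whose DN carries OU=Sales bring the tunnel up; with general-ikeid, any certificate the trusted CA has issued does, while a certificate from an untrusted CA is still rejected in both cases. In the general-ikeid configuration, the CA's issuance policy therefore becomes the only per-peer control, which is worth keeping in mind as more spokes are enrolled.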