Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

FAQ

It is currently Thu Mar 30, 2023 7:57 pm

ROOT ‹ Network Security & Routing & Switching ‹ VPN / Dynamic VPN / Ipsec ‹ Juniper SRX 11.4: Bypass IPSEC VPN IKE ID validation for "remote-identity"

Post a reply

1 post • Page 1 of 1

Juniper SRX 11.4: Bypass IPSEC VPN IKE ID validation for "remote-identity"

« Previous topic | Next topic »

Author

Message

mandrei99

Post subject: Juniper SRX 11.4: Bypass IPSEC VPN IKE ID validation for "remote-identity" | Posted: Thu Oct 31, 2013 5:00 am

Joined: Tue Aug 04, 2009 9:16 am
Posts: 250

Juniper SRX 11.4: Bypass IPSEC VPN IKE ID validation for "remote-identity"

The Juniper SRX firwewall is performs an IKE Phase 1 identity validation based on the "remote-identity" set for the specific ike gateway.

If upgrading from 10.4 where by default a default identity is used or if the remote host isn't sending one and the SRX, under Junos 11.4, fails to bring up IKE phase 1 due to id validation failure, it can be changed to accept generic ike ID, bypassing IKE ID validation in the received payload:

Code:

# set security ike gateway <IKE-gateway-name> general-ikeid

References:
[SRX] How to bypass remote-identity check for IKE Phase 1 negotiation. http://kb.juniper.net/InfoCenter/index?page=content&id=KB27302

			Tweet
Follow @IvordeCom

You might also be interested in:
Juniper SRX Hub-and-Spoke IPSEC VPN \w HUB behind NAT.. Juniper SRX MTU / MSS / Fragmentation problems with Ipsec vpn tunnel. OpenSSL CA signed certificates based Ipsec VPN between Two Juniper SRX devices. Juniper SRX Spoke-to-Spoke IPSEC VPN \w spokes behind NAT.. Linux site to site GRE over IPSEC VPN tunnels using racoon & kame ipsec-tools. Site2Site Ipsec/Dialup/ike v2. Iphone/Ipad Ipsec VPNs using SSL certificates - How to use OpenSSL to generate and format certs. PKI: How to import OpenSSL private key and public certificate in Juniper SRX. Juniper SRX: Main mode for dynamic peer with Preshared key based authentication is not allowed. error: Failed to encode the certificate request in PKCS-10 format - Juniper SRX PKI error.

Top

Post a reply

1 post • Page 1 of 1

Topics		Author	Replies	Views	Last post
Topics related to - "Juniper SRX 11.4: Bypass IPSEC VPN IKE ID validation for "remote-identity""
	Juniper SRX Hub-and-Spoke IPSEC VPN \w HUB behind NAT.	mandrei99	0	3066	Tue Oct 29, 2013 11:25 am mandrei99
	Juniper SRX MTU / MSS / Fragmentation problems with Ipsec vpn tunnel	debuser	2	27433	Mon Jul 08, 2013 5:54 am Tears
	OpenSSL CA signed certificates based Ipsec VPN between Two Juniper SRX devices	debuser	2	11635	Thu Jun 27, 2013 10:40 am mandrei99
	Juniper SRX Spoke-to-Spoke IPSEC VPN \w spokes behind NAT.	mandrei99	0	5052	Tue Oct 29, 2013 9:22 am mandrei99
	Linux site to site GRE over IPSEC VPN tunnels using racoon & kame ipsec-tools	mandrei99	0	15765	Tue Jan 13, 2015 6:26 am mandrei99
	Site2Site Ipsec/Dialup/ike v2	balzac123	0	2512	Wed Sep 16, 2015 9:07 am balzac123
	Iphone/Ipad Ipsec VPNs using SSL certificates - How to use OpenSSL to generate and format certs	mandrei99	0	5532	Wed Apr 10, 2013 5:42 am mandrei99
	PKI: How to import OpenSSL private key and public certificate in Juniper SRX	mandrei99	0	42416	Fri Dec 12, 2014 10:07 am mandrei99
	Juniper SRX: Main mode for dynamic peer with Preshared key based authentication is not allowed	mandrei99	0	3903	Fri Jan 09, 2015 11:41 am mandrei99
	error: Failed to encode the certificate request in PKCS-10 format - Juniper SRX PKI error	mandrei99	0	2999	Fri Dec 12, 2014 10:32 am mandrei99

Who is online

Users browsing this forum: No registered users and 0 guests

You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:

Channel list

ROOT ‹ Network Security & Routing & Switching ‹ VPN / Dynamic VPN / Ipsec

Delete all board cookies | The team | All times are UTC - 5 hours [ DST ]