Juniper SRX: Main mode for dynamic peer with Preshared key based authentication is not allowed
A Juniper SRX acting as a VPN hub complains when a spoke with a dynamic IP address is configured with preshared-key authentication and main mode (as per KB5622:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB5622).
Why is that? Looking at IPsec IKE phase 1 main mode, the standard defines 6 messages (3 pairs):
Pair 1 of main mode (messages 1 and 2, unencrypted): the first ISAKMP header defines next-payload: Security Association
Pair 2 of main mode (messages 3 and 4, unencrypted): the first ISAKMP header defines next-payload: Key Exchange
In summary, up to this point both peers (the static IP hub and the dynamic IP spoke) have exchanged, in clear text, the phase 1 proposals (security associations for phase 1) and, depending on the phase 1 authentication method, the key exchange data and nonces (encrypted with the other endpoint's public certificate).
At this point, depending on the authentication method (preshared key or digital signatures), both IPsec VPN tunnel endpoints compute a master secret key (or shared secret key) from the following components:
PSK authentication: preshared key and key exchange data
Digital signatures: DH secret g^ab and key exchange data
Pair 3 of main mode (messages 5 and 6, encrypted): preshared-key based hash or digital signatures / certificates, sent UNDER ENCRYPTED FORM.
Assume the fixed IP address IPsec VPN hub has multiple preshared keys configured and phase 1 main mode with preshared-key authentication is desired. In order to compute the master secret key before encrypting the third pair of main mode messages, the hub needs to find the preshared key that corresponds to the dynamic IP peer based on its IKE ID (because the preshared key is an input of the function that computes the master secret key). But in main mode the IKE ID is not exchanged until the 3rd pair (messages 5 and 6), and those messages are already encrypted using the SA parameters and the master secret key.
So the only option left for the hub to find the preshared key for the dynamic IP site is to match it against the IP address of the peer. This fails for obvious reasons when the other end has a dynamic IP address.
OK. So how do we use preshared keys with dynamic IP IPsec VPN peers? Using phase 1 aggressive mode. This is a fact and a standard, not this post's conclusion.
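To make the lookup problem concrete, here is an added Python model (not from the original post and not Juniper code) of what the hub, as responder, knows at the moment it must derive the phase 1 master secret (SKEYID in RFC 2409 terms). The PSK tables, IP addresses, nonces and the DH value are constructed sample data; the only real formulas are the RFC 2409 SKEYID derivations. In main mode the hub has seen SA, KE and nonce payloads but no identity, so the only selector it has is the source IP; in aggressive mode the initiator's ID travels in the first message, so the selector is the IKE ID. The signature case is included to show why main mode with certificates does not have this problem: its SKEYID needs no peer-specific secret.

```python
import hashlib
import hmac
from typing import Optional

# Constructed: PSKs the hub holds, keyed by the spoke's IKE identity
# (the hostname the hub expects under 'dynamic hostname ...').
HUB_PSK_BY_ID = {
    b"dynamic-ip-spoke.vpn.domain.com": b"secret key",
    b"other-spoke.vpn.domain.com": b"another secret",
}

# Constructed: PSKs keyed by static peer IP. A dynamic-IP spoke can never
# have a stable entry here, which is the whole point.
HUB_PSK_BY_IP = {
    "203.0.113.10": b"static-site-secret",
}

# Constructed nonces and DH shared secret, fixed so results are reproducible.
NI = bytes.fromhex("00112233445566778899aabbccddeeff")
NR = bytes.fromhex("ffeeddccbbaa99887766554433221100")
G_XY = b"\x5a" * 32


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC with the negotiated hash (SHA-1 here, as in proposal-set standard)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5, pre-shared keys: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def skeyid_sig(g_xy: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5, signatures: SKEYID = prf(Ni_b | Nr_b, g^xy).
    No per-peer secret is needed, so the responder never has to look anything up."""
    return prf(ni + nr, g_xy)


def select_psk(mode: str, peer_ip: str, peer_id: Optional[bytes]) -> Optional[bytes]:
    """Return the PSK the responder can pick before it must derive SKEYID.

    main:       messages 1-4 carry no ID payload, so only the source IP is usable.
    aggressive: message 1 carries the initiator's ID in clear, so the ID is usable.
    """
    if mode == "main":
        return HUB_PSK_BY_IP.get(peer_ip)
    if mode == "aggressive":
        return HUB_PSK_BY_ID.get(peer_id)
    raise ValueError(f"unknown IKE phase 1 mode: {mode}")


def responder_skeyid(mode: str, peer_ip: str, peer_id: bytes,
                     ni: bytes, nr: bytes) -> Optional[bytes]:
    """SKEYID the hub derives for a PSK-authenticated peer, or None when it
    cannot find a PSK and therefore cannot decrypt messages 5 and 6."""
    psk = select_psk(mode, peer_ip, peer_id)
    if psk is None:
        return None
    return skeyid_psk(psk, ni, nr)


def demo() -> dict:
    """Run the dynamic-IP spoke through both modes and compare with the spoke's own view."""
    spoke_ip = "198.51.100.77"  # constructed, changes on every reconnect
    spoke_id = b"dynamic-ip-spoke.vpn.domain.com"
    spoke_view = skeyid_psk(b"secret key", NI, NR)  # the spoke knows its own PSK
    return {
        "main_hub_skeyid": responder_skeyid("main", spoke_ip, spoke_id, NI, NR),
        "aggressive_hub_skeyid": responder_skeyid("aggressive", spoke_ip, spoke_id, NI, NR),
        "spoke_skeyid": spoke_view,
        "signature_skeyid": skeyid_sig(G_XY, NI, NR),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value.hex() if value else 'no PSK found, phase 1 cannot proceed'}")
```

Running it shows `main_hub_skeyid` as not found while `aggressive_hub_skeyid` equals `spoke_skeyid`, which is exactly the constraint the SRX enforces at commit time. On the SRX side this corresponds to setting `mode aggressive` in the IKE policy shown at the end of the post (assumption: the rest of the gateway configuration stays as it is).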
Here is the relevant information:
Code:
admin@static-hub# commit
[edit security ike gateway gw-dynamic-ip-spoke ike-policy]
'ike-policy dyn-vpn'
Main mode for dynamic peer with Preshared key based authentication is not allowed
error: commit failed: (statements constraint check failed)
[edit]
admin@static-hub# show security ike gateway gw-dynamic-ip-spoke
##
## Warning: Main mode for dynamic peer with Preshared key based authentication is not allowed
##
ike-policy dyn-vpn;
dynamic {
    hostname dynamic-ip-spoke.vpn.domain.com;
    connections-limit 5;
}
local-identity inet ;
external-interface ge-0/0/3;
[edit]
admin@static-hub# show security ike policy dyn-vpn
mode main;
proposal-set standard;
pre-shared-key ascii-text "secret key"; ## SECRET-DATA