Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

mandrei99
Post subject: Juniper SRX: Main mode for dynamic peer with Preshared key based authentication is not allowed  |  Posted: Fri Jan 09, 2015 11:41 am
Juniper SRX: Main mode for dynamic peer with Preshared key based authentication is not allowed

A Juniper SRX acting as an IPsec VPN hub complains when a dynamic IP address spoke is configured with preshared-key authentication and main mode (as per KB http://kb.juniper.net/InfoCenter/index?page=content&id=KB5622).

Why is that? Looking at IPsec IKE phase 1 main mode, the standard specifies 6 messages (3 pairs):
Pair 1 of main mode (messages 1 and 2, unencrypted): the first ISAKMP header's next-payload is Security Association.
Pair 2 of main mode (messages 3 and 4, unencrypted): the first ISAKMP header's next-payload is Key Exchange.

In summary, up to this point both peers (the static IP hub and the dynamic IP address site) have exchanged, in clear text, the phase 1 proposals (security associations for phase 1) and, depending on the phase 1 authentication method, key exchange data and nonces (encrypted with the other endpoint's public certificate).
At this point, depending on the authentication method (preshared key or digital signatures), both IPsec VPN tunnel endpoints compute a master secret key (or shared secret key) from the following components:
PSK authentication: preshared key and key exchange data
Digital signatures: DH secret g^ab and key exchange data

Pair 3 of main mode (messages 5 and 6, encrypted): preshared-key-based hash or digital signatures / certificates, IN ENCRYPTED FORM.

Assume the fixed IP address IPsec VPN hub has multiple preshared keys configured and phase 1 main mode with preshared-key authentication is desired. To compute the master secret key before encrypting the third pair of main mode messages, the hub needs to find the preshared key that corresponds to the dynamic IP peer, based on the IKE ID (because the preshared key is an input to the function that computes the master secret key). But in main mode the IKE ID is not exchanged until the 3rd pair (messages 5 and 6), which is already encrypted using the SA parameters and the master secret key.
So the only way for the hub to find the preshared key for the dynamic IP site is to match it against the IP address of the dynamic peer, which obviously fails when the other end has a dynamic IP.

OK. So how do we use preshared keys with dynamic IP IPsec VPN peers? By using phase 1 aggressive mode. This is a fact and a standard, not this post's conclusion.
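The following is an added illustration, not code from the post or from Junos, of the key-selection problem just described. It models the hub side only: which message first carries the peer's ID payload in each phase 1 mode, and the SKEYID derivations from RFC 2409 section 5 (HMAC-SHA1 stands in for the negotiated prf). The peer addresses, IKE IDs and secrets are constructed values, and the dict-based lookup is an assumption about how a hub indexes its keys, not the SRX implementation.

```python
# Added illustration (not SRX code): why an IKEv1 hub cannot pick a per-peer
# pre-shared key in main mode for a peer it only knows by IKE ID.
# SKEYID formulas follow RFC 2409 section 5; HMAC-SHA1 stands in for the
# negotiated prf. All peer addresses, IDs and secrets below are constructed.
import hashlib
import hmac

# Hub-side tables (constructed). A static spoke can be indexed by its IP
# address; a dynamic-IP spoke is only known by its IKE ID (an FQDN here).
PSK_BY_PEER_IP = {"203.0.113.10": b"static-spoke-secret"}
PSK_BY_IKE_ID = {
    "static-spoke.vpn.example": b"static-spoke-secret",
    "dynamic-ip-spoke.vpn.domain.com": b"secret key",
}

# Which phase 1 message first carries the initiator's ID payload, and whether
# that message is already encrypted (RFC 2409 section 5).
ID_PAYLOAD_ARRIVAL = {
    "main": {"message": 5, "encrypted": True},         # IDii in message 5, under SKEYID_e
    "aggressive": {"message": 1, "encrypted": False},  # IDii in message 1, cleartext
}


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """Pre-shared-key authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def skeyid_sig(ni: bytes, nr: bytes, g_xy: bytes) -> bytes:
    """Signature authentication: SKEYID = prf(Ni_b | Nr_b, g^xy); no per-peer secret involved."""
    return hmac.new(ni + nr, g_xy, hashlib.sha1).digest()


def hub_select_psk(mode: str, peer_ip: str, ike_id: str):
    """Return the PSK the hub can choose before it must derive SKEYID, or None."""
    if not ID_PAYLOAD_ARRIVAL[mode]["encrypted"]:
        # Aggressive mode: the ID arrived in cleartext in message 1, so key by ID.
        return PSK_BY_IKE_ID.get(ike_id)
    # Main mode: the ID is still encrypted; the only selector left is the source IP.
    return PSK_BY_PEER_IP.get(peer_ip)


def hub_phase1_skeyid(mode: str, auth: str, peer_ip: str, ike_id: str,
                      ni: bytes, nr: bytes, g_xy: bytes):
    """SKEYID the hub derives for this peer, or None when it cannot select a key."""
    if auth == "rsa-signatures":
        # Certificates work in main mode with a dynamic peer: SKEYID needs no PSK.
        return skeyid_sig(ni, nr, g_xy)
    psk = hub_select_psk(mode, peer_ip, ike_id)
    if psk is None:
        return None
    return skeyid_psk(psk, ni, nr)


if __name__ == "__main__":
    ni, nr, g_xy = b"\x11" * 16, b"\x22" * 16, b"\x33" * 32  # constructed values
    spoke_id = "dynamic-ip-spoke.vpn.domain.com"
    # 198.51.100.77 is the spoke's current (unknown-in-advance) dynamic address.
    for mode, auth in [("main", "pre-shared-keys"),
                       ("aggressive", "pre-shared-keys"),
                       ("main", "rsa-signatures")]:
        result = hub_phase1_skeyid(mode, auth, "198.51.100.77", spoke_id, ni, nr, g_xy)
        status = "no key selectable" if result is None else result.hex()[:16] + "..."
        print(f"{mode:10s} {auth:16s} -> {status}")
```

Running it shows the three cases from the text side by side: main mode with a preshared key yields no selectable key for the dynamic address, aggressive mode selects the key by the cleartext ID, and main mode with signatures derives SKEYID without any per-peer secret.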

Here is the relevant information:
Code:
admin@static-hub# commit
[edit security ike gateway gw-dynamic-ip-spoke ike-policy]
  'ike-policy dyn-vpn'
    Main mode for dynamic peer with Preshared key based authentication is not allowed
error: commit failed: (statements constraint check failed)

[edit]
admin@static-hub# show security ike gateway gw-dynamic-ip-spoke
##
## Warning: Main mode for dynamic peer with Preshared key based authentication is not allowed
##
ike-policy dyn-vpn;
dynamic {
    hostname dynamic-ip-spoke.vpn.domain.com;
    connections-limit 5;
}
local-identity inet ;
external-interface ge-0/0/3;

[edit]
admin@static-hub# show security ike policy dyn-vpn
mode main;
proposal-set standard;
pre-shared-key ascii-text "secret key"; ## SECRET-DATA

All times are UTC - 5 hours [ DST ]