Example: Configuring AutoVPN with Pre-Shared Key
This example shows how to configure a different IKE preshared key for each remote peer that the VPN gateway authenticates, and, as an alternative, how to configure the same IKE preshared key for all remote peers.
Refer to the other examples in this topic for the end-to-end configuration of AutoVPN.
Requirements
This example uses the following hardware and software components:
- MX240, MX480, and MX960 with MX-SPC3 and Junos OS Release 21.1R1 that supports AutoVPN
- or SRX5000 line with SPC3 and Junos OS Release 21.2R1 that supports AutoVPN
- or vSRX Virtual Firewall running the iked process (with the junos-ike package) and Junos OS Release 21.2R1 that supports AutoVPN
Configure a different IKE preshared key
To configure a different IKE preshared key for each remote peer that the VPN gateway authenticates, perform these tasks.
- Configure the seeded preshared key for the IKE policy on the device that is the AutoVPN hub.
[edit]
user@host# set security ike policy IKE_POL seeded-pre-shared-key ascii-text ascii-text
or
user@host# set security ike policy IKE_POL seeded-pre-shared-key hexadecimal hexadecimal
For example:
user@host# set security ike policy IKE_POL seeded-pre-shared-key ascii-text ThisIsMySecretPreSharedkey
or
user@host# set security ike policy IKE_POL seeded-pre-shared-key hexadecimal 5468697349734d79536563726563745072655368617265646b6579
- Configure the generated PSK ("79e4ea39f5c06834a3c4c031e37c6de24d46798a" in step 2) in the IKE policy on the remote peer device.
[edit]
user@peer# set security ike policy IKE_POL pre-shared-key ascii-text generated-psk
For example:
user@peer# set security ike policy IKE_POL pre-shared-key ascii-text 79e4ea39f5c06834a3c4c031e37c6de24d46798a
- (Optional) To bypass the IKE ID validation and allow all IKE ID types, configure the general-ikeid configuration statement under the [edit security ike gateway gateway_name dynamic] hierarchy level in the gateway.
[edit]
user@host# set security ike gateway HUB_GW dynamic general-ikeid
Result
From configuration mode, confirm your configuration by entering the show security ike command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show security ike
proposal IKE_PROP {
    authentication-method pre-shared-keys;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 750;
}
policy IKE_POL {
    proposals IKE_PROP;
    seeded-pre-shared-key ascii-text "$9$zoDln9pIEyWLN0BLNdboaFn/C0BRhSeM8"; ## SECRET-DATA
}
gateway HUB_GW {
    ike-policy IKE_POL;
    dynamic {
        general-ikeid;
        ike-user-type group-ike-id;
    }
    local-identity hostname hub.juniper.net;
    external-interface lo0.0;
    local-address 11.0.0.1;
    version v2-only;
}
Configure the same IKE preshared key
To configure the same IKE preshared key that the VPN gateway uses to authenticate all remote peers, perform these tasks.
- Configure the common pre-shared-key for the IKE policy on the device that is the AutoVPN hub.
[edit]
user@host# set security ike policy IKE_POL pre-shared-key ascii-text ascii-text
For example:
user@host# set security ike policy IKE_POL pre-shared-key ascii-text ThisIsMySecretPreSharedkey
- Configure the common pre-shared-key in the IKE policy on the remote peer device.
[edit]
user@peer# set security ike policy IKE_POL pre-shared-key ascii-text ascii-text
For example:
user@peer# set security ike policy IKE_POL pre-shared-key ascii-text ThisIsMySecretPreSharedkey
- (Optional) To bypass the IKE ID validation and allow all IKE ID types, configure the general-ikeid configuration statement under the [edit security ike gateway gateway_name dynamic] hierarchy level in the gateway.
[edit]
user@host# set security ike gateway HUB_GW dynamic general-ikeid
Result
From configuration mode, confirm your configuration by entering the show security ike command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show security ike
proposal IKE_PROP {
    authentication-method pre-shared-keys;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 750;
}
policy IKE_POL {
    proposals IKE_PROP;
    pre-shared-key ascii-text "$9$wo2oGk.569pDi9p0BSys24"; ## SECRET-DATA
}
gateway HUB_GW {
    ike-policy IKE_POL;
    dynamic {
        general-ikeid;
        ike-user-type group-ike-id;
    }
    local-identity user-at-hostname user1@juniper.net;
    external-interface lo0;
    local-address 11.0.0.1;
    version v2-only;
}