Example: Configuring AutoVPN with Pre-Shared Key
This example shows how to configure a different IKE preshared key that the VPN gateway uses to authenticate the remote peer. It also shows how to configure the same IKE preshared key for that purpose.
Refer to the other examples in this topic for the end-to-end configuration of AutoVPN.
Requirements
This example uses the following hardware and software components:
- MX240, MX480, and MX960 with MX-SPC3 and Junos OS Release 21.1R1 that support AutoVPN
- or SRX5000 line with SPC3 and Junos OS Release 21.2R1 that support AutoVPN
- or vSRX Virtual Firewall running the iked process (with the junos-ike package) and Junos OS Release 21.2R1 that support AutoVPN
Configure different IKE preshared key
To configure a different IKE preshared key that the VPN gateway uses to authenticate the remote peer, perform these tasks.
- Configure the seeded preshared key for the IKE policy on the device that acts as the AutoVPN hub.
    [edit]
    user@host# set security ike policy IKE_POL seeded-pre-shared-key ascii-text ascii-text
  or
    user@host# set security ike policy IKE_POL seeded-pre-shared-key hexadecimal hexadecimal
  For example:
    user@host# set security ike policy IKE_POL seeded-pre-shared-key ascii-text ThisIsMySecretPreSharedkey
  or
    user@host# set security ike policy IKE_POL seeded-pre-shared-key hexadecimal 5468697349734d79536563726563745072655368617265646b6579
- Configure the generated PSK ("79e4ea39f5c06834a3c4c031e37c6de24d46798a" in step 2) in the IKE policy on the remote peer device.
    [edit]
    user@peer# set security ike policy IKE_POL pre-shared-key ascii-text generated-psk
  For example:
    user@peer# set security ike policy IKE_POL pre-shared-key ascii-text 79e4ea39f5c06834a3c4c031e37c6de24d46798a
- (Optional) To bypass IKE ID validation and allow all IKE ID types, configure the general-ikeid configuration statement under the [edit security ike gateway gateway_name dynamic] hierarchy level on the gateway.
    [edit]
    user@host# set security ike gateway HUB_GW dynamic general-ikeid
Result
From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show security
ike {
    proposal IKE_PROP {
        authentication-method pre-shared-keys;
        dh-group group14;
        authentication-algorithm sha-256;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 750;
    }
    policy IKE_POL {
        proposals IKE_PROP;
        seeded-pre-shared-key ascii-text "$9$zoDln9pIEyWLN0BLNdboaFn/C0BRhSeM8"; ## SECRET-DATA
    }
    gateway HUB_GW {
        ike-policy IKE_POL;
        dynamic {
            general-ikeid;
            ike-user-type group-ike-id;
        }
        local-identity hostname hub.juniper.net;
        external-interface lo0.0;
        local-address 11.0.0.1;
        version v2-only;
    }
}
Configure same IKE preshared key
To configure the same IKE preshared key that the VPN gateway uses to authenticate the remote peer, perform these tasks.
- Configure the common pre-shared-key for the IKE policy on the device that acts as the AutoVPN hub.
    [edit]
    user@host# set security ike policy IKE_POL pre-shared-key ascii-text ascii-text
  For example:
    user@host# set security ike policy IKE_POL pre-shared-key ascii-text ThisIsMySecretPreSharedkey
- Configure the common pre-shared-key in the IKE policy on the remote peer device.
    [edit]
    user@peer# set security ike policy IKE_POL pre-shared-key ascii-text ascii-text
  For example:
    user@peer# set security ike policy IKE_POL pre-shared-key ascii-text ThisIsMySecretPreSharedkey
- (Optional) To bypass IKE ID validation and allow all IKE ID types, configure the general-ikeid configuration statement under the [edit security ike gateway gateway_name dynamic] hierarchy level on the gateway.
    [edit]
    user@host# set security ike gateway HUB_GW dynamic general-ikeid
Result
From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show security
ike {
    proposal IKE_PROP {
        authentication-method pre-shared-keys;
        dh-group group14;
        authentication-algorithm sha-256;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 750;
    }
    policy IKE_POL {
        proposals IKE_PROP;
        pre-shared-key ascii-text "$9$wo2oGk.569pDi9p0BSys24"; ## SECRET-DATA
    }
    gateway HUB_GW {
        ike-policy IKE_POL;
        dynamic {
            general-ikeid;
            ike-user-type group-ike-id;
        }
        local-identity user-at-hostname user1@juniper.net;
        external-interface lo0;
        local-address 11.0.0.1;
        version v2-only;
    }
}
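The two results in this example differ in the policy's key statement (seeded-pre-shared-key or pre-shared-key), and both gateways set general-ikeid. The following Python is an added example, not Juniper code and not part of the original page: it parses brace-style show security output and reports, per gateway, which key statement its IKE policy uses and whether IKE ID validation is bypassed, marking the common key plus general-ikeid combination for review. The function names, report fields, and the trimmed sample are assumptions made for illustration.

```python
import re

# Added example: parse/audit are illustrative names; SAMPLE is constructed from the result above.
SAMPLE = '''
ike {
    policy IKE_POL {
        pre-shared-key ascii-text "<encrypted>"; ## SECRET-DATA
    }
    gateway HUB_GW {
        ike-policy IKE_POL;
        dynamic {
            general-ikeid;
            ike-user-type group-ike-id;
        }
    }
}
'''

def parse(text):
    """Parse brace-style Junos output into nested dicts; leaf statements map to None."""
    text = re.sub(r"##\s*SECRET-DATA", "", text)  # annotation, not configuration
    stack, words = [{}], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "}":
            stack.pop()
        elif tok in ("{", ";"):
            name, words = " ".join(words), []
            if tok == "{":  # container: descend into it
                stack.append(stack[-1].setdefault(name, {}))
            else:  # leaf statement
                stack[-1][name] = None
        else:
            words.append(tok)
    return stack[0]

def audit(text):
    """Per gateway: key statement used by its IKE policy and whether general-ikeid is set."""
    ike = parse(text).get("ike", {})
    report = []
    for key in (k for k in ike if k.startswith("gateway ")):
        gw = ike[key]
        pol = next((s.split()[1] for s in gw if s.startswith("ike-policy ")), None)
        stmts = ike.get(f"policy {pol}", {})
        psk = next((m for m in ("seeded-pre-shared-key", "pre-shared-key")
                    if any(s.startswith(m + " ") for s in stmts)), "none")
        bypass = "general-ikeid" in gw.get("dynamic", {})
        # Common key plus bypassed IKE ID validation: authentication rests on that key alone.
        report.append({"gateway": key.split()[1], "policy": pol, "psk": psk,
                       "ikeid_bypass": bypass, "review": psk == "pre-shared-key" and bypass})
    return report
```

Pass only the configuration text to audit(), without the [edit] banner or the prompt line.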