Example: Configuring AutoVPN with Pre-Shared Key

06-Dec-23

This example shows how to configure a different IKE preshared key for each remote peer (a seeded preshared key), which the VPN gateway uses to authenticate that peer. It also shows how to configure the same IKE preshared key for all remote peers.

Refer to the other examples in this topic for the end-to-end configuration of AutoVPN.

Requirements

This example uses the following hardware and software components:

  • MX240, MX480, and MX960 with MX-SPC3 and Junos OS Release 21.1R1 that support AutoVPN
  • or SRX5000 line with SPC3 and Junos OS Release 21.2R1 that support AutoVPN
  • or vSRX Virtual Firewall running iked process (with the junos-ike package) and Junos OS Release 21.2R1 that support AutoVPN

Configure a different IKE preshared key

To configure a different IKE preshared key for each remote peer that the VPN gateway authenticates, perform these tasks.

  1. Configure the seeded preshared key for the IKE policy on the device that acts as the AutoVPN hub. The key can be entered as ASCII text or in hexadecimal form; the two example values below encode the same key.
    [edit]
    user@host# set security ike policy IKE_POL seeded-pre-shared-key ascii-text ascii-text

    or

    user@host# set security ike policy IKE_POL seeded-pre-shared-key hexadecimal hexadecimal

    For example:

    user@host# set security ike policy IKE_POL seeded-pre-shared-key ascii-text ThisIsMySecretPreSharedkey

    or

    user@host# set security ike policy IKE_POL seeded-pre-shared-key hexadecimal 5468697349734d79536563726563745072655368617265646b6579
  2. Display the preshared key generated for a remote peer by specifying the gateway name and the peer's user ID. This is an operational-mode command.
    user@host> show security ike pre-shared-key gateway-name gateway-name user-id user-id

    For example:

    user@host> show security ike pre-shared-key gateway-name HUB_GW user-id user1@juniper.net
    Pre-shared key: 79e4ea39f5c06834a3c4c031e37c6de24d46798a
  3. Configure the generated PSK ("79e4ea39f5c06834a3c4c031e37c6de24d46798a" in step 2) in the IKE policy on the remote peer device.
    [edit]
    user@peer# set security ike policy IKE_POL pre-shared-key ascii-text generated-psk

    For example:

    user@peer# set security ike policy IKE_POL pre-shared-key ascii-text 79e4ea39f5c06834a3c4c031e37c6de24d46798a
  4. (Optional) To bypass IKE ID validation and allow all IKE ID types, configure the general-ikeid statement at the [edit security ike gateway gateway_name dynamic] hierarchy level on the hub gateway.
    [edit]
    user@host# set security ike gateway HUB_GW dynamic general-ikeid

Result

From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

[edit]
user@host# show security
    ike {
        proposal IKE_PROP {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 750;
        }
        policy IKE_POL {
            proposals IKE_PROP;
            seeded-pre-shared-key ascii-text "$9$zoDln9pIEyWLN0BLNdboaFn/C0BRhSeM8"; ## SECRET-DATA
        }
        gateway HUB_GW {
            ike-policy IKE_POL;
            dynamic {
                general-ikeid;
                ike-user-type group-ike-id;
            }
            local-identity hostname hub.juniper.net;
            external-interface lo0.0;
            local-address 11.0.0.1;
            version v2-only;
        }
    }

Configure the same IKE preshared key

To configure the same IKE preshared key for every remote peer that the VPN gateway authenticates, perform these tasks.

  1. Configure the common preshared key for the IKE policy on the device that acts as the AutoVPN hub.
    [edit]
    user@host# set security ike policy IKE_POL pre-shared-key ascii-text ascii-text

    For example:

    user@host# set security ike policy IKE_POL pre-shared-key ascii-text ThisIsMySecretPreSharedkey
  2. Configure the same common preshared key in the IKE policy on the remote peer device.
    [edit]
    user@peer# set security ike policy IKE_POL pre-shared-key ascii-text ascii-text

    For example:

    user@peer# set security ike policy IKE_POL pre-shared-key ascii-text ThisIsMySecretPreSharedkey
  3. (Optional) To bypass IKE ID validation and allow all IKE ID types, configure the general-ikeid statement at the [edit security ike gateway gateway_name dynamic] hierarchy level on the hub gateway.
    [edit]
    user@host# set security ike gateway HUB_GW dynamic general-ikeid

Result

From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

[edit]
user@host# show security
    ike {
        proposal IKE_PROP {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 750;
        }
        policy IKE_POL {
            proposals IKE_PROP;
            pre-shared-key ascii-text "$9$wo2oGk.569pDi9p0BSys24"; ## SECRET-DATA
        }
        gateway HUB_GW {
            ike-policy IKE_POL;
            dynamic {
                general-ikeid;
                ike-user-type group-ike-id;
            }
            local-identity user-at-hostname user1@juniper.net;
            external-interface lo0;
            local-address 11.0.0.1;
            version v2-only;
        }
    }