AutoVPN on Hub-and-Spoke Devices

Authentication

The supported authentication for AutoVPN hubs and spokes is X.509 public key infrastructure (PKI) certificates. The group IKE user type configured on the hub allows strings to be specified to match the alternate subject field in spoke certificates. Partial matches for the subject fields in spoke certificates can also be specified. See Understanding Spoke Authentication in AutoVPN Deployments.

Starting in Junos OS Release 21.2R1, the SRX5000 line of devices with an SPC3 card and vSRX running the iked process support AutoVPN with a seeded preshared key. These devices support AutoVPN PSK only if the junos-ike-package is installed.

We support AutoVPN with the following two options:

  • Auto-VPN seeded PSK: Multiple peers connecting to the same gateway, each with a different preshared key.
  • Auto-VPN shared PSK: Multiple peers connecting to the same gateway, all with the same preshared key.

Seeded PSK differs from non-seeded PSK (that is, one shared PSK): with seeded PSK, a master key is used to generate the PSK for each peer, so each peer connecting to the same gateway has a different PSK. For example, consider peer 1 with the IKE ID user1@juniper.net and peer 2 with the IKE ID user2@juniper.net, both attempting to connect to a gateway configured as HUB_GW with the master key ThisIsMySecretPreSharedkey. The gateway derives a different PSK for each peer, as follows:


Peer 1: 79e4ea39f5c06834a3c4c031e37c6de24d46798a

Peer 2: 3db8385746f3d1e639435a882579a9f28464e5c7

In other words, different users with different IKE IDs and the same master key each obtain a different, unique preshared key.

You can use either seeded-pre-shared-key or pre-shared-key for Auto-VPN PSK:

  • Different preshared key: If seeded-pre-shared-key is set, the VPN gateway uses a different IKE preshared key to authenticate each remote peer. The peer preshared keys are generated using the master key set in the IKE gateway and shared with the peers. To enable the VPN gateway to use a different IKE preshared key (PSK) for authenticating each remote peer, use the new CLI commands seeded-pre-shared-key ascii-text or seeded-pre-shared-key hexadecimal under the [edit security ike policy policy_name] hierarchy level.

    This command is mutually exclusive with the pre-shared-key command under the same hierarchy.

    See policy.

  • Shared/same preshared key: If pre-shared-key-type is not configured, the PSK is considered shared, and the VPN gateway uses the same IKE preshared key to authenticate all remote peers. To enable the VPN gateway to use the same IKE PSK for authenticating all remote peers, use the existing CLI commands pre-shared-key ascii-text or pre-shared-key hexadecimal.

At the VPN gateway, you can bypass IKE ID validation using the general-ikeid configuration statement under the [edit security ike gateway gateway_name dynamic] hierarchy level. If this option is configured, the VPN gateway accepts a connection from any remote IKE ID during authentication of the remote peer. See general-ikeid.
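The following is an added illustration, not code from Junos OS or from this page, of the difference between the seeded and shared PSK options described above and of the effect of general-ikeid on the hub side. The derivation function is an assumption chosen for illustration (HMAC-SHA256 of the IKE ID under the master key); the actual Junos derivation is not documented here, so the values it produces differ from the sample keys quoted in the text. The class names, the allowed-ID set and the sample IKE IDs are constructed for the example.

```python
"""Seeded vs shared IKE PSK on a hub gateway (constructed illustration).

The derive_peer_psk construction below is an ASSUMPTION for illustration
only; it is not the derivation Junos OS uses, so its outputs differ from
the sample values in the text.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional, Set


def derive_peer_psk(master_key: str, ike_id: str) -> str:
    """Per-peer PSK from a master key and an IKE ID (assumed HMAC-SHA256)."""
    return hmac.new(master_key.encode("utf-8"), ike_id.encode("utf-8"),
                    hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class IkePolicy:
    """Models the mutually exclusive seeded-pre-shared-key / pre-shared-key choice."""
    seeded_master_key: Optional[str] = None   # seeded-pre-shared-key ascii-text ...
    shared_psk: Optional[str] = None          # pre-shared-key ascii-text ...

    def __post_init__(self) -> None:
        if (self.seeded_master_key is None) == (self.shared_psk is None):
            raise ValueError("configure exactly one of seeded-pre-shared-key or pre-shared-key")


@dataclass
class HubGateway:
    """Hub-side view: which PSK applies to a connecting IKE ID, and whether the ID is accepted."""
    policy: IkePolicy
    allowed_ike_ids: Set[str] = field(default_factory=set)  # configured remote identities (constructed)
    general_ikeid: bool = False                              # general-ikeid: bypass IKE ID validation

    def psk_for_peer(self, ike_id: str) -> Optional[str]:
        """PSK the hub uses to authenticate ike_id, or None if the ID is rejected."""
        if not self.general_ikeid and ike_id not in self.allowed_ike_ids:
            return None
        if self.policy.seeded_master_key is not None:
            return derive_peer_psk(self.policy.seeded_master_key, ike_id)
        return self.policy.shared_psk

    def authenticate(self, ike_id: str, presented_psk: str) -> bool:
        """Stand-in for the IKE PSK check; compares in constant time."""
        expected = self.psk_for_peer(ike_id)
        if expected is None:
            return False
        return hmac.compare_digest(expected, presented_psk)


MASTER = "ThisIsMySecretPreSharedkey"   # master key from the text's example
PEERS = {"user1@juniper.net", "user2@juniper.net"}


def demo() -> dict:
    """Compare the two PSK modes and the ID-validation bypass; returns named outcomes."""
    seeded_hub = HubGateway(IkePolicy(seeded_master_key=MASTER), allowed_ike_ids=set(PEERS))
    shared_hub = HubGateway(IkePolicy(shared_psk=MASTER), allowed_ike_ids=set(PEERS))
    psk1 = seeded_hub.psk_for_peer("user1@juniper.net")
    psk2 = seeded_hub.psk_for_peer("user2@juniper.net")
    return {
        # same master key, different IKE IDs -> different per-peer keys
        "seeded_keys_differ": psk1 != psk2,
        # shared mode hands every peer the same key
        "shared_keys_equal": shared_hub.psk_for_peer("user1@juniper.net")
        == shared_hub.psk_for_peer("user2@juniper.net"),
        # a leaked peer-1 key does not authenticate as peer 2 under seeded PSK ...
        "seeded_cross_peer_reuse": seeded_hub.authenticate("user2@juniper.net", psk1),
        # ... but the one shared key authenticates any configured peer
        "shared_cross_peer_reuse": shared_hub.authenticate("user2@juniper.net", MASTER),
        # an unconfigured IKE ID is rejected unless general-ikeid bypasses validation
        "unknown_id_rejected": seeded_hub.psk_for_peer("unknown@example.net") is None,
        "general_ikeid_accepts": HubGateway(IkePolicy(seeded_master_key=MASTER),
                                            general_ikeid=True)
        .psk_for_peer("unknown@example.net") is not None,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the model makes visible is the blast radius: with a shared PSK, one compromised spoke's key authenticates as any configured spoke, while with a seeded PSK a leaked key is bound to one IKE ID. Combining general-ikeid with a shared PSK removes both the ID check and per-peer key separation, which is why the ID bypass deserves scrutiny during review of a hub configuration.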

The SRX5000 line of devices with an SPC3 card and vSRX running iked support the following IKE modes:

See Example: Configuring AutoVPN with Pre-Shared Key.