Juniper JUNOS OS 10.4 - RELEASE NOTES REV 6 Release Note page 114

JUNOS OS 10.4 Release Notes
114
After successful authentication, AUTHD sends the following network parameters to
IKE or XAuth:
- IP address
- Domain Name System (DNS)
- Windows Internet Naming Service (WINS)

The IP address can be drawn from a locally configured IP address pool. AUTHD requires
IKE or XAuth to release the IP address when it is no longer in use.
IKE provides a mechanism for establishing IP Security (IPsec) tunnels.
[Junos OS CLI User Guide, Junos OS Security Configuration Guide]
Support group Internet Key Exchange (IKE) IDs for dynamic VPN configuration — This
feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
The existing design of the dynamic virtual private network (VPN) uses a unique Internet
Key Exchange (IKE) ID for each user connection. For each user, the VPN needs to be
configured with an individual IKE gateway, an IPsec VPN, and a security policy using
the IPsec VPN. This is cumbersome when there are a large number of users. The design
is modified to allow a number of users to share a set of IKE or IPsec VPN (or policy
configuration) using shared-ike-id or group-ike-id. This reduces the number of times
the VPN needs to be configured.
The shared-ike-id and group-ike-id allow you to configure VPN once for multiple users.
All users connecting through a shared-ike-id configuration use the same IKE ID and
preshared key. The user credentials are verified in the extended authentication (XAuth)
phase of AUTHD. The credential of a user is configured either in Radius or in the access
database of AUTHD.
When using group-ike-id or shared-ike-id for user connection management and
licensing, the users on the client PC must use the same user credentials for both
WebAuth and XAuth login (that is, the two client login windows) to prevent undesirable
behavior and incorrect CLI output on the server.
NOTE: We recommend that you use group-ike-id whenever possible.
For group-ike-id, a part of the configuration for a user IKE ID is common to the group.
The IKE ID is the concatenation of an individual part and the common part of IKE ID.
For example, a user can use a group-ike-id configuration with a common part
".juniper.net" and the individual part "X". The IKE ID can be "X.juniper.net". Httpd-gk
generates the individual part of the IKE ID.
The group-ike-id does not require extended authentication (XAuth). However, for
dynamic VPN, XAuth is needed to retrieve the network attributes such as IP address
for the client. Therefore, if XAuth is not configured for group-ike-id and the administrator
uses the IKE gateway in a dynamic VPN client, a warning message appears.
This feature introduces new commands for ike sa and dynamic-vpn and new options
in the IKE Gateway Add/Edit page of J-Web.
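As an added illustration (not part of these release notes), the following gateway configuration shows how the group-ike-id pieces described above fit together: the common part of the IKE ID is carried by the gateway's dynamic hostname, each client presents "individual.common" (for example "X.juniper.net"), and XAuth is bound to an access profile so dynamic VPN can retrieve the client's IP address. The gateway, policy, profile and interface names, and the dynamic hostname / ike-user-type / xauth access-profile statement syntax, are assumptions taken from Junos documentation rather than from this page.

```junos
## Assumed names: dyn-vpn-gw, dyn-vpn-ike-policy, dyn-vpn-access-profile, ge-0/0/0
set security ike gateway dyn-vpn-gw ike-policy dyn-vpn-ike-policy
## Common part of the IKE ID; clients present <individual>.juniper.net
set security ike gateway dyn-vpn-gw dynamic hostname juniper.net
## One gateway shared by every user whose IKE ID ends in the common part
set security ike gateway dyn-vpn-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-gw external-interface ge-0/0/0
## Required for dynamic VPN: without it the group-ike-id gateway triggers the
## warning mentioned above, because no XAuth phase hands out the client IP address
set security ike gateway dyn-vpn-gw xauth access-profile dyn-vpn-access-profile

## shared-ike-id variant: every user presents the identical IKE ID and preshared
## key, and is told apart only by the XAuth credentials checked by AUTHD
## set security ike gateway dyn-vpn-gw dynamic user-at-hostname "vpn@juniper.net"
## set security ike gateway dyn-vpn-gw dynamic ike-user-type shared-ike-id
```

The preshared key itself belongs to the referenced IKE policy and the per-user credentials to the access profile (local database or RADIUS), neither of which is shown here.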
Copyright © 2011, Juniper Networks, Inc.
