dynamic (Security)

 

Syntax

Hierarchy Level

Release Information

Statement modified in Junos OS Release 8.5. Support for the inet6 option added in Junos OS Release 11.1.

Description

Specify the identifier for the remote gateway with a dynamic IPv4 or IPv6 address. Use this statement to set up a VPN with a gateway that has an unspecified IPv4 or IPv6 address.

Options

connections-limit
  Configure the number of concurrent connections that the group profile supports. When the maximum number of connections is reached, no more dynamic virtual private network (VPN) endpoints or dialup users attempting to access an IPsec VPN are allowed to begin Internet Key Exchange (IKE) negotiations. This configuration applies to SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX instances, and to SRX5400, SRX5600, and SRX5800 devices configured for AutoVPN.

distinguished-name
  Specify a distinguished name as the identifier for the remote gateway with a dynamic IP address.

hostname
  Name by which a network-attached device is known on a network. This can be a fully qualified domain name (FQDN) or a partial FQDN that can be matched to a peer's X.509 PKI certificate. A partial FQDN is matched to the right-most part of the alternate subject field in the peer device's certificate. For example, the partial FQDN example.net can match devices with host1.example.net or host2.example.net in the alternate subject field of their certificates. Note that the partial FQDN example.net does not match host1.example.network.com or host2.net.com because example.net is not the right-most value in the alternate subject field. For AutoVPN, a partial FQDN combined with ike-user-type group-ike-id can be used to identify a specific remote user or peer when there are multiple peers that share a common domain name.

ike-user-type
  Configure the type of IKE user for a remote access connection.

Values:

  • group-ike-id—E-mail address or fully qualified domain name (FQDN) shared by a group of remote access users so that each user does not need to configure a separate IKE profile. When group IKE IDs are configured, the IKE ID of each user is a concatenation of a user-specific part and a part that is common to all group IKE ID users. For example, the user Bob might use "Bob.example.net" as his full IKE ID, where ".example.net" is common to all users. The full IKE ID is used to uniquely identify each user connection. Group IKE IDs require the generation of a unique preshared key based on the username supplied during VPN connection, which can be viewed with the show security ike pre-shared-key command.

  • shared-ike-id—E-mail address shared by a large number of remote access users so that each user does not need to configure a separate IKE profile. When a shared IKE ID is configured, all users share a single IKE ID and a single IKE preshared key. Each user is authenticated through the mandatory XAuth phase, where the credentials of individual users are verified either with an external RADIUS server or with a local access database. XAuth is required for shared IKE IDs.

inet
  Use an IPv4 address to identify the dynamic peer.

inet6
  Use an IPv6 address to identify the dynamic peer.

reject-duplicate-connection
  Reject a new connection from a duplicate IKE ID.

user-at-hostname
  Use an e-mail address.
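
The following Python check is an added example, not Juniper code or part of the original page. It applies the right-most partial FQDN rule described under hostname to a constructed peer inventory, then reports names that would collide under reject-duplicate-connection and whether the matched peers exceed connections-limit. The inventory, the function names, and the assumption that each peer's IKE ID is the FQDN in its certificate are illustrative.

```python
from collections import Counter

# Constructed inventory: (label, FQDN from the certificate's alternate subject field).
PEERS = [
    ("spoke-a", "host1.example.net"),
    ("spoke-b", "host2.example.net"),
    ("spoke-c", "host1.example.network.com"),
    ("spoke-d", "host2.net.com"),
    ("spoke-e", "host1.example.net"),  # same name as spoke-a, e.g. a cloned device
]


def normalize(name):
    # Assumption: names are compared case-insensitively, as DNS names are.
    return name.strip().lower()


def matches_partial_fqdn(san_name, partial_fqdn):
    """Right-most comparison, as the hostname option describes it."""
    return normalize(san_name).endswith(normalize(partial_fqdn))


def audit_gateway(peers, partial_fqdn, connections_limit):
    """Pre-commit sanity check for one dynamic gateway definition.

    Assumption: each peer's IKE ID is the FQDN in its certificate, so two
    peers presenting the same name are duplicate IKE IDs.
    """
    matched, unmatched = [], []
    for label, san in peers:
        if matches_partial_fqdn(san, partial_fqdn):
            matched.append((label, normalize(san)))
        else:
            unmatched.append(label)

    counts = Counter(san for _, san in matched)
    return {
        "matched": [label for label, _ in matched],
        "unmatched": unmatched,
        # Names a gateway with reject-duplicate-connection would see twice.
        "duplicate_ike_ids": sorted(s for s, n in counts.items() if n > 1),
        # More distinct matching peers than connections-limit allows at once.
        "over_limit": len(counts) > connections_limit,
    }


if __name__ == "__main__":
    for key, value in audit_gateway(PEERS, "example.net", 2).items():
        print(f"{key}: {value}")
```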

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.
