dynamic (Security)

Syntax

Hierarchy Level

[edit security ike gateway gateway-name]

Description

Specify the identifier for the remote gateway with a dynamic IPv4 or IPv6 address. Use this statement to set up a VPN with a gateway that has an unspecified IPv4 or IPv6 address.

Options

connections-limit

Configure the number of concurrent connections that the group profile supports. When the maximum number of connections is reached, no additional dynamic virtual private network (VPN) endpoints or dial-up users attempting to access an IPsec VPN are allowed to begin Internet Key Exchange (IKE) negotiations. This option applies to SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX instances, and to SRX5400, SRX5600, and SRX5800 devices configured for AutoVPN.

distinguished-name

Specify a distinguished name as the identifier for the remote gateway with a dynamic IP address.

general-ikeid

Disable IKE ID validation. When this option is configured, the new iked process skips IKE ID validation but still carries out authentication as required by the IKE standard. general-ikeid is an optional configuration statement.

hostname

Name by which a network-attached device is known on a network. This is a fully qualified domain name (FQDN), or a partial FQDN, that is matched against the peer's X.509 PKI certificate. A partial FQDN is matched to the right-most part of the alternate subject field in the peer device's certificate. For example, the partial FQDN example.net can match devices with host1.example.net or host2.example.net in the alternate subject field of their certificates. Note that the partial FQDN example.net does not match host1.example.network.com or host2.net.com, because example.net is not the right-most value in the alternate subject field. For AutoVPN, a partial FQDN combined with ike-user-type group-ike-id can be used to identify a specific remote user or peer when multiple peers share a common domain name.

ike-user-type

Configure the type of IKE user for a remote access connection.

  • Values:

    • group-ike-id—E-mail address or fully qualified domain name (FQDN) shared by a group of remote access users so that each user does not need to configure a separate IKE profile. When group IKE IDs are configured, the IKE ID of each user is a concatenation of a user-specific part and a part that is common to all group IKE ID users. For example, the user Bob might use "Bob.example.net" as his full IKE ID, where ".example.net" is common to all users. The full IKE ID is used to uniquely identify each user connection. Group IKE IDs require the generation of a unique preshared key based on the username supplied during VPN connection, which can be viewed with the show security ike pre-shared-key command.

    • shared-ike-id—E-mail address shared by a large number of remote access users so that each user does not need to configure a separate IKE profile. When a shared IKE ID is configured, all users share a single IKE ID and a single IKE preshared key. Each user is authenticated through the mandatory XAuth phase, where the credentials of individual users are verified either with an external RADIUS server or with a local access database. XAuth is required for shared IKE IDs.
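The right-most matching rule for a partial FQDN (hostname option) and the split of a group IKE ID into its user-specific and common parts (group-ike-id value), as an added illustration that is not Junos code. It assumes, as our own interpretation, that matching is done on whole DNS labels, so example.net matches host1.example.net but not a name such as badexample.net.

```python
"""Illustrate partial-FQDN matching of a peer's IKE ID (added example)."""
from typing import List, Optional


def _labels(name: str) -> List[str]:
    """Split an FQDN into its DNS labels, ignoring a trailing dot."""
    return [label for label in name.rstrip(".").split(".") if label]


def partial_fqdn_matches(configured: str, peer_id: str) -> bool:
    """Return True if `configured` is the right-most label sequence of `peer_id`.

    DNS names are compared case-insensitively. A configured full FQDN that
    equals the peer ID also matches. Label-boundary matching is an assumption
    of this example, not something stated by the reference page.
    """
    want = [label.lower() for label in _labels(configured)]
    have = [label.lower() for label in _labels(peer_id)]
    if not want or len(want) > len(have):
        return False
    return have[-len(want):] == want


def group_ike_id_user(configured: str, peer_id: str) -> Optional[str]:
    """For group-ike-id, return the user-specific part of the peer's IKE ID.

    With the common part "example.net", the full ID "Bob.example.net" yields
    "Bob". Returns None when the ID does not carry the common part, or when
    the ID is only the common part with no user-specific prefix.
    """
    if not partial_fqdn_matches(configured, peer_id):
        return None
    common_len = len(_labels(configured))
    user_labels = _labels(peer_id)[:len(_labels(peer_id)) - common_len]
    return ".".join(user_labels) or None


if __name__ == "__main__":
    # Constructed sample IDs, following the cases described in the text.
    for pid in ("host1.example.net", "host2.example.net",
                "host1.example.network.com", "host2.net.com",
                "badexample.net", "Bob.example.net"):
        print(f"{pid:28} match={partial_fqdn_matches('example.net', pid)!s:5} "
              f"user={group_ike_id_user('example.net', pid)}")
```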

inet

Use an IPv4 address to identify the dynamic peer.

inet6

Use an IPv6 address to identify the dynamic peer.

reject-duplicate-connection

Reject a new connection from a peer that presents an IKE ID already in use by an existing connection.

user-at-hostname

Use an e-mail address (user@hostname) to identify the dynamic peer.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement modified in Junos OS Release 8.5. Support for the inet6 option added in Junos OS Release 11.1.

The general-ikeid option under the [edit security ike gateway gateway-name dynamic] hierarchy was introduced in Junos OS Release 21.1R1.