
dynamic (Security)


Hierarchy Level


Specify the identifier for the remote gateway with a dynamic IPv4 or IPv6 address. Use this statement to set up a VPN with a gateway that has an unspecified IPv4 or IPv6 address.



Configure the number of concurrent connections that the group profile supports. When the maximum number of connections is reached, no more dynamic virtual private network (VPN) endpoints or dialup users attempting to access an IPsec VPN are allowed to begin Internet Key Exchange (IKE) negotiations. This configuration applies to SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX instances, and to SRX5400, SRX5600, and SRX5800 devices configured for AutoVPN.


Specify a distinguished name as the identifier for the remote gateway with a dynamic IP address.


Disables IKE ID validation. If this option is enabled, the new iked process skips the IKE ID validation. After skipping the IKE ID validation, the new iked process still continues the authentication as per the IKE standard. general-ikeid is an optional configuration statement.


Name by which a network-attached device is known on a network. A fully qualified domain name (FQDN), or partial FQDN that can be matched to a peer’s X.509 PKI certificate. A partial FQDN is matched to the right-most part of the alternate subject field in the peer device’s certificate. For example, the partial FQDN can match devices with or in the alternate subject field of their certificates. Note that the partial FQDN does not match or because is not the right-most value in the alternate subject field. For AutoVPN, a partial FQDN combined with ike-user-type group-ike-id can be used to identify a specific remote user or peer when there are multiple peers that share a common domain name.


Configure the type of IKE user for a remote access connection.

  • Values:

    • group-ike-id—E-mail address or fully qualified domain name (FQDN) shared by a group of remote access users so that each user does not need to configure a separate IKE profile. When group IKE IDs are configured, the IKE ID of each user is a concatenation of a user-specific part and a part that is common to all group IKE ID users. For example, the user Bob might use ”“ as his full IKE ID, where ”“ is common to all users. The full IKE ID is used to uniquely identify each user connection. Group IKE IDs require the generation of a unique preshared key based on the username supplied during VPN connection, which can be viewed with the show security ike pre-shared-key command.

    • shared-ike-id—E-mail address shared by a large number of remote access users so that each user does not need to configure a separate IKE profile. When a shared IKE ID is configured, all users share a single IKE ID and a single IKE preshared key. Each user is authenticated through the mandatory XAuth phase, where the credentials of individual users are verified either with an external RADIUS server or with a local access database. XAuth is required for shared IKE IDs.


Use an IPv4 address to identify the dynamic peer.


Use an IPv6 address to identify the dynamic peer.


Reject a new connection from a duplicate IKE ID.


Use an e-mail address.
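
An added example, not Juniper's code: a short Python review script for the options described above. It reads a configuration in `set` format and reports dynamic gateways that have general-ikeid configured or that lack a connection cap or duplicate IKE ID rejection. The sample configuration and its gateway and policy names are constructed; `connections-limit` and `reject-duplicate-connection` are assumed here as the Junos statement names for the concurrent-connection and duplicate-IKE-ID options.

```python
import re
from collections import defaultdict

# Constructed sample configuration in "set" format; all names and values are made up.
SAMPLE_CONFIG = """\
set security ike gateway GW-BRANCH ike-policy POL-BRANCH
set security ike gateway GW-BRANCH dynamic hostname example.net
set security ike gateway GW-BRANCH dynamic ike-user-type group-ike-id
set security ike gateway GW-BRANCH dynamic connections-limit 50
set security ike gateway GW-BRANCH dynamic reject-duplicate-connection
set security ike gateway GW-LAB ike-policy POL-LAB
set security ike gateway GW-LAB dynamic general-ikeid
set security ike gateway GW-STATIC address 192.0.2.10
"""

# Matches only statements under [edit security ike gateway <name> dynamic].
DYNAMIC_RE = re.compile(r"^set security ike gateway (\S+) dynamic (\S+)(?:\s+(.*))?$")


def dynamic_options(config_text):
    """Map gateway name -> {dynamic option: value} for gateways with a dynamic stanza."""
    gateways = defaultdict(dict)
    for line in config_text.splitlines():
        m = DYNAMIC_RE.match(line.strip())
        if m:
            name, option, value = m.groups()
            gateways[name][option] = value or ""
    return dict(gateways)


def review_gateway(options):
    """Return review items for one gateway's dynamic options."""
    items = []
    if "general-ikeid" in options:
        items.append("general-ikeid configured: IKE ID validation is skipped")
    if "connections-limit" not in options:  # assumed statement name
        items.append("connections-limit not configured")
    if "reject-duplicate-connection" not in options:  # assumed statement name
        items.append("reject-duplicate-connection not configured")
    return items


def review_config(config_text):
    """Review every gateway that has a dynamic stanza; static gateways are skipped."""
    return {gw: review_gateway(opts) for gw, opts in dynamic_options(config_text).items()}


if __name__ == "__main__":
    for gw, items in review_config(SAMPLE_CONFIG).items():
        print(gw, "OK" if not items else items)
```
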

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement modified in Junos OS Release 8.5. Support for the inet6 option added in Junos OS Release 11.1.

The general-ikeid option under the [edit security ike gateway gateway-name dynamic] hierarchy level was introduced in Junos OS Release 21.1R1.