VPNs

  • AutoVPN PSK support (SRX5000 line of devices with SPC3 card and vSRX running iked)—To enable the VPN gateway to use a different IKE preshared key (PSK) for authenticating each remote peer, use the new CLI commands seeded-pre-shared-key ascii-text or seeded-pre-shared-key hexadecimal under the [edit security ike policy policy_name] hierarchy level. See policy.

    The SRX5000 line of devices with an SPC3 card and vSRX supports AutoVPN PSK only if the junos-ike-package is installed.

    To enable the VPN gateway to use the same IKE PSK for authenticating all remote peers, use the existing CLI commands pre-shared-key ascii-text or pre-shared-key hexadecimal.

    We also introduce an optional configuration to bypass IKE ID validation: the general-ikeid configuration statement under the [edit security ike gateway gateway_name dynamic] hierarchy level. If you enable this option, then during authentication of the remote peer, the SRX Series device and vSRX skip the IKE ID validation and accept all IKE ID types (hostname, user@hostname). See general-ikeid.

    [See AutoVPN on Hub-and-Spoke Devices and Example: Configuring AutoVPN with Pre-Shared Key.]

  • Simplified packet drop identification for IPsec VPN services (SRX1500, SRX320, SRX340, SRX345, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 21.2R1, you can trace packet drop information without committing the configuration by using the monitor security packet-drop operational command for IPsec VPN services. This command includes various filters that let you tailor the output fields to your requirements.

    [See monitor security packet-drop.]
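
For the AutoVPN PSK item above, the following audit script is an added example, not Juniper code: it reads a configuration in "set" format and reports, per IKE gateway, whether IKE ID validation is bypassed (general-ikeid) and whether the attached policy uses a per-peer (seeded-pre-shared-key) or shared (pre-shared-key) key. The sample configuration, the gateway and policy names, and the review rule in needs_review are assumptions of this example; ike-policy is the standard Junos statement that binds a gateway to a policy.

```python
import re

# Constructed sample in Junos "set" format; all names and secrets are placeholders.
SAMPLE_CONFIG = """\
set security ike policy HUB-SEEDED seeded-pre-shared-key ascii-text "constructed-secret"
set security ike policy HUB-SHARED pre-shared-key ascii-text "constructed-secret"
set security ike gateway GW-A ike-policy HUB-SEEDED
set security ike gateway GW-A dynamic general-ikeid
set security ike gateway GW-B ike-policy HUB-SHARED
set security ike gateway GW-B dynamic general-ikeid
set security ike gateway GW-C ike-policy HUB-SHARED
set security ike gateway GW-C dynamic hostname spoke.example.net
"""

POLICY_RE = re.compile(
    r"^set security ike policy (\S+) "
    r"(seeded-pre-shared-key|pre-shared-key) (?:ascii-text|hexadecimal)\b")
GW_POLICY_RE = re.compile(r"^set security ike gateway (\S+) ike-policy (\S+)")
GW_GENERAL_RE = re.compile(r"^set security ike gateway (\S+) dynamic general-ikeid\s*$")


def audit_ike(config_text):
    """Map each IKE gateway to its policy, PSK mode and IKE ID validation state."""
    psk_mode, gateways = {}, {}
    for line in map(str.strip, config_text.splitlines()):
        if m := POLICY_RE.match(line):
            # seeded-pre-shared-key: different PSK per peer; pre-shared-key: same PSK for all
            psk_mode[m.group(1)] = "per-peer" if m.group(2).startswith("seeded") else "shared"
        elif m := GW_POLICY_RE.match(line):
            gateways.setdefault(m.group(1), {})["policy"] = m.group(2)
        elif m := GW_GENERAL_RE.match(line):
            gateways.setdefault(m.group(1), {})["bypass"] = True
    return {
        gw: {"policy": info.get("policy"),
             "psk_mode": psk_mode.get(info.get("policy"), "unknown"),
             "ikeid_validation": "bypassed" if info.get("bypass") else "enforced"}
        for gw, info in gateways.items()
    }


def needs_review(report):
    """Assumed heuristic: IKE ID validation bypassed and the PSK is not per-peer."""
    return sorted(gw for gw, r in report.items()
                  if r["ikeid_validation"] == "bypassed" and r["psk_mode"] != "per-peer")


if __name__ == "__main__":
    for gw, row in audit_ike(SAMPLE_CONFIG).items():
        print(gw, row)
    print("review:", needs_review(audit_ike(SAMPLE_CONFIG)))
```

To audit a real device, feed the function the output of show configuration security ike | display set in place of SAMPLE_CONFIG.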