Setting the IKE Peer Identity
To set the IKE peer identity values, use the
ike peer-identity
command. You can set the
profile to accept logins from users that present one of the following:
•
An asn1DN as an IKE identity type (an ASN.1-encoded distinguished name) and the
user-provided IKE identity contains the substring configured for the profile.
•
A userFQDN or FQDN as an IKE identity type and the domain name portion of the IKE
identity matches the domain name setting for this profile. An empty string (default)
means that IKE identity types of userFQDN and FQDN are not allowed for logins on
this profile.
The IKE identity type of userFQDN also carries a domain name. Users presenting this
identity must also pass any restrictions set for the peer domain name for this profile
before they are able to log in.
•
An IP address as an IKE identity type and the IP address resides within the specified
network. The default of 0.0.0.0/0 allows any peer IP address to this profile.
•
A userFQDN as an IKE identity type and the username portion of the IKE identity matches
the username setting for this profile. An empty string (default) means that an IKE
identity type of userFQDN is not allowed for logins on this profile.
NOTE:
You can also use the wildcard (*) for the username and domain name or as the
first or last character in the username or domain name string.
ike peer-identity distinguished-name
ike peer-identity domain-name
ike peer-identity ip address
ike peer-identity username
•
Use to set the IKE peer identity used for IKE security association (SA) negotiations.
•
Example
host1(config-ipsec-tunnel-profile)#
ike peer-identity domain-name domain2
•
Use the
no
version to remove the specified IKE peer identity.
•
See ike peer-identity distinguished-name.
•
See ike peer-identity domain-name.
•
See ike peer-identity ip address.
•
See ike peer-identity username.
Appending a Domain Suffix to a Username
The VPN to which a user is to be terminated is sometimes known from the IKE identities
attached to the user. However, to assist in connecting users to the correct AAA domain
for authentication, you can use the
domain-suffix
command to append a domain suffix
175
Copyright © 2010, Juniper Networks, Inc.
Chapter 6: Configuring Dynamic IPSec Subscribers
Summary of Contents for JUNOSE 11.2.X IP SERVICES
Page 6: ...Copyright 2010 Juniper Networks Inc vi...
Page 8: ...Copyright 2010 Juniper Networks Inc viii JunosE 11 2 x IP Services Configuration Guide...
Page 18: ...Copyright 2010 Juniper Networks Inc xviii JunosE 11 2 x IP Services Configuration Guide...
Page 22: ...Copyright 2010 Juniper Networks Inc xxii JunosE 11 2 x IP Services Configuration Guide...
Page 28: ...Copyright 2010 Juniper Networks Inc 2 JunosE 11 2 x IP Services Configuration Guide...
Page 116: ...Copyright 2010 Juniper Networks Inc 90 JunosE 11 2 x IP Services Configuration Guide...
Page 144: ...Copyright 2010 Juniper Networks Inc 118 JunosE 11 2 x IP Services Configuration Guide...
Page 230: ...Copyright 2010 Juniper Networks Inc 204 JunosE 11 2 x IP Services Configuration Guide...
Page 262: ...Copyright 2010 Juniper Networks Inc 236 JunosE 11 2 x IP Services Configuration Guide...
Page 294: ...Copyright 2010 Juniper Networks Inc 268 JunosE 11 2 x IP Services Configuration Guide...
Page 328: ...Copyright 2010 Juniper Networks Inc 302 JunosE 11 2 x IP Services Configuration Guide...
Page 345: ...PART 2 Index Index on page 321 319 Copyright 2010 Juniper Networks Inc...
Page 346: ...Copyright 2010 Juniper Networks Inc 320 JunosE 11 2 x IP Services Configuration Guide...
Page 356: ...Copyright 2010 Juniper Networks Inc 330 JunosE 11 2 x IP Services Configuration Guide...