
[SRX] DH group 21/responder-only options not visible even after upgrading to Junos OS 19.1R1+

Article ID: KB37133 | KB Last Updated: 16 Sep 2021 | Version: 1.0
Summary:

This article describes the steps for adding the Diffie-Hellman (DH) group21 and responder-only options on SRX5000 Series devices by installing the junos-ike package.

Symptoms:

The Diffie-Hellman group21 and responder-only options are not visible even after upgrading to Junos OS Release 19.1R1 or later.

user@host# set security ike proposal test dh-group ?  
Possible completions:
  group1               Diffie-Hellman Group 1
  group14              Diffie-Hellman Group 14
  group19              Diffie-Hellman Group 19
  group2               Diffie-Hellman Group 2
  group20              Diffie-Hellman Group 20
  group24              Diffie-Hellman Group 24
  group5               Diffie-Hellman Group 5  <<<<<<<<<<<< group21 not showing
[edit]

user@host# set security ipsec vpn test establish-tunnels ?
Possible completions:
  immediately          Establish tunnels immediately
  on-traffic           Establish tunnels on traffic <<<<<<<<< responder-only and responder-only-no-rekey not showing

Cause:

On SRX 5000 Series devices equipped with the SRX5K-SPC3 card, the junos-ike package is required to install and enable any of the IPsec VPN features, including the DH group21 and responder-only options. The junos-ike package is shipped with all SRX 5000 Series devices; however, on devices running Junos OS releases prior to 20.1R2 it must be installed manually when the SPC3 card is plugged into the chassis for the first time.

On SRX 5000 Series devices with RE3 that are running Junos OS Release 20.1R2, 20.2R2, 20.3R2, 20.4R1, or later, the junos-ike package is installed by default.

Note: The DH group21 and responder-only options were introduced in Junos OS Release 19.1R1 on SRX Series devices, and only SRX 5000 Series devices with the SRX5K-SPC3 card can use them.

Solution:

To install the junos-ike package on SRX5000 Series devices that are running a Junos OS release prior to 20.1R2, perform the following steps:

  1. Check whether the SRX device has the junos-ike package by running the following command:

user@host> show version | grep ike    
JUNOS ike [20190321.051058_builder_junos_191_r1] <<<<<<<<< IKE package

If the output does not list the IKE package as shown above, continue with Step 2 to install it.

  2. Run the following command to install the package:

user@host> request system software add optional://junos-ike.tgz

Output:
user@host> ... add optional://junos-ike.tgz                    
Verified junos-ike signed by PackageProductionEc_2019 method ECDSA256+SHA256
Rebuilding schema and Activating configuration...
mgd: commit complete
Restarting MGD ...

WARNING: cli has been replaced by an updated version:
CLI release 20190319.203446_builder.r1013243 built by builder on 2019-03-19 20:48:13 UTC
Restart cli using the new version ? [yes,no] (yes) yes 

Restarting cli ...
user@host>

  3. Confirm that the package has been installed properly by using the following command:

user@host> show version | grep ike    
JUNOS ike [20190321.051058_builder_junos_191_r1] <<<<<<<<< IKE package

  4. Check for the group21 and responder-only options under their respective hierarchies and enable them:

root@jtac-srx5400-r2003# set security ike proposal test dh-group ?
Possible completions:
  group1               Diffie-Hellman Group 1
  group14              Diffie-Hellman Group 14
  group15              Diffie-Hellman Group 15
  group16              Diffie-Hellman Group 16
  group19              Diffie-Hellman Group 19
  group2               Diffie-Hellman Group 2
  group20              Diffie-Hellman Group 20
  group21              Diffie-Hellman Group 21 <<<<<<<<<<<<<<<
  group24              Diffie-Hellman Group 24
  group5               Diffie-Hellman Group 5
[edit]

root@jtac-srx5400-r2003# set security ipsec vpn test establish-tunnels ?
Possible completions:
  immediately          Establish tunnels immediately
  on-traffic           Establish tunnels on traffic
  responder-only       Establish tunnels only on receiving negotiation from peer <<<<<<<<<<<<<
  responder-only-no-rekey  Disable rekey in responder-only mode
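The following set commands are an added example, not part of this KB article, showing how the two options surfaced by the junos-ike package fit into a complete IKEv2 site-to-site VPN on an SRX5K with SPC3: group21 for the IKE SA and for PFS on the child SA, and responder-only so this device only answers the peer's negotiation. All object names, the peer address (documentation range 203.0.113.2), reth0.0, st0.0 and the pre-shared-key placeholder are assumptions to be replaced with site values.

```junos
# Added example (not from the KB article). Names, 203.0.113.2, reth0.0,
# st0.0 and the PSK placeholder are assumptions; adjust to your deployment.

# IKE proposal: DH group21 (521-bit ECP) for the IKE SA key exchange
set security ike proposal IKE-PROP-P521 authentication-method pre-shared-keys
set security ike proposal IKE-PROP-P521 dh-group group21
set security ike proposal IKE-PROP-P521 authentication-algorithm sha-384
set security ike proposal IKE-PROP-P521 encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROP-P521 lifetime-seconds 28800

set security ike policy IKE-POL-PEER proposals IKE-PROP-P521
set security ike policy IKE-POL-PEER pre-shared-key ascii-text "REPLACE-WITH-STRONG-PSK"

# IKEv2 gateway; the peer is expected to initiate
set security ike gateway GW-PEER ike-policy IKE-POL-PEER
set security ike gateway GW-PEER address 203.0.113.2
set security ike gateway GW-PEER external-interface reth0.0
set security ike gateway GW-PEER version v2-only

# IPsec proposal/policy: PFS re-derives child SA keys with group21 as well
set security ipsec proposal IPSEC-PROP-GCM protocol esp
set security ipsec proposal IPSEC-PROP-GCM encryption-algorithm aes-256-gcm
set security ipsec proposal IPSEC-PROP-GCM lifetime-seconds 3600

set security ipsec policy IPSEC-POL-PEER perfect-forward-secrecy keys group21
set security ipsec policy IPSEC-POL-PEER proposals IPSEC-PROP-GCM

# VPN: never initiate; establish the tunnel only when the peer negotiates
set security ipsec vpn VPN-PEER bind-interface st0.0
set security ipsec vpn VPN-PEER ike gateway GW-PEER
set security ipsec vpn VPN-PEER ike ipsec-policy IPSEC-POL-PEER
set security ipsec vpn VPN-PEER establish-tunnels responder-only

# Verify after commit (operational mode):
#   show security ike security-associations
#   show security ipsec security-associations
```

If the device should also leave rekeying to the peer, use establish-tunnels responder-only-no-rekey in place of responder-only; both require the junos-ike package described above.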

Note: Because the junos-ike package is installed by default on SRX 5000 Series devices with RE3 that are running Junos OS Release 20.1R2, 20.2R2, 20.3R2, 20.4R1, or later, the iked and ikemd processes run on the Routing Engine by default instead of the IPsec key management daemon (kmd).

To use the kmd process for the IPsec VPN feature instead of the default iked, run the request system software delete junos-ike command.
