Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] How To: Create Multiple Dial Up VPN using same IKE ID (ScreenOS 6.0 and later)



Article ID: KB14883 KB Last Updated: 11 Mar 2020Version: 4.0
How To: Create Multiple Dial Up (Policy-Based) VPN using same IKE ID
  • Shared IKE ID
  • Deploy large number of remote clients

Note:  This policy-based VPN example applies to ScreenOS 6.x. 


"Shared IKE ID".  This ScreenOS feature allows you to deploy and manage a large-scale distribution of VPN Clients, with minimal configuration on both the Firewall and the VPN client.  Administrators can deploy a single IKE tunnel ID for the VPN Clients and require each user to Authenticate with an individual ID. This saves administration work by:

  1. Providing IPSec protection with a common VPN tunnel configuration and
  2. Should an employee leave the company, the administrator is no longer required to re-deploy a new group user-id.

Example:  Assume two users, Mike and Joe, are trying to access a server on the trusted side of the Juniper Firewall. The Administrator wants to deploy a single VPN Dial-up User configuration and have each user authenticated individually.



  VPN Client NetScreen FW
Shared IKE User   Remote_Sales
Shared IKE ID
User Group   R_S
XAuth User 1/ Password Joe/password1  
XAuth User 2 / Password Mike/password2  
Phase 1 Proposals Preshared Secret;Extended Authentication
Triple DES; SHA; Diffie-Hellman Group 2
Phase 2 Proposals Triple DES; SHA-1 nopfs-esp-3des-sha


The basic steps in deploying this configuration is as follows:

ScreenOS Firewall Side:

  1. Define an IKE ID User (Without xauth authentication)
  2. Assign the IKE ID User from step 1 to a new Dial Up User Group
  3. Define separate XAuth Users (with no IKE ID configuration)
  4. Define IKE Phase 1 Gateway, and DO NOT SELECT "Use as Seed"
  5. Define IKE Phase 2 VPN as usual
  6. Define Dial Up VPN policy as usual

VPN Client Side:

  1. Enter Remote Party Identity and Address, and Secure Gateway Tunnel as normal
  2. Under My Identity, select ID type email address, and enter the IKE ID from step 2 on the NetScreen Side procedure
  3. Click Pre-Shared Key, and enter the preshared key defined from step 4 on the NetScreen Side procedure
  4. Configure Phase 1 for Xauth and Phase 2 to match the configuration on the NetScreen side

Configuration of ScreenOS Firewall Side:

  1. Create Local Users.  Select: Objects > Users > Local
    1. Create User: Remote_Sales.  Click New and enter the following:
      • Username: Remote_Sales
      • Enable IKE User (Do not select XAuth User)
      • Number of Multiple Logins with Same ID: 250 (Choose whatever number of simultaneous users you want logging in under this IKE ID. 
      • Click Simple Identity
      • IKE ID Type:  AUTO
      • IKE Identity:    (Note: IKE ID must be an e-mail address)
    2. Click OK
    3. Create User: Joe.  Click New and enter the following:
      • Username: Joe
      • Click XAuth User (Do not select IKE User)
      • User Password: password4joe
      • Confirm Password: password4joe
    4. Click OK
    5. Create User: Mike.  Click New and enter the following:
      • Username: Mike
      • Click XAuth User (Do not select IKE User)
      • User Password: password4mike
      • Confirm Password: password4mike
    6. Click OK
  2. Create a Local Group.  Select: Objects > Users > Local Groups
    1. Click New
    2. Enter Group Name: R_S
    3. Under Available Members, select Remote_Sales, and click << directional button
    4. Click OK
  3. Add the Gateway.  Select VPNs > AutoKey Advanced > Gateway
    Note:  If you do not have an Authentication Server configured for XAuth, refer to the Example: RADIUS Auth Server on p.33 of the ScreenOS Concepts & Examples Guide - Vol 9 - Authentication Servers.
    1. Click New
    2. Enter Gateway Name: Sales
    3. Click Dialup User Group, and select R_S from the Group pulldown menu
    4. Click Advanced
    5. Preshared Key: sharedikeid (Do not enable "Use as Seed"; parameter to be used when configuring Group IKE ID with Global Pro/Express)
    6. Outgoing Interface: ethernet0/0 (Choose whatever interface is your outgoing interface to the Internet)
    7. Click Security Level: Select Custom, and select Phase 1 Proposal pre-g2-3des-sha
    8. Click Mode (Initiator): Aggressive
    9. Click Enable NAT-Traversal
    10. Click Return
    11. Click OK
  4. Set the XAuth settings: Select  VPNs > AutoKey Advanced > XAuth Settings
    1. Default Authentication Server:  From pull-down, select your XAuth Server.
    2. Click Apply
  5. Create the AutoKey IKE.  Select VPNs > AutoKey IKE
    1. Click New
    2. Enter VPN Name: Sales VPN
    3. Select Remote Gateway: Click Predefined, and select Sales from the pulldown menu
    4. Click Advanced and Click Return
    5. Select Security Level: Select Custom, and select Phase 2 Proposal nopfs-esp-3des-sha
    6. Click OK
  6. Configure the Policies.  Select Policy > Policies
    1. Select From Untrust to Trust zone, and click New
    2. Enter Source Address:Click Address Book, and select Dial-Up VPN
    3. Enter Destination Address: Click New Address, and enter
    4. Set Service: ANY
    5. Set Action: Tunnel
    6. Set Tunnel VPN: Sales_VPN
    7. Click OK
set user "Remote_Sales" type ike
set user "Remote_Sales" ike-id "" share-limit 25
set user "Remote_Sales" enable

set user-group "R_S" location local
set user-group "R_S" user "Remote_Sales"

set user "Joe" password "password4joe"
set user "Joe" type xauth
set user "Joe" enable
set user "Mike" password "password4mike"
set user "Mike" type xauth
set user "Mike" enable

set ike gateway "Sales" dialup "R_S" aggressive outgoing-interface ethernet0/0 preshare "sharedikeid" proposal "pre-g2-3des-sha"
set ike gateway "Sales" nat-traversal
set ike gateway "Sales" nat-traversal keepalive-frequency 5
set xauth default auth server "Local"
set vpn "Sales VPN" gateway "Sales" no-replay tunnel proposal "nopfs-esp-3des-sha"
unset vpn "Sales VPN" monitor

set address "Trust" ""
set policy from "Untrust" to "Trust" "Dial-Up VPN" "" "ANY" tunnel vpn "Sales VPN"

For information on configuring VPN clients, refer to:


How this works:

During Phase 1 negotiations, the Firewall device first authenticates the VPN client by matching the VPN Tunnel IKE ID and preshared key sent from the client with that configured on the Firewall device. If there is a match, then the Firewall device will use XAuth to authenticate the individual user. A login prompt is sent from the Firewall to the user at the remote site. This occurs between Phase 1 and Phase 2 IKE negotiations. If the remote user successfully logs on with the correct user name and password, Phase 2 negotiations begin.

Now, an administrator can export this same SPD file to all remote users.  Every user will import the same spd file into the VPN Client.  When trying to build a tunnel, they will be required to enter their own XAuth Username and Password.  In this example, when Joe hooks up to the VPN, he will be prompted for a login.  He will enter Joe/password1.  When Mike wants to hook up to the VPN, he will be prompted for a login, and he will enter Mike/password2.

Modification History:
2017-12-07: Article reviewed for accuracy. Added ScreenOS tag in the title. . Article is correct and complete.
2020-03-11: removed references to NS Remote (as its EOS)
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search