IKEv2 configuration payload support with RADIUS

Configuration payload is an Internet Key Exchange (IKE) version 2 feature used to propagate provisioning information from an IKE responder to the IKE initiator. IKEv2 configuration payload is supported with route-based VPNs only. The following attribute types, defined in RFC 5996, Internet Key Exchange Protocol Version 2 (IKEv2), can be returned to the IKE initiator by the IKE responder: 

• INTERNAL_IP4_ADDRESS 
• INTERNAL_IP4_NETMASK 
• INTERNAL_IP4_DNS 

For the IKE responder to provide the initiator with provisioning information, it must acquire the information from a specified source such as a RADIUS server. Provisioning information can also be returned from a DHCP server through a RADIUS server. On the RADIUS server, the user information should not include an authentication password. As in previous Junos OS releases for the SRX Series, the RADIUS server profile is bound to the IKE gateway using the xauth access-profile profile-name configuration at the [edit security ike gateway gateway-name] hierarchy level. This feature is supported only for point-to-multipoint secure tunnel (st0) interfaces. For point-to-multipoint interfaces, the interfaces must be numbered and the addresses in the configuration payload INTERNAL_IP4_ADDRESS attribute type must be within the subnetwork range of the associated point-to-multipoint interface.