[j-nsp] Junos route based vpn with Cisco

Wilkes, Nathan nwilkes at virtela.net
Wed Oct 27 18:06:36 EDT 2010 

What you want to do is use VTI on the Cisco side.  Search for Cisco VTI (Virtual Tunnel Interface) or "tunnel protection" for more info & config examples.

With tunnel protect, you can create a routable virtual tunnel that uses 0.0.0.0/0.0.0.0/0 as the proxy ID and it interoperates just fine with Juniper route-based VPNs (M, SRX, SSG, even older NetScreens) -- assuming you match on the P1 & P2 proposals.

We do it all the time as it lets us:
(1) run a routing protocol over the tunnel without the GRE overhead
(2) create more granular firewall policies for intra-VPN traffic
(3) simpler configuration
(4) easier troubleshooting
(5) better manage mixed environments

--
Nathan

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Tom Devries
Sent: Wednesday, October 27, 2010 11:42 AM
To: Morten Isaksen
Cc: Juniper-Nsp
Subject: Re: [j-nsp] Junos route based vpn with Cisco

Indeed, the only issue I see with policy based vpn's is the number of vpn policies required for the amount of networks that have to be encrypted.  As someone pointed out on another list, the C device should support null proxy ids if you first deny all other networks and then specify "any any" as interesting.


-----Original Message-----
From: misaksen at gmail.com [mailto:misaksen at gmail.com] On Behalf Of Morten Isaksen
Sent: October-27-10 1:30 PM
To: Tom Devries
Cc: Juniper-Nsp
Subject: Re: [j-nsp] Junos route based vpn with Cisco

I had the same issue. I changed to policy based VPN and it worked out of the box.

2010/10/27 Tom Devries <Tom.Devries at rci.rogers.com>:
> Thought I would provide some feedback I received from Juniper 
> regarding this question for the archives.  If using a route based vpn, 
> the proxy ID's in the SA creation will be all 0's by default:
>
> Local: 0.0.0.0
> Remote: 0.0.0.0
> Service 0
>
> so as long as it is unspecified in the config.  However if you encrypt 
> more than one source network (i.e. multiple networks behind the SRX) 
> and put multiple networks in your proxy-id config (in say, local 
> network) then that part of the SA will show as 0.0.0.0.  I haven't 
> been able to find a Cisco interop configuration that will be able to 
> create SAs and establish phase II when receiving a 0.0.0.0/0.0.0.0/0 
> proxy id from a peer (if you have one please post it).  However one 
> other way to do it would be to use GRE tunnels.
>
> So long story short, in the below configuration, proxy id's will all 
> be 0's unless I specify a proxy-id in the config, and in that case I 
> can only encrypt one network/service, as configuring more will set the 
> outgoing proxy id element to be 0's.
>
>
> Thanks,
> Tom
>
> -----Original Message-----
> From: Tom Devries
> Sent: October-22-10 4:05 PM
> To: Juniper-Nsp
> Subject: Junos route based vpn with Cisco
>
>
>
> Hi all,
>
> Question regarding JunOS (SRX) route based VPN with Cisco remote end.
> In such a route-based configuration, how are the SA's generated with 
> the Cisco?  On the Cisco side you match an ACL as interesting traffic 
> and the SA's are created based on that.  On JunOS route-based vpn, is 
> it the policy that creates the SA or does the policy simply enforce 
> the FW rules on the tunnel?  If that is the case, can I have many such 
> rules and specify ports for each rule?  In the below configuration I 
> would like to specify application ports for each rule (rather than the 
> current "any"), but I am unsure how the remote Cisco would respond 
> depending on how the Juniper creates the SA (note unnumbered ST interface used)...
>
> I used the following tool to generate this config:
>
> https://www.juniper.net/customers/support/configtools/vpnconfig.html#
>
>
>
>
> ###Configure interface IP and route for tunnel traffic
>
> set interfaces st0.0 family inet
> set routing-options static route 2.16.68.0/24 next-hop st0.0 set 
> routing-options static route 2.16.69.0/24 next-hop st0.0
>
> ## Configure security zones, assign interfaces to the zones & 
> host-inbound services for each zone
>
> set security zones security-zone vpn interfaces st0.0 set security 
> zones security-zone Vpn host-inbound-traffic system-services bgp
>
> ## Configure address book entries for each zone
>
> set security zones security-zone Silver address-book address
> net-cfgr_10-25-56-64--26 10.25.56.64/26 set security zones 
> security-zone Silver address-book address
> net-cfgr_10-25-7-96--27 10.25.7.96/27
> set security zones security-zone Silver address-book address
> net-cfgr_10-25-194-96--27 10.25.194.96/27
>
> ## Configure IKE policy for main mode
>
> set security ike policy ike-policy-cfgr mode main set security ike 
> policy ike-policy-cfgr pre-shared-key ascii-text "yaright"
>
> ## Configure IKE gateway with peer IP address, IKE policy and outgoing 
> interface
>
> set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr set 
> security ike gateway ike-gate-cfgr address 1.1.1.1 set security ike 
> gateway ike-gate-cfgr external-interface ge-0/0/12.0
>
> ## Configure IKE authentication, encryption, DH group, and Lifetime
>
> set security ike proposal ike-proposal-cfgr authentication-method 
> pre-shared-keys set security ike policy ike-policy-cfgr proposals 
> ike-proposal-cfgr set security ike proposal ike-proposal-cfgr 
> encryption-algorithm 3des-cbc set security ike proposal 
> ike-proposal-cfgr authentication-algorithm
> sha1
> set security ike proposal ike-proposal-cfgr dh-group group2 set 
> security ike proposal ike-proposal-cfgr lifetime-seconds
>
> ## Configure IPsec policy
>
> set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr set 
> security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr 
> set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
>
>
> ## Configure IPsec authentication and encryption
>
> set security ipsec proposal ipsec-proposal-cfgr protocol esp set 
> security ipsec policy ipsec-policy-cfgr proposals ipsec-proposal-cfgr 
> set security ipsec policy ipsec-policy-cfgr perfect-forward-secrecy 
> keys
> group2
> set security ipsec proposal ipsec-proposal-cfgr encryption-algorithm 
> 3des-cbc set security ipsec proposal ipsec-proposal-cfgr 
> authentication-algorithm
> hmac-sha1-96
>
> ## Configure security policies for tunnel traffic in outbound 
> direction
>
> set security policies from-zone Silver to-zone Vpn policy 
> Silver-Vpn-cfgr match source-address net-cfgr_10-25-56-64--26 set 
> security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr 
> match source-address net-cfgr_10-25-7-96--27 set security policies 
> from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match 
> source-address net-cfgr_10-25-194-96--27 set security policies 
> from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match application 
> any set security policies from-zone Silver to-zone Vpn policy 
> Silver-Vpn-cfgr then permit
>
> ## Configure security policies for tunnel traffic in inbound direction
>
> set security policies from-zone Vpn to-zone Silver policy 
> Vpn-Silver-cfgr match source-address net-cfgr_2-16-68-0--24 set 
> security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr 
> match source-address net-cfgr_2-16-69-0--24 set security policies 
> from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match 
> destination-address net-cfgr_10-25-56-64--26 set security policies 
> from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match 
> destination-address net-cfgr_10-25-7-96--27 set security policies 
> from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match 
> destination-address net-cfgr_10-25-194-96--27 set security policies 
> from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match application 
> any set security policies from-zone Vpn to-zone Silver policy 
> Vpn-Silver-cfgr then permit
>
> Thanks,
> Tom
>
>
> This e-mail (and attachment(s)) is confidential, proprietary, may be subject to copyright and legal privilege and no related rights are waived. If you are not the intended recipient or its agent, any review, dissemination, distribution or copying of this e-mail or any of its content is strictly prohibited and may be unlawful. All messages may be monitored as permitted by applicable law and regulations and our policies to protect our business. E-mails are not secure and you are deemed to have accepted any risk if you communicate with us by e-mail. If received in error, please notify us immediately and delete the e-mail (and any attachments) from any computer or any storage medium without printing a copy.
>
> Ce courriel (ainsi que ses pièces jointes) est confidentiel, exclusif, et peut faire l'objet de droit d'auteur et de privilège juridique; aucun droit connexe n'est exclu. Si vous n'êtes pas le destinataire visé ou son représentant, toute étude, diffusion, transmission ou copie de ce courriel en tout ou en partie, est strictement interdite et peut être illégale. Tous les messages peuvent être surveillés, selon les lois et règlements applicables et les politiques de protection de notre entreprise. Les courriels ne sont pas sécurisés et vous êtes réputés avoir accepté tous les risques qui y sont liés si vous choisissez de communiquer avec nous par ce moyen. Si vous avez reçu ce message par erreur, veuillez nous en aviser immédiatement et supprimer ce courriel (ainsi que toutes ses pièces jointes) de tout ordinateur ou support de données sans en imprimer une copie.
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>



--
Morten Isaksen

More information about the juniper-nsp mailing list