[c-nsp] [j-nsp] Cisco to Juniper, route based IPSec VPN

Tom Storey tom at snnap.net
Fri Nov 21 15:54:58 EST 2014


Thanks Jon,

Your config pointed something out to me and I have managed to get it
working. I knew it was something simple and noobie, and it was :-)

I had defined PFS and DH group 5 in my Juniper IPSec policy stanza, but
there was nothing matching on the Cisco side I guess.

FWIW here are my two configs in case anyone needs something similar in the
future:

Cisco behind NAT
================

crypto isakmp policy 1
 encr aes 256
 hash sha384
 authentication pre-share
 group 5
!
crypto isakmp peer address 1.2.3.4
 set aggressive-mode password SuperSecretPassword
 set aggressive-mode client-endpoint fqdn router.router
!
crypto ipsec transform-set ESP_AES256 esp-aes 256 esp-sha256-hmac
!
crypto ipsec profile c2j-1
 set transform-set ESP_AES256
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.254
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 1.2.3.4
 tunnel protection ipsec profile c2j-1
!

Juniper SRX
===========

interfaces {
    st0 {
        unit 0 {
            family inet {
                address 10.0.0.1/31;
            }
        }
    }
}
security {
    ike {
        proposal ike-proposal-c2j-1 {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha-384;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy ike-policy-c2j-1 {
            mode aggressive;
            proposals ike-proposal-c2j-1;
            pre-shared-key ascii-text "SuperSecretPassword"; ## SECRET-DATA
        }
        gateway ike-gateway-c2j-1 {
            ike-policy ike-policy-c2j-1;
            dynamic hostname router.router;
            external-interface at-1/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-proposal-c2j-1 {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec-policy-c2j-1 {
            proposals ipsec-proposal-c2j-1;
        }
        vpn ipsec-vpn-c2j-1 {
            bind-interface st0.0;
            ike {
                gateway ike-gateway-c2j-1;
                proxy-identity {
                    local 0.0.0.0/0;
                    remote 0.0.0.0/0;
                }
                ipsec-policy ipsec-policy-c2j-1;
            }
            establish-tunnels immediately;
        }
    }
}

Now to get IPv6 working over the tunnel. Managed to get IPv6 and IPv4
working side by side on a tunnel between two Junipers, but no such luck so
far Cisco<>Juniper.

Thanks!

On 21 November 2014 18:10, Paulhamus, Jon <jpaulhamus at iu17.org> wrote:

> Here is a working config from an SRX connecting to a Cisco 2911 behind NAT
> - GRE over IPSec.  Some things removed - snipped out. IP's changed etc.
>
> -------------------------------------------
>
> set interfaces ge-0/0/0 description ***INSIDE***
> set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.254/24
> set interfaces gr-0/0/0 description ***TUNNEL***
> set interfaces gr-0/0/0 unit 0 tunnel source 10.250.1.2
> set interfaces gr-0/0/0 unit 0 tunnel destination 10.250.1.1
> set interfaces gr-0/0/0 unit 0 family inet address 192.168.25.2/30
> set interfaces fe-0/0/7 description ***OUTSIDE***
> set interfaces fe-0/0/7 unit 0 family inet address 1.2.3.4/30
> set interfaces lo0 unit 0 family inet address 127.0.0.1/32
> set interfaces lo0 unit 0 family inet address 10.250.1.2/32
> set interfaces st0 unit 0 family inet
> set routing-options static route 10.250.1.1/32 next-hop st0.0
> set routing-options static route 10.250.1.1/32 no-readvertise
> set protocols ospf area 0.0.0.1 interface gr-0/0/0.0 interface-type p2p
> set protocols ospf area 0.0.0.1 interface ge-0/0/0.0
> set security ike proposal IKE-PROPOSAL authentication-method
> pre-shared-keys
> set security ike proposal IKE-PROPOSAL dh-group group2
> set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
> set security ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc
> set security ike proposal IKE-PROPOSAL lifetime-seconds 86400
> set security ike policy IKE-POLICY proposals IKE-PROPOSAL
> set security ike policy IKE-POLICY pre-shared-key ascii-text "PRESHAREDKEY"
> set security ike gateway GATEWAY ike-policy IKE-POLICY
> set security ike gateway GATEWAY address 5.6.7.8
> set security ike gateway GATEWAY external-interface fe-0/0/7.0
> set security ike gateway GATEWAY general-ikeid
> set security ipsec proposal IPSEC-PROPOSAL protocol esp
> set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm
> hmac-md5-96
> set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc
> set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 3600
> set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL
> set security ipsec vpn COMPANY bind-interface st0.0
> set security ipsec vpn COMPANY ike gateway GATEWAY
> set security ipsec vpn COMPANY ike proxy-identity local 10.250.1.2/32
> set security ipsec vpn COMPANY ike proxy-identity remote 10.250.1.1/32
> set security ipsec vpn COMPANY ike ipsec-policy IPSEC-POLICY
> set security ipsec vpn COMPANY establish-tunnels immediately
> set security policies from-zone INSIDE to-zone INSIDE policy
> default-permit match source-address any
> set security policies from-zone INSIDE to-zone INSIDE policy
> default-permit match destination-address any
> set security policies from-zone INSIDE to-zone INSIDE policy
> default-permit match application any
> set security policies from-zone INSIDE to-zone INSIDE policy
> default-permit then permit
> set security policies from-zone INSIDE to-zone OUTSIDE policy
> default-permit match source-address any
> set security policies from-zone INSIDE to-zone OUTSIDE policy
> default-permit match destination-address any
> set security policies from-zone INSIDE to-zone OUTSIDE policy
> default-permit match application any
> set security policies from-zone INSIDE to-zone OUTSIDE policy
> default-permit then permit
> set security zones security-zone OUTSIDE interfaces fe-0/0/7.0
> host-inbound-traffic system-services dhcp
> set security zones security-zone OUTSIDE interfaces fe-0/0/7.0
> host-inbound-traffic system-services ping
> set security zones security-zone OUTSIDE interfaces fe-0/0/7.0
> host-inbound-traffic system-services ike
> set security zones security-zone OUTSIDE interfaces fe-0/0/7.0
> host-inbound-traffic system-services ssh
> set security zones security-zone INSIDE host-inbound-traffic
> system-services all
> set security zones security-zone INSIDE host-inbound-traffic protocols all
> set security zones security-zone INSIDE interfaces ge-0/0/0.0
> set security zones security-zone INSIDE interfaces lo0.0
> set security zones security-zone INSIDE interfaces st0.0
> set security zones security-zone INSIDE interfaces gr-0/0/0.0
>
> -------------------------------------------------
>
> -----Original Message-----
> From: Tom Storey [mailto:tom at snnap.net]
> Sent: Friday, November 21, 2014 9:00 AM
> To: cisco-nsp; juniper-nsp at puck.nether.net
> Subject: [j-nsp] Cisco to Juniper, route based IPSec VPN
>
> Hi everyone.
>
> I'm trying to set up a route based VPN between a Cisco IOS router (1841)
> and a Juniper SRX, where the Cisco is sitting behind NAT and the Juniper is
> out on the public Internet.
>
> My tunnel interfaces aren't coming up at either end, but I feel like I'm
> teetering on the edge of success.
>
> Phase 1 seems to be ok (up in aggressive mode), but phase 2 is a little
> dubious. "debug crypto ipsec" on the Cisco isn't really giving up much in
> the way of error messages. The Juniper reports "SA not initialised" and the
> Cisco seems to be sending SA requests...
>
> I feel like I'm making a really noobie mistake but I can't figure out what.
> I've trawled the Internet for sample configs and from what I can see my
> only difference is the specifics for my particular setup (IPs, keys,
> proposals/transforms.)
>
> Does anyone have a sample config I can review, or would you be willing to
> review my current configs?
>
> Thanks in advance.
> Tom
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
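
The mismatch that held Tom up (PFS and DH group 5 in the SRX ipsec policy, no `set pfs` in the IOS ipsec profile) is the kind of thing that is easier to catch by diffing the two proposals than by reading debug output. The script below is an added example, not code from either poster. It reads the Junos side in `show configuration | display set` form, pulls the phase 1 and phase 2 parameters from both configs, and lists every parameter the two sides disagree on. The function names, the `ALG`/`KEY` vocabulary tables and the sample configs (modelled on the thread, with placeholder addresses and a placeholder PSK) are all constructed for this example.

```python
"""Compare IKE/IPsec proposals in a Cisco IOS config against a Junos SRX config.
Constructed example, not code from the thread: it reads the Junos side in
'show configuration | display set' form, pulls the phase 1 / phase 2 parameters
from both sides and lists every parameter that will not match."""

# Assumed mapping of vendor spellings onto one shared vocabulary and parameter names.
ALG = {"aes-256-cbc": "aes256", "aes-128-cbc": "aes128", "3des-cbc": "3des", "sha-384": "sha384",
       "sha-256": "sha256", "hmac-sha-256-128": "sha256", "hmac-sha1-96": "sha1", "sha": "sha1",
       "hmac-md5-96": "md5", "pre-shared-keys": "psk", "pre-share": "psk",
       "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256", "esp-md5-hmac": "md5"}
KEY = {"encryption-algorithm": "encr", "authentication-algorithm": "hash", "dh-group": "group",
       "authentication-method": "auth", "encr": "encr", "hash": "hash", "group": "group",
       "authentication": "auth"}


def junos_proposals(text):
    """(phase1, phase2) dicts in the shared vocabulary from 'display set' lines, Junos defaults filled in."""
    ike, ipsec = {"mode": "main"}, {"pfs": "none"}
    for raw in text.splitlines():
        p = raw.split()
        if p[:2] != ["set", "security"] or len(p) < 7:
            continue
        if p[2:4] == ["ike", "proposal"] and p[5] in KEY:
            ike[KEY[p[5]]] = ALG.get(p[6], p[6])
        elif p[2:4] == ["ike", "policy"] and p[5] == "mode":
            ike["mode"] = p[6]
        elif p[2:4] == ["ipsec", "proposal"] and p[5] in KEY:
            ipsec[KEY[p[5]]] = ALG.get(p[6], p[6])
        elif p[2:4] == ["ipsec", "policy"] and p[5] == "perfect-forward-secrecy":
            ipsec["pfs"] = p[-1]                             # ... perfect-forward-secrecy keys groupN
    return ike, ipsec


def cisco_proposals(text):
    """(phase1, phase2) dicts in the shared vocabulary from IOS running-config, IOS defaults filled in."""
    ike, ipsec, sets, section = {"mode": "main"}, {"pfs": "none"}, {}, []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if not raw.startswith(" "):                          # unindented line opens a new section
            section = tok
            if tok[:3] == ["crypto", "ipsec", "transform-set"]:
                ts = sets[tok[3]] = {}
                for i, t in enumerate(tok):                  # e.g. esp-aes 256 esp-sha256-hmac
                    if t == "esp-aes":                       # key size may follow; IOS default is 128
                        ts["encr"] = "aes" + (tok[i + 1] if tok[i + 1:] and tok[i + 1].isdigit() else "128")
                    elif t == "esp-3des":
                        ts["encr"] = "3des"
                    elif t.endswith("-hmac"):
                        ts["hash"] = ALG.get(t, t)
            continue
        if section[:3] == ["crypto", "isakmp", "policy"] and tok[0] in KEY:
            value = "".join(tok[1:])                         # 'aes 256' -> 'aes256'
            value = "group" + value if tok[0] == "group" else "aes128" if value == "aes" else value
            ike[KEY[tok[0]]] = ALG.get(value, value)
        elif section[:3] == ["crypto", "isakmp", "peer"] and tok[1:2] == ["aggressive-mode"]:
            ike["mode"] = "aggressive"                       # IOS uses aggressive mode for this peer
        elif section[:3] == ["crypto", "ipsec", "profile"] and tok[:2] == ["set", "transform-set"]:
            ipsec.update(sets[tok[2]])
        elif section[:3] == ["crypto", "ipsec", "profile"] and tok[:2] == ["set", "pfs"]:
            ipsec["pfs"] = tok[2]
    return ike, ipsec


def compare(cisco_text, junos_text):
    """Every phase 1 / phase 2 parameter the two sides disagree on; an empty list means they agree."""
    sides = zip(("phase1", "phase2"), cisco_proposals(cisco_text), junos_proposals(junos_text))
    return [f"{phase} {k}: cisco={c.get(k, 'unset')} junos={j.get(k, 'unset')}"
            for phase, c, j in sides for k in sorted(set(c) | set(j)) if c.get(k) != j.get(k)]


# Constructed sample configs modelled on the thread, with placeholder address and PSK.
CISCO_CFG = """\
crypto isakmp policy 1
 encr aes 256
 hash sha384
 authentication pre-share
 group 5
crypto isakmp peer address 192.0.2.1
 set aggressive-mode password EXAMPLE-PSK
crypto ipsec transform-set ESP_AES256 esp-aes 256 esp-sha256-hmac
crypto ipsec profile c2j-1
 set transform-set ESP_AES256
"""
CISCO_FIXED = CISCO_CFG + " set pfs group5\n"                # the line that makes phase 2 agree
JUNOS_CFG = """\
set security ike proposal ike-proposal-c2j-1 authentication-method pre-shared-keys
set security ike proposal ike-proposal-c2j-1 dh-group group5
set security ike proposal ike-proposal-c2j-1 authentication-algorithm sha-384
set security ike proposal ike-proposal-c2j-1 encryption-algorithm aes-256-cbc
set security ike policy ike-policy-c2j-1 mode aggressive
set security ipsec proposal ipsec-proposal-c2j-1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-proposal-c2j-1 encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-policy-c2j-1 perfect-forward-secrecy keys group5
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", CISCO_CFG), ("with set pfs group5", CISCO_FIXED)):
        print(label, "->", compare(cfg, JUNOS_CFG) or ["proposals agree"])
```

Run as-is it reports `phase2 pfs: cisco=none junos=group5` for the first config and agreement for the second. To use it on a real pair, paste the `crypto` sections of the IOS running-config and the `show configuration security | display set` output of the SRX into the two strings. Lifetimes are deliberately not compared, since they are negotiated rather than required to be identical, and the check only covers the single-proposal case the thread uses; a peer with several proposals or transform sets needs the comparison run per pair.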

