[c-nsp] Help with an IPSec scenario

Nick Cutting ncutting at edgetg.co.uk
Fri Mar 13 12:48:58 EDT 2015


Further to this, I don't think it is possible without a hardcoded destination on the VTI tunnel interface. The reason it works with dynamic spoke public addresses with DMVPN is the dynamic spoke does an NHRP registration, and the tunnel endpoint is built using this information.

There is no such process with static VTI.

Phase 1 is fine, then Phase 2 fails with debug messages that don't necessarily explain why this won't work.

I don't think Junos supports NHRP, but I could be wrong.


-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nick Cutting
Sent: 13 March 2015 16:25
To: Tom Storey; cisco-nsp; juniper-nsp at puck.nether.net
Subject: Re: [c-nsp] Help with an IPSec scenario

I tried to get this to work for weeks; in the end, I used dyn-dns on the Juniper side, and ran an EEM script on the Cisco router (2911 - 15.3) that looked up the dyn-dns Juniper name, then rewrote the tunnel destination, every 5 minutes.

I can't see your config, as it is blocked at my work - I was using 0.0.0.0/0 as the proxy id on the juniper side, and a "normal" static VTI tunnel on the Juniper side.

This works, as it is my home setup back to the office.

I did not try DVTI, and I'm not sure if it uses NHRP in the same way as DMVPN would (with no GRE) - which probably wouldn't work with a Juniper routed tunnel anyway.
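An added example, not from the thread and not Nick's actual script: an IOS EEM applet in the shape he describes, where a cron timer fires every 5 minutes, resolves the SRX's dynamic DNS name and rewrites the Tunnel0 destination only when the address has changed. The hostname `srx.example-dyndns.invalid`, the name server `192.0.2.53` and `Tunnel0` are placeholders; it assumes DNS lookup is enabled on the router and an IOS release whose EEM supports nested `if` actions (15.x does).

```cisco
! Added example (not from the thread): refresh Tunnel0's destination from a
! dynamic DNS name every 5 minutes. Hostname, name server and interface are
! placeholders; the router must be able to resolve names.
ip domain lookup
ip name-server 192.0.2.53
!
event manager applet SRX-TUNNEL-DST
 event timer cron cron-entry "*/5 * * * *"
 action 010 cli command "enable"
 ! A one-packet ping is the simplest way to make IOS resolve the name;
 ! the "Sending 1, 100-byte ICMP Echos to A.B.C.D," line carries the address.
 action 020 cli command "ping srx.example-dyndns.invalid repeat 1"
 action 030 regexp "Echos to ([0-9.]+)," "$_cli_result" match newdst
 action 040 if $_regexp_result eq "1"
 ! Read the currently configured destination ("none" if unset) so an
 ! unchanged address is not re-applied, which would needlessly bounce the tunnel.
 action 050 set curdst "none"
 action 060 cli command "show running-config interface Tunnel0 | include tunnel destination"
 action 070 regexp "tunnel destination ([0-9.]+)" "$_cli_result" match curdst
 action 080 if $curdst ne $newdst
 action 090 cli command "configure terminal"
 action 100 cli command "interface Tunnel0"
 action 110 cli command "tunnel destination $newdst"
 action 120 cli command "end"
 ! Leave an audit trail of every endpoint change in the syslog.
 action 130 syslog msg "Tunnel0 destination changed from $curdst to $newdst"
 action 140 end
 action 150 end
```

Between the SRX getting a new address and the next poll the tunnel is down, so the 5-minute interval bounds the outage; the syslog line gives the record to correlate against IKE phase 2 failures in that window.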



-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tom Storey
Sent: 13 March 2015 15:35
To: cisco-nsp; juniper-nsp at puck.nether.net
Subject: [c-nsp] Help with an IPSec scenario

Hi everyone,

Trying to establish an IPSec tunnel (route based) between a Juniper SRX and a Cisco IOS router.

The topology is two routers with DSL services, the SRX is on a dynamic IP, the Cisco on a static. No NAT is involved in the path between the two routers.

Here's the configs I'm working on: http://pastebin.com/gUEFVTau

Basically what I'm getting is this...

In main mode, phase 1 is OK, and I get probably 99% of the way in phase 2, but it doesn't quite complete, with errors like "proxy identities not supported".

I can fix this by configuring Tunnel0's destination as the IP of the SRX /at the time/ and can then ping across the tunnel. But this obviously isn't a long term solution because if the IP of the SRX changes (and it does, frequently, because the DSL is notoriously unstable) then the VPN stops working.

So I try to go aggressive mode, but this is even worse, with phase 1 not completing with errors like "IKE packet from x.x.x.x was not encrypted and it should've been", and never really making it past AG_INIT_EXCH.

This is a debug of aggressive mode: http://pastebin.com/RUAaXDyE

Based on my supplied configs, can anyone help me come up with a solution that allows the SRX to initiate a connection from any random IP, and the Cisco accepts it but I don't have to configure the IP of the SRX on the Cisco in order for it to work? I feel like I'm tantalisingly close, but after several hours at it so far and copious amounts of googling, I just can't see the solution...

Thanks.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
