[c-nsp] Help with an IPSec scenario

Tom Storey tom at snnap.net
Fri Mar 13 13:06:06 EDT 2015


Hi Nick,

Yeah, I don't believe Juniper supports NHRP, that's a Cisco thing.

I just tried replacing my Tunnel config with a Virtual-Template
config, I now get an IPSec SA, and a Virtual-Access interface is
created and seems to be receiving packets if I run a ping from the
Juniper...!

How to get an IP from my ptp subnet on to it to permit routing back in
the other direction is the next question...

I may yet have to surrender and do something similar to what you've
done. A little less elegant, but it will work at the least.

Thanks!

On 13 March 2015 at 16:48, Nick Cutting <ncutting at edgetg.co.uk> wrote:
> Further to this, I don't think it is possible without a hardcoded destination on the VTI tunnel interface.  The reason it works with dynamic spoke public addresses with DMVPN is the dynamic spoke does a NHRP registration, and the tunnel endpoint is built using this information.
>
> There is no such process with static VTI.
>
> Phase1 is fine, then Phase2 fails with debug messages that don't necessarily explain why this won't work.
>
> I don't think Junos supports NHRP, but I could be wrong.
>
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nick Cutting
> Sent: 13 March 2015 16:25
> To: Tom Storey; cisco-nsp; juniper-nsp at puck.nether.net
> Subject: Re: [c-nsp] Help with an IPSec scenario
>
> I tried to get this to work for weeks, in the end, I used dyn-dns on the Juniper side, and ran an EEM script on the cisco router (2911 - 15.3) that looked up the dyn-dns juniper name, then rewrote the tunnel destination, every 5 minutes.
>
> I can't see your config, as it is blocked at my work - I was using 0.0.0.0/0 as the proxy id on the juniper side, and a "normal" static VTI tunnel on the Juniper side.
>
> This works, as it is my home setup back to the office.
>
> I did not try DVTI, and I'm not sure if it uses NHRP in the same way as DMVPN would (with no gre) - which wouldn't probably work with a juniper routed tunnel anyway.
>
>
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tom Storey
> Sent: 13 March 2015 15:35
> To: cisco-nsp; juniper-nsp at puck.nether.net
> Subject: [c-nsp] Help with an IPSec scenario
>
> Hi everyone,
>
> Trying to establish an IPSec tunnel (route based) between a Juniper SRX and a Cisco IOS router.
>
> The topology is two routers with DSL services, the SRX is on a dynamic IP, the Cisco on a static. No NAT is involved in the path between the two routers.
>
> Here are the configs I'm working on: http://pastebin.com/gUEFVTau
>
> Basically what I'm getting is this...
>
> In main mode, phase 1 is OK, and I get probably 99% of the way in phase 2, but it doesn't quite complete, with errors like "proxy identities not supported".
>
> I can fix this by configuring Tunnel0's destination as the IP of the SRX /at the time/ and can then ping across the tunnel. But this obviously isn't a long term solution because if the IP of the SRX changes (and it does, frequently, because the DSL is notoriously unstable) then the VPN stops working.
>
> So I try to go aggressive mode, but this is even worse, with phase 1 not completing with errors like "IKE packet from x.x.x.x was not encrypted and it should've been", and never really making it past AG_INIT_EXCH.
>
> This is a debug of aggressive mode: http://pastebin.com/RUAaXDyE
>
> Based on my supplied configs, can anyone help me come up with a solution that allows the SRX to initiate a connection from any random IP, and the Cisco accepts it but I don't have to configure the IP of the SRX on the Cisco in order for it to work? I feel like I'm tantalisingly close, but after several hours at it so far and copious amounts of googling, I just can't see the solution...
>
> Thanks.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
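As an added illustration of the Virtual-Template approach Tom describes (not the poster's pastebin config, nor vendor-supplied code): an IOS IKEv1 dynamic VTI hub that accepts the SRX from any source address, with the template borrowing its address from a loopback so each cloned Virtual-Access interface has an address in the point-to-point subnet. All names, addresses, the WAN interface and the PSK placeholder are assumptions.

```cisco
! Added example, hypothetical names and addresses throughout.
! Any peer may authenticate with the PSK; identity is not tied to a fixed address.
crypto keyring SRX-KEYRING
 pre-shared-key address 0.0.0.0 0.0.0.0 key <PSK-PLACEHOLDER>
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! The ISAKMP profile is what ties a dynamically addressed peer to the template.
crypto isakmp profile SRX-PROFILE
 keyring SRX-KEYRING
 match identity address 0.0.0.0 0.0.0.0
 virtual-template 1
!
crypto ipsec transform-set SRX-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile SRX-IPSEC
 set transform-set SRX-TS
 set isakmp-profile SRX-PROFILE
!
! Hub end of the hypothetical ptp subnet; Virtual-Access interfaces
! cloned from the template reuse this address via ip unnumbered.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source Dialer0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SRX-IPSEC
```

Because the Virtual-Access interface name is only known once the SA is up, return routes toward the SRX side are normally learned with a routing protocol run over the tunnel rather than configured statically.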

