[c-nsp] Help with an IPSec scenario

Nick Cutting ncutting at edgetg.co.uk
Fri Mar 13 15:08:31 EDT 2015


Very nice, your EEM is much better than mine !

-----Original Message-----
From: Tom Storey [mailto:tom at snnap.net] 
Sent: 13 March 2015 18:09
To: Nick Cutting
Cc: cisco-nsp; juniper-nsp at puck.nether.net
Subject: Re: [c-nsp] Help with an IPSec scenario

For anyone else that wants to do something like this, I whipped up an EEM applet:

event manager applet update_tunnel0_dest authorization bypass
 event none
 event timer watchdog time 60
 action 1.0 set ifname "Tunnel0"
 action 1.1 set tundest "dyndns.hostname"
 action 2.0 cli command "show interface $ifname"
 action 2.1 regexp "(up|down), line protocol" $_cli_result result ifadminstatus
 action 2.2 if $_regexp_result eq 1
 action 2.2.0 if $ifadminstatus eq "up"
 action 2.2.0.0 regexp "line protocol is (up|down)" $_cli_result result ifoperstatus
 action 2.2.0.1 if $ifoperstatus eq "down"
 action 2.2.0.1.0 syslog msg "Set new destination for $ifname"
 action 2.2.0.1.1 cli command "enable"
 action 2.2.0.1.2 cli command "configure terminal"
 action 2.2.0.1.3 cli command "interface $ifname"
 action 2.2.0.1.4 cli command "tunnel destination $tundest"
 action 2.2.0.1.5 cli command "end"
 action 2.2.0.2 end
 action 2.2.1 end
 action 2.3 end

Just re-name it to something more useful, adjust the ifname and tundest variables, and perhaps the timer interval if you want it to run more frequently than 60 seconds.

The odd thing is that I have a Cisco behind NAT firing up an IPSec tunnel to a Juniper, and that works just fine. Strange that it wouldn't work the other way around...

On 13 March 2015 at 17:06, Tom Storey <tom at snnap.net> wrote:
> Hi Nick,
>
> Yeah, I don't believe Juniper support NHRP, that's a Cisco thing.
>
> I just tried replacing my Tunnel config with a Virtual-Template 
> config, I now get an IPSec SA, and a Virtual-Access interface is 
> created and seems to be receiving packets if I run a ping from the 
> Juniper...!
>
> How to get an IP from my ptp subnet on to it to permit routing back in 
> the other direction is the next question...
>
> I may yet have to surrender and do something similar to what you've 
> done. A little less elegant, but it will work at the least.
>
> Thanks!
>
> On 13 March 2015 at 16:48, Nick Cutting <ncutting at edgetg.co.uk> wrote:
>> Further to this, I don't think it is possible without a hardcoded destination on the VTI tunnel interface.  The reason it works with dynamic spoke public addresses with DMVPN is the dynamic spoke does a NHRP registration, and the tunnel endpoint is built using this information.
>>
>> There is no such process with static VTI.
>>
>> Phase1 is fine, then Phase2 fails with debug messages that don't necessarily explain why this won't work.
>>
>> I don't think Junos supports NHRP, but I could be wrong.
>>
>>
>> -----Original Message-----
>> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf 
>> Of Nick Cutting
>> Sent: 13 March 2015 16:25
>> To: Tom Storey; cisco-nsp; juniper-nsp at puck.nether.net
>> Subject: Re: [c-nsp] Help with an IPSec scenario
>>
>> I tried to get this to work for weeks, in the end, I used dyn-dns on the Juniper side, and ran an EEM script on the cisco router (2911 - 15.3) that looked up the dyn-dns juniper name, then rewrote the tunnel destination, every 5 minutes.
>>
>> I can't see your config, as it is blocked at my work - I was using 0.0.0.0/0 as the proxy id on the juniper side, and a "normal" static VTI tunnel on the Juniper side.
>>
>> This works, as it is my home setup back to the office.
>>
>> I did not try DVTI, and I'm not sure if it uses NHRP in the same way as DMVPN would (with no gre) - which wouldn't probably work with a juniper routed tunnel anyway.
>>
>>
>>
>> -----Original Message-----
>> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf 
>> Of Tom Storey
>> Sent: 13 March 2015 15:35
>> To: cisco-nsp; juniper-nsp at puck.nether.net
>> Subject: [c-nsp] Help with an IPSec scenario
>>
>> Hi everyone,
>>
>> Trying to establish an IPSec tunnel (route based) between a Juniper SRX and a Cisco IOS router.
>>
>> The topology is two routers with DSL services, the SRX is on a dynamic IP, the Cisco on a static. No NAT is involved in the path between the two routers.
>>
>> Here's the configs I'm working on: http://pastebin.com/gUEFVTau
>>
>> Basically what I'm getting is this...
>>
>> In main mode, phase 1 is OK, and I get probably 99% of the way in phase 2, but it doesn't quite complete, with errors like "proxy identities not supported".
>>
>> I can fix this by configuring Tunnel0's destination as the IP of the 
>> SRX /at the time/ and can then ping across the tunnel. But this 
>> obviously isn't a long term solution because if the IP of the SRX 
>> changes (and it does, frequently, because the DSL is notoriously
>> unstable) then the VPN stops working.
>>
>> So I try to go aggressive mode, but this is even worse, with phase 1 not completing with errors like "IKE packet from x.x.x.x was not encrypted and it should've been", and never really making it past AG_INIT_EXCH.
>>
>> This is a debug of aggressive mode: http://pastebin.com/RUAaXDyE
>>
>> Based on my supplied configs, can anyone help me come up with a solution that allows the SRX to initiate a connection from any random IP, and the Cisco accepts it but I don't have to configure the IP of the SRX on the Cisco in order for it to work? I feel like I'm tantalisingly close, but after several hours at it so far and copious amounts of googling, I just can't see the solution...
>>
>> Thanks.
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
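The decision logic of Tom's EEM applet, reproduced here as an added Python example that is not part of the thread and not code from either poster: it applies the applet's two regexps to constructed "show interface Tunnel0" output (not captured from a real router), only builds the reconfiguration when the interface is admin up but line protocol down, and goes one step beyond the applet by resolving the DynDNS name through an injected resolver and skipping the rewrite when the address has not changed, so a tunnel that is down for some other reason is not reconfigured on every watchdog run. The resolver, the hostname "dyndns.hostname" and the 198.51.100.x addresses are assumptions for the demonstration.

```python
import re
from typing import Callable, List, Optional, Tuple

# Constructed sample output of "show interface Tunnel0" for three interface
# states; trailing spaces mirror typical IOS output but are not significant.
SAMPLE_UP_UP = (
    "Tunnel0 is up, line protocol is up \n"
    "  Hardware is Tunnel\n"
    "  Internet address is 10.0.0.1/30\n"
)
SAMPLE_UP_DOWN = (
    "Tunnel0 is up, line protocol is down \n"
    "  Hardware is Tunnel\n"
)
SAMPLE_ADMIN_DOWN = (
    "Tunnel0 is administratively down, line protocol is down \n"
    "  Hardware is Tunnel\n"
)

# The same two patterns the applet hands to its "regexp" actions.
ADMIN_RE = re.compile(r"(up|down), line protocol")
OPER_RE = re.compile(r"line protocol is (up|down)")


def parse_status(show_output: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (admin_status, oper_status), or None when the first regexp does
    not match (the applet's 'if $_regexp_result eq 1' branch is then skipped).
    'administratively down, line protocol' matches the first pattern as 'down'."""
    admin = ADMIN_RE.search(show_output)
    if admin is None:
        return None
    oper = OPER_RE.search(show_output)
    return admin.group(1), (oper.group(1) if oper else None)


def needs_update(show_output: str) -> bool:
    """True only for the applet's trigger condition: admin up, line protocol down."""
    status = parse_status(show_output)
    if status is None:
        return False
    admin, oper = status
    return admin == "up" and oper == "down"


def build_update_commands(ifname: str, tundest: str) -> List[str]:
    """The CLI sequence the applet pushes (actions 2.2.0.1.1 to 2.2.0.1.5)."""
    return [
        "enable",
        "configure terminal",
        f"interface {ifname}",
        f"tunnel destination {tundest}",
        "end",
    ]


def check_and_build(show_output: str, ifname: str, hostname: str,
                    current_dest: Optional[str],
                    resolve: Callable[[str], Optional[str]]) -> List[str]:
    """Extension beyond the applet: resolve the DynDNS name via the injected
    resolver and only rewrite the destination when the address differs from
    what is currently configured. Returns the commands to push, or []."""
    if not needs_update(show_output):
        return []
    new_dest = resolve(hostname)
    if new_dest is None or new_dest == current_dest:
        return []
    return build_update_commands(ifname, new_dest)


if __name__ == "__main__":
    # Stand-in for DNS so the example runs offline (assumed mapping).
    fake_dns = {"dyndns.hostname": "198.51.100.9"}.get
    for label, output in (("up/up", SAMPLE_UP_UP),
                          ("up/down", SAMPLE_UP_DOWN),
                          ("admin down", SAMPLE_ADMIN_DOWN)):
        cmds = check_and_build(output, "Tunnel0", "dyndns.hostname",
                               "198.51.100.7", fake_dns)
        print(f"{label:10s} -> {cmds or 'no change'}")
```

Feeding it the up/down sample with a stale configured destination yields the five-command rewrite; the up/up and administratively-down samples, or an unchanged resolved address, yield no commands.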


