[j-nsp] Junos route based vpn with Cisco

Fri Oct 22 16:04:34 EDT 2010

Hi all,

Question regarding JunOS (SRX) route based VPN with Cisco remote end.
In such a route-based configuration, how are the SA's generated with the
Cisco?  On the Cisco side you match an ACL as interesting traffic and
the SA's are created based on that.  On JunOS route-based vpn, is it the
policy that creates the SA or does the policy simply enforce the FW
rules on the tunnel?  If that is the case, can I have many such rules
and specify ports for each rule?  In the below configuration I would
like to specify application ports for each rule (rather than the current
"any"), but I am unsure how the remote Cisco would respond depending on
how the Juniper creates the SA (note unnumbered ST interface used)...

I used the following tool to generate this config:

https://www.juniper.net/customers/support/configtools/vpnconfig.html#

###Configure interface IP and route for tunnel traffic

set interfaces st0.0 family inet 
set routing-options static route 2.16.68.0/24 next-hop st0.0
set routing-options static route 2.16.69.0/24 next-hop st0.0

## Configure security zones, assign interfaces to the zones &
host-inbound services for each zone

set security zones security-zone vpn interfaces st0.0
set security zones security-zone Vpn host-inbound-traffic
system-services bgp

## Configure address book entries for each zone

set security zones security-zone Silver address-book address
net-cfgr_10-25-56-64--26 10.25.56.64/26
set security zones security-zone Silver address-book address
net-cfgr_10-25-7-96--27 10.25.7.96/27
set security zones security-zone Silver address-book address
net-cfgr_10-25-194-96--27 10.25.194.96/27

## Configure IKE policy for main mode

set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr pre-shared-key ascii-text
"yaright"

## Configure IKE gateway with peer IP address, IKE policy and outgoing
interface

set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 1.1.1.1
set security ike gateway ike-gate-cfgr external-interface ge-0/0/12.0

## Configure IKE authentication, encryption, DH group, and Lifetime

set security ike proposal ike-proposal-cfgr authentication-method
pre-shared-keys
set security ike policy ike-policy-cfgr proposals ike-proposal-cfgr
set security ike proposal ike-proposal-cfgr encryption-algorithm
3des-cbc
set security ike proposal ike-proposal-cfgr authentication-algorithm
sha1
set security ike proposal ike-proposal-cfgr dh-group group2
set security ike proposal ike-proposal-cfgr lifetime-seconds 

## Configure IPsec policy

set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0

## Configure IPsec authentication and encryption

set security ipsec proposal ipsec-proposal-cfgr protocol esp
set security ipsec policy ipsec-policy-cfgr proposals
ipsec-proposal-cfgr
set security ipsec policy ipsec-policy-cfgr perfect-forward-secrecy keys
group2
set security ipsec proposal ipsec-proposal-cfgr encryption-algorithm
3des-cbc
set security ipsec proposal ipsec-proposal-cfgr authentication-algorithm
hmac-sha1-96

## Configure security policies for tunnel traffic in outbound direction

set security policies from-zone Silver to-zone Vpn policy
Silver-Vpn-cfgr match source-address net-cfgr_10-25-56-64--26
set security policies from-zone Silver to-zone Vpn policy
Silver-Vpn-cfgr match source-address net-cfgr_10-25-7-96--27
set security policies from-zone Silver to-zone Vpn policy
Silver-Vpn-cfgr match source-address net-cfgr_10-25-194-96--27
set security policies from-zone Silver to-zone Vpn policy
Silver-Vpn-cfgr match application any
set security policies from-zone Silver to-zone Vpn policy
Silver-Vpn-cfgr then permit

## Configure security policies for tunnel traffic in inbound direction

set security policies from-zone Vpn to-zone Silver policy
Vpn-Silver-cfgr match source-address net-cfgr_2-16-68-0--24
set security policies from-zone Vpn to-zone Silver policy
Vpn-Silver-cfgr match source-address net-cfgr_2-16-69-0--24
set security policies from-zone Vpn to-zone Silver policy
Vpn-Silver-cfgr match destination-address net-cfgr_10-25-56-64--26
set security policies from-zone Vpn to-zone Silver policy
Vpn-Silver-cfgr match destination-address net-cfgr_10-25-7-96--27
set security policies from-zone Vpn to-zone Silver policy
Vpn-Silver-cfgr match destination-address net-cfgr_10-25-194-96--27
set security policies from-zone Vpn to-zone Silver policy
Vpn-Silver-cfgr match application any
set security policies from-zone Vpn to-zone Silver policy
Vpn-Silver-cfgr then permit

Thanks,
Tom
-------------- next part --------------

This e-mail (and attachment(s)) is confidential, proprietary, may be subject to copyright and legal privilege and no related rights are waived. If you are not the intended recipient or its agent, any review, dissemination, distribution or copying of this e-mail or any of its content is strictly prohibited and may be unlawful. All messages may be monitored as permitted by applicable law and regulations and our policies to protect our business. E-mails are not secure and you are deemed to have accepted any risk if you communicate with us by e-mail. If received in error, please notify us immediately and delete the e-mail (and any attachments) from any computer or any storage medium without printing a copy.

Ce courriel (ainsi que ses pi?ces jointes) est confidentiel, exclusif, et peut faire l?objet de droit d?auteur et de privil?ge juridique; aucun droit connexe n?est exclu. Si vous n??tes pas le destinataire vis? ou son repr?sentant, toute ?tude, diffusion, transmission ou copie de ce courriel en tout ou en partie, est strictement interdite et peut ?tre ill?gale. Tous les messages peuvent ?tre surveill?s, selon les lois et r?glements applicables et les politiques de protection de notre entreprise. Les courriels ne sont pas s?curis?s et vous ?tes r?put?s avoir accept? tous les risques qui y sont li?s si vous choisissez de communiquer avec nous par ce moyen. Si vous avez re?u ce message par erreur, veuillez nous en aviser imm?diatement et supprimer ce courriel (ainsi que toutes ses pi?ces jointes) de tout ordinateur ou support de donn?es sans en imprimer une copie. 