[j-nsp] Junos route based vpn with Cisco
Tom Devries
Tom.Devries at rci.rogers.com
Wed Oct 27 11:26:43 EDT 2010
Thought I would provide some feedback I received from Juniper regarding
this question for the archives. If using a route-based VPN, the proxy
IDs in the SA creation will be all 0s by default:
Local: 0.0.0.0
Remote: 0.0.0.0
Service 0
as long as it is unspecified in the config. However, if you encrypt
more than one source network (i.e. multiple networks behind the SRX) and
put multiple networks in your proxy-id config (in, say, local network),
then that part of the SA will show as 0.0.0.0. I haven't been able to
find a Cisco interop configuration that will be able to create SAs and
establish phase II when receiving a 0.0.0.0/0.0.0.0/0 proxy ID from a
peer (if you have one, please post it). However, one other way to do it
would be to use GRE tunnels.
So, long story short, in the below configuration, proxy IDs will all be
0s unless I specify a proxy-id in the config, and in that case I can
only encrypt one network/service, as configuring more will set the
outgoing proxy ID element to be 0s.
Thanks,
Tom
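The proxy-ID rule Tom reports above, worked through as an added example (not code from the thread or from Juniper): it derives the Phase 2 proxy ID an SRX route-based VPN would present from set-style config, then checks it against the mirror image of a Cisco crypto ACL. The "ike proxy-identity" lines and the Cisco ACL are constructed for illustration.

```python
import ipaddress
from typing import List, Tuple

ProxyId = Tuple[str, str, str]                       # (local prefix, remote prefix, service)
WILDCARD: ProxyId = ("0.0.0.0/0", "0.0.0.0/0", "0")  # what the SRX presents when unspecified

def srx_proxy_id(config: str) -> ProxyId:
    """Derive the Phase 2 proxy ID an SRX route-based VPN will present, following the
    behaviour reported in the thread: nothing configured -> all zeros; one distinct value
    per element -> that value; several networks in one element -> that element alone
    falls back to 0.0.0.0/0.  The knob parsed is 'ike proxy-identity' (assumption)."""
    local, remote, service = [], [], []
    for words in (line.split() for line in config.splitlines()):
        if "proxy-identity" not in words:
            continue
        for key, bucket in (("local", local), ("remote", remote), ("service", service)):
            if key in words:
                bucket.append(words[words.index(key) + 1])
    if not (local or remote or service):
        return WILDCARD
    pick = lambda vals, default: vals[0] if len(set(vals)) == 1 else default
    svc = pick(service, "any")
    return (pick(local, "0.0.0.0/0"), pick(remote, "0.0.0.0/0"), "0" if svc == "any" else svc)

def _net(addr: str, wildcard: str) -> str:
    # Cisco wildcard 0.0.0.0 means a single host; ipaddress would read that mask as /0.
    # Any other wildcard (host) mask is accepted by ipaddress directly.
    return str(ipaddress.ip_network(f"{addr}/32" if wildcard == "0.0.0.0" else f"{addr}/{wildcard}"))

def cisco_expected_peer_ids(acl: str) -> List[Tuple[str, str]]:
    """Mirror image of a Cisco crypto ACL: a 'permit ip SRC WC DST WC' line means the
    peer must offer local=DST, remote=SRC.  Only plain 'permit ip' lines are handled."""
    expected = []
    for w in (line.split() for line in acl.splitlines()):
        if len(w) >= 6 and w[:2] == ["permit", "ip"]:
            expected.append((_net(w[4], w[5]), _net(w[2], w[3])))
    return expected

def phase2_matches(srx: ProxyId, acl: str) -> bool:
    """True only when the SRX proxy ID exactly mirrors one crypto ACL line; an all-zero
    proxy ID against a specific ACL is the Phase 2 failure the thread describes."""
    local, remote, _ = srx
    return (local, remote) in cisco_expected_peer_ids(acl)

# Constructed samples: the VPN object from the thread, then the same with proxy-identity added.
BASE = ("set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr\n"
        "set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0\n")
ONE_NET = BASE + "set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity local 10.25.56.64/26 remote 2.16.68.0/24 service any\n"
TWO_NETS = ONE_NET + "set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity local 10.25.7.96/27 remote 2.16.68.0/24 service any\n"
CISCO_ACL = "permit ip 2.16.68.0 0.0.0.255 10.25.56.64 0.0.0.63\n"   # constructed crypto ACL on the Cisco side

if __name__ == "__main__":
    for name, cfg in (("unspecified", BASE), ("one network", ONE_NET), ("two networks", TWO_NETS)):
        pid = srx_proxy_id(cfg)
        print(f"{name:13s} -> SRX offers {pid}; Cisco Phase 2 match: {phase2_matches(pid, CISCO_ACL)}")
```

Only the single-network case mirrors the ACL; the unspecified and two-network cases both end up offering 0.0.0.0/0 for the local element and fail the mirror check.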
-----Original Message-----
From: Tom Devries
Sent: October-22-10 4:05 PM
To: Juniper-Nsp
Subject: Junos route based vpn with Cisco
Hi all,
Question regarding JunOS (SRX) route-based VPN with a Cisco remote end.
In such a route-based configuration, how are the SAs generated with the
Cisco? On the Cisco side you match an ACL as interesting traffic and
the SAs are created based on that. On JunOS route-based VPN, is it the
policy that creates the SA, or does the policy simply enforce the FW
rules on the tunnel? If that is the case, can I have many such rules
and specify ports for each rule? In the below configuration I would
like to specify application ports for each rule (rather than the current
"any"), but I am unsure how the remote Cisco would respond depending on
how the Juniper creates the SA (note the unnumbered st0 interface used)...
I used the following tool to generate this config:
https://www.juniper.net/customers/support/configtools/vpnconfig.html#
## Configure interface and routes for tunnel traffic (st0.0 is unnumbered)
set interfaces st0.0 family inet
set routing-options static route 2.16.68.0/24 next-hop st0.0
set routing-options static route 2.16.69.0/24 next-hop st0.0
## Configure security zones, assign interfaces to the zones & host-inbound services for each zone
## (zone names are case-sensitive; the tunnel zone is "Vpn" throughout)
set security zones security-zone Vpn interfaces st0.0
set security zones security-zone Vpn host-inbound-traffic system-services bgp
## Configure address book entries for each zone
set security zones security-zone Silver address-book address net-cfgr_10-25-56-64--26 10.25.56.64/26
set security zones security-zone Silver address-book address net-cfgr_10-25-7-96--27 10.25.7.96/27
set security zones security-zone Silver address-book address net-cfgr_10-25-194-96--27 10.25.194.96/27
## Remote networks in zone Vpn, referenced by the inbound policy below
set security zones security-zone Vpn address-book address net-cfgr_2-16-68-0--24 2.16.68.0/24
set security zones security-zone Vpn address-book address net-cfgr_2-16-69-0--24 2.16.69.0/24
## Configure IKE policy for main mode
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "yaright"
## Configure IKE gateway with peer IP address, IKE policy and outgoing interface
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 1.1.1.1
set security ike gateway ike-gate-cfgr external-interface ge-0/0/12.0
## Configure IKE authentication, encryption, DH group, and lifetime
set security ike proposal ike-proposal-cfgr authentication-method pre-shared-keys
set security ike policy ike-policy-cfgr proposals ike-proposal-cfgr
set security ike proposal ike-proposal-cfgr encryption-algorithm 3des-cbc
set security ike proposal ike-proposal-cfgr authentication-algorithm sha1
set security ike proposal ike-proposal-cfgr dh-group group2
set security ike proposal ike-proposal-cfgr lifetime-seconds
## Configure IPsec VPN object bound to the tunnel interface
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
## Configure IPsec authentication and encryption
set security ipsec proposal ipsec-proposal-cfgr protocol esp
set security ipsec policy ipsec-policy-cfgr proposals ipsec-proposal-cfgr
set security ipsec policy ipsec-policy-cfgr perfect-forward-secrecy keys group2
set security ipsec proposal ipsec-proposal-cfgr encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-proposal-cfgr authentication-algorithm hmac-sha1-96
## Configure security policies for tunnel traffic in the outbound direction
set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-56-64--26
set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-7-96--27
set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-194-96--27
set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match application any
set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr then permit
## Configure security policies for tunnel traffic in the inbound direction
set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match source-address net-cfgr_2-16-68-0--24
set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match source-address net-cfgr_2-16-69-0--24
set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-56-64--26
set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-7-96--27
set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-194-96--27
set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match application any
set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr then permit
Thanks,
Tom