[j-nsp] Junos route based vpn with Cisco

Crist Clark Crist.Clark at globalstar.com
Wed Oct 27 12:42:52 EDT 2010


The subject line specifies that you want route-based VPNs
on the Juniper side, but with all of this discussion of
proxy IDs, I should point out that using policy-based VPNs
may work much better in that respect.


On 10/27/2010 at  8:44 AM, Ivan Ivanov <ivanov.ivan at gmail.com> wrote:
> Hi Tom,
> 
> You have to use proxy-id when peering with Cisco. Unfortunately SRX
> supports only one network as remote and one as local. You have to
> summarize if it is possible.
> 
> Or to use any any in the access-list on Cisco.
> 
> HTH
> 
> 2010/10/27 Tom Devries <Tom.Devries at rci.rogers.com>
> 
>> Thought I would provide some feedback I received from Juniper regarding
>> this question for the archives.  If using a route based vpn, the proxy
>> IDs in the SA creation will be all 0's by default:
>>
>> Local: 0.0.0.0
>> Remote: 0.0.0.0
>> Service 0
>>
>> so as long as it is unspecified in the config.  However if you encrypt
>> more than one source network (i.e. multiple networks behind the SRX) and
>> put multiple networks in your proxy-id config (in say, local network)
>> then that part of the SA will show as 0.0.0.0.  I haven't been able to
>> find a Cisco interop configuration that will be able to create SAs and
>> establish phase II when receiving a 0.0.0.0/0.0.0.0/0 proxy id from a
>> peer (if you have one please post it).  However one other way to do it
>> would be to use GRE tunnels.
>>
>> So long story short, in the below configuration, proxy IDs will all be
>> 0's unless I specify a proxy-id in the config, and in that case I can
>> only encrypt one network/service, as configuring more will set the
>> outgoing proxy id element to be 0's.
>>
>>
>> Thanks,
>> Tom
>>
>> -----Original Message-----
>> From: Tom Devries
>> Sent: October-22-10 4:05 PM
>> To: Juniper-Nsp
>> Subject: Junos route based vpn with Cisco
>>
>>
>>
>> Hi all,
>>
>> Question regarding JunOS (SRX) route based VPN with Cisco remote end.
>> In such a route-based configuration, how are the SAs generated with the
>> Cisco?  On the Cisco side you match an ACL as interesting traffic and
>> the SAs are created based on that.  On JunOS route-based vpn, is it the
>> policy that creates the SA or does the policy simply enforce the FW
>> rules on the tunnel?  If that is the case, can I have many such rules
>> and specify ports for each rule?  In the below configuration I would
>> like to specify application ports for each rule (rather than the current
>> "any"), but I am unsure how the remote Cisco would respond depending on
>> how the Juniper creates the SA (note unnumbered ST interface used)...
>>
>> I used the following tool to generate this config:
>>
>> https://www.juniper.net/customers/support/configtools/vpnconfig.html#
>>
>> ### Configure interface IP and route for tunnel traffic
>>
>> set interfaces st0.0 family inet
>> set routing-options static route 2.16.68.0/24 next-hop st0.0
>> set routing-options static route 2.16.69.0/24 next-hop st0.0
>>
>> ## Configure security zones, assign interfaces to the zones &
>> host-inbound services for each zone (zone names are case-sensitive,
>> so the zone holding st0.0 is "Vpn", matching the policies below)
>>
>> set security zones security-zone Vpn interfaces st0.0
>> set security zones security-zone Vpn host-inbound-traffic system-services bgp
>>
>> ## Configure address book entries for each zone
>>
>> set security zones security-zone Silver address-book address net-cfgr_10-25-56-64--26 10.25.56.64/26
>> set security zones security-zone Silver address-book address net-cfgr_10-25-7-96--27 10.25.7.96/27
>> set security zones security-zone Silver address-book address net-cfgr_10-25-194-96--27 10.25.194.96/27
>>
>> ## Vpn-zone entries for the remote networks (referenced by the inbound
>> ## policy below; the policy will not commit without them)
>>
>> set security zones security-zone Vpn address-book address net-cfgr_2-16-68-0--24 2.16.68.0/24
>> set security zones security-zone Vpn address-book address net-cfgr_2-16-69-0--24 2.16.69.0/24
>>
>> ## Configure IKE policy for main mode
>>
>> set security ike policy ike-policy-cfgr mode main
>> set security ike policy ike-policy-cfgr pre-shared-key ascii-text "yaright"
>>
>> ## Configure IKE gateway with peer IP address, IKE policy and outgoing
>> interface
>>
>> set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
>> set security ike gateway ike-gate-cfgr address 1.1.1.1
>> set security ike gateway ike-gate-cfgr external-interface ge-0/0/12.0
>>
>> ## Configure IKE authentication, encryption, DH group, and Lifetime
>>
>> set security ike proposal ike-proposal-cfgr authentication-method pre-shared-keys
>> set security ike policy ike-policy-cfgr proposals ike-proposal-cfgr
>> set security ike proposal ike-proposal-cfgr encryption-algorithm 3des-cbc
>> set security ike proposal ike-proposal-cfgr authentication-algorithm sha1
>> set security ike proposal ike-proposal-cfgr dh-group group2
>> set security ike proposal ike-proposal-cfgr lifetime-seconds
>>
>> ## Configure IPsec policy
>>
>> set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
>> set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
>> set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
>>
>> ## Configure IPsec authentication and encryption
>>
>> set security ipsec proposal ipsec-proposal-cfgr protocol esp
>> set security ipsec policy ipsec-policy-cfgr proposals ipsec-proposal-cfgr
>> set security ipsec policy ipsec-policy-cfgr perfect-forward-secrecy keys group2
>> set security ipsec proposal ipsec-proposal-cfgr encryption-algorithm 3des-cbc
>> set security ipsec proposal ipsec-proposal-cfgr authentication-algorithm hmac-sha1-96
>>
>> ## Configure security policies for tunnel traffic in outbound direction
>>
>> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-56-64--26
>> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-7-96--27
>> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-194-96--27
>> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match application any
>> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr then permit
>>
>> ## Configure security policies for tunnel traffic in inbound direction
>>
>> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match source-address net-cfgr_2-16-68-0--24
>> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match source-address net-cfgr_2-16-69-0--24
>> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-56-64--26
>> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-7-96--27
>> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-194-96--27
>> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match application any
>> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr then permit
>>
>> Thanks,
>> Tom
>>
>>
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net 
>> https://puck.nether.net/mailman/listinfo/juniper-nsp 
>>
> 
> 



-- 

Crist Clark
Network Security Specialist, Information Systems
Globalstar
408 933 4387
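The thread turns on one detail: the SRX sends a single local/remote/service
triple as its Phase 2 proxy identity, and (as Tom reports) that triple
collapses to 0.0.0.0/0 when no proxy-identity is configured or when more than
one network is put on a side, which a Cisco peer with a specific crypto ACL
will not match. Ivan's two workarounds are to summarize each side to one
prefix or to use "any any" on the Cisco. The following Python is an added
example, not code from the thread, Juniper or Cisco, that models that
behaviour: it derives the proxy ID the SRX would send from a list of
networks, computes the smallest single summary prefix for each side, and
checks a Cisco crypto ACL against the identities. The responder check is a
simplified assumption (exact match of one ACL line, sides swapped), not an
implementation of IOS matching rules; the three Silver networks and two
remote networks are the ones from Tom's configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

IPv4Net = ipaddress.IPv4Network
ANY_NET = ipaddress.ip_network("0.0.0.0/0")  # the "all zeros" selector the SRX sends

# Networks taken from Tom's configuration in the thread.
SILVER_NETS = ["10.25.56.64/26", "10.25.7.96/27", "10.25.194.96/27"]
REMOTE_NETS = ["2.16.68.0/24", "2.16.69.0/24"]


@dataclass(frozen=True)
class ProxyId:
    """Phase 2 identities as seen from the SRX: local, remote, service (0 = any)."""
    local: IPv4Net
    remote: IPv4Net
    service: int = 0


def derive_srx_proxy_id(local_nets: Sequence[str], remote_nets: Sequence[str],
                        service: int = 0) -> ProxyId:
    """Model (assumption, simplified from Tom's report): a side with exactly one
    network is sent as that network; no network or several networks on a side
    collapses that side of the proxy ID to 0.0.0.0/0."""
    def one_side(nets: Sequence[str]) -> IPv4Net:
        if len(nets) == 1:
            return ipaddress.ip_network(nets[0])
        return ANY_NET
    return ProxyId(one_side(local_nets), one_side(remote_nets), service)


def smallest_summary(nets: Iterable[str]) -> IPv4Net:
    """Ivan's "summarize if possible": the smallest single prefix covering all
    of the given networks (widens one bit at a time until every net fits)."""
    parsed = [ipaddress.ip_network(n) for n in nets]
    summary = parsed[0]
    while not all(n.subnet_of(summary) for n in parsed):
        summary = summary.supernet()
    return summary


def cisco_accepts(proxy: ProxyId, crypto_acl: Sequence[Tuple[str, str]]) -> bool:
    """Simplified responder model (assumption): the Cisco accepts the SRX's
    identities only if some crypto ACL permit line (cisco_src, cisco_dst)
    matches them exactly with sides swapped, i.e. Cisco's source is the SRX's
    remote and Cisco's destination is the SRX's local.  An "ip any any" line
    is represented as ("0.0.0.0/0", "0.0.0.0/0")."""
    for src, dst in crypto_acl:
        if (ipaddress.ip_network(src) == proxy.remote
                and ipaddress.ip_network(dst) == proxy.local):
            return True
    return False


def plan_summarized_vpn(local_nets: Sequence[str], remote_nets: Sequence[str]
                        ) -> Tuple[ProxyId, List[Tuple[str, str]]]:
    """Summarize each side to one prefix (so the SRX proxy-identity stays
    specific) and return the single Cisco crypto ACL line that matches it."""
    local = smallest_summary(local_nets)
    remote = smallest_summary(remote_nets)
    proxy = derive_srx_proxy_id([str(local)], [str(remote)])
    acl = [(str(remote), str(local))]
    return proxy, acl


if __name__ == "__main__":
    # As configured in the thread: three local nets, two remote nets -> all zeros.
    as_posted = derive_srx_proxy_id(SILVER_NETS, REMOTE_NETS)
    specific_acl = [("2.16.68.0/24", "10.25.56.64/26")]
    print("proxy id as posted:", as_posted)
    print("matches a specific Cisco ACL:", cisco_accepts(as_posted, specific_acl))
    print("matches 'any any' ACL:", cisco_accepts(as_posted, [("0.0.0.0/0", "0.0.0.0/0")]))

    # Ivan's summarization alternative: one prefix per side.
    proxy, acl = plan_summarized_vpn(SILVER_NETS, REMOTE_NETS)
    print("summarized proxy id:", proxy, "Cisco ACL line:", acl)
    print("matches summarized ACL:", cisco_accepts(proxy, acl))
```

The summary for the three Silver networks is 10.25.0.0/16, which is far wider
than the three /26 and /27 ranges actually in use; the security policies on the
SRX still limit which hosts may use the tunnel, but the Cisco's crypto ACL will
then be equally wide, so the trade-off Ivan hints at is real.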


