[j-nsp] Junos route based vpn with Cisco

Wed Oct 27 13:30:23 EDT 2010

I had the same issue. I changed to policy based VPN and it worked out
of the box.

2010/10/27 Tom Devries <Tom.Devries at rci.rogers.com>:
> Thought I would provide some feedback I received from Juniper regarding
> this question for the archives.  If using a route based vpn, the proxy
> ID's in the SA creation will be all 0's by default:
>
> Local: 0.0.0.0
> Remote: 0.0.0.0
> Service 0
>
> so as long as it is unspecified in the config.  However if you encrypt
> more than one source network (i.e. multiple networks behind the SRX) and
> put multiple networks in your proxy-id config (in say, local network)
> then that part of the SA will show as 0.0.0.0.  I haven't been able to
> find a Cisco interop configuration that will be able to create SAs and
> establish phase II when receiving a 0.0.0.0/0.0.0.0/0 proxy id from a
> peer (if you have one please post it).  However one other way to do it
> would be to use GRE tunnels.
>
> So long story short, in the below configuration, proxy id's will all be
> 0's unless I specify a proxy-id in the config, and in that case I can
> only encrypt one network/service, as configuring more will set the
> outgoing proxy id element to be 0's.
>
>
> Thanks,
> Tom
>
> -----Original Message-----
> From: Tom Devries
> Sent: October-22-10 4:05 PM
> To: Juniper-Nsp
> Subject: Junos route based vpn with Cisco
>
>
>
> Hi all,
>
> Question regarding JunOS (SRX) route based VPN with Cisco remote end.
> In such a route-based configuration, how are the SA's generated with the
> Cisco?  On the Cisco side you match an ACL as interesting traffic and
> the SA's are created based on that.  On JunOS route-based vpn, is it the
> policy that creates the SA or does the policy simply enforce the FW
> rules on the tunnel?  If that is the case, can I have many such rules
> and specify ports for each rule?  In the below configuration I would
> like to specify application ports for each rule (rather than the current
> "any"), but I am unsure how the remote Cisco would respond depending on
> how the Juniper creates the SA (note unnumbered ST interface used)...
>
> I used the following tool to generate this config:
>
> https://www.juniper.net/customers/support/configtools/vpnconfig.html#
>
>
>
>
> ###Configure interface IP and route for tunnel traffic
>
> set interfaces st0.0 family inet
> set routing-options static route 2.16.68.0/24 next-hop st0.0
> set routing-options static route 2.16.69.0/24 next-hop st0.0
>
> ## Configure security zones, assign interfaces to the zones &
> host-inbound services for each zone
>
> set security zones security-zone vpn interfaces st0.0
> set security zones security-zone Vpn host-inbound-traffic
> system-services bgp
>
> ## Configure address book entries for each zone
>
> set security zones security-zone Silver address-book address
> net-cfgr_10-25-56-64--26 10.25.56.64/26
> set security zones security-zone Silver address-book address
> net-cfgr_10-25-7-96--27 10.25.7.96/27
> set security zones security-zone Silver address-book address
> net-cfgr_10-25-194-96--27 10.25.194.96/27
>
> ## Configure IKE policy for main mode
>
> set security ike policy ike-policy-cfgr mode main
> set security ike policy ike-policy-cfgr pre-shared-key ascii-text
> "yaright"
>
> ## Configure IKE gateway with peer IP address, IKE policy and outgoing
> interface
>
> set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
> set security ike gateway ike-gate-cfgr address 1.1.1.1
> set security ike gateway ike-gate-cfgr external-interface ge-0/0/12.0
>
> ## Configure IKE authentication, encryption, DH group, and Lifetime
>
> set security ike proposal ike-proposal-cfgr authentication-method
> pre-shared-keys
> set security ike policy ike-policy-cfgr proposals ike-proposal-cfgr
> set security ike proposal ike-proposal-cfgr encryption-algorithm
> 3des-cbc
> set security ike proposal ike-proposal-cfgr authentication-algorithm
> sha1
> set security ike proposal ike-proposal-cfgr dh-group group2
> set security ike proposal ike-proposal-cfgr lifetime-seconds
>
> ## Configure IPsec policy
>
> set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
> set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
> set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
>
>
> ## Configure IPsec authentication and encryption
>
> set security ipsec proposal ipsec-proposal-cfgr protocol esp
> set security ipsec policy ipsec-policy-cfgr proposals
> ipsec-proposal-cfgr
> set security ipsec policy ipsec-policy-cfgr perfect-forward-secrecy keys
> group2
> set security ipsec proposal ipsec-proposal-cfgr encryption-algorithm
> 3des-cbc
> set security ipsec proposal ipsec-proposal-cfgr authentication-algorithm
> hmac-sha1-96
>
> ## Configure security policies for tunnel traffic in outbound direction
>
> set security policies from-zone Silver to-zone Vpn policy
> Silver-Vpn-cfgr match source-address net-cfgr_10-25-56-64--26
> set security policies from-zone Silver to-zone Vpn policy
> Silver-Vpn-cfgr match source-address net-cfgr_10-25-7-96--27
> set security policies from-zone Silver to-zone Vpn policy
> Silver-Vpn-cfgr match source-address net-cfgr_10-25-194-96--27
> set security policies from-zone Silver to-zone Vpn policy
> Silver-Vpn-cfgr match application any
> set security policies from-zone Silver to-zone Vpn policy
> Silver-Vpn-cfgr then permit
>
> ## Configure security policies for tunnel traffic in inbound direction
>
> set security policies from-zone Vpn to-zone Silver policy
> Vpn-Silver-cfgr match source-address net-cfgr_2-16-68-0--24
> set security policies from-zone Vpn to-zone Silver policy
> Vpn-Silver-cfgr match source-address net-cfgr_2-16-69-0--24
> set security policies from-zone Vpn to-zone Silver policy
> Vpn-Silver-cfgr match destination-address net-cfgr_10-25-56-64--26
> set security policies from-zone Vpn to-zone Silver policy
> Vpn-Silver-cfgr match destination-address net-cfgr_10-25-7-96--27
> set security policies from-zone Vpn to-zone Silver policy
> Vpn-Silver-cfgr match destination-address net-cfgr_10-25-194-96--27
> set security policies from-zone Vpn to-zone Silver policy
> Vpn-Silver-cfgr match application any
> set security policies from-zone Vpn to-zone Silver policy
> Vpn-Silver-cfgr then permit
>
> Thanks,
> Tom
>
>
> This e-mail (and attachment(s)) is confidential, proprietary, may be subject to copyright and legal privilege and no related rights are waived. If you are not the intended recipient or its agent, any review, dissemination, distribution or copying of this e-mail or any of its content is strictly prohibited and may be unlawful. All messages may be monitored as permitted by applicable law and regulations and our policies to protect our business. E-mails are not secure and you are deemed to have accepted any risk if you communicate with us by e-mail. If received in error, please notify us immediately and delete the e-mail (and any attachments) from any computer or any storage medium without printing a copy.
>
> Ce courriel (ainsi que ses pièces jointes) est confidentiel, exclusif, et peut faire l’objet de droit d’auteur et de privilège juridique; aucun droit connexe n’est exclu. Si vous n’êtes pas le destinataire visé ou son représentant, toute étude, diffusion, transmission ou copie de ce courriel en tout ou en partie, est strictement interdite et peut être illégale. Tous les messages peuvent être surveillés, selon les lois et règlements applicables et les politiques de protection de notre entreprise. Les courriels ne sont pas sécurisés et vous êtes réputés avoir accepté tous les risques qui y sont liés si vous choisissez de communiquer avec nous par ce moyen. Si vous avez reçu ce message par erreur, veuillez nous en aviser immédiatement et supprimer ce courriel (ainsi que toutes ses pièces jointes) de tout ordinateur ou support de données sans en imprimer une copie.
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

-- 
Morten Isaksen