[j-nsp] Cisco to Juniper, route based IPSec VPN

Paulhamus, Jon jpaulhamus at IU17.ORG
Fri Nov 21 13:10:22 EST 2014


Here is a working config from an SRX connecting to a Cisco 2911 behind NAT - GRE over IPSec. Some things removed - snipped out. IPs changed etc.



-------------------------------------------

set interfaces ge-0/0/0 description ***INSIDE***
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.254/24
set interfaces gr-0/0/0 description ***TUNNEL***
set interfaces gr-0/0/0 unit 0 tunnel source 10.250.1.2
set interfaces gr-0/0/0 unit 0 tunnel destination 10.250.1.1
set interfaces gr-0/0/0 unit 0 family inet address 192.168.25.2/30
set interfaces fe-0/0/7 description ***OUTSIDE***
set interfaces fe-0/0/7 unit 0 family inet address 1.2.3.4/30
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
set interfaces lo0 unit 0 family inet address 10.250.1.2/32
set interfaces st0 unit 0 family inet
set routing-options static route 10.250.1.1/32 next-hop st0.0
set routing-options static route 10.250.1.1/32 no-readvertise
set protocols ospf area 0.0.0.1 interface gr-0/0/0.0 interface-type p2p
set protocols ospf area 0.0.0.1 interface ge-0/0/0.0
set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL dh-group group2
set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc
set security ike proposal IKE-PROPOSAL lifetime-seconds 86400
set security ike policy IKE-POLICY proposals IKE-PROPOSAL
set security ike policy IKE-POLICY pre-shared-key ascii-text "PRESHAREDKEY"
set security ike gateway GATEWAY ike-policy IKE-POLICY
set security ike gateway GATEWAY address 5.6.7.8
set security ike gateway GATEWAY external-interface fe-0/0/7.0
set security ike gateway GATEWAY general-ikeid
set security ipsec proposal IPSEC-PROPOSAL protocol esp
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-md5-96
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc
set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 3600
set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL
set security ipsec vpn COMPANY bind-interface st0.0
set security ipsec vpn COMPANY ike gateway GATEWAY
set security ipsec vpn COMPANY ike proxy-identity local 10.250.1.2/32
set security ipsec vpn COMPANY ike proxy-identity remote 10.250.1.1/32
set security ipsec vpn COMPANY ike ipsec-policy IPSEC-POLICY
set security ipsec vpn COMPANY establish-tunnels immediately
set security policies from-zone INSIDE to-zone INSIDE policy default-permit match source-address any
set security policies from-zone INSIDE to-zone INSIDE policy default-permit match destination-address any
set security policies from-zone INSIDE to-zone INSIDE policy default-permit match application any
set security policies from-zone INSIDE to-zone INSIDE policy default-permit then permit
set security policies from-zone INSIDE to-zone OUTSIDE policy default-permit match source-address any
set security policies from-zone INSIDE to-zone OUTSIDE policy default-permit match destination-address any
set security policies from-zone INSIDE to-zone OUTSIDE policy default-permit match application any
set security policies from-zone INSIDE to-zone OUTSIDE policy default-permit then permit
set security zones security-zone OUTSIDE interfaces fe-0/0/7.0 host-inbound-traffic system-services dhcp
set security zones security-zone OUTSIDE interfaces fe-0/0/7.0 host-inbound-traffic system-services ping
set security zones security-zone OUTSIDE interfaces fe-0/0/7.0 host-inbound-traffic system-services ike
set security zones security-zone OUTSIDE interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh
set security zones security-zone INSIDE host-inbound-traffic system-services all
set security zones security-zone INSIDE host-inbound-traffic protocols all
set security zones security-zone INSIDE interfaces ge-0/0/0.0
set security zones security-zone INSIDE interfaces lo0.0
set security zones security-zone INSIDE interfaces st0.0
set security zones security-zone INSIDE interfaces gr-0/0/0.0



-------------------------------------------------
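As an added example (not part of Jon's post, and not a Juniper tool), a small Python checker that reads a Junos set-style config like the one above and verifies the pieces a route-based VPN needs to come up (st0 unit present and zoned, IKE allowed inbound on the external interface, remote proxy-identity routed into the tunnel), then flags the legacy algorithms in the proposals. SRX_CONFIG is a constructed excerpt using the posted values; function names are my own.

```python
# Constructed excerpt of the Junos set-style config posted above (same values).
SRX_CONFIG = """\
set interfaces st0 unit 0 family inet
set routing-options static route 10.250.1.1/32 next-hop st0.0
set security ike proposal IKE-PROPOSAL dh-group group2
set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc
set security ike gateway GATEWAY external-interface fe-0/0/7.0
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-md5-96
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc
set security ipsec vpn COMPANY bind-interface st0.0
set security ipsec vpn COMPANY ike proxy-identity remote 10.250.1.1/32
set security zones security-zone OUTSIDE interfaces fe-0/0/7.0 host-inbound-traffic system-services ike
set security zones security-zone INSIDE interfaces st0.0
"""
# Algorithms a reviewer flags today; every one of them appears in the posted config.
WEAK = {"3des-cbc", "hmac-md5-96", "sha1", "group2"}

def parse(text):  # each 'set ...' line as a token list, leading 'set' dropped
    return [l.split()[1:] for l in text.splitlines() if l.startswith("set ")]

def after(tokens, key):  # token following keyword `key`, or None if absent
    return tokens[tokens.index(key) + 1] if key in tokens else None

def check_vpn_config(text):
    cfg = parse(text)
    zones = [t for t in cfg if t[:3] == ["security", "zones", "security-zone"]]
    findings = []
    for t in cfg:
        head = t[:3]
        # 1. each bind-interface needs a configured unit and a security zone
        if head == ["security", "ipsec", "vpn"] and (st := after(t, "bind-interface")):
            name, unit = st.split(".")
            if not any(u[:4] == ["interfaces", name, "unit", unit] for u in cfg):
                findings.append(f"{st}: bound but no unit configured")
            if not any(after(z, "interfaces") == st for z in zones):
                findings.append(f"{st}: not placed in any security zone")
        # 2. the zone of the IKE external-interface must accept inbound IKE
        if head == ["security", "ike", "gateway"] and (ext := after(t, "external-interface")):
            if not any(after(z, "interfaces") == ext and z[-2:] == ["system-services", "ike"] for z in zones):
                findings.append(f"{ext}: zone does not allow host-inbound ike")
        # 3. the remote proxy-identity must be routed into the st0 tunnel
        if "proxy-identity" in t and (rem := after(t, "remote")):
            if not any(u[:4] == ["routing-options", "static", "route", rem]
                       and (after(u, "next-hop") or "").startswith("st0") for u in cfg):
                findings.append(f"{rem}: no static route via st0")
        # 4. legacy algorithms in the IKE / IPsec proposals
        for alg in sorted(WEAK & set(t)):
            findings.append(f"weak {alg} in {' '.join(t[:4])}")
    return findings
```

On the posted config the structural checks pass and only the five weak-algorithm findings remain; deleting the st0.0 zone line or the inbound-ike service reproduces the classic "phase 2 never comes up" symptoms.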







-----Original Message-----
From: Tom Storey [mailto:tom at snnap.net] 
Sent: Friday, November 21, 2014 9:00 AM
To: cisco-nsp; juniper-nsp at puck.nether.net
Subject: [j-nsp] Cisco to Juniper, route based IPSec VPN

Hi everyone.

I'm trying to set up a route based VPN between a Cisco IOS router (1841) and a Juniper SRX, where the Cisco is sitting behind NAT and the Juniper is out on the public Internet.

My tunnel interfaces aren't coming up at either end, but I feel like I'm teetering on the edge of success.

Phase 1 seems to be ok (up in aggressive mode), but phase 2 is a little dubious. "debug crypto ipsec" on the Cisco isn't really giving up much in the way of error messages. The Juniper reports "SA not initialised" and the Cisco seems to be sending SA requests...

I feel like I'm making a really noobie mistake but I can't figure out what.
I've trawled the Internet for sample configs and from what I can see my only difference is the specifics for my particular setup (IPs, keys, proposals/transforms.)

Does anyone have a sample config I can review, or would you be willing to review my current configs?

Thanks in advance.
Tom
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp