[j-nsp] Cisco to Juniper, route based IPSec VPN
Tom Storey
tom at snnap.net
Fri Nov 21 15:54:58 EST 2014
Thanks Jon,
Your config pointed something out to me and I have managed to get it
working. I knew it was something simple and noobie, and it was :-)
I had defined PFS and DH group 5 in my Juniper IPSec policy stanza, but
there was nothing matching on the Cisco side I guess.
FWIW here are my two configs in case anyone needs something similar in the
future:
Cisco behind NAT
================
crypto isakmp policy 1
 encr aes 256
 hash sha384
 authentication pre-share
 group 5
!
crypto isakmp peer address 1.2.3.4
 set aggressive-mode password SuperSecretPassword
 set aggressive-mode client-endpoint fqdn router.router
!
crypto ipsec transform-set ESP_AES256 esp-aes 256 esp-sha256-hmac
!
crypto ipsec profile c2j-1
 set transform-set ESP_AES256
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.254
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 1.2.3.4
 tunnel protection ipsec profile c2j-1
!
Juniper SRX
===========
interfaces {
    st0 {
        unit 0 {
            family inet {
                address 10.0.0.1/31;
            }
        }
    }
}
security {
    ike {
        proposal ike-proposal-c2j-1 {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha-384;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy ike-policy-c2j-1 {
            mode aggressive;
            proposals ike-proposal-c2j-1;
            pre-shared-key ascii-text "SuperSecretPassword"; ## SECRET-DATA
        }
        gateway ike-gateway-c2j-1 {
            ike-policy ike-policy-c2j-1;
            dynamic hostname router.router;
            external-interface at-1/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-proposal-c2j-1 {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec-policy-c2j-1 {
            proposals ipsec-proposal-c2j-1;
        }
        vpn ipsec-vpn-c2j-1 {
            bind-interface st0.0;
            ike {
                gateway ike-gateway-c2j-1;
                proxy-identity {
                    local 0.0.0.0/0;
                    remote 0.0.0.0/0;
                }
                ipsec-policy ipsec-policy-c2j-1;
            }
            establish-tunnels immediately;
        }
    }
}
Now to get IPv6 working over the tunnel. Managed to get IPv6 and IPv4
working side by side on a tunnel between two Junipers, but no such luck so
far Cisco<>Juniper.
Thanks!
On 21 November 2014 18:10, Paulhamus, Jon <jpaulhamus at iu17.org> wrote:
> Here is a working config from an SRX connecting to a Cisco 2911 behind NAT
> - GRE over IPSec. Some things removed - snipped out. IPs changed, etc.
>
> -------------------------------------------
>
> set interfaces ge-0/0/0 description ***INSIDE***
> set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.254/24
> set interfaces gr-0/0/0 description ***TUNNEL***
> set interfaces gr-0/0/0 unit 0 tunnel source 10.250.1.2
> set interfaces gr-0/0/0 unit 0 tunnel destination 10.250.1.1
> set interfaces gr-0/0/0 unit 0 family inet address 192.168.25.2/30
> set interfaces fe-0/0/7 description ***OUTSIDE***
> set interfaces fe-0/0/7 unit 0 family inet address 1.2.3.4/30
> set interfaces lo0 unit 0 family inet address 127.0.0.1/32
> set interfaces lo0 unit 0 family inet address 10.250.1.2/32
> set interfaces st0 unit 0 family inet
> set routing-options static route 10.250.1.1/32 next-hop st0.0
> set routing-options static route 10.250.1.1/32 no-readvertise
> set protocols ospf area 0.0.0.1 interface gr-0/0/0.0 interface-type p2p
> set protocols ospf area 0.0.0.1 interface ge-0/0/0.0
> set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
> set security ike proposal IKE-PROPOSAL dh-group group2
> set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
> set security ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc
> set security ike proposal IKE-PROPOSAL lifetime-seconds 86400
> set security ike policy IKE-POLICY proposals IKE-PROPOSAL
> set security ike policy IKE-POLICY pre-shared-key ascii-text "PRESHAREDKEY"
> set security ike gateway GATEWAY ike-policy IKE-POLICY
> set security ike gateway GATEWAY address 5.6.7.8
> set security ike gateway GATEWAY external-interface fe-0/0/7.0
> set security ike gateway GATEWAY general-ikeid
> set security ipsec proposal IPSEC-PROPOSAL protocol esp
> set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-md5-96
> set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc
> set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 3600
> set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL
> set security ipsec vpn COMPANY bind-interface st0.0
> set security ipsec vpn COMPANY ike gateway GATEWAY
> set security ipsec vpn COMPANY ike proxy-identity local 10.250.1.2/32
> set security ipsec vpn COMPANY ike proxy-identity remote 10.250.1.1/32
> set security ipsec vpn COMPANY ike ipsec-policy IPSEC-POLICY
> set security ipsec vpn COMPANY establish-tunnels immediately
> set security policies from-zone INSIDE to-zone INSIDE policy default-permit match source-address any
> set security policies from-zone INSIDE to-zone INSIDE policy default-permit match destination-address any
> set security policies from-zone INSIDE to-zone INSIDE policy default-permit match application any
> set security policies from-zone INSIDE to-zone INSIDE policy default-permit then permit
> set security policies from-zone INSIDE to-zone OUTSIDE policy default-permit match source-address any
> set security policies from-zone INSIDE to-zone OUTSIDE policy default-permit match destination-address any
> set security policies from-zone INSIDE to-zone OUTSIDE policy default-permit match application any
> set security policies from-zone INSIDE to-zone OUTSIDE policy default-permit then permit
> set security zones security-zone OUTSIDE interfaces fe-0/0/7.0 host-inbound-traffic system-services dhcp
> set security zones security-zone OUTSIDE interfaces fe-0/0/7.0 host-inbound-traffic system-services ping
> set security zones security-zone OUTSIDE interfaces fe-0/0/7.0 host-inbound-traffic system-services ike
> set security zones security-zone OUTSIDE interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh
> set security zones security-zone INSIDE host-inbound-traffic system-services all
> set security zones security-zone INSIDE host-inbound-traffic protocols all
> set security zones security-zone INSIDE interfaces ge-0/0/0.0
> set security zones security-zone INSIDE interfaces lo0.0
> set security zones security-zone INSIDE interfaces st0.0
> set security zones security-zone INSIDE interfaces gr-0/0/0.0
>
> -------------------------------------------------
>
> -----Original Message-----
> From: Tom Storey [mailto:tom at snnap.net]
> Sent: Friday, November 21, 2014 9:00 AM
> To: cisco-nsp; juniper-nsp at puck.nether.net
> Subject: [j-nsp] Cisco to Juniper, route based IPSec VPN
>
> Hi everyone.
>
> I'm trying to set up a route based VPN between a Cisco IOS router (1841)
> and a Juniper SRX, where the Cisco is sitting behind NAT and the Juniper is
> out on the public Internet.
>
> My tunnel interfaces aren't coming up at either end, but I feel like I'm
> teetering on the edge of success.
>
> Phase 1 seems to be ok (up in aggressive mode), but phase 2 is a little
> dubious. "debug crypto ipsec" on the Cisco isn't really giving up much in
> the way of error messages. The Juniper reports "SA not initialised" and the
> Cisco seems to be sending SA requests...
>
> I feel like I'm making a really noobie mistake but I can't figure out what.
> I've trawled the Internet for sample configs and from what I can see my
> only difference is the specifics for my particular setup (IPs, keys,
> proposals/transforms).
>
> Does anyone have a sample config I can review, or would you be willing to
> review my current configs?
>
> Thanks in advance.
> Tom
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
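Added example, not from either poster in this thread: a small Python script that normalises the Cisco IOS and Junos proposal settings above into one form and reports, phase by phase, what does not agree. The failure Tom hit (PFS group 5 in the SRX ipsec policy, nothing matching on the Cisco) shows up on the wire only as "SA not initialised" and phase 2 retries, so a side-by-side diff of the negotiated parameters is the fastest check. The script also flags parameters that both sides agree on but that are weak by current standards (3DES, MD5, SHA-1, DH groups 2 and 5), and notes the aggressive-mode/PSK combination both configs rely on. Assumptions: the IOS-to-Junos keyword mapping covers only the common values shown; Junos input is taken in `set` form (as in Jon's reply) rather than the curly-brace form Tom posted; the sample inputs are the crypto lines of the two configs in this thread, with the pre-fix state (PFS on the SRX only) reconstructed from Tom's description.

```python
# Added example for this thread, not from either poster: normalise Cisco IOS and Junos
# proposal settings into one form and report per-phase mismatches. Mappings are assumed.
import re
IOS_ENC = {"aes 256": "aes-256-cbc", "aes": "aes-128-cbc", "3des": "3des-cbc"}  # 'encr ...'
IOS_HASH = {"sha384": "sha-384", "sha256": "sha-256", "sha": "sha1", "md5": "md5"}
ESP_ENC = {"esp-aes 256": "aes-256-cbc", "esp-aes": "aes-128-cbc", "esp-3des": "3des-cbc"}
ESP_AUTH = {"esp-sha256-hmac": "hmac-sha-256-128", "esp-sha-hmac": "hmac-sha1-96",
            "esp-md5-hmac": "hmac-md5-96"}
JUNOS_KEYS = {"encryption-algorithm": "encryption", "authentication-algorithm": "hash", "dh-group": "dh"}
WEAK = {"3des-cbc": "3DES, 64-bit block", "md5": "MD5", "hmac-md5-96": "MD5", "sha1": "SHA-1",
        "hmac-sha1-96": "SHA-1", "group2": "1024-bit MODP", "group5": "1536-bit MODP, below 2048-bit"}

def _lookup(table, text):
    for key in sorted(table, key=len, reverse=True):      # longest keyword wins ('esp-aes 256' over 'esp-aes')
        if re.search(rf"(?<![\w-]){re.escape(key)}(?![\w-])", text):
            return table[key]
    return None

def parse_ios(text):
    """Phase 1 / phase 2 settings from IOS 'crypto isakmp|ipsec' lines."""
    p1, p2, block = {"mode": "main"}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        kw, _, rest = line.partition(" ")
        if not line or line == "!":
            block = None
        elif kw == "crypto":
            block = rest.split()[1]                  # policy / peer / transform-set / profile
            if block == "transform-set":
                p2["encryption"], p2["hash"] = _lookup(ESP_ENC, rest), _lookup(ESP_AUTH, rest)
        elif line.startswith("set aggressive-mode"):   # under 'crypto isakmp peer'; PSK based
            p1["mode"] = "aggressive"
        elif block == "policy" and kw == "encr":
            p1["encryption"] = IOS_ENC.get(rest, rest)
        elif block == "policy" and kw == "hash":
            p1["hash"] = IOS_HASH.get(rest, rest)
        elif block == "policy" and kw == "group":
            p1["dh"] = "group" + rest
        elif block == "profile" and rest.startswith("pfs "):   # 'set pfs groupN'; IOS default: no PFS
            p2["pfs"] = rest.split()[-1]
    return p1, p2

def parse_junos(text):
    """Same settings from Junos 'set security ike|ipsec ...' lines (set format)."""
    p1, p2 = {"mode": "main"}, {}
    for line in text.splitlines():
        w = line.split()
        target = {"ike": p1, "ipsec": p2}.get(w[2]) if w[:2] == ["set", "security"] and len(w) > 6 else None
        if target is None:
            continue
        stanza, key, val = w[3], w[5], " ".join(w[6:])
        if stanza == "proposal" and key in JUNOS_KEYS:
            target[JUNOS_KEYS[key]] = val
        elif stanza == "policy" and key == "mode":
            target["mode"] = val
        elif stanza == "policy" and key == "perfect-forward-secrecy":
            target["pfs"] = w[-1]                            # '... keys group5'; Junos default: no PFS
    return p1, p2

def compare(cisco, junos):
    """Findings: MISMATCH (that phase will not negotiate), WEAK (agreed, but weak), NOTE."""
    out = []
    for phase, c, j in (("phase1", cisco[0], junos[0]), ("phase2", cisco[1], junos[1])):
        for key in sorted(set(c) | set(j)):
            cv, jv = c.get(key, "<unset>"), j.get(key, "<unset>")
            if cv != jv:
                out.append(f"MISMATCH {phase} {key}: cisco={cv} junos={jv}")
            out += [f"WEAK {phase} {key}: {v} ({WEAK[v]})" for v in sorted(v for v in {cv, jv} if v in WEAK)]
    if cisco[0]["mode"] == "aggressive":
        out.append("NOTE phase1: IKEv1 aggressive mode with a PSK exposes a hash of the PSK to "
                   "offline guessing; use a long random PSK, or certificates where supported")
    return out

# Sample inputs: the crypto lines of the two configs posted in this thread (Junos in set form)
CISCO_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash sha384
 authentication pre-share
 group 5
!
crypto isakmp peer address 1.2.3.4
 set aggressive-mode password SuperSecretPassword
!
crypto ipsec transform-set ESP_AES256 esp-aes 256 esp-sha256-hmac
"""
JUNOS_SET = """\
set security ike proposal ike-proposal-c2j-1 authentication-method pre-shared-keys
set security ike proposal ike-proposal-c2j-1 dh-group group5
set security ike proposal ike-proposal-c2j-1 authentication-algorithm sha-384
set security ike proposal ike-proposal-c2j-1 encryption-algorithm aes-256-cbc
set security ike policy ike-policy-c2j-1 mode aggressive
set security ipsec proposal ipsec-proposal-c2j-1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-proposal-c2j-1 encryption-algorithm aes-256-cbc
"""
JUNOS_BEFORE_FIX = JUNOS_SET + (  # reconstructed pre-fix state: PFS on the SRX only
    "set security ipsec policy ipsec-policy-c2j-1 perfect-forward-secrecy keys group5\n")
if __name__ == "__main__":
    print("\n".join(compare(parse_ios(CISCO_CONFIG), parse_junos(JUNOS_BEFORE_FIX))))
```

Run as-is it reports the pre-fix state: one MISMATCH for phase 2 `pfs` (Cisco unset, SRX group5), which is exactly the phase-2-only failure described above. Swap `JUNOS_BEFORE_FIX` for `JUNOS_SET` and only the WEAK line for DH group 5 and the aggressive-mode NOTE remain. The MISMATCH/WEAK distinction is the one to keep in mind when reconciling proposals: IOS sends no PFS unless `set pfs` is in the ipsec profile, and the SRX sends PFS only if `perfect-forward-secrecy keys` is in the ipsec policy, so it has to be both or neither.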