Juniper – VPN to Cisco only works through the VPN to one subnet at a time

Juniper Networks – [SRX] VPN to Cisco only works through the VPN to one subnet at a time

The reason for this is that when the remote peer negotiates a policy-based VPN (as a Cisco crypto-map/ACL peer does), a separate pair of Security Associations (a separate Phase 2 / proxy-ID pair) is negotiated for each local/remote subnet pair. In this scenario only one pair of Security Associations was created, so only one subnet could use the tunnel at a time. To resolve this, create a separate Phase 2 for each destination subnet: on the SRX this means one `vpn` object per remote subnet, each with its own `proxy-identity` and its own `st0` unit, all referencing the same IKE gateway, as shown below. Two caveats for anyone copying this example: the algorithm set used here (3DES, SHA-1, DH group 2) is legacy and should only be kept if the Cisco peer cannot do AES, SHA-2 and DH group 14 or higher; and the `$9$…` pre-shared-key string in the listing is Junos reversible obfuscation, not a hash, so a configuration containing it must never be published without changing the key.

root@FW# show security ike 
/* IKE (Phase 1) proposal referenced by ike-cisco-policy below.
   3des-cbc / sha1 / group2 are legacy algorithms - keep them only
   because the Cisco peer requires them; prefer AES, SHA-2 and DH
   group 14+ where the peer supports it. Both sides must offer a
   matching proposal or Phase 1 never completes. */
proposal pre-g2-3des-sha {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    /* 24h IKE SA lifetime */
    lifetime-seconds 86400;
}
/* Second IKE proposal; not referenced by any ike policy in this
   listing, so it is unused as shown. No encryption-algorithm is
   configured, so the platform default applies (the name suggests
   single DES was intended) - NOTE(review): confirm before relying
   on it, and remove it if it is dead config. */
proposal pre-g2-des-sha {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
}
/* IKE policy for the Cisco peer: main mode, single proposal.
   The pre-shared key is stored as a $9$ string, which is Junos
   reversible obfuscation rather than a hash - treat this line as
   the cleartext PSK (do not paste it into tickets or posts, and
   rotate the key if it has already been exposed). */
policy ike-cisco-policy {
    mode main;
    proposals pre-g2-3des-sha;
    pre-shared-key ascii-text "$9$DdHmT6/tBRSApBESy8Ldbs24ZQz6"; ## SECRET-DATA
}
/* IKE gateway for the Cisco peer at 172.22.145.62, reached via
   ge-0/0/1.0. Both vpn objects below bind to this single gateway;
   only the Phase 2 (proxy-identity) differs per subnet. */
gateway ike-srx3400-gw {
    ike-policy ike-cisco-policy;
    address 172.22.145.62;
    /* DPD every 10s; threshold 1 means a single unanswered probe
       marks the peer down. NOTE(review): that is aggressive and may
       cause tunnel flaps on a lossy path - confirm this is intended. */
    dead-peer-detection {
        interval 10;
        threshold 1;
    }
    external-interface ge-0/0/1.0;
}

root@FW# show security ipsec 
/* IPsec (Phase 2) proposal: ESP with HMAC-SHA1-96 and 3DES-CBC.
   Legacy algorithms, kept for Cisco interoperability; prefer
   AES-GCM or AES-CBC + SHA-2 if the peer supports them.
   NOTE(review): ipsec-cisco-policy below does not reference this
   proposal in the listing shown - confirm it is actually selected. */
proposal g2-esp-3des-sha {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    /* 24h IPsec SA lifetime */
    lifetime-seconds 86400;
}
/* IPsec policy shared by both vpn objects. PFS with DH group 2
   must also be enabled on the Cisco crypto map or Phase 2 fails.
   No proposals / proposal-set statement is visible here, so the
   proposal in use is whatever the platform defaults to -
   NOTE(review): confirm, and reference g2-esp-3des-sha explicitly
   if that is what the peer expects. */
policy ipsec-cisco-policy {
    perfect-forward-secrecy {
        keys group2;
    }
}
/* First Phase 2: route-based VPN bound to st0.0, with the
   proxy-identity pinned to 11.11.11.0/24 <-> 192.168.1.0/24 so
   the SRX negotiates exactly one SA pair matching the Cisco
   ACL entry for this subnet. (11.11.11.0/24 is not RFC 1918
   space - presumably sanitized for the post.) Traffic for the
   remote subnet must be routed to st0.0 (routes not shown). */
vpn vpn-ns25 {
    bind-interface st0.0;
    ike {
        gateway ike-srx3400-gw;
        proxy-identity {
            local 11.11.11.0/24;
            remote 192.168.1.0/24;
            service any;
        }
        ipsec-policy ipsec-cisco-policy;
    }
    /* bring the tunnel up at commit rather than on first packet */
    establish-tunnels immediately;
}
/* Second Phase 2 - the fix described in the post. Same gateway
   and IPsec policy as vpn-ns25, but its own st0 unit and its own
   proxy-identity for 192.168.10.0/24, giving the second subnet its
   own SA pair. Add one more vpn object like this (with a new st0
   unit) for each additional remote subnet. Routes for
   192.168.10.0/24 via st0.1 are required but not shown here. */
vpn vpn2 {
    bind-interface st0.1;
    ike {
        gateway ike-srx3400-gw;
        proxy-identity {
            local 11.11.11.0/24;
            remote 192.168.10.0/24;
            service any;
        }
        ipsec-policy ipsec-cisco-policy;
    }
    establish-tunnels immediately;
}

root@FW# show interfaces 

}
/* Secure tunnel interface: one unnumbered inet unit per vpn
   object (unit 0 -> vpn-ns25, unit 1 -> vpn2). The units still
   need to be placed in a security zone and covered by security
   policies for traffic to pass - neither is shown in this post. */
st0 {
    unit 0 {
        family inet;
    }
    unit 1 {
        family inet;
    }    
}