IPSEC VPN between SRX and Cisco

Cisco Configuration

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco3725
!
boot-start-marker
boot-end-marker
!
enable password 7 030455DDD03241D1C5A
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key juniper123 address 192.168.0.1
!
!
crypto ipsec transform-set vpn-with-junos esp-3des esp-md5-hmac
!
crypto map junos-map 1 ipsec-isakmp
 set peer 192.168.0.1
 set transform-set vpn-with-junos
 match address 101
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.222.2 255.255.255.0
 duplex auto
 speed auto
 crypto map junos-map
!
interface FastEthernet0/1
 ip address 192.168.223.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 192.168.222.1
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.223.0 0.0.0.255 10.3.3.0 0.0.0.255
!
!
!
!
control-plane
!

line con 0
line aux 0
line vty 0 4
 password 7 011B04055E07035Y731F
 login
!
!
end


JUNOS IPSEC related config

IKE

[edit]
root@hub# show security ike
proposal cisco-prop {
    authentication-method pre-shared-keys;
    dh-group group1;
    authentication-algorithm md5;
    lifetime-seconds 28800;
}
policy cisco-pol {
    mode main;
    proposals cisco-prop;
    pre-shared-key ascii-text "$9$IB6hyKX7V4aUM8aUjH5TRhSrM8xNdsgo"; ## SECRET-DATA
}
gateway gw-cisco {
    ike-policy cisco-pol;
    address 192.168.222.2;
    external-interface vlan.10;
}

IPSEC

[edit]
root@hub# show security ipsec
proposal cisco-prop {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy cisco-pol {
    proposals cisco-prop;
}
vpn vpn-cisco {
    bind-interface st0.0;
    ike {
        gateway gw-cisco;
        proxy-identity {
            local 10.3.3.0/24;
            remote 192.168.223.0/24;
            service any;
        }
        ipsec-policy cisco-pol;
    }
    establish-tunnels immediately;
}

ROUTING TABLE

root@hub# show routing-options
static {
    route 192.168.222.0/24 next-hop 192.168.0.101;
    route 192.168.223.0/24 next-hop st0.0;
}

Troubleshooting outputs

[edit]
root@hub# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
528164  UP     aa10d2af78cf71e3  c90e04cbcd0385b9  Main           192.168.222.2
root@hub# run show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  <131075 ESP:3des/md5  a9fd9418 2106/  3686400 -  root 500   192.168.222.2
  >131075 ESP:3des/md5  c90f79c  2106/  3686400 -  root 500   192.168.222.2

And finally, the proof that the IPsec tunnel works:

root@hub# run ping 192.168.223.1 source 10.3.3.1
PING 192.168.223.1 (192.168.223.1): 56 data bytes
64 bytes from 192.168.223.1: icmp_seq=0 ttl=255 time=12.787 ms
64 bytes from 192.168.223.1: icmp_seq=1 ttl=255 time=9.699 ms
64 bytes from 192.168.223.1: icmp_seq=2 ttl=255 time=9.372 ms
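As an added example (not part of the original post), a short Python script that checks the two configs above against each other the way one would when chasing a phase 1 or phase 2 failure: it verifies that the Cisco crypto ACL mirrors the SRX proxy-identity, and that the IKE DH group, hash and lifetime agree, filling in the IOS defaults for lines the Cisco policy omits. The config excerpts are copied from this page; the parsing functions and the IOS-to-Junos hash-name map are mine.

```python
import ipaddress
import re

# Constructed excerpts of the two configs shown on this page
CISCO_CFG = """
crypto isakmp policy 1
 encr 3des
 hash md5
 lifetime 28800
access-list 101 permit ip 192.168.223.0 0.0.0.255 10.3.3.0 0.0.0.255
"""
SRX_CFG = """
dh-group group1;
authentication-algorithm md5;
lifetime-seconds 28800;
proxy-identity {
    local 10.3.3.0/24;
    remote 192.168.223.0/24;
}
"""

def cisco_crypto_acl(cfg, acl_id):
    """'access-list N permit ip SRC WILD DST WILD' -> [(src_net, dst_net)]."""
    pat = re.compile(rf"^access-list {acl_id} permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
    # ipaddress accepts the Cisco wildcard (hostmask) in the mask position
    return [(ipaddress.ip_network(f"{s}/{sw}"), ipaddress.ip_network(f"{d}/{dw}"))
            for s, sw, d, dw in pat.findall(cfg)]

def srx_proxy_identity(cfg):
    """proxy-identity block -> (local_net, remote_net)."""
    local, remote = (re.search(rf"\b{k} (\S+);", cfg).group(1) for k in ("local", "remote"))
    return ipaddress.ip_network(local), ipaddress.ip_network(remote)

def proxy_ids_mirror(cisco_cfg, acl_id, srx_cfg):
    """Phase 2 only negotiates when Cisco src/dst equals SRX remote/local."""
    local, remote = srx_proxy_identity(srx_cfg)
    return any(s == remote and d == local for s, d in cisco_crypto_acl(cisco_cfg, acl_id))

def ike_policies_agree(cisco_cfg, srx_cfg):
    """Compare DH group, hash and lifetime. IOS defaults fill lines the policy omits (the
    page's policy has no 'group' line, so it runs DH group 1). IKE encryption is not
    compared because the page's SRX proposal leaves it at its Junos default."""
    c = {"hash": "sha", "group": "1", "lifetime": "86400"}  # IOS defaults
    c.update(re.findall(r"^ (hash|group|lifetime) (\S+)$", cisco_cfg, re.M))
    s = dict(re.findall(r"^(dh-group|authentication-algorithm|lifetime-seconds) (\S+);$", srx_cfg, re.M))
    hash_map = {"md5": "md5", "sha": "sha1"}  # IOS name -> Junos name
    return (s["dh-group"] == "group" + c["group"]
            and s["authentication-algorithm"] == hash_map[c["hash"]]
            and s["lifetime-seconds"] == c["lifetime"])
```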


Actually, I have tried to set up a multipoint tunnel interface on the SRX side; however, I could never make it work. If I use a multipoint interface, I have to use NHTB like this:

root@hub# top show interfaces st0.0
multipoint;
family inet {
    next-hop-tunnel 223.255.255.2 ipsec-vpn vpn-cisco;
    address 192.168.100.5/24;
}

Here 223.255.255.2 is a dummy IP; however, I couldn’t find any way to properly insert a static route which points to this IPsec tunnel. As explained at http://kb.juniper.net/InfoCenter/index?page=content&id=KB11787, there is a command on ScreenOS which allows you to do this. This is a challenge point for me. Let’s see if I will be able to make it…


One Response to IPSEC VPN between SRX and Cisco

  1. PeteLong says:

    Here’s some more information that might be helpful

    Cisco ASA to Juniper SRX Site to Site VPN

    Pete
    PeteNetLive
