IPSEC VPN between SRX and Cisco

In this post, I would like to share my site-to-site IPsec VPN configuration between an SRX100 (Junos 11.1R4.4) and a Cisco 3725 (IOS 12.4, running on Dynamips).


Cisco Configuration

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco3725
!
boot-start-marker
boot-end-marker
!
enable password 7 030455DDD03241D1C5A
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key juniper123 address 192.168.0.1
!
!
crypto ipsec transform-set vpn-with-junos esp-3des esp-md5-hmac 
!
crypto map junos-map 1 ipsec-isakmp 
 set peer 192.168.0.1
 set transform-set vpn-with-junos 
 match address 101
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.222.2 255.255.255.0
 duplex auto
 speed auto
 crypto map junos-map
!
interface FastEthernet0/1
 ip address 192.168.223.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 192.168.222.1
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.223.0 0.0.0.255 10.3.3.0 0.0.0.255
!
!
!
!
control-plane
!

line con 0
line aux 0
line vty 0 4
 password 7 011B04055E07035Y731F
 login
!
!
end

Junos IPsec-related config

[edit]
root@hub# show security ike
proposal cisco-prop {
    authentication-method pre-shared-keys;
    dh-group group1;
    authentication-algorithm md5;
    lifetime-seconds 28800;
}
policy cisco-pol {
    mode main;
    proposals cisco-prop;
    pre-shared-key ascii-text "$9$IB6hyKX7V4aUM8aUjH5TRhSrM8xNdsgo"; ## SECRET-DATA
}
gateway gw-cisco {
    ike-policy cisco-pol;
    address 192.168.222.2;
    external-interface vlan.10;
}

[edit]
root@hub# show security ipsec
proposal cisco-prop {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy cisco-pol {
    proposals cisco-prop;
}
vpn vpn-cisco {
    bind-interface st0.0;
    ike {
        gateway gw-cisco;
        proxy-identity {
            local 10.3.3.0/24;
            remote 192.168.223.0/24;
            service any;
        }
        ipsec-policy cisco-pol;
    }
    establish-tunnels immediately;
}
root@hub# show routing-options
static {
    route 192.168.222.0/24 next-hop 192.168.0.101;
    route 192.168.223.0/24 next-hop 192.168.100.244;
}
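The two sides above only come up because every phase 1 and phase 2 parameter matches and the Cisco crypto ACL is the exact mirror of the Junos proxy-identity. The following script is an added example (not from the post) that cross-checks those points and flags the legacy algorithms (3DES, MD5, DH group 1) that this lab uses; the config excerpts inside it are constructed from the configs shown above, and it assumes IOS 'group 1' and Junos 3des-cbc IKE encryption are the defaults that apply when the line is not configured.

```python
"""Cross-check the Cisco crypto-map side of this post's tunnel against the Junos
route-based side.  Added example, not from the post; the excerpts below are
constructed from the configs above.  Assumption: IOS 'group 1' and Junos 3des-cbc
IKE encryption are the defaults that apply when the line is not configured."""
import ipaddress
import re
CISCO_CFG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 28800
crypto ipsec transform-set vpn-with-junos esp-3des esp-md5-hmac
access-list 101 permit ip 192.168.223.0 0.0.0.255 10.3.3.0 0.0.0.255
"""
JUNOS_IKE = "dh-group group1; authentication-algorithm md5; lifetime-seconds 28800;"
JUNOS_IPSEC = ("protocol esp; authentication-algorithm hmac-md5-96; "
               "encryption-algorithm 3des-cbc; local 10.3.3.0/24; remote 192.168.223.0/24;")
IOS_TO_JUNOS = {"3des": "3des-cbc", "md5": "md5", "esp-3des": "3des-cbc",
                "esp-md5-hmac": "hmac-md5-96"}          # IOS keyword -> Junos keyword
LEGACY = {"3des-cbc", "md5", "hmac-md5-96", "group1"}  # deprecated choices worth flagging

def junos_kv(text):
    """Flat Junos 'key value;' statements -> dict."""
    return dict(re.findall(r"([\w-]+)\s+(\S+);", text))

def wildcard_to_net(ip, wildcard):
    """IOS wildcard mask (e.g. 0.0.0.255) -> CIDR network."""
    return ipaddress.ip_network(f"{ip}/{32 - int(ipaddress.IPv4Address(wildcard)).bit_length()}")

def compare(cisco=CISCO_CFG, j_ike=JUNOS_IKE, j_ipsec=JUNOS_IPSEC):
    """Return mismatch and weak-algorithm findings; an empty list means consistent."""
    ike, ipsec = junos_kv(j_ike), junos_kv(j_ipsec)
    c = dict(re.findall(r"^\s*(encr|hash|lifetime|group)\s+(\S+)", cisco, re.M))
    enc, auth = re.search(r"transform-set \S+ (\S+) (\S+)", cisco).groups()
    # Phase 1 policy and phase 2 transform-set must match the Junos proposals field by field
    checks = [("IKE encryption", IOS_TO_JUNOS[c.get("encr", "3des")], ike.get("encryption-algorithm", "3des-cbc")),
              ("IKE hash", IOS_TO_JUNOS[c["hash"]], ike["authentication-algorithm"]),
              ("IKE DH group", "group" + c.get("group", "1"), ike["dh-group"]),
              ("IKE lifetime", c["lifetime"], ike["lifetime-seconds"]),
              ("IPsec encryption", IOS_TO_JUNOS[enc], ipsec["encryption-algorithm"]),
              ("IPsec authentication", IOS_TO_JUNOS[auth], ipsec["authentication-algorithm"])]
    findings = [f"{name} mismatch: {a} vs {b}" for name, a, b in checks if a != b]
    # Proxy IDs: the crypto ACL's src/dst must be the mirror image of Junos local/remote
    acl = re.search(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", cisco).groups()
    src, dst = wildcard_to_net(*acl[:2]), wildcard_to_net(*acl[2:])
    if (src, dst) != (ipaddress.ip_network(ipsec["remote"]), ipaddress.ip_network(ipsec["local"])):
        findings.append("proxy-ID / ACL not mirrored")
    used = set(ike.values()) | set(ipsec.values())
    findings += [f"legacy algorithm in use: {alg}" for alg in sorted(LEGACY & used)]
    return findings
```

On the configs from this post, compare() reports no mismatches, only the four legacy-algorithm findings; swapping local/remote in the proxy-identity or changing one transform reproduces the classic "phase 2 never comes up" mismatch as a finding.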

Troubleshooting outputs

[edit]
root@hub# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
528164  UP     aa10d2af78cf71e3  c90e04cbcd0385b9  Main           192.168.222.2
root@hub# run show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  <131075 ESP:3des/md5  a9fd9418 2106/  3686400 -  root 500   192.168.222.2
  >131075 ESP:3des/md5  c90f79c  2106/  3686400 -  root 500   192.168.222.2

And finally, the proof that the IPsec tunnel works:

root@hub# run ping 192.168.223.1 source 10.3.3.1
PING 192.168.223.1 (192.168.223.1): 56 data bytes
64 bytes from 192.168.223.1: icmp_seq=0 ttl=255 time=12.787 ms
64 bytes from 192.168.223.1: icmp_seq=1 ttl=255 time=9.699 ms
64 bytes from 192.168.223.1: icmp_seq=2 ttl=255 time=9.372 ms

I actually tried to set up a multipoint tunnel interface on the SRX side, but I could never make it work. With a multipoint interface, NHTB (next-hop tunnel binding) has to be used, like this:

root@hub# top show interfaces st0.0
multipoint;
family inet {
    next-hop-tunnel 192.168.100.244 ipsec-vpn vpn-cisco;
    address 192.168.100.5/24;
}

PS: 192.168.100.244 is a dummy IP; it doesn't have to be assigned to any interface.

PS: Why might the st0.0 interface be down? If you have multipoint VPN tunnels, at least one of the tunnels must be UP (i.e. its IPsec SA must be established) for the st0.0 interface to come up.

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


6 thoughts on “IPSEC VPN between SRX and Cisco”

  1. Hello,

    I’m just looking through this document about Juniper SRX to Cisco IPSec tunnel. Good document by the way : )

    I have the tunnel established with interface st0.0 up/up, but when I add the static route on the Juniper for the remote Cisco subnet, it does not appear in the Juniper routing table, so I don't think the Juniper is sending out encrypted packets, as I do not see them arriving on the Cisco.

    Am I missing something stupid here?

    Thanks for your time

    Stephen

  2. Hi Stephen,
    I think you are talking about what I said at the end of my post. I don’t recall what exactly I did during my testing but I had also trouble doing this that routes weren’t showing up. I will check this point during my studies on jncie-sec and update this post hopefully for future reference.

    Genco.

  3. Stephen,
    While I was doing some labs I have seen that you shouldn’t be leaving st0.0 without any IP assigned. If there is no IP, route doesn’t appear in the table. Also in multipoint configuration I have seen several cases that route isn’t being installed but each had different causes.

  4. Could you let me know which version of Junos you are using?
    I am using the Olive 12.1R1.9 and 10.1R1.8, but there are some commands missing.
    For instance, I cannot find the #set security ike gateway command. The “gateway” option is not there.

    Thanks
