IPSEC VPN between SRX and Cisco
In this post, I would like to share my site-to-site IPsec VPN configuration between an SRX100 (Junos 11.1R4.4) and a Cisco 3725 (IOS 12.4, running on Dynamips).
Cisco Configuration
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco3725
!
boot-start-marker
boot-end-marker
!
enable password 7 030455DDD03241D1C5A
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key juniper123 address 192.168.0.1
!
!
crypto ipsec transform-set vpn-with-junos esp-3des esp-md5-hmac
!
crypto map junos-map 1 ipsec-isakmp
 set peer 192.168.0.1
 set transform-set vpn-with-junos
 match address 101
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.222.2 255.255.255.0
 duplex auto
 speed auto
 crypto map junos-map
!
interface FastEthernet0/1
 ip address 192.168.223.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 192.168.222.1
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.223.0 0.0.0.255 10.3.3.0 0.0.0.255
!
!
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password 7 011B04055E07035Y731F
 login
!
!
end
JUNOS IPSEC related config
[edit]
root@hub# show security ike
proposal cisco-prop {
    authentication-method pre-shared-keys;
    dh-group group1;
    authentication-algorithm md5;
    lifetime-seconds 28800;
}
policy cisco-pol {
    mode main;
    proposals cisco-prop;
    pre-shared-key ascii-text "$9$IB6hyKX7V4aUM8aUjH5TRhSrM8xNdsgo"; ## SECRET-DATA
}
gateway gw-cisco {
    ike-policy cisco-pol;
    address 192.168.222.2;
    external-interface vlan.10;
}

[edit]
root@hub# show security ipsec
proposal cisco-prop {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy cisco-pol {
    proposals cisco-prop;
}
vpn vpn-cisco {
    bind-interface st0.0;
    ike {
        gateway gw-cisco;
        proxy-identity {
            local 10.3.3.0/24;
            remote 192.168.223.0/24;
            service any;
        }
        ipsec-policy cisco-pol;
    }
    establish-tunnels immediately;
}

root@hub# show routing-options
static {
    route 192.168.222.0/24 next-hop 192.168.0.101;
    route 192.168.223.0/24 next-hop 192.168.100.244;
}
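Before reading SA output, it is worth confirming that the two sides' proposals actually agree, since a phase 1 or phase 2 mismatch or a non-mirrored proxy ID is the usual reason an SRX-to-IOS tunnel never comes up. The following Python script is an added example, not part of the original post and not vendor tooling: it parses the crypto statements copied from the IOS and Junos fragments above into a vendor-neutral form and reports mismatches. The IOS defaults it fills in when the ISAKMP policy omits a keyword (DH group 1, 86400-second lifetime) are my assumptions about IOS behaviour, and because the Junos IKE proposal above sets no encryption-algorithm, that parameter is reported as relying on the device default rather than compared.

```python
"""Cross-check IOS and Junos IKE/IPsec parameters (added example, not the post's code)."""
import ipaddress
import re

# Fragments copied from the configurations above, reduced to the crypto statements.
IOS_CFG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 28800
crypto ipsec transform-set vpn-with-junos esp-3des esp-md5-hmac
access-list 101 permit ip 192.168.223.0 0.0.0.255 10.3.3.0 0.0.0.255
"""
JUNOS_IKE_PROPOSAL = """\
authentication-method pre-shared-keys;
dh-group group1;
authentication-algorithm md5;
lifetime-seconds 28800;
"""
JUNOS_IPSEC = """\
proposal cisco-prop {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
proxy-identity {
    local 10.3.3.0/24;
    remote 192.168.223.0/24;
    service any;
}
"""

# Vendor spellings mapped to one neutral token per algorithm / authentication method.
CANON = {"3des": "3des", "3des-cbc": "3des", "md5": "md5", "hmac-md5-96": "md5",
         "sha": "sha1", "sha1": "sha1", "hmac-sha1-96": "sha1",
         "pre-share": "psk", "pre-shared-keys": "psk"}

def wildcard_to_cidr(addr, wildcard):
    """IOS 'network wildcard' pair -> CIDR string (0.0.0.255 is a /24)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return str(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))

def parse_ios(cfg):
    """Return phase 1, phase 2 and crypto-ACL parameters from an IOS fragment."""
    # Assumed IOS defaults when the policy omits the keyword: DH group 1, 86400 s lifetime.
    p1 = {"encr": None, "hash": None, "auth": None, "group": "1", "lifetime": "86400"}
    out = {"phase1": p1, "phase2": {}, "acl": []}
    in_policy = False
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("crypto isakmp policy"):
            in_policy = True
            continue
        if in_policy and line.startswith(" "):      # indented sub-commands of the policy
            k, _, v = s.partition(" ")
            p1[{"authentication": "auth"}.get(k, k)] = v
            continue
        in_policy = False
        m = re.match(r"crypto ipsec transform-set \S+ esp-(\S+) esp-(\S+)-hmac$", s)
        if m:
            out["phase2"] = {"encr": m.group(1), "auth": m.group(2)}
        m = re.match(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)$", s)
        if m:
            out["acl"].append((wildcard_to_cidr(m.group(1), m.group(2)),
                               wildcard_to_cidr(m.group(3), m.group(4))))
    return out

def parse_junos_kv(text):
    """Flatten every 'keyword value;' statement of a Junos snippet into a dict."""
    return dict(re.findall(r"^\s*([\w-]+)\s+([^;{}]+);", text, re.M))

def check(ios_cfg, junos_ike, junos_ipsec):
    """Return (mismatches, notes); an empty mismatch list means both sides agree."""
    ios = parse_ios(ios_cfg)
    ike = parse_junos_kv(junos_ike)
    ipsec = parse_junos_kv(junos_ipsec)
    problems, notes = [], []
    pairs = [  # (label, IOS value, Junos value)
        ("phase1 encryption", ios["phase1"]["encr"], ike.get("encryption-algorithm")),
        ("phase1 auth method", ios["phase1"]["auth"], ike.get("authentication-method")),
        ("phase1 hash", ios["phase1"]["hash"], ike.get("authentication-algorithm")),
        ("phase1 dh group", ios["phase1"]["group"], ike.get("dh-group", "").replace("group", "")),
        ("phase1 lifetime", ios["phase1"]["lifetime"], ike.get("lifetime-seconds")),
        ("phase2 encryption", ios["phase2"].get("encr"), ipsec.get("encryption-algorithm")),
        ("phase2 auth", ios["phase2"].get("auth"), ipsec.get("authentication-algorithm")),
    ]
    for label, a, b in pairs:
        if a is None or b is None:
            notes.append(f"{label}: not set explicitly on one side (device default applies)")
        elif CANON.get(a, a) != CANON.get(b, b):
            problems.append(f"{label}: IOS={a} Junos={b}")
    # Junos proxy IDs must be the mirror image (src/dst swapped) of the IOS crypto ACL.
    want = (ipsec.get("remote"), ipsec.get("local"))
    if want not in ios["acl"]:
        problems.append(f"proxy-id: Junos remote/local {want} not mirrored by IOS ACL {ios['acl']}")
    return problems, notes
```

Running `check(IOS_CFG, JUNOS_IKE_PROPOSAL, JUNOS_IPSEC)` on the post's configuration returns no mismatches and one note about the unset Junos IKE encryption algorithm; changing either transform-set element or a proxy-ID prefix produces a one-line description of the disagreement.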
Troubleshooting outputs
[edit]
root@hub# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
528164  UP     aa10d2af78cf71e3  c90e04cbcd0385b9  Main  192.168.222.2

root@hub# run show security ipsec security-associations
  Total active tunnels: 1
  ID       Algorithm      SPI       Life:sec/kb    Mon  vsys  Port  Gateway
  <131075  ESP:3des/md5   a9fd9418  2106/ 3686400  -    root  500   192.168.222.2
  >131075  ESP:3des/md5   c90f79c   2106/ 3686400  -    root  500   192.168.222.2
And finally, the proof that the IPsec tunnel works:

root@hub# run ping 192.168.223.1 source 10.3.3.1
PING 192.168.223.1 (192.168.223.1): 56 data bytes
64 bytes from 192.168.223.1: icmp_seq=0 ttl=255 time=12.787 ms
64 bytes from 192.168.223.1: icmp_seq=1 ttl=255 time=9.699 ms
64 bytes from 192.168.223.1: icmp_seq=2 ttl=255 time=9.372 ms
Actually, I have tried to set up a multipoint tunnel interface on the SRX side, but I could never make it work. If I use a multipoint interface, I have to use NHTB like this:

root@hub# top show interfaces st0.0
multipoint;
family inet {
    next-hop-tunnel 192.168.100.244 ipsec-vpn vpn-cisco;
    address 192.168.100.5/24;
}
PS: 192.168.100.244 is a dummy IP; it doesn't have to be assigned to any interface.
PS: Why can the st0.0 interface be down? With multipoint VPN tunnels, for the st0.0 interface to be up at least one of the tunnels must be UP (i.e. an IPsec SA must be established).
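The link between the st0.0 address and the static route pointing at the NHTB next hop can be checked mechanically. The following Python script is an added example, not part of the original post: it reads the st0.0 and routing-options fragments shown above and reports any static route whose next hop is a next-hop-tunnel entry that cannot resolve, either because st0.0 has no address at all or because the NHTB address falls outside every st0.0 subnet. The rule it encodes, that a static next hop needs a connected route on the tunnel interface's subnet before the route can be installed, is standard routing behaviour rather than anything Junos-specific, and the sample configuration strings are the ones from this post.

```python
"""Check that tunnel-bound static routes can resolve via st0.0 (added example, not the post's code)."""
import ipaddress
import re

# st0.0 and routing-options fragments copied from the post above.
ST0_CFG = """\
multipoint;
family inet {
    next-hop-tunnel 192.168.100.244 ipsec-vpn vpn-cisco;
    address 192.168.100.5/24;
}
"""
STATIC_CFG = """\
static {
    route 192.168.222.0/24 next-hop 192.168.0.101;
    route 192.168.223.0/24 next-hop 192.168.100.244;
}
"""

def parse_st0(text):
    """Extract multipoint flag, interface addresses and the NHTB table from an st0.0 snippet."""
    addrs = [ipaddress.ip_interface(a) for a in re.findall(r"^\s*address (\S+);", text, re.M)]
    nhtb = dict(re.findall(r"^\s*next-hop-tunnel (\S+) ipsec-vpn (\S+);", text, re.M))
    return {"multipoint": bool(re.search(r"^\s*multipoint;", text, re.M)),
            "addresses": addrs, "nhtb": nhtb}

def parse_static(text):
    """Map each static route prefix to its next hop."""
    return dict(re.findall(r"^\s*route (\S+) next-hop (\S+);", text, re.M))

def route_resolution(st0_cfg, static_cfg):
    """Return {prefix: reason} for static routes that point into the tunnel but cannot resolve."""
    st0 = parse_st0(st0_cfg)
    failures = {}
    for prefix, nh in parse_static(static_cfg).items():
        if nh not in st0["nhtb"]:
            continue  # not a tunnel next hop; resolved via some other interface
        nh_ip = ipaddress.ip_address(nh)
        if not st0["addresses"]:
            failures[prefix] = f"st0.0 has no address, so next-hop {nh} has no connected route"
        elif not any(nh_ip in a.network for a in st0["addresses"]):
            failures[prefix] = f"next-hop {nh} is outside st0.0 subnet(s)"
    return failures
```

With the post's configuration `route_resolution(ST0_CFG, STATIC_CFG)` returns an empty dict; deleting the `address` statement from st0.0 makes the 192.168.223.0/24 route show up as unresolvable, which is the symptom of a missing st0.0 address.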
Hello,
I'm just looking through this document about the Juniper SRX to Cisco IPsec tunnel. Good document by the way : )
I have the tunnel established with interface st0.0 up/up, but when I add the static route on the Juniper for the remote Cisco subnet, it does not appear in the Juniper routing table, so I don't think the Juniper is sending out encrypted packets, as I do not see them arriving on the Cisco.
Am I missing something stupid here?
Thanks for your time
Stephen
Hi Stephen,
I think you are talking about what I said at the end of my post. I don't recall exactly what I did during my testing, but I also had trouble with this: routes weren't showing up. I will check this point during my studies for JNCIE-SEC and hopefully update this post for future reference.
Genco.
Stephen,
While I was doing some labs, I have seen that you shouldn't leave st0.0 without any IP assigned. If there is no IP, the route doesn't appear in the table. Also, in multipoint configuration I have seen several cases where the route isn't being installed, but each had different causes.
Could you let me know which version of Junos you are using?
I am using the Olive 12.1R1.9 and 10.1R1.8, but there are some commands missing.
For instance, I cannot find the #set security ike gateway command. The "gateway" option is not there.
Thanks
My test was on a physical SRX100. You can't find those commands on an Olive, but you can install a virtual SRX firewall on a VMware ESX server if you like. You can see my other post on this: http://rtoodtoo.net/2014/02/16/firefly-perimeter-cluster-setup-on-vmware-esx/