JNCIE-SEC: IPSEC VPN between SRX and Cisco
In the JNCIE-SEC exam, one of the IPsec topics is “Interoperability with 3rd party devices”.
I have already written about this in a previous post, but this time I will configure a
policy-based VPN on the SRX side.
IPsec VPNs
- Implementation of IPsec VPNs
- Multipoint tunnels
- Policy and route-based VPNs
- Traceoptions
- Dual and backup tunnels
- On-demand tunnels
- DRP over a tunnel
- Dynamic VPNs
- Certificate-based VPNs
- PKI
- Interoperability with 3rd party devices
I will set up an IPsec VPN between the SRX device J41 and the Cisco device Cisco1. Ignore the st0.0
interface on the SRX, which belongs to my other setups; I also leave out some basic configuration
(zone address book entries, enabling ike under host-inbound-traffic, and so on) to keep the post readable.
What I want to achieve is to ping from the network behind SRX J41 (212.45.63.0/24)
towards 10.222.222.0/24 and 10.223.223.0/24 behind the Cisco device. Let's configure the devices;
SRX IKE Config
[edit security ike]
root@J41-Amsterdam# show
proposal cisco-prop {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    lifetime-seconds 28800;
}
policy cisco-pol {
    mode main;
    proposals cisco-prop;
    pre-shared-key ascii-text "$9$kqfz3nCpu1zFcyKvLX"; ## SECRET-DATA
}
gateway gw-cisco {
    ike-policy cisco-pol;
    address 10.221.221.2;
    external-interface ge-0/0/0.64;
}

The proposal does not set encryption-algorithm, so the Junos default (3des-cbc) applies; that is what the Cisco ISAKMP policy's "encr 3des" expects. Every parameter here (3DES, MD5, group 2, pre-shared key, 28800 s) has to match the Cisco "crypto isakmp policy" exactly, otherwise Phase 1 fails before anything else can be checked.
SRX IPSEC Config
[edit security ipsec]
root@J41-Amsterdam# show
proposal cisco-prop {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy cisco-pol {
    proposals cisco-prop;
}
vpn vpn-cisco {
    ike {
        gateway gw-cisco;
        ipsec-policy cisco-pol;
    }
}

Note that there is no bind-interface under vpn-cisco: this VPN is referenced from a security policy, not routed over an st0 unit, which is what makes it policy-based. 3DES, MD5 and DH group 2 are legacy choices that keep this lab image happy; on production peers use AES, SHA-2 and a stronger DH group wherever both sides support them.
SRX Security Policy Config
We create a pair of policies here for the 212.45.63.0/24 <---> 10.222.222.0/24 traffic. With a policy-based VPN the SRX takes the Phase 2 proxy-IDs from the policy's source and destination addresses, so these must mirror the crypto-map ACL on the Cisco side, and the two directions are tied together with pair-policy so that return traffic uses the same SA.

from-zone internal to-zone external-a {
    policy int-to-cisco1 {
        match {
            source-address net_212.45.63.0;
            destination-address net_10.222.222;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpn-cisco;
                    pair-policy cisco1-to-int;
                }
            }
        }
    }
}
from-zone external-a to-zone internal {
    policy cisco1-to-int {
        match {
            source-address net_10.222.222;
            destination-address net_212.45.63.0;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpn-cisco;
                    pair-policy int-to-cisco1;
                }
            }
        }
    }
}
Cisco Side Config
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key lab123 address 212.45.64.2
!
crypto ipsec transform-set vpn-with-srx esp-3des esp-md5-hmac
!
crypto map srx-map 1 ipsec-isakmp
 set peer 212.45.64.2
 set transform-set vpn-with-srx
 match address 101
!
interface FastEthernet0/0
 ip address 10.221.221.2 255.255.255.0
 duplex auto
 speed auto
 crypto map srx-map
!
interface FastEthernet0/1
 ip address 10.223.223.1 255.255.255.0 secondary
 ip address 10.222.222.1 255.255.255.0
 duplex auto
 speed auto
!
access-list 101 permit ip 10.222.222.0 0.0.0.255 212.45.63.0 0.0.0.255

The ISAKMP policy mirrors the SRX IKE proposal and the transform set mirrors the SRX IPsec proposal. The pre-shared key is bound to the SRX external address 212.45.64.2, and access-list 101 defines the protected traffic from the Cisco's point of view, i.e. with source and destination swapped relative to the SRX policy int-to-cisco1.
Now generate some traffic from 212.45.63.2 to 10.222.222.1. The first echo request is lost while the tunnel is negotiated on demand, which is why the replies start at icmp_req=2:

root@ubuntu2-vm:~# ping 10.222.222.1
PING 10.222.222.1 (10.222.222.1) 56(84) bytes of data.
64 bytes from 10.222.222.1: icmp_req=2 ttl=254 time=17.6 ms
64 bytes from 10.222.222.1: icmp_req=3 ttl=254 time=13.4 ms
Yes it works!
Check tunnel on SRX side
root@J41-Amsterdam> show security ike sa
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
447058  UP     ee83ae84b883a638  20f81115099d42b3  Main           192.168.179.2
447059  UP     61e6f26fb6c5074d  03934a7ea5402cee  Main           10.221.221.2
447055  UP     8d415d2250765bd0  7ed025a889833c10  Main           192.168.178.2

root@J41-Amsterdam> show security ipsec sa
  Total active tunnels: 4
  ID      Algorithm       SPI      Life:sec/kb   Mon lsys Port  Gateway
  <2      ESP:3des/sha1   69c01ec5 704/ unlim    -   root 500   192.168.178.2
  >2      ESP:3des/sha1   6d2f82ed 704/ unlim    -   root 500   192.168.178.2
  <4      ESP:3des/md5    5221c4f4 3564/ 4607999 -   root 500   10.221.221.2
  >4      ESP:3des/md5    6946e067 3564/ 4607999 -   root 500   10.221.221.2
  <131073 ESP:3des/sha1   4360b8a5 3515/ unlim   -   root 500   192.168.179.2
  >131073 ESP:3des/sha1   989bda9d 3515/ unlim   -   root 500   192.168.179.2
  <131074 ESP:3des/sha1   9c6149db 3529/ unlim   -   root 500   192.168.179.2
  >131074 ESP:3des/sha1   cf7fe42e 3529/ unlim   -   root 500   192.168.179.2

root@J41-Amsterdam> show security ipsec sa index 4
  ID: 4 Virtual-system: root, VPN Name: vpn-cisco
  Local Gateway: 212.45.64.2, Remote Gateway: 10.221.221.2
  Local Identity: ipv4_subnet(any:0,[0..7]=212.45.63.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=10.222.222.0/24)
  Version: IKEv1
  DF-bit: clear
  Policy-name: int-to-cisco1
  Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 600829
  Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 5221c4f4, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3468 seconds
    Lifesize Remaining: 4607999 kilobytes
    Soft lifetime: Expires in 2860 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: 6946e067, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3468 seconds
    Lifesize Remaining: 4607999 kilobytes
    Soft lifetime: Expires in 2860 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
We can see that
- IKE is established towards 10.221.221.2
- an IPsec SA with index 4 is also established, and Policy-name shows which policy triggered it
- Local and Remote Identities (212.45.63.0/24 and 10.222.222.0/24) are taken from the source and destination addresses of the security policy, not from any separate proxy-identity configuration
Check IPSEC on Cisco side
cisco1#show crypto isakmp sa
dst             src             state          conn-id slot status
10.221.221.2    212.45.64.2     QM_IDLE              1    0 ACTIVE

cisco1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: srx-map, local addr 10.221.221.2

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.222.222.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (212.45.63.0/255.255.255.0/0/0)
   current_peer 212.45.64.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.221.221.2, remote crypto endpt.: 212.45.64.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x5221C4F4(1377944820)

     inbound esp sas:
      spi: 0x6946E067(1766252647)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: srx-map
        sa timing: remaining key lifetime (k/sec): (4382517/3223)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x5221C4F4(1377944820)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: srx-map
        sa timing: remaining key lifetime (k/sec): (4382517/3223)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

We can see that the local and remote identities are taken from access-list 101, mirrored relative to the SRX. The SPIs cross as well: the SRX inbound SPI 5221c4f4 is the Cisco outbound SPI and the SRX outbound SPI 6946e067 is the Cisco inbound SPI, which is the quickest way to confirm that both boxes are looking at the same SA.
Now I will just duplicate my work, because I also want to reach the 10.223.223.0/24 network
behind this Cisco device. First the SRX side; we now have two policies in each direction:

from-zone internal to-zone external-a {
    policy int-to-cisco1 {
        match {
            source-address net_212.45.63.0;
            destination-address net_10.222.222;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpn-cisco;
                    pair-policy cisco1-to-int;
                }
            }
        }
    }
    policy net63-to-net223 {
        match {
            source-address net_212.45.63.0;
            destination-address net_10.223.223;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpn-cisco;
                    pair-policy net223-to-net63;
                }
            }
        }
    }
}
from-zone external-a to-zone internal {
    policy cisco1-to-int {
        match {
            source-address net_10.222.222;
            destination-address net_212.45.63.0;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpn-cisco;
                    pair-policy int-to-cisco1;
                }
            }
        }
    }
    policy net223-to-net63 {
        match {
            source-address net_10.223.223;
            destination-address net_212.45.63.0;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpn-cisco;
                    pair-policy net63-to-net223;
                }
            }
        }
    }
}
Second, the Cisco side configuration:
(We are adding another entry to access-list 101)
access-list 101 permit ip 10.223.223.0 0.0.0.255 212.45.63.0 0.0.0.255
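The proxy-ID mirroring between the SRX policies and access-list 101 is the point where a policy-based interop setup most often breaks, so here is an added Python check (my example, not configuration or code from the post) that parses both and reports any pair present on one side but not the other. The SRX policy text and the two access-list lines are the ones from this post; the address-book entries are an assumption, since the post leaves them out, chosen to match the /24s in the SRX Local/Remote Identity output.

```python
"""Derive the proxy-IDs an SRX policy-based VPN negotiates and check that they
mirror the Cisco crypto-map ACL.  Added example, not code from the post.  The
address-book entries are assumed (the post omits them); the Local/Remote
Identity output shows they resolve to these /24s."""
import ipaddress
import re

ADDRESS_BOOK = {                      # assumed; not shown in the post
    "net_212.45.63.0": "212.45.63.0/24",
    "net_10.222.222": "10.222.222.0/24",
    "net_10.223.223": "10.223.223.0/24",
}

# Policies as configured in the post (both directions, both remote subnets).
SRX_POLICIES = """
from-zone internal to-zone external-a {
    policy int-to-cisco1 {
        match { source-address net_212.45.63.0; destination-address net_10.222.222; application any; }
        then { permit { tunnel { ipsec-vpn vpn-cisco; pair-policy cisco1-to-int; } } } }
    policy net63-to-net223 {
        match { source-address net_212.45.63.0; destination-address net_10.223.223; application any; }
        then { permit { tunnel { ipsec-vpn vpn-cisco; pair-policy net223-to-net63; } } } } }
from-zone external-a to-zone internal {
    policy cisco1-to-int {
        match { source-address net_10.222.222; destination-address net_212.45.63.0; application any; }
        then { permit { tunnel { ipsec-vpn vpn-cisco; pair-policy int-to-cisco1; } } } }
    policy net223-to-net63 {
        match { source-address net_10.223.223; destination-address net_212.45.63.0; application any; }
        then { permit { tunnel { ipsec-vpn vpn-cisco; pair-policy net63-to-net223; } } } } }
"""

# The crypto-map ACL from the post after the second entry was added.
CISCO_ACL = """
access-list 101 permit ip 10.222.222.0 0.0.0.255 212.45.63.0 0.0.0.255
access-list 101 permit ip 10.223.223.0 0.0.0.255 212.45.63.0 0.0.0.255
"""


def _body(text, brace):
    """Return the text inside the brace block whose '{' is at text[brace]."""
    depth = 0
    for i in range(brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[brace + 1:i]
    raise ValueError("unbalanced braces in configuration")


def parse_srx_policies(cfg):
    """Yield one dict per policy: zones, address names, VPN and pair-policy."""
    for z in re.finditer(r"from-zone\s+(\S+)\s+to-zone\s+(\S+)\s*\{", cfg):
        zone_body = _body(cfg, z.end() - 1)
        # lookbehind keeps 'pair-policy X;' from being read as a policy block
        for p in re.finditer(r"(?<![\w-])policy\s+(\S+)\s*\{", zone_body):
            body = _body(zone_body, p.end() - 1)
            keys = ("source-address", "destination-address", "ipsec-vpn", "pair-policy")
            found = {k: re.search(rf"{k}\s+(\S+);", body) for k in keys}
            yield {"name": p.group(1), "from": z.group(1), "to": z.group(2),
                   **{k: m.group(1) if m else None for k, m in found.items()}}


def srx_proxy_ids(cfg, vpn, local_zone, book=ADDRESS_BOOK):
    """(local, remote) pairs the SRX negotiates for `vpn`.  For a policy leaving
    local_zone the source is the local ID; the reverse-direction policy swaps."""
    pairs = set()
    for pol in parse_srx_policies(cfg):
        if pol["ipsec-vpn"] != vpn:
            continue
        src, dst = book[pol["source-address"]], book[pol["destination-address"]]
        pairs.add((src, dst) if pol["from"] == local_zone else (dst, src))
    return pairs


def cisco_proxy_ids(cfg, acl):
    """(local, remote) pairs from 'access-list N permit ip SRC WC DST WC' lines.
    ipaddress accepts the Cisco wildcard directly as a hostmask."""
    pat = re.compile(rf"access-list\s+{acl}\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
    return {(str(ipaddress.ip_network(f"{s}/{sw}")), str(ipaddress.ip_network(f"{d}/{dw}")))
            for s, sw, d, dw in pat.findall(cfg)}


def compare(srx_cfg, cisco_cfg, vpn="vpn-cisco", acl=101, local_zone="internal"):
    """Every Cisco (local, remote) must show up on the SRX as (remote, local)."""
    srx = srx_proxy_ids(srx_cfg, vpn, local_zone)
    cisco = {(r, l) for l, r in cisco_proxy_ids(cisco_cfg, acl)}
    return {"matched": sorted(srx & cisco),
            "missing_on_cisco": sorted(srx - cisco),
            "missing_on_srx": sorted(cisco - srx)}


if __name__ == "__main__":
    for key, val in compare(SRX_POLICIES, CISCO_ACL).items():
        print(f"{key}: {val}")
```

compare() returns the mirrored pairs that match and those missing on either side; running it against only the first access-list line reproduces the state before this step, with the 212.45.63.0/24 <-> 10.223.223.0/24 pair reported as missing on the Cisco side. Cisco wildcard masks are handed to ipaddress.ip_network as hostmasks, which it accepts directly.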
Check the SRX again after the second network has been added;

root@J41-Amsterdam> show security ike sa
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
447058  UP     ee83ae84b883a638  20f81115099d42b3  Main           192.168.179.2
447059  UP     61e6f26fb6c5074d  03934a7ea5402cee  Main           10.221.221.2
447055  UP     8d415d2250765bd0  7ed025a889833c10  Main           192.168.178.2

root@J41-Amsterdam> show security ipsec sa
  Total active tunnels: 5
  ID      Algorithm       SPI      Life:sec/kb   Mon lsys Port  Gateway
  <2      ESP:3des/sha1   8da92165 1988/ unlim   -   root 500   192.168.178.2
  >2      ESP:3des/sha1   b49ddaeb 1988/ unlim   -   root 500   192.168.178.2
  <4      ESP:3des/md5    5221c4f4 1888/ 4607999 -   root 500   10.221.221.2
  >4      ESP:3des/md5    6946e067 1888/ 4607999 -   root 500   10.221.221.2
  <6      ESP:3des/md5    8022e935 3560/ 4607999 -   root 500   10.221.221.2
  >6      ESP:3des/md5    d33570d1 3560/ 4607999 -   root 500   10.221.221.2
  <131073 ESP:3des/sha1   4360b8a5 1839/ unlim   -   root 500   192.168.179.2
  >131073 ESP:3des/sha1   989bda9d 1839/ unlim   -   root 500   192.168.179.2
  <131074 ESP:3des/sha1   9c6149db 1853/ unlim   -   root 500   192.168.179.2
  >131074 ESP:3des/sha1   cf7fe42e 1853/ unlim   -   root 500   192.168.179.2
As we can see, an extra IPsec SA (index 6) has been established for the second policy pair, while the IKE SA towards 10.221.221.2 is shared.
This is probably not a recommended method if you have many networks to protect: every policy pair
negotiates its own Phase 2 SA with its own proxy-IDs, so the number of SAs grows with the number of
policies, and you wouldn't want to keep one tunnel per policy.
If you check the Cisco side, you will also see the mirrored local/remote identities for the second flow;

cisco1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: srx-map, local addr 10.221.221.2

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.222.222.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (212.45.63.0/255.255.255.0/0/0)
   current_peer 212.45.64.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.221.221.2, remote crypto endpt.: 212.45.64.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x5221C4F4(1377944820)

     inbound esp sas:
      spi: 0x6946E067(1766252647)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: srx-map
        sa timing: remaining key lifetime (k/sec): (4382517/1758)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x5221C4F4(1377944820)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: srx-map
        sa timing: remaining key lifetime (k/sec): (4382517/1758)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.223.223.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (212.45.63.0/255.255.255.0/0/0)
   current_peer 212.45.64.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.221.221.2, remote crypto endpt.: 212.45.64.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x8022E935(2149771573)

     inbound esp sas:
      spi: 0xD33570D1(3543494865)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: srx-map
        sa timing: remaining key lifetime (k/sec): (4546634/3430)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8022E935(2149771573)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: srx-map
        sa timing: remaining key lifetime (k/sec): (4546634/3428)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
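Reading the two outputs side by side works for two SAs but not for twenty, so here is an added Python script (mine, not from the post) that pairs the SRX and Cisco SAs by SPI and checks that the ESP algorithms agree. Both show outputs are constructed from the output above, trimmed to the table rows and the ident/SPI/transform lines this check uses.

```python
"""Pair the IPsec SAs an SRX and a Cisco IOS peer report for one tunnel by SPI.
Added example, not code from the post; the two show outputs below are
constructed from the post's output (trimmed to the fields used here)."""
import ipaddress
import re

SRX_SHOW = """\
Total active tunnels: 5
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <2    ESP:3des/sha1   8da92165 1988/ unlim   -   root 500   192.168.178.2
  >2    ESP:3des/sha1   b49ddaeb 1988/ unlim   -   root 500   192.168.178.2
  <4    ESP:3des/md5    5221c4f4 1888/ 4607999 -   root 500   10.221.221.2
  >4    ESP:3des/md5    6946e067 1888/ 4607999 -   root 500   10.221.221.2
  <6    ESP:3des/md5    8022e935 3560/ 4607999 -   root 500   10.221.221.2
  >6    ESP:3des/md5    d33570d1 3560/ 4607999 -   root 500   10.221.221.2
"""

CISCO_SHOW = """\
interface: FastEthernet0/0
    Crypto map tag: srx-map, local addr 10.221.221.2
   local ident (addr/mask/prot/port): (10.222.222.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (212.45.63.0/255.255.255.0/0/0)
   current_peer 212.45.64.2 port 500
     inbound esp sas:
      spi: 0x6946E067(1766252647)
        transform: esp-3des esp-md5-hmac ,
     outbound esp sas:
      spi: 0x5221C4F4(1377944820)
        transform: esp-3des esp-md5-hmac ,
   local ident (addr/mask/prot/port): (10.223.223.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (212.45.63.0/255.255.255.0/0/0)
   current_peer 212.45.64.2 port 500
     inbound esp sas:
      spi: 0xD33570D1(3543494865)
        transform: esp-3des esp-md5-hmac ,
     outbound esp sas:
      spi: 0x8022E935(2149771573)
        transform: esp-3des esp-md5-hmac ,
"""

# One table row: direction marker, SA id, ESP algorithms, SPI, ..., gateway.
SRX_ROW = re.compile(
    r"^\s*([<>])(\d+)\s+ESP:(\S+)\s+([0-9a-fA-F]+)\s+\d+/\s*\S+\s+\S+\s+\S+\s+\d+\s+(\S+)", re.M)

CISCO_ALIAS = {"sha": "sha1"}   # IOS writes SHA-1 as esp-sha-hmac


def parse_srx(text):
    """{sa_id: {'gateway', 'algo', 'in', 'out'}} from the 'show security ipsec sa' table."""
    sas = {}
    for direction, sa_id, algo, spi, gateway in SRX_ROW.findall(text):
        sa = sas.setdefault(int(sa_id), {"gateway": gateway, "algo": algo})
        sa["in" if direction == "<" else "out"] = spi.lower()
    return sas


def parse_cisco(text):
    """One entry per crypto-map flow: proxy identities as CIDR plus ESP SPIs."""
    entries = []
    for chunk in re.split(r"(?=local\s+ident)", text)[1:]:
        idents = re.findall(r"ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/", chunk)
        spis = re.findall(r"(inbound|outbound) esp sas:\s*spi: 0x([0-9A-Fa-f]+)", chunk)
        transform = re.search(r"transform: (\S+) (\S+)", chunk).groups()
        local, remote = (str(ipaddress.ip_network(f"{a}/{m}")) for a, m in idents[:2])
        entries.append({"local": local, "remote": remote, "algo": transform,
                        **{d: spi.lower() for d, spi in spis}})
    return entries


def algo_agrees(srx_algo, cisco_transform):
    """'3des/md5' on the SRX corresponds to ('esp-3des', 'esp-md5-hmac') on IOS."""
    enc, auth = srx_algo.split("/")
    cenc, cauth = (t.replace("esp-", "").replace("-hmac", "") for t in cisco_transform)
    return (enc, auth) == (cenc, CISCO_ALIAS.get(cauth, cauth))


def match_sas(srx_text, cisco_text, gateway):
    """Match each SRX SA toward `gateway` to the Cisco flow whose outbound SPI is
    the SRX inbound SPI and vice versa.  Anything left over on either side is a
    one-sided SA, the usual symptom of a re-key or clear that only one peer saw."""
    srx = {i: s for i, s in parse_srx(srx_text).items() if s["gateway"] == gateway}
    by_out = {e["outbound"]: e for e in parse_cisco(cisco_text)}
    res = {"matched": [], "unmatched_srx": [], "unmatched_cisco": [], "algo_mismatch": []}
    for sa_id, s in sorted(srx.items()):
        e = by_out.get(s.get("in"))
        if e and e["inbound"] == s.get("out"):
            res["matched"].append((sa_id, e["local"], e["remote"]))
            if not algo_agrees(s["algo"], e["algo"]):
                res["algo_mismatch"].append(sa_id)
            del by_out[s["in"]]
        else:
            res["unmatched_srx"].append(sa_id)
    res["unmatched_cisco"] = [(e["local"], e["remote"]) for e in by_out.values()]
    return res


if __name__ == "__main__":
    for key, val in match_sas(SRX_SHOW, CISCO_SHOW, "10.221.221.2").items():
        print(f"{key}: {val}")
```

A matched SA is one whose SRX inbound SPI is the Cisco outbound SPI and whose SRX outbound SPI is the Cisco inbound SPI; anything left over on either side is a one-sided SA, which is what you see when one peer has re-keyed or been cleared while the other still holds the old SA. The SAs towards the 192.168.x.x gateways are filtered out by the gateway argument, so the check only looks at the tunnel to Cisco1.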
In this post we have established a policy-based IPsec VPN between an SRX and a 3rd party device
and used some show commands to check the status of these connections.
Hello rtodto, I have a question about a log. This message was sent from my mobile phone, probably not clear enough.
kmd[1341]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: sh-sydney Gateway: gw-sydney, Local: *.*.80.62/500, Remote: *.*.173.202/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0