JNCIE-SEC: IPSEC VPN between SRX and Cisco

In JNCIE-SEC exam, one of the IPSEC topics is “Interoperability with 3rd party devices”.
In one of my previous post I had already written about this but this time, I will do
policy based VPN on SRX side.

IPsec VPNs

ipsec_cisco_srx

I will setup an IPSEC VPN between J41 SRX device Cisco1 cisco device. Just ignore the st0.0
interface on SRX as it is used in my other setups, also I won’t include some basic config e.g
zone address book, ike host-inbound enabling etc to make the post more clear.

What I want to achieve is
that I would like to ping from SRX J41 (network 212.45.63.0)
towards 10.222.222.0/24 and 10.223.223.0/24 behind Cisco device. Lets configure the devices;

SRX IKE Config

[edit security ike]
root@J41-Amsterdam# show 
proposal cisco-prop {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    lifetime-seconds 28800;
}
policy cisco-pol {
    mode main;
    proposals cisco-prop;
    pre-shared-key ascii-text "$9$kqfz3nCpu1zFcyKvLX"; ## SECRET-DATA
}
gateway gw-cisco {
    ike-policy cisco-pol;
    address 10.221.221.2;
    external-interface ge-0/0/0.64;
}                              

SRX IPSEC Config


[edit security ipsec]
root@J41-Amsterdam# show 
proposal cisco-prop {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy cisco-pol {
    proposals cisco-prop;
}
vpn vpn-cisco {
    ike {
        gateway gw-cisco;
        ipsec-policy cisco-pol;
    }
}

SRX Security Policy Config
We create two pair policy here for 212.45.63.0/24<--->10.222.222.0/24 traffic.

from-zone internal to-zone external-a {
    policy int-to-cisco1 {
        match {
            source-address net_212.45.63.0;
            destination-address net_10.222.222;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpn-cisco;
                    pair-policy cisco1-to-int;
                }
            }
        }
    }
}

from-zone external-a to-zone internal {
    policy cisco1-to-int {
        match {
            source-address net_10.222.222;
            destination-address net_212.45.63.0;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpn-cisco;
                    pair-policy int-to-cisco1;
                }
            }
        }
    }
}


Cisco Side Config

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key lab123 address 212.45.64.2
!
crypto ipsec transform-set vpn-with-srx esp-3des esp-md5-hmac 
!
crypto map srx-map 1 ipsec-isakmp 
 set peer 212.45.64.2
 set transform-set vpn-with-srx 
 match address 101
!
interface FastEthernet0/0
 ip address 10.221.221.2 255.255.255.0
 duplex auto
 speed auto
 crypto map srx-map
!
interface FastEthernet0/1
 ip address 10.223.223.1 255.255.255.0 secondary
 ip address 10.222.222.1 255.255.255.0
 duplex auto
 speed auto
!
access-list 101 permit ip 10.222.222.0 0.0.0.255 212.45.63.0 0.0.0.255

Now generate some traffic from 212.45.63.2 to 10.222.222.1

root@ubuntu2-vm:~# ping 10.222.222.1
PING 10.222.222.1 (10.222.222.1) 56(84) bytes of data.
64 bytes from 10.222.222.1: icmp_req=2 ttl=254 time=17.6 ms
64 bytes from 10.222.222.1: icmp_req=3 ttl=254 time=13.4 ms

Yes it works!

Check tunnel on SRX side

root@J41-Amsterdam> show security ike sa    
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
447058  UP     ee83ae84b883a638  20f81115099d42b3  Main           192.168.179.2   
447059  UP     61e6f26fb6c5074d  03934a7ea5402cee  Main           10.221.221.2    
447055  UP     8d415d2250765bd0  7ed025a889833c10  Main           192.168.178.2   

root@J41-Amsterdam> show security ipsec sa 
  Total active tunnels: 4
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <2    ESP:3des/sha1   69c01ec5 704/  unlim   -   root 500   192.168.178.2   
  >2    ESP:3des/sha1   6d2f82ed 704/  unlim   -   root 500   192.168.178.2   
  <4    ESP:3des/md5    5221c4f4 3564/  4607999 -  root 500   10.221.221.2    
  >4    ESP:3des/md5    6946e067 3564/  4607999 -  root 500   10.221.221.2    
  <131073 ESP:3des/sha1 4360b8a5 3515/ unlim   -   root 500   192.168.179.2   
  >131073 ESP:3des/sha1 989bda9d 3515/ unlim   -   root 500   192.168.179.2   
  <131074 ESP:3des/sha1 9c6149db 3529/ unlim   -   root 500   192.168.179.2   
  >131074 ESP:3des/sha1 cf7fe42e 3529/ unlim   -   root 500   192.168.179.2   

root@J41-Amsterdam> show security ipsec sa index 4 
  ID: 4 Virtual-system: root, VPN Name: vpn-cisco
  Local Gateway: 212.45.64.2, Remote Gateway: 10.221.221.2
  Local Identity: ipv4_subnet(any:0,[0..7]=212.45.63.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=10.222.222.0/24)
  Version: IKEv1
    DF-bit: clear
    Policy-name: int-to-cisco1
  Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 600829 
  Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 5221c4f4, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3468 seconds
    Lifesize Remaining:  4607999 kilobytes
    Soft lifetime: Expires in 2860 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 6946e067, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3468 seconds
    Lifesize Remaining:  4607999 kilobytes
    Soft lifetime: Expires in 2860 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

We can see that

  • IKE is established towards 10.221.221.2
  • an IPSEC sa with index number 4 is also established
  • Local and Remote Identities are determined according to the security policies configured

Check IPSEC on Cisco side

cisco1#show crypto isakmp sa
dst             src             state          conn-id slot status
10.221.221.2    212.45.64.2     QM_IDLE              1    0 ACTIVE


cisco1#show crypto ipsec sa 

interface: FastEthernet0/0
    Crypto map tag: srx-map, local addr 10.221.221.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.222.222.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (212.45.63.0/255.255.255.0/0/0)
   current_peer 212.45.64.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.221.221.2, remote crypto endpt.: 212.45.64.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x5221C4F4(1377944820)

     inbound esp sas:
      spi: 0x6946E067(1766252647)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: srx-map
        sa timing: remaining key lifetime (k/sec): (4382517/3223)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x5221C4F4(1377944820)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: srx-map
        sa timing: remaining key lifetime (k/sec): (4382517/3223)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

We can see the local and remote identities are taken form access-list 101

Now I will just duplicate my work. I also want to reach 10.223.223.0/24 network
behind this cisco device. I will do the same: First SRX side;

Now we have to policies in both directions

from-zone internal to-zone external-a {
    policy int-to-cisco1 {
        match {
            source-address net_212.45.63.0;
            destination-address net_10.222.222;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpn-cisco;
                    pair-policy cisco1-to-int;
                }
            }
        }
    }
    policy net63-to-net223 {
        match {
            source-address net_212.45.63.0;
            destination-address net_10.223.223;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpn-cisco;
                    pair-policy net223-to-net63;
                }
            }
        }                               
    }                                   
}   

from-zone external-a to-zone internal {
    policy cisco1-to-int {
        match {
            source-address net_10.222.222;
            destination-address net_212.45.63.0;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpn-cisco;
                    pair-policy int-to-cisco1;
                }
            }
        }
    }
    policy net223-to-net63 {
        match {
            source-address net_10.223.223;
            destination-address net_212.45.63.0;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpn-cisco;
                    pair-policy net63-to-net223;
                }
            }
        }
    }
}                             

Second Cisco side configuration:
(We are adding another access-list entry on 101)

access-list 101 permit ip 10.223.223.0 0.0.0.255 212.45.63.0 0.0.0.255

Check SRX again after the second network addition;

root@J41-Amsterdam> show security ike sa       
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
447058  UP     ee83ae84b883a638  20f81115099d42b3  Main           192.168.179.2   
447059  UP     61e6f26fb6c5074d  03934a7ea5402cee  Main           10.221.221.2    
447055  UP     8d415d2250765bd0  7ed025a889833c10  Main           192.168.178.2   

root@J41-Amsterdam> show security ipsec sa    
  Total active tunnels: 5
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <2    ESP:3des/sha1   8da92165 1988/ unlim   -   root 500   192.168.178.2   
  >2    ESP:3des/sha1   b49ddaeb 1988/ unlim   -   root 500   192.168.178.2   
  <4    ESP:3des/md5    5221c4f4 1888/  4607999 -  root 500   10.221.221.2    
  >4    ESP:3des/md5    6946e067 1888/  4607999 -  root 500   10.221.221.2    
  <6    ESP:3des/md5    8022e935 3560/  4607999 -  root 500   10.221.221.2    
  >6    ESP:3des/md5    d33570d1 3560/  4607999 -  root 500   10.221.221.2    
  <131073 ESP:3des/sha1 4360b8a5 1839/ unlim   -   root 500   192.168.179.2   
  >131073 ESP:3des/sha1 989bda9d 1839/ unlim   -   root 500   192.168.179.2   
  <131074 ESP:3des/sha1 9c6149db 1853/ unlim   -   root 500   192.168.179.2   
  >131074 ESP:3des/sha1 cf7fe42e 1853/ unlim   -   root 500   192.168.179.2   

As we can see we have an extra IPSEC sa established for the second policy.
This is possibly not a recommended method if you have many IPSEC tunnels.
You wouldn’t want to keep one tunnel per policy I suppose.

If you check cisco side, you will also see the opposite local/remote identities;

cisco1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: srx-map, local addr 10.221.221.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.222.222.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (212.45.63.0/255.255.255.0/0/0)
   current_peer 212.45.64.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.221.221.2, remote crypto endpt.: 212.45.64.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x5221C4F4(1377944820)

     inbound esp sas:
      spi: 0x6946E067(1766252647)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: srx-map
        sa timing: remaining key lifetime (k/sec): (4382517/1758)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x5221C4F4(1377944820)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: srx-map
        sa timing: remaining key lifetime (k/sec): (4382517/1758)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.223.223.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (212.45.63.0/255.255.255.0/0/0)
   current_peer 212.45.64.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.221.221.2, remote crypto endpt.: 212.45.64.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x8022E935(2149771573)

     inbound esp sas:
      spi: 0xD33570D1(3543494865)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: srx-map
        sa timing: remaining key lifetime (k/sec): (4546634/3430)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8022E935(2149771573)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: srx-map
        sa timing: remaining key lifetime (k/sec): (4546634/3428)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Now we have established a policy based IPSEC VPN between SRX and a 3rd party device in this post
and used some show commands to check the status of these connections.

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN, currently living in the Netherlands and works as a Network Support Engineer. // JNCIE-SEC #223 / RHCE / PCNSE


One thought on “JNCIE-SEC: IPSEC VPN between SRX and Cisco”

  1. hello rtodto,i have question for log.this message sent my mobile phone,Probably not clear enough.

    kmd[1341]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: sh-sydney Gateway: gw-sydney, Local: *.*.80.62/500, Remote: *.*.173.202/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

You have a feedback?

This site uses Akismet to reduce spam. Learn how your comment data is processed.