SRX Services Gateway
zvr
Regular Visitor
Posts: 7
Registered: ‎08-31-2009

Allow (CiscoVPN) IPsec through

I've just received notice that some users in our "internal" network want to use a CiscoVPN solution to connect from their PCs to a remote server. As far as I can tell, this is based on IPsec.


The default policy from internal to external is "permit" (for source-address any; destination-address any; application any). Does this cover protocols like ESP (50) and AH (51), or does it only mean TCP?


If the latter (since it does not seem to work), how do I allow IPsec to pass through?

Many thanks in advance,
Distinguished Expert
aarseniev
Posts: 1,741
Registered: ‎08-21-2009

Re: Allow (CiscoVPN) IPsec through


Hello,

AFAIAA, Cisco VPN client can also work over TCP/10000, UDP/10000 or UDP/4500 depending on version. Maybe a good idea to try and reconfigure VPN clients for these users since you mentioned only "some users" have trouble.

I'd hazard a guess that your users in "internal" network are also NAPT-ed when going to "external", or are they?

If yes, then I think that NAT-ing ESP/proto 50 could only be done statically at the moment.

Rgds

Alex

___________________________________
Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
Contributor
jodros
Posts: 38
Registered: ‎11-23-2009

Re: Allow (CiscoVPN) IPsec through


During Phase 1 negotiation, you will need UDP 500 (ISAKMP). Phase 2 (the encrypted data) can be passed on numerous ports, ranging from ESP to TCP/10000 to custom UDP ports. We run our Cisco VPN environment with IPSec over a custom UDP port. We also run NAT-T (UDP 4500). I do not know if Juniper's "application any" looks at the IP header for protocol, such as TCP (protocol 6), UDP (protocol 17), ESP (protocol 50), or if it looks at the TCP/UDP header for port. I know with Cisco, an ACL is based on the layer 3 protocol. Example: permit ip any any. That would allow all TCP or UDP ports from any host to any host. It would not allow ESP, ICMP or GRE. To allow those protocols, the statement would have to read permit esp any any, or permit icmp any any. I hope this helps.

____________
CCNP - GCFW
zvr
Regular Visitor
Posts: 7
Registered: ‎08-31-2009

Re: Allow (CiscoVPN) IPsec through

Thanks for your reply!


Oh, yes, I forgot to mention this very important fact that the "internal" network is NAT-ted, and as a matter of fact NAPT: all internal addresses of 10.x.x.x get mapped to a (small) range of public IP addresses (and ports).


I didn't mention that "only some users" have trouble; "only some users" want to use this connection method and they all have trouble :-)


Any reference to NAT-ing ESP and/or AH?

Contributor
jodros
Posts: 38
Registered: ‎11-23-2009

Re: Allow (CiscoVPN) IPsec through

This question would have to be answered by someone more knowledgeable in JUNOS than I. The real question comes back to the "match application any" statement. What exactly does the "any" include?

____________
CCNP - GCFW
Contributor
jodros
Posts: 38
Registered: ‎11-23-2009

Re: Allow (CiscoVPN) IPsec through

I think I found what you need.  You might have to create a custom application with protocol option.  Try this and see if it works.


applications {
    application ESP protocol esp;
    application ISAKMP {
        protocol udp;
        destination-port 500;
    }
    application NAT-T {
        protocol udp;
        destination-port 4500;
    }
    application-set Cisco_VPN {
        application ESP;
        application NAT-T;
        application ISAKMP;
    }
}

from-zone trust to-zone untrust {
    policy permit_Cisco_VPN {
        match {
            source-address any;
            destination-address any;
            application Cisco_VPN;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
            count;
        }
    }
}


You can add more custom applications to the application-set Cisco_VPN and then just reference the application-set Cisco_VPN in your policy. I would ask the Cisco VPN administrator what client ports/protocols they have configured and add them all to the Cisco_VPN application-set. Source NAT should only be looking at source and destination IP addressing, so I do not think you will need to add any application-specific information to the source NAT rules.


Hope this helps.

____________
CCNP - GCFW
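The same custom applications placed in the full Junos hierarchy, as an added example that is not jodros's config and not Juniper documentation. Compared with the snippet above it assumes two things the thread does not state: zone names "trust" and "untrust", and that the remote VPN concentrator has a known address (the 203.0.113.10 value below is a constructed placeholder), so the policy can be scoped to that destination instead of "any". Placing the policy before the broad permit-any policy lets its hit count and session logs show whether ISAKMP, NAT-T and ESP traffic is really matching it.

```junos
/* Added example (not the poster's own config). Assumed names: zones
   trust/untrust, address-book entry vpn-server, placeholder 203.0.113.10. */
applications {
    application ESP {
        protocol esp;                /* IP protocol 50, no ports */
    }
    application ISAKMP {
        protocol udp;
        destination-port 500;        /* IKE Phase 1 */
    }
    application NAT-T {
        protocol udp;
        destination-port 4500;       /* UDP-encapsulated ESP, survives NAPT */
    }
    application-set Cisco_VPN {
        application ESP;
        application ISAKMP;
        application NAT-T;
    }
}
security {
    zones {
        security-zone untrust {
            address-book {
                /* constructed placeholder for the remote VPN concentrator */
                address vpn-server 203.0.113.10/32;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* keep this policy ordered before any broad permit-any policy */
            policy permit_Cisco_VPN {
                match {
                    source-address any;
                    destination-address vpn-server;
                    application Cisco_VPN;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
}
```

After committing, `show security policies policy-name permit_Cisco_VPN detail` shows the policy's counters, and `show security flow session protocol esp` lists any ESP sessions the box is tracking; if NAT-T sessions (UDP/4500) appear but no ESP sessions do, the clients have already fallen back to UDP encapsulation, which is what the NAPT discussion in this thread predicts.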
Distinguished Expert
aarseniev
Posts: 1,741
Registered: ‎08-21-2009

Re: Allow (CiscoVPN) IPsec through

Hello there,

ScreenOS supports this from 6.3 onwards

http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_rn_r1.pdf page 9

Also

http://kb.juniper.net/index?page=content&id=KB13422

I have no idea when ESP NAT with IP overload is going to be supported in SRX.

Also, Cisco IOS supports this only with "predictive SPI"

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsecnat.html#wp1054728

Rgds

Alex

___________________________________
Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
Trusted Contributor
evt
Posts: 175
Registered: ‎02-10-2008

Re: Allow (CiscoVPN) IPsec through

I know your post is from like 4 years ago, but the config snippet resolved the problem I was having, so thanks!

Regular Visitor
OWLBARON
Posts: 8
Registered: ‎09-08-2011

Re: Allow (CiscoVPN) IPsec through

I also met this problem. Cisco VPN uses fragmented packets; if you configure the IP frag screen option, the device will drop fragmented IP packets, so users cannot connect to Cisco VPN.
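The screen setting OWLBARON describes, shown as an added example that is not the poster's own config: the `ip block-frag` option drops every fragmented IP packet on the zone it is attached to, which includes the large IKE packets the Cisco client sends. The profile name "untrust-screen" and the zone name "untrust" are assumptions; the second profile keeps the fragment-related `tear-drop` check (overlapping fragments) while no longer blocking fragments outright.

```junos
/* Added example (not the poster's own config). Assumed names:
   screen profiles untrust-screen / untrust-screen-vpn, zone untrust. */
security {
    screen {
        /* profile that breaks the Cisco client: all fragments are dropped */
        ids-option untrust-screen {
            ip {
                block-frag;
            }
        }
        /* replacement profile: still rejects overlapping (teardrop) fragments,
           but lets legitimate fragmented IKE/ESP packets through */
        ids-option untrust-screen-vpn {
            ip {
                tear-drop;
            }
        }
    }
    zones {
        security-zone untrust {
            /* switch the zone from untrust-screen to the relaxed profile */
            screen untrust-screen-vpn;
        }
    }
}
```

`show security screen statistics zone untrust` reports per-screen drop counters for the zone; a rising fragment counter while VPN clients fail to connect is the quick way to confirm this is the cause before changing the profile.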
