SRX

  • 1.  IPSEC between Juniper SRX and Cisco ASR1002

    Posted 09-09-2013 12:52

    Hello everyone,

    While trying to set up an IPsec session between the devices mentioned above, without success, I found that there are different ways to approach the configuration on each device:

    On the cisco side, I can do:

    a) Crypto-map based configuration, or

    b) VTI based configuration.

     

    On the juniper side, there is:

    a) Route-based tunnel config, and

    b) Policy-based tunnel config.

     

    I wonder which is the better combination, the one with which both devices are most compatible?

    Also, if someone could provide an example to follow, that would be great.

    Any help would be appreciated.

    Regards,

    Leo.



  • 2.  RE: IPSEC between Juniper SRX and Cisco ASR1002
    Best Answer

     
    Posted 09-09-2013 20:18

    We have a VPN between a SRX100 and ASR1004.

     

    Aggressive mode VPN initiated by the SRX.  OSPF over the tunnel. 

     

    33.33.33.0/30 -- tunnel subnet

    22.22.22.22 -- ASR interface

    11.11.11.11 -- public IP at Remote SRX location

    55.55.55.55 -- SRX loopback address

    192.168.1.111 -- SRX Untrust interface (NAT'ed to 11.11.11.11)

     

     

     

    Hope it helps.

     

    Regards,

    Sam

     

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key xxxxxxxxxx address 11.11.11.11
    crypto isakmp profile Remote-SRX
       keyring default
       match identity address 55.55.55.55 255.255.255.255
       initiate mode aggressive
    !
    crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
     mode tunnel
    !
    crypto ipsec profile VTI
     set transform-set 3DES
    !
    !
    interface Tunnel1
     description to Remote-SRX
     ip address 33.33.33.1 255.255.255.252
     ip mtu 1400
     ip ospf cost 40
     tunnel source 22.22.22.22
     tunnel mode ipsec ipv4
     tunnel destination 11.11.11.11
     tunnel protection ipsec profile VTI
    !
    interface GigabitEthernet0/1/1
     ip address 22.22.22.22 255.255.255.0
    !
    ip route 11.11.11.11 255.255.255.255 22.22.22.1 name Remote-SRX
    !
    
    
    

     

     

    set interfaces fe-0/0/0 unit 0 family inet address 192.168.1.111/24
    set interfaces lo0 unit 0 family inet address 55.55.55.55/32
    set interfaces st0 unit 0 family inet mtu 1400
    set interfaces st0 unit 0 family inet address 33.33.33.2/30
    set routing-options static route 22.22.22.22/32 next-hop 192.168.1.1
    set routing-options router-id 55.55.55.55
    set protocols ospf area 0.0.0.0 interface st0.0 metric 40
    set protocols ospf area 0.0.0.0 interface lo0.0 passive
    set security ike proposal isakmp-proposal authentication-method pre-shared-keys
    set security ike proposal isakmp-proposal dh-group group2
    set security ike proposal isakmp-proposal authentication-algorithm sha1
    set security ike proposal isakmp-proposal encryption-algorithm 3des-cbc
    set security ike proposal isakmp-proposal lifetime-seconds 28800
    set security ike policy isakmp-policy mode aggressive
    set security ike policy isakmp-policy proposals isakmp-proposal
    set security ike policy isakmp-policy pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxx"
    set security ike gateway HQ-p1 ike-policy isakmp-policy
    set security ike gateway HQ-p1 address 22.22.22.22
    set security ike gateway HQ-p1 local-identity inet 55.55.55.55
    set security ike gateway HQ-p1 external-interface fe-0/0/0
    set security ipsec proposal 3DES-proposal protocol esp
    set security ipsec proposal 3DES-proposal authentication-algorithm hmac-sha1-96
    set security ipsec proposal 3DES-proposal encryption-algorithm 3des-cbc
    set security ipsec proposal 3DES-proposal lifetime-seconds 3600
    set security ipsec proposal 3DES-proposal lifetime-kilobytes 4608000
    set security ipsec policy 3DES-policy proposals 3DES-proposal
    set security ipsec vpn HQ-p2 bind-interface st0.0
    set security ipsec vpn HQ-p2 ike gateway HQ-p1
    set security ipsec vpn HQ-p2 ike ipsec-policy 3DES-policy
    set security ipsec vpn HQ-p2 establish-tunnels immediately
    set security zones security-zone Untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
    set security zones security-zone Untrust interfaces fe-0/0/0.0 host-inbound-traffic protocols all
    set security zones security-zone Trust interfaces lo0.0 host-inbound-traffic system-services all
    set security zones security-zone Trust interfaces lo0.0 host-inbound-traffic protocols all
    set security zones security-zone VPN-Tunnel interfaces st0.0 host-inbound-traffic system-services all
    set security zones security-zone VPN-Tunnel interfaces st0.0 host-inbound-traffic protocols all

     



  • 3.  RE: IPSEC between Juniper SRX and Cisco ASR1002

    Posted 11-26-2013 18:26

    Hi samc,

     

     

    Is this a working configuration? By the way, is the Cisco dynamic and the Juniper a static IP? These are really great and good configurations, if this is really working.

    Thank You



  • 4.  RE: IPSEC between Juniper SRX and Cisco ASR1002

    Posted 11-27-2013 07:18

    VTI on the Cisco side and route-based on the Juniper side (basically the same thing) is the most versatile configuration.

     

    Crypto maps are archaic and shouldn't be used unless you have no choice (e.g. on an ASA).

     


    @samc wrote:

    We have a VPN between a SRX100 and ASR1004.

     

    Aggressive mode VPN initiated by the SRX

     


    You should use IKEv2 instead of aggressive mode IKEv1 if the IPs are static.
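
    Spud's suggestion written out, as an added example that is not part of any post in this thread: Sam's design (VTI on the ASR, route-based st0.0 on the SRX, OSPF over the tunnel) with phase 1 moved from aggressive-mode IKEv1 to IKEv2. Addresses and object names reuse Sam's (22.22.22.22, 11.11.11.11, 55.55.55.55, 33.33.33.0/30, HQ-p1, HQ-p2, st0.0, Tunnel1); the new proposal, policy, keyring and profile names and the AES-256 / SHA-256 / DH group 14 choices are my assumptions, not something the page specifies. Since the SRX still sits behind a NAT router, the ASR keeps matching the SRX by its IKE identity (the loopback 55.55.55.55) while the IKE packets arrive from 11.11.11.11; IKEv2 carries the identity in IDi and negotiates NAT traversal on its own, which is what removes the need for aggressive mode. The Junos half uses lines starting with `#` as annotations for the reader; strip them before pasting.

```text
! ===== Cisco ASR (IOS-XE) side: IKEv2 + VTI (added example, not Sam's config) =====
crypto ikev2 proposal IKEv2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEv2-POL
 proposal IKEv2-PROP
!
! Keyring: IKE packets come from the NAT address, the SRX identifies itself by its loopback
crypto ikev2 keyring SRX-KEYRING
 peer Remote-SRX
  address 11.11.11.11
  identity address 55.55.55.55
  pre-shared-key xxxxxxxxxx
!
crypto ikev2 profile IKEv2-PROFILE
 match identity remote address 55.55.55.55 255.255.255.255
 identity local address 22.22.22.22
 authentication remote pre-share
 authentication local pre-share
 keyring local SRX-KEYRING
!
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile VTI-IKEv2
 set transform-set AES256-SHA256
 set pfs group14
 set ikev2-profile IKEv2-PROFILE
!
! Tunnel1 keeps Sam's address, ip mtu, ospf cost, source and destination; only the profile changes
interface Tunnel1
 tunnel protection ipsec profile VTI-IKEv2
!

# ===== Junos SRX side: IKEv2, route-based on st0.0 (added example, not Sam's config) =====
# IKE: note there is no 'mode aggressive' statement, IKEv2 has no exchange modes
set security ike proposal IKEv2-PROP authentication-method pre-shared-keys
set security ike proposal IKEv2-PROP dh-group group14
set security ike proposal IKEv2-PROP authentication-algorithm sha-256
set security ike proposal IKEv2-PROP encryption-algorithm aes-256-cbc
set security ike proposal IKEv2-PROP lifetime-seconds 28800
set security ike policy IKEv2-POL proposals IKEv2-PROP
set security ike policy IKEv2-POL pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxx"
# Gateway HQ-p1 keeps the peer address, loopback identity and external interface; only the policy and version change
set security ike gateway HQ-p1 ike-policy IKEv2-POL
set security ike gateway HQ-p1 address 22.22.22.22
set security ike gateway HQ-p1 local-identity inet 55.55.55.55
set security ike gateway HQ-p1 external-interface fe-0/0/0.0
set security ike gateway HQ-p1 version v2-only
# IPsec: ESP with PFS, matching the ASR transform set and 'set pfs group14'
set security ipsec proposal ESP-PROP protocol esp
set security ipsec proposal ESP-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal ESP-PROP encryption-algorithm aes-256-cbc
set security ipsec proposal ESP-PROP lifetime-seconds 3600
set security ipsec policy ESP-POL perfect-forward-secrecy keys group14
set security ipsec policy ESP-POL proposals ESP-PROP
# VPN HQ-p2 stays bound to st0.0; st0.0, OSPF, zones and the static route to 22.22.22.22 are unchanged
set security ipsec vpn HQ-p2 bind-interface st0.0
set security ipsec vpn HQ-p2 ike gateway HQ-p1
set security ipsec vpn HQ-p2 ike ipsec-policy ESP-POL
set security ipsec vpn HQ-p2 establish-tunnels immediately
```

    Both ends must agree on the IKE and ESP algorithms and on the PFS group, so change them in pairs. To confirm the result is actually IKEv2 rather than a silent fallback, check `show security ike security-associations detail` on the SRX (it reports the IKE version per SA) and `show crypto ikev2 sa` on the ASR; `show security ipsec security-associations` and `show crypto ipsec sa` show the child SAs, and the OSPF adjacency over 33.33.33.0/30 should come back once those are up.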



  • 5.  RE: IPSEC between Juniper SRX and Cisco ASR1002

     
    Posted 11-27-2013 07:57

    Thanks Spud!

     

    I'll have to look into IKEv2...  my wish is that one day, ASR's will be replaced with SRX's  🙂

     

    Thanks again for the suggestion.

     

    Regards,

    Sam



  • 6.  RE: IPSEC between Juniper SRX and Cisco ASR1002

    Posted 11-28-2013 01:21

    Hi Spud,

     

    How are we going to do this? I thought a non-Juniper remote device had to be policy-based? Do you have any sample working configurations?

    It's really a big help to us. In my case, for instance, the main office has a Juniper SRX210 (static IP) and the remote site a Cisco 1841 (DHCP); how am I going to do this?

     

     

     

    Please help me.

    Thank you for your effort and time.

    May God bless you always.



  • 7.  RE: IPSEC between Juniper SRX and Cisco ASR1002

    Posted 06-06-2014 05:44

    I've been testing this lately.

     

    I can only get Junos route-based -> Cisco VTI to come up when the endpoints are explicitly defined, not when one side is using DHCP.

     

    Phase 1 works (the SRX sends its IKE identity), but phase 2 doesn't. However, my example uses DHCP on the SRX side.

    Yours may work using IKE identity, as long as you can define a source IKE identity on the Cisco side, e.g.

     

    interface Tunnel0
     tunnel source dynamic
     tunnel destination (Juniper SRX)



  • 8.  RE: IPSEC between Juniper SRX and Cisco ASR1002

     
    Posted 11-27-2013 07:51

    Hello.

     

    These are configs I pulled from our production devices... I only changed the IPs.

     

    We're using aggressive mode, but the IP addresses of the two endpoints are static. The SRX is behind an internet router that we do not manage, thus aggressive mode.

     

    Regards,

    Sam