SRX Services Gateway
Contributor
DanF
Posts: 15
Registered: 02-17-2011
0

SRX 240 to Cisco VPN Help

Any help that you might be able to provide would be greatly appreciated.

We are trying to Lan to Lan vpn between our SRX and a Cisco appliance.  Here's the relevant information.


X.X.X.100 is our external IP on the Juniper and is ge-0/0/0
X.X.X.126 is what I gave st0.1
10.10.2.0/24 is our internal subnet
Y.Y.Y.Y is their external IP on their Cisco
192.168.0.0/24 is their internal subnet

show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
5105    Y.Y.Y.Y         UP     XXXXXXXXX         XXXXXXXXX       Main


show security ipsec security-associations
Lists our other active VPN but does not show this one.  


I don't have the Cisco config, but he said he pretty much matched everything I list below on his end, including the lifetimes.  I'm thinking that the lifetimes don't need to match, but I don't know what they should be.


And the relevant Juniper end config.  Please let me know if you need any more information and I'll do what I can.


interfaces {
    st0 {
        unit 1 {
            family inet {
                address X.X.X.126/27;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 10.10.2.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 192.168.0.0/24 next-hop st0.1;
    }
}
security {
    ike {
        proposal ike-prop-cisco {
            description cisco;
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy ike-policy-cisco {
            mode main;
            description cisco;
            proposals ike-prop-cisco;
            pre-shared-key ascii-text "KEY";
        }
        gateway ike-gate-cisco {
            ike-policy ike-policy-cisco;
            address Y.Y.Y.Y;
            dead-peer-detection {
                interval 10;
                threshold 5;
            }
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        vpn-monitor-options {
            interval 15;
            threshold 15;
        }
        proposal ipsec-prop-cisco {
            description cisco;
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
            lifetime-kilobytes 1048576;
        }
        policy ipsec-policy-cisco {
            description cisco;
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-prop-cisco;
        }
        vpn ipsec-vpn-cisco {
            bind-interface st0.1;
            ike {
                gateway ike-gate-cisco;
                proxy-identity {
                    local X.X.X.126/32;    /* Cisco guy thinks this needs to be X.X.X.100/32 */
                    remote Y.Y.Y.Y/32;
                }
                ipsec-policy ipsec-policy-cisco;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone trust {
            address-book {
                address net-cisco_10-10-2-0--24 10.10.2.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone vpn {
            interfaces {
                st0.1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy vpn-policy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy trust-vpn-cisco {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone vpn {
            policy vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy vpn-trust-cisco {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}

Trusted Contributor
Digs
Posts: 57
Registered: 08-25-2010
0

Re: SRX 240 to Cisco VPN Help

I would say that your proxy IDs should be the internal addresses and not the external.


If you can get the kmd logs, then this should highlight where the issue may lie.

Contributor
DanF
Posts: 15
Registered: 02-17-2011
0

Re: SRX 240 to Cisco VPN Help


So if the proxy ids are the internal subs then does that mean the static route should be his external?  Like so:

routing-options {
    static {
        route Y.Y.Y.Y/32 next-hop st0.1;
    }
}


And I'm pretty new to Junipers, so forgive my ignorance.  How do I get the kmd logs to filter?  We have another VPN that is cluttering the log, so it's hard to read.

Trusted Contributor
Digs
Posts: 57
Registered: 08-25-2010
0

Re: SRX 240 to Cisco VPN Help

The route is fine.  To view the logs:


show log kmd | match y.y.y.y

Contributor
DanF
Posts: 15
Registered: 02-17-2011
0

Re: SRX 240 to Cisco VPN Help

When I run show log kmd | match y.y.y.y it comes up blank.

Trusted Contributor
Digs
Posts: 57
Registered: 08-25-2010
0

Re: SRX 240 to Cisco VPN Help

Ok, try your external interfaces, i.e. X.X.X.100 AND X.X.X.126:


show log kmd | match X.X.X.100

show log kmd | match X.X.X.126

Contributor
DanF
Posts: 15
Registered: 02-17-2011
0

Re: SRX 240 to Cisco VPN Help

Both of those are blank as well... ?

Trusted Contributor
Digs
Posts: 57
Registered: 08-25-2010
0

Re: SRX 240 to Cisco VPN Help

Ok, silly question of the day:


You are putting in the actual external ip address and not X.X.X.100 in the match statement?

Contributor
DanF
Posts: 15
Registered: 02-17-2011
0

Re: SRX 240 to Cisco VPN Help

Haha, give me a LITTLE credit.  Yes, I put in the external IP.  I've got another log that I created from a different forum post.  I'm cleaning it up now; it's all jumbled.  Will post when it's clean.

Trusted Contributor
Digs
Posts: 57
Registered: 08-25-2010
0

Re: SRX 240 to Cisco VPN Help

lol, I only asked as you should have got some results from the search, as I get this from mine:


Dec  9 08:42:32 [IKED 4] Phase-1 [initiator] done for local=ipv4(udp:500,[0..3]=A.A.A.A) remote=ipv4(udp:0,[0..3]=B.B.B.B)
Dec  9 08:42:32 [IKED 4] Phase-1 negotiation succeeded for p1_local=ipv4(udp:500,[0..3]=A.A.A.A) p1_remote=ipv4(udp:500,[0..3]=B.B.B.B)
Dec  9 08:42:32 [IKED 4] Phase-2 sa_cfg lookup with local_id=ipv4_subnet(any:0,[0..7]=10.192.0.0/13), remote_id=ipv4_subnet(any:0,[0..7]=172.31.14.0/24)
Dec  9 08:42:32 [IKED 4] Negotiating IPsec SA with Phase-2 IDS: local_id=ipv4_subnet(any:0,[0..7]=10.192.0.0/13) remote_id=ipv4_subnet(any:0,[0..7]=172.31.14.0/24)

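As an added illustration (not code from this thread or from Juniper), here is a small Python check that does offline what the `show log kmd | match` step above does by hand: it confirms Phase-1 completed with the peer and compares the Phase-2 IDs being offered against the internal subnets the tunnel should carry, flagging the proxy-ID mismatch Digs describes. The regexes follow the kmd line formats quoted in the last post; the sample lines and the documentation addresses standing in for X.X.X.100, X.X.X.126 and Y.Y.Y.Y are constructed, and the exact kmd field layout for host-type Phase-2 IDs is an assumption.

```python
import ipaddress
import re

# One ID field as it appears in the kmd lines quoted in the thread:
#   host form   ipv4(udp:500,[0..3]=A.A.A.A)
#   subnet form ipv4_subnet(any:0,[0..7]=10.192.0.0/13)
_ID = r"ipv4(?:_subnet)?\([^,]+,\[[^\]]*\]=(?P<{n}>[0-9./]+)\)"
P1_RE = re.compile(r"Phase-1 negotiation succeeded for p1_local=" + _ID.format(n="local")
                   + r"\s+p1_remote=" + _ID.format(n="remote"))
P2_RE = re.compile(r"Phase-2 IDS: local_id=" + _ID.format(n="local")
                   + r"\s+remote_id=" + _ID.format(n="remote"))

# Constructed sample log, modelled on the quoted lines. RFC 5737 documentation
# addresses stand in for X.X.X.100 (192.0.2.100), X.X.X.126 (192.0.2.126) and
# Y.Y.Y.Y (198.51.100.1). The first Phase-2 line reflects the thread's original
# proxy-identity (external /32s); the second shows an internal-subnet pair.
SAMPLE_KMD = [
    "Dec  9 08:42:32 [IKED 4] Phase-1 negotiation succeeded for p1_local=ipv4(udp:500,[0..3]=192.0.2.100) p1_remote=ipv4(udp:500,[0..3]=198.51.100.1)",
    "Dec  9 08:42:32 [IKED 4] Negotiating IPsec SA with Phase-2 IDS: local_id=ipv4(any:0,[0..3]=192.0.2.126) remote_id=ipv4(any:0,[0..3]=198.51.100.1)",
    "Dec  9 08:45:10 [IKED 4] Negotiating IPsec SA with Phase-2 IDS: local_id=ipv4_subnet(any:0,[0..7]=10.10.2.0/24) remote_id=ipv4_subnet(any:0,[0..7]=192.168.0.0/24)",
]


def phase1_succeeded(log_lines, peer):
    """True if a Phase-1 (IKE) SA with this peer completed, i.e. the 'UP' state in
    'show security ike security-associations'."""
    return any(m and m["remote"] == peer for m in map(P1_RE.search, log_lines))


def phase2_ids(log_lines):
    """Return the (local, remote) Phase-2 ID pairs the log shows being negotiated.
    A bare host address parses as a /32 network."""
    pairs = []
    for m in filter(None, map(P2_RE.search, log_lines)):
        pairs.append((ipaddress.ip_network(m["local"]), ipaddress.ip_network(m["remote"])))
    return pairs


def check_proxy_ids(log_lines, local_net, remote_net):
    """Compare each negotiated pair with the subnets the tunnel should carry.
    Returns (status, local, remote) tuples; 'mismatch' is the thread's case, where
    external host addresses were offered instead of the internal subnets."""
    want = (ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net))
    return [("ok" if pair == want else "mismatch", pair[0], pair[1]) for pair in phase2_ids(log_lines)]


if __name__ == "__main__":
    print("Phase-1 up with 198.51.100.1:", phase1_succeeded(SAMPLE_KMD, "198.51.100.1"))
    for status, local, remote in check_proxy_ids(SAMPLE_KMD, "10.10.2.0/24", "192.168.0.0/24"):
        print(f"{status:8} local={local} remote={remote}")
```

Note that the Phase-2 lines do not contain the peer's address, so a `| match Y.Y.Y.Y` filter alone only surfaces the Phase-1 lines; match on the proxy-ID subnets as well to see the Phase-2 exchange.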
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.