03-14-2011 07:07 AM
Any help that you might be able to provide would be greatly appreciated.
We are trying to set up a LAN-to-LAN VPN between our SRX and a Cisco appliance. Here's the relevant information.
X.X.X.100 is our external IP on the Juniper and is ge-0/0/0
X.X.X.126 is what I gave st0.1
10.10.2.0/24 is our internal subnet
Y.Y.Y.Y is their external IP on their Cisco
192.168.0.0/24 is their internal subnet
show security ike security-associations
Index Remote Address State Initiator cookie Responder cookie Mode
5105 Y.Y.Y.Y UP XXXXXXXXX XXXXXXXXX Main
show security ipsec security-associations
Lists our other active VPN but does not show this one.
I don't have the Cisco config, but he said he pretty much matched everything I list below on his end, including the lifetimes. I'm thinking that the lifetimes don't need to match, but I don't know what they should be.
And the relevant Juniper end config. Please let me know if you need any more information and I'll do what I can.
interfaces {
    st0 {
        unit 1 {
            family inet {
                address X.X.X.126/27;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 10.10.2.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 192.168.0.0/24 next-hop st0.1;
    }
}
security {
    ike {
        proposal ike-prop-cisco {
            description cisco;
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy ike-policy-cisco {
            mode main;
            description cisco;
            proposals ike-prop-cisco;
            pre-shared-key ascii-text "KEY";
        }
        gateway ike-gate-cisco {
            ike-policy ike-policy-cisco;
            address Y.Y.Y.Y;
            dead-peer-detection {
                interval 10;
                threshold 5;
            }
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        vpn-monitor-options {
            interval 15;
            threshold 15;
        }
        proposal ipsec-prop-cisco {
            description cisco;
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
            lifetime-kilobytes 1048576;
        }
        policy ipsec-policy-cisco {
            description cisco;
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-prop-cisco;
        }
        vpn ipsec-vpn-cisco {
            bind-interface st0.1;
            ike {
                gateway ike-gate-cisco;
                proxy-identity {
                    /* Cisco guy thinks this needs to be X.X.X.100/32 */
                    local X.X.X.126/32;
                    remote Y.Y.Y.Y/32;
                }
                ipsec-policy ipsec-policy-cisco;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone trust {
            address-book {
                address net-cisco_10-10-2-0--24 10.10.2.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone vpn {
            interfaces {
                st0.1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy vpn-policy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy trust-vpn-cisco {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone vpn {
            policy vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy vpn-trust-cisco {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
03-14-2011 08:28 AM
I would say that your proxy IDs should be the internal addresses and not the external.
If you can get the kmd logs, then this should highlight where the issue may lie.
03-14-2011 08:33 AM - edited 03-14-2011 08:33 AM
So if the proxy IDs are the internal subs, then does that mean the static route should be his external? Like so:
routing-options {
    static {
        route Y.Y.Y.Y/32 next-hop st0.1;
    }
}
And I'm pretty new to Junipers, so forgive my ignorance. How do I get the kmd logs to filter? We have another VPN that is cluttering the log, so it's hard to read.
03-14-2011 08:48 AM
The route is fine. To view the logs:
show log kmd | match y.y.y.y
03-14-2011 08:52 AM
When I run show log kmd | match y.y.y.y, it comes up blank.
03-14-2011 09:01 AM
Ok, try your external interfaces, i.e. X.X.X.100 AND X.X.X.126
show log kmd | match X.X.X.100
show log kmd | match X.X.X.126
03-14-2011 09:06 AM
Both of those are blank as well... ?
03-14-2011 09:17 AM
Ok silly question of the day
You are putting in the actual external ip address and not X.X.X.100 in the match statement?
03-14-2011 09:18 AM
Haha, give me a LITTLE credit. Yes, I put in the external IP. I've got another log that I created from a different forum post. I'm cleaning it up now. It's all jumbled. Will post when it's clean.
03-14-2011 09:23 AM
lol, I only asked as you should have got some results from the search, as I get this from mine
Dec 9 08:42:32 [IKED 4] Phase-1 [initiator] done for local=ipv4(udp:500,[0..3]=A.A.A.A) remote=ipv4(udp:0,[0..3]=B.B.B.B)
Dec 9 08:42:32 [IKED 4] Phase-1 negotiation succeeded for p1_local=ipv4(udp:500,[0..3]=A.A.A.A) p1_remote=ipv4(udp:500,[0..3]=B.B.B.B)
Dec 9 08:42:32 [IKED 4] Phase-2 sa_cfg lookup with local_id=ipv4_subnet(any:0,[0..7]=10.192.0.0/13), remote_id=ipv4_subnet(any:0,[0..7]=172.31.14.0/24)
Dec 9 08:42:32 [IKED 4] Negotiating IPsec SA with Phase-2 IDS: local_id=ipv4_subnet(any:0,[0..7]=10.192.0.0/13) remote_id=ipv4_subnet(any:0,[0..7]=172.31.14.0/24)
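As an added example (not from any poster in this thread), a small Python script that parses kmd lines in the format quoted above and checks the Phase-2 local_id/remote_id against the subnets the tunnel should carry (10.10.2.0/24 and 192.168.0.0/24), which is the proxy-ID mismatch suggested earlier in the thread. The log lines inside it are constructed, with RFC 5737 placeholder addresses standing in for X.X.X.100, X.X.X.126 and Y.Y.Y.Y.

```python
import re
from ipaddress import ip_network

# One IKED line carries several id fields, for example
#   local=ipv4(udp:500,[0..3]=A.A.A.A)               (Phase-1, peer address)
#   local_id=ipv4_subnet(any:0,[0..7]=10.192.0.0/13)  (Phase-2, proxy ID)
ID_RE = re.compile(
    r"(local_id|remote_id|p1_local|p1_remote|local|remote)"
    r"=ipv4(?:_subnet)?\([^=)]*=([0-9.]+(?:/\d+)?)\)"
)
PHASE_RE = re.compile(r"\[IKED \d+\] (Phase-[12])")

def parse_kmd_line(line):
    """Return (phase, {field: address}) for an IKED line, else None."""
    m = PHASE_RE.search(line)
    if not m:
        return None
    return m.group(1), dict(ID_RE.findall(line))

def check_proxy_ids(lines, expected_local, expected_remote):
    """Distinct (local_id, remote_id) pairs from Phase-2 lines that differ
    from the proxy IDs the tunnel is meant to negotiate."""
    want = (ip_network(expected_local), ip_network(expected_remote))
    mismatches = []
    for line in lines:
        parsed = parse_kmd_line(line)
        if parsed is None or parsed[0] != "Phase-2":
            continue
        ids = parsed[1]
        if "local_id" not in ids or "remote_id" not in ids:
            continue
        got = (ip_network(ids["local_id"], strict=False),
               ip_network(ids["remote_id"], strict=False))
        if got != want and got not in mismatches:
            mismatches.append(got)
    return mismatches

# Constructed sample in the thread's log format; RFC 5737 addresses stand in
# for X.X.X.100 (ge-0/0/0), X.X.X.126 (st0.1) and Y.Y.Y.Y (the Cisco peer).
SAMPLE_KMD = [
    "Mar 14 08:52:10 [IKED 4] Phase-1 [initiator] done for "
    "local=ipv4(udp:500,[0..3]=203.0.113.100) remote=ipv4(udp:0,[0..3]=198.51.100.1)",
    "Mar 14 08:52:10 [IKED 4] Phase-2 sa_cfg lookup with "
    "local_id=ipv4_subnet(any:0,[0..7]=203.0.113.126/32), "
    "remote_id=ipv4_subnet(any:0,[0..7]=198.51.100.1/32)",
]
if __name__ == "__main__":
    for local_id, remote_id in check_proxy_ids(SAMPLE_KMD, "10.10.2.0/24", "192.168.0.0/24"):
        print(f"proxy-ID mismatch: negotiated {local_id} <-> {remote_id}")
```

Run as a script it reports one mismatch, the two external /32 hosts that the original proxy-identity selects; with the proxy-identity set to the two internal subnets the same check comes back empty.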