Hi,
I don't have a sample configuration for a VPN between Cisco and Juniper, but the configuration below is a basic aggressive-mode (route-based) VPN between SRXs, where one end has a dynamic IP.
For a policy-based VPN you could remove all the st0.0 references and just reference the VPN in a permit -> tunnel stanza of a policy on both ends.
Static-side:
[edit security]
ike {
    proposal pre-g2-3des-sha {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
    }
    policy LA-remote {
        /* aggressive mode lets the peer identify itself by hostname instead of by IP */
        mode aggressive;
        proposals pre-g2-3des-sha;
        pre-shared-key ascii-text "$9$zMNaFCuREyKWxSrxdwgUDP5Q"; ## SECRET-DATA
    }
    gateway LA-remote-gw {
        ike-policy LA-remote;
        /* peer address is unknown in advance; match it on the IKE identity it presents */
        dynamic hostname la-connecting;
        external-interface fe-0/0/3.0;
    }
}
ipsec {
    proposal esp-3des-sha {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
    }
    policy LA-remote {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals esp-3des-sha;
    }
    vpn LA-remote-vpn {
        /* route-based: traffic routed into st0.0 is what gets encrypted */
        bind-interface st0.0;
        ike {
            gateway LA-remote-gw;
            ipsec-policy LA-remote;
        }
        establish-tunnels immediately;
    }
}
Dynamic-side:
[edit security]
ike {
    proposal pre-g2-3des-sha {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
    }
    policy LA-remote {
        mode aggressive;
        proposals pre-g2-3des-sha;
        pre-shared-key ascii-text "$9$zMNaFCuREyKWxSrxdwgUDP5Q"; ## SECRET-DATA
    }
    gateway HQ {
        ike-policy LA-remote;
        /* static address of the HQ side */
        address 10.0.1.2;
        /* identity sent to HQ; must match "dynamic hostname" on the static side */
        local-identity hostname la-connecting;
        external-interface fe-0/0/3.0;
    }
}
ipsec {
    proposal esp-3des-sha {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
    }
    policy LA-remote {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals esp-3des-sha;
    }
    vpn HQ {
        bind-interface st0.0;
        ike {
            gateway HQ;
            ipsec-policy LA-remote;
        }
        establish-tunnels immediately;
    }
}
Both sides:
interfaces, routing-options, and security->zones configs respectively:

[edit interfaces]
st0 {
    unit 0 {
        family inet;
    }
}

[edit routing-options]
static {
    route <remote network> next-hop st0.0;
}

[edit security zones]
security-zone trust {
    interfaces {
        st0.0;
    }
}
**Be sure to allow IKE traffic (host-inbound-traffic -> system-services) on each external-facing interface**
Thanks,
Suraj
If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
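The host-inbound-traffic setting the post tells you not to forget, written out in `set` form together with the operational-mode commands used to confirm the tunnel came up. This is an added example, not part of the original post: the zone name `untrust` for the external interface is an assumption (the post only names the `trust` zone), and the interface name is taken from the post.

```junos
# Added example, not from the original post. Assumes fe-0/0/3.0 lives in a
# zone named "untrust" (assumption); adjust the zone name to match your box.
#
# Configuration mode, on BOTH SRXs: without this the external interface itself
# silently discards the peer's IKE packets and no SA is ever negotiated.
set security zones security-zone untrust interfaces fe-0/0/3.0
set security zones security-zone untrust interfaces fe-0/0/3.0 host-inbound-traffic system-services ike

# Operational mode, after commit. Phase 1 should show the gateway with State UP;
# the dynamic side must be the initiator, since HQ does not know its address.
show security ike security-associations
# Phase 2: one inbound and one outbound SA per VPN, bound to st0.0.
show security ipsec security-associations
# Traffic actually being encrypted/decrypted (counters increment when you send
# traffic toward <remote network>, which the static route points at st0.0).
show security ipsec statistics
```

If Phase 1 never appears on the static side, check that the hostname in `local-identity hostname` on the dynamic side exactly matches the `dynamic hostname` value on the static side, since that string is the only thing the static side has to select the gateway.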