SRX

  • 1.  Site to Site VPN Dynamic Endpoint Juniper srx210(static ip) dynamic endpoint CISCO (dynamic ip)

    Posted 11-17-2013 22:20

    Good Day Everyone,

    Does anyone have an idea whether the Juniper SRX210HE supports this kind of setup? I have already tested almost every tweak and it still doesn't work.

    Please help me,

    Thank you so much in advance



  • 2.  RE: Site to Site VPN Dynamic Endpoint Juniper srx210(static ip) dynamic endpoint CISCO (dynamic ip)

    Posted 11-18-2013 03:28

    Hi,

    This setup can work when we use aggressive mode and use an FQDN (Fully Qualified Domain Name) as the IKE identity.

    On the dynamic-IP side you need to set the IKE ID with "local-identity hostname <FQDN>" (you need to use the equivalent Cisco command).

    And on the static-IP side you need to configure the same FQDN as "dynamic hostname <FQDN>" under [edit security ike gateway <name>].

    Thanks,

    Suraj

    If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.



  • 3.  RE: Site to Site VPN Dynamic Endpoint Juniper srx210(static ip) dynamic endpoint CISCO (dynamic ip)

    Posted 11-18-2013 19:20

    Hi rsuraj,

    Yes, I did what you said, but the problem is that it still doesn't work. Do you have sample configs for the Cisco side, which has the dynamic IP? Maybe there is something wrong in my config. And if you also have a sample config for the Juniper SRX210HE, it would really be a big help for me.

    Thanks for your reply and effort.



  • 4.  RE: Site to Site VPN Dynamic Endpoint Juniper srx210(static ip) dynamic endpoint CISCO (dynamic ip)
    Best Answer

    Posted 11-18-2013 21:38

    Hi,

    I don't have a sample configuration for a VPN between Cisco and Juniper. But the configuration below is a basic aggressive-mode VPN (route-based) between SRXs (one of the ends has a dynamic IP).

    For a policy-based VPN you could remove all the st0.0 references and just reference the VPN in a permit -> tunnel stanza of a policy on both ends.


    Static-side:
    security config
    ike {
        proposal pre-g2-3des-sha {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
        }
        policy LA-remote {
            mode aggressive;
            proposals pre-g2-3des-sha;
            pre-shared-key ascii-text "$9$zMNaFCuREyKWxSrxdwgUDP5Q"; ## SECRET-DATA
        }
        gateway LA-remote-gw {
            ike-policy LA-remote;
            dynamic hostname la-connecting;
            external-interface fe-0/0/3.0;
        }
    }
    ipsec {
        proposal esp-3des-sha {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
        }
        policy LA-remote {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals esp-3des-sha;
        }
        vpn LA-remote-vpn {
            bind-interface st0.0;
            ike {
                gateway LA-remote-gw;
                ipsec-policy LA-remote;
            }
            establish-tunnels immediately;
        }
    }

    Dynamic-side:
    security config
    ike {
        proposal pre-g2-3des-sha {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
        }
        policy LA-remote {
            mode aggressive;
            proposals pre-g2-3des-sha;
            pre-shared-key ascii-text "$9$zMNaFCuREyKWxSrxdwgUDP5Q"; ## SECRET-DATA
        }
        gateway HQ {
            ike-policy LA-remote;
            address 10.0.1.2;
            local-identity hostname la-connecting;
            external-interface fe-0/0/3.0;
        }
    }
    ipsec {
        proposal esp-3des-sha {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
        }
        policy LA-remote {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals esp-3des-sha;
        }
        vpn HQ {
            bind-interface st0.0;
            ike {
                gateway HQ;
                ipsec-policy LA-remote;
            }
            establish-tunnels immediately;
        }
    }

    Both sides:
    interfaces, routing-options, and security->zones configs respectively
    st0 {
        unit 0 {
            family inet;
        }
    }
    static {
        route <remote network> next-hop st0.0;
    }
    security-zone trust {
        interfaces {
            st0.0;
        }
    }

    **Be sure to allow ike traffic (host-inbound-traffic -> system-services) on each external facing interface**

    Thanks,

    Suraj

    If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.



  • 5.  RE: Site to Site VPN Dynamic Endpoint Juniper srx210(static ip) dynamic endpoint CISCO (dynamic ip)

    Posted 11-21-2013 22:56

    Wow, thank you, I have a guide now.



  • 6.  RE: Site to Site VPN Dynamic Endpoint Juniper srx210(static ip) dynamic endpoint CISCO (dynamic ip)

    Posted 11-21-2013 23:58

    Please check the access list on the Cisco end; it should allow the IPs of the Juniper end.



  • 7.  RE: Site to Site VPN Dynamic Endpoint Juniper srx210(static ip) dynamic endpoint CISCO (dynamic ip)

    Posted 11-24-2013 21:06

    Hi jaishan,

    I have already checked my access list, but the problem is my tunnel won't come up.

    Thank you,



  • 8.  RE: Site to Site VPN Dynamic Endpoint Juniper srx210(static ip) dynamic endpoint CISCO (dynamic ip)

    Posted 11-24-2013 21:19

    Hi,

    Please shed some light on this problem. Huhuhu, I have already tried almost everything by trial and error but it still doesn't work for me.

    Please help me... Juniper SRX210 (static) to Cisco router 1841 (dynamic). And maybe if I have extra money I will send a little for the help.

    Thank you so much in advance, guys,



  • 9.  RE: Site to Site VPN Dynamic Endpoint Juniper srx210(static ip) dynamic endpoint CISCO (dynamic ip)

    Posted 11-24-2013 21:38

    Here's the config

    Juniper SRX210 (Static IP)

    root@VISCEBU_SRX210HE# show interfaces
    ge-0/0/0 {
        description WAN-ISP-PLDT;
        unit 0 {
            family inet {
                address 2.2.2.2/29;
            }
        }
    }
    ge-0/0/1 {
        description WAN-ISP-Bayantel;
        unit 0 {
            family inet {
                address x.x.x.x;
            }
        }
    }
    fe-0/0/2 {
        description WAN-ISP-Globe-DHCP;
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0;
    }
    fe-0/0/5 {
        description intranet-local-DMZ;
        unit 0;
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        description Intranet-Local-Network;
        unit 0 {
            family inet {
                filter {
                    input test2-firewall;
                }
                address 172.16.173.15/16;
            }
        }
    }
    lo0 {
        description Loopback-Interface;
        unit 0 {
            family inet {
                address 172.16.254.254/32;
            }
        }
    }
    st0 {
        unit 0 {
            description Site-to-Site-VPN-Testing;
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.100.1/24;
            }
        }
    }

    [edit]
    root@VISCEBU_SRX210HE# show security ike
    proposal ike-phase1-proposal {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm md5;
        encryption-algorithm 3des-cbc;
    }
    policy ike-phase1-policy {
        mode aggressive;
        proposals ike-phase1-proposal;
        pre-shared-key ascii-text "$9$SvbeK8ws4ZDkvW4ZUDkquOBEre8X7w24"; ## SECRET-DATA
    }
    gateway testing {
        ike-policy ike-phase1-policy;
        dynamic hostname testing.vpn;
        external-interface ge-0/0/0.0;
    }

    [edit]
    root@VISCEBU_SRX210HE# show security ipsec
    proposal ipsec-phase2-proposal {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm 3des-cbc;
    }
    policy ipsec-phase2-policy {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals ipsec-phase2-proposal;
    }
    vpn ike-vpn-testing {
        bind-interface st0.0;
        ike {
            gateway testing;
            proxy-identity {
                local 192.168.100.0/24;
                remote 172.16.250.0/24;
                service any;
            }
            ipsec-policy ipsec-phase2-policy;
        }
        establish-tunnels immediately;
    }

    -------------------------------------------------------------------------------------------------------------------------------------------

    Cisco 1841 (Dynamic IP)

    Building configuration...

    Current configuration : 1381 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot system flash c1841-adventerprisek9-mz.124-8a.bin
    boot-end-marker
    !
    !
    no aaa new-model
    !
    resource policy
    !
    ip cef
    !
    !
    !
    !
    !
    !
    !
    !
    !
    crypto keyring test
    !
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key cisco12345 address 2.2.2.2
    !
    !
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    !
    crypto map mymap 10 ipsec-isakmp
     set peer 2.2.2.2
     set transform-set myset
     match address 102
    !
    !
    !
    interface FastEthernet0/0
     ip address dhcp
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map mymap
    !
    interface FastEthernet0/1
     ip address 172.16.250.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface Serial0/0/0
     no ip address
     shutdown
     no fair-queue
     clock rate 2000000
    !
    interface Dialer1
     no ip address
    !
    ip route 0.0.0.0 0.0.0.0 1.1.1.2
    !
    !
    ip http server
    no ip http secure-server
    ip nat inside source list 101 interface FastEthernet0/0 overload
    !
    access-list 101 permit ip 172.16.250.0 0.0.0.255 any
    access-list 102 permit ip 172.16.250.0 0.0.0.255 192.168.100.0 0.0.0.255
    !
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     login
    !
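Added example, not the poster's config nor anything Suraj posted: the Cisco 1841 side rewritten to fit the SRX "gateway testing" config in reply 9, applying the point from reply 2 (aggressive mode, FQDN as IKE identity) and mirroring the SRX PFS group2 and proxy-identity. Assumptions: the keyring and profile names SRX-KEYRING and SRX-PROFILE, a placeholder PSK, and that the router's hostname plus ip domain-name are set so its FQDN is exactly testing.vpn.

```cisco
! Added example (not the poster's config): the Cisco 1841 side redone to
! match the SRX "gateway testing" config above. Assumed names:
! SRX-KEYRING, SRX-PROFILE; the PSK is a placeholder.
hostname testing
ip domain-name vpn
!
! Phase 1 mirrors the SRX ike-phase1-proposal (3des/md5/group2). Both are
! weak by today's standards; move both ends to AES/SHA when you can.
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Keyring holds the PSK for the static SRX peer (replaces the global key).
crypto keyring SRX-KEYRING
 pre-shared-key address 2.2.2.2 key <PSK-PLACEHOLDER>
!
! The profile makes this router initiate aggressive mode and send its FQDN
! (hostname.domain = testing.vpn) as IKE ID, which is what
! "dynamic hostname testing.vpn" on the SRX expects.
crypto isakmp profile SRX-PROFILE
 keyring SRX-KEYRING
 self-identity fqdn
 match identity address 2.2.2.2 255.255.255.255
 initiate mode aggressive
!
! Phase 2 mirrors the SRX ipsec-phase2-proposal; set pfs matches the SRX
! perfect-forward-secrecy keys group2, which the posted crypto map lacks.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set myset
 set pfs group2
 set isakmp-profile SRX-PROFILE
 match address 102
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 crypto map mymap
!
! IOS applies NAT before the crypto map on egress, so the VPN subnet pair
! is denied in the NAT ACL; otherwise it never matches crypto ACL 102.
access-list 101 deny ip 172.16.250.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 172.16.250.0 0.0.0.255 any
access-list 102 permit ip 172.16.250.0 0.0.0.255 192.168.100.0 0.0.0.255
ip nat inside source list 101 interface FastEthernet0/0 overload
```

Check the result from the SRX with `show security ike security-associations` and `show security ipsec security-associations`; as reply 4 notes, the zone holding ge-0/0/0.0 must also allow ike under host-inbound-traffic system-services or phase 1 never starts.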