rsilva

Problem creating VPN firewall to firewall from Juniper SRX210B to Cisco PIX 535

Hi all,

I am writing about the following. I need to create a VPN from the SRX210B to the PIX535, and I have configured it.

 

show 
## Last changed: 2011-09-29 10:21:28 UTC
## Junos 10.0R3.10 configuration of an SRX210B (host ROU-PLATCO) for a
## route-based IPsec VPN. Per the post, the peer is a Cisco PIX 535 reached
## through an intermediate Cisco router (SRX --> router --> PIX).
version 10.0R3.10;
system {
    host-name ROU-PLATCO;
    root-authentication {
        encrypted-password "$1$WOzy96.aaaaaaaaaaaaaaaaaa5lwc6Oy1"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    ## Management services. telnet and plain http carry credentials in the
    ## clear; ssh and https are already enabled, so the cleartext ones can be
    ## removed. Which interfaces may reach these services is decided by the
    ## host-inbound-traffic settings in the zones further down.
    services {
        ssh;
        telnet;
        web-management {
            http {
                ## NOTE(review): no vlan unit 0 is configured under interfaces
                ## below, so web management bound to vlan.0 may be unreachable
                ## -- confirm.
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
        }
    }
}
interfaces {
    ## Switched LAN ports (layer 2 only; no vlan.0 routed interface is defined
    ## in this configuration).
    interface-range interfaces-trust {
        member ge-0/0/1;
        member fe-0/0/3;
        member fe-0/0/4;
        member fe-0/0/5;
        member fe-0/0/6;
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/0 {
        unit 0;
    }
    ## Routed LAN interface; placed in zone trust and covered by the LAN
    ## address-book entry 10.0.16.0/24.
    fe-0/0/7 {
        speed 100m;
        link-mode full-duplex;
        unit 0 {
            family inet {
                address 10.0.16.3/24;
            }
        }
    }
    ## E1 WAN link toward the Cisco router. On this /30 the other end is
    ## 192.168.41.221; this unit is the external-interface of IKE gateway GW-1.
    e1-1/0/0 {
        encapsulation cisco-hdlc;
        e1-options {
            framing g704;
        }
        unit 0 {
            family inet {
                address 192.168.41.222/30;
            }
        }
    }
    ## Secure tunnel interface for the route-based VPN (bound by vpn VPN-1).
    ## Unnumbered; placed in zone trust below.
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        ## Remote (PIX-side) network is reached through the tunnel.
        ## NOTE(review): the IKE output in the post shows the peer as
        ## 206.49.166.253, which is inside this prefix. The IKE peer address
        ## must be reachable outside st0.0 (via e1-1/0/0.0); if it is covered
        ## by this route, IKE packets are sent into the tunnel they are trying
        ## to build. Exclude the peer address from this route if that is the
        ## case.
        route 206.49.166.0/24 next-hop st0.0;
    }
}
security {
    ike {
        ## Phase 1 proposal: matches the stated requirement
        ## IKE/3DES/SHA-1/DH2, pre-shared key, 1440 s lifetime. 3DES, SHA-1
        ## and group 2 are legacy strength and are kept only to match the PIX
        ## side; prefer AES and a stronger DH group when the peer supports it.
        proposal P1-3DES {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            ## 1440 s = 24 min. Confirm the PIX side also expresses its
            ## ISAKMP lifetime in seconds (PIX defaults to 86400 s), so the
            ## two sides are comparing the same value.
            lifetime-seconds 1440;
        }
        ## Main mode, as required ("Aggressive mode=no"); single proposal.
        policy IKE-POLICY-1 {
            mode main;
            proposals P1-3DES;
            pre-shared-key ascii-text "$9$7RNwwwwwwww-Vws4ZUDkQ36"; ## SECRET-DATA
        }
        ## NOTE(review): 192.168.41.221 is the far end of the e1-1/0/0 /30,
        ## i.e. the intermediate Cisco router per the topology in the post,
        ## not the PIX. The IKE SA output in the post instead shows the peer
        ## as 206.49.166.253, so the running configuration at that time
        ## differed from this one. The address must be the PIX's IKE endpoint,
        ## and the PIX must have this SRX (192.168.41.222, or whatever address
        ## the router presents for it) configured as its peer. Phase 1 DOWN
        ## with 0 input bytes means no reply was received at all, so check
        ## UDP/500 reachability between the two endpoints first.
        gateway GW-1 {
            ike-policy IKE-POLICY-1;
            address 192.168.41.221;
            external-interface e1-1/0/0.0;
        }
    }
    ipsec {
        ## Phase 2 proposal: ESP / 3DES / HMAC-MD5-96, per the stated
        ## requirement. No lifetime-seconds is set, so the platform default
        ## applies (believed to be 3600 s, which is what the requirement asks
        ## for); set `lifetime-seconds 3600;` explicitly to be certain.
        proposal P2-3DES {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
        }
        policy IPSEC-POLICY-1 {
            ## NOTE(review): the stated PIX parameters say "IPSEC - PFS: No".
            ## PFS enabled on one side only will most likely make phase 2 fail
            ## once phase 1 comes up; either delete this perfect-forward-secrecy
            ## stanza or enable PFS group 2 on the PIX.
            perfect-forward-secrecy {
                keys group2;
            }
            proposals P2-3DES;
        }
        ## Route-based VPN: traffic is selected by the static route to st0.0.
        ## establish-tunnels immediately makes the SRX initiate without waiting
        ## for traffic, which is consistent with Role: Initiator in the post.
        ## NOTE(review): no proxy-identity is set. A policy-based PIX peer
        ## normally expects proxy-IDs matching its crypto ACL, so once phase 1
        ## works, `ike { proxy-identity local 10.0.16.0/24 remote
        ## 206.49.166.0/24 service any; }` (adjusted to the PIX's ACL) is
        ## likely needed -- confirm against the PIX configuration.
        vpn VPN-1 {
            bind-interface st0.0;
            ike {
                gateway GW-1;
                ipsec-policy IPSEC-POLICY-1;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                    ## NOTE(review): `all` already covers ping and ike and also
                    ## exposes every enabled management service (telnet, ssh,
                    ## http, https) on the WAN side. Keep only ike (and ping
                    ## while troubleshooting) here and on e1-1/0/0.0 below.
                    all;
                }
            }
            interfaces {
                e1-1/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            all;
                        }
                    }
                }
            }
        }
        security-zone trust {
            address-book {
                ## Defined but not referenced: the policies below match `any`.
                address LAN 10.0.16.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                ## Tunnel interface in the same zone as the LAN.
                ## NOTE(review): there is no from-zone trust to-zone trust
                ## policy; on SRX intra-zone traffic is also policy-checked, so
                ## LAN <-> tunnel traffic would likely hit the default deny
                ## once the tunnel is up -- confirm, or move st0.0 to its own
                ## zone with explicit policies.
                st0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        ## Outbound: everything from the LAN to the WAN is permitted.
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        ## NOTE(review): this permits every inbound WAN flow to the LAN with
        ## no filtering at all. st0.0 is not in zone untrust, so this rule is
        ## not needed for VPN traffic either; restrict it to what is actually
        ## required or remove it.
        from-zone untrust to-zone trust {
            policy untrust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
[edit]
root@ROU-PLATCO# 
I don't have much experience with VPNs. The topology is as follows: 
SRX--->Router Cisco--->PIX
These are the configuration parameters:
IKE - Hashing algorithm :IKE/3DES/SHA-1/DH2/Aggressive mode=no
IKE - SA lifetime :1440sec
Initial mode :Main mode
IPSEC :ESP
IPSEC- ESP Encryption Algorithm    :3DES
IPSEC - Hashing algorithm :MD5
IPSEC - SA time lifetime: :3600sec
IPSEC - PFS :No (It is possible to change it)
Compression :None
Authentication (pre-share only) :Pre-shared (provided by phone)
Protocol :IP
When I run the command `show security ike security-association detail`, these are the results:
IKE peer 206.49.166.253, Index 52,
  Role: Initiator, State: DOWN
  Initiator cookie: ac99e923555018cb, Responder cookie: 0000000000000000
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 192.168.41.222:500, Remote: 206.49.166.253:500
  Lifetime: Expires in 1331 seconds
  Algorithms:
   Authentication        : unknown
   Encryption            : unknown
   Pseudo random function: unknown
  Traffic statistics:
   Input  bytes  :                    0
   Output bytes  :                 1300
   Input  packets:                    0
   Output packets:                    5
  IPSec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 0
The VPN is DOWN and I don't know what to do...
Help me please.
Thanks,
rsilva

Re: Problem creating VPN firewall to firewall from Juniper SRX210B to Cisco PIX 535

I need your knowledge please....

keithr

Re: Problem creating VPN firewall to firewall from Juniper SRX210B to Cisco PIX 535

rsilva, you might have more luck getting some help in the SRX forum as this is an SRX question, rather than a SSL-VPN (Secure Access) issue.

-kr

