ScreenOS Firewalls (NOT SRX)
lz_yq (Visitor)

Can I use Juniper Firewall(static IP Address) and Cisco Router(dynamic IP address) IPSec VPN ?

Juniper Firewall (static IP Address) -----<Internet>-----Cisco router(dynamic IP Address)

Site-to-site IPsec VPN, can it be done? If so, specifically, how?

Thanks.

WL (Trusted Expert)

Re: Can I use Juniper Firewall(static IP Address) and Cisco Router(dynamic IP address) IPSec VPN ?

Hi,

Yes, definitely, you just need to use the FQDN. There is a complete example here:

http://www.juniper.net/techpubs/software/screenos/screenos6.0.0/CE_v5.pdf Page 129:

Excerpt of the config from the above guide:

10.1.1.1/24 (trust) Tokyo (untrust) 1.1.1.1/24 ------------------www----------------- www.nspar.com (untrust) Paris (trust) 10.2.2.1/24

CLI (Tokyo)

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3

2. Addresses
set address trust Trust_LAN 10.1.1.0/24
set address untrust paris_office 10.2.2.0/24

3. VPN
set ike gateway to_paris address www.nspar.com main outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-sha
set vpn tokyo_paris gateway to_paris sec-level compatible
set vpn tokyo_paris bind interface tunnel.1
set vpn tokyo_paris proxy-id local-ip 10.1.1.0/24 remote-ip 10.2.2.0/24 any

CLI (Paris)

1. Host Name and Domain Name
set hostname www
set domain nspar.com

2. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.2.2.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip dhcp-client enable
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3

3. Addresses
set address trust Trust_LAN 10.2.2.0/24
set address untrust tokyo_office 10.1.1.0/24

4. VPN
set ike gateway to_tokyo address 1.1.1.1 main outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-sha
set vpn paris_tokyo gateway to_tokyo sec-level compatible
set vpn paris_tokyo bind interface tunnel.1
set vpn paris_tokyo proxy-id local-ip 10.2.2.0/24 remote-ip 10.1.1.0/24 any

Let us know if you have any further questions.

****pls click the button " Accept as Solution" if my post helped to solve your problem****
lz_yq (Visitor)

Re: Can I use Juniper Firewall(static IP Address) and Cisco Router(dynamic IP address) IPSec VPN ?

Can I use aggressive mode? Because FQDN is really DDNS in disguise of a static IP address VPN. About FQDN, we do not have a DNS server; the ISP does not provide one.
WL (Trusted Expert)

Re: Can I use Juniper Firewall(static IP Address) and Cisco Router(dynamic IP address) IPSec VPN ?

Yes, you will need aggressive mode as the Cisco has a dynamic IP. The same guide has the configuration, on page 170:

10.1.1.1/24 (trust) Tokyo (untrust) (dynamic IP) ------------------www----------------- (2.2.2.2/24) (untrust) Paris (trust) 10.2.2.1/24

CLI (Tokyo)

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 dhcp client
set interface ethernet3 dhcp client settings server 1.1.1.5
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3

2. Addresses
set address trust Trust_LAN 10.1.1.0/24
set address untrust Paris_Office 10.2.2.0/24

3. VPN
Preshared Key
set ike gateway To_Paris address 2.2.2.2 aggressive local-id pmason@abc.com outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-sha
set vpn Tokyo_Paris gateway To_Paris tunnel sec-level compatible
set vpn Tokyo_Paris bind interface tunnel.1
set vpn Tokyo_Paris proxy-id local-ip 10.1.1.0/24 remote-ip 10.2.2.0/24 any

4. Routes
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3
set vrouter trust-vr route 10.2.2.0/24 interface tunnel.1
set vrouter trust-vr route 10.2.2.0/24 interface null metric 10

5. Policies
set policy top from trust to untrust Trust_LAN Paris_Office any permit
set policy top from untrust to trust Paris_Office Trust_LAN any permit
save

CLI (Paris)

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.2.2.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 2.2.2.2/24
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3

2. Addresses
set address trust Trust_LAN 10.2.2.0/24
set address untrust Tokyo_Office 10.1.1.0/24

3. VPN
Preshared Key
set ike gateway To_Tokyo dynamic pmason@abc.com aggressive outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-sha
set vpn Paris_Tokyo gateway To_Tokyo tunnel sec-level compatible
set vpn Paris_Tokyo bind interface tunnel.1
set vpn Paris_Tokyo proxy-id local-ip 10.2.2.0/24 remote-ip 10.1.1.0/24 any

4. Routes
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 2.2.2.250
set vrouter trust-vr route 10.1.1.0/24 interface tunnel.1
set vrouter trust-vr route 10.1.1.0/24 interface null metric 10

5. Policies
set policy top from trust to untrust Trust_LAN Tokyo_Office any permit
set policy top from untrust to trust Tokyo_Office Trust_LAN any permit
save

****pls click the button " Accept as Solution" if my post helped to solve your problem****
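An added consistency check (my own Python, not from the guide or from either poster) over the ScreenOS excerpts in the two replies above. It parses each peer's `set ike gateway` and `proxy-id` lines and verifies what has to agree for Phase 1 and Phase 2 to come up: identical preshared key and proposal, mirror-image proxy-ids, and, for the dynamic-address case, that the `dynamic <id>` configured on the static side equals the `local-id` the dynamic side sends in aggressive mode. The two config strings are constructed from the page 170 excerpt; the main-mode excerpt from the first reply passes the same check.

```python
import re

# Constructed from the thread's page 170 excerpt: static Paris, dynamic Tokyo.
TOKYO = """
set ike gateway To_Paris address 2.2.2.2 aggressive local-id pmason@abc.com outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-sha
set vpn Tokyo_Paris gateway To_Paris tunnel sec-level compatible
set vpn Tokyo_Paris proxy-id local-ip 10.1.1.0/24 remote-ip 10.2.2.0/24 any
"""
PARIS = """
set ike gateway To_Tokyo dynamic pmason@abc.com aggressive outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-sha
set vpn Paris_Tokyo gateway To_Tokyo tunnel sec-level compatible
set vpn Paris_Tokyo proxy-id local-ip 10.2.2.0/24 remote-ip 10.1.1.0/24 any
"""
GW_RE = re.compile(r"set ike gateway (\S+) (address|dynamic) (\S+)(.*)")
PROXY_RE = re.compile(r"set vpn \S+ proxy-id local-ip (\S+) remote-ip (\S+) (\S+)")


def parse_side(cfg):
    # Pull the IKE gateway and proxy-id settings out of one peer's ScreenOS config.
    side = {"mode": "main"}  # main mode unless the gateway line says 'aggressive'
    for line in cfg.splitlines():
        m = GW_RE.match(line.strip())
        if m:
            side["gw"], side["peer_kind"], side["peer"], rest = m.groups()
            opts = rest.split()
            side["mode"] = "aggressive" if "aggressive" in opts else "main"
            for key in ("local-id", "preshare", "proposal"):
                if key in opts:
                    side[key] = opts[opts.index(key) + 1]
        m = PROXY_RE.match(line.strip())
        if m:
            side["local"], side["remote"], side["service"] = m.groups()
    return side


def check_pair(a, b):
    # Return the mismatches between two peers' configs; an empty list means consistent.
    problems = []
    if a.get("preshare") != b.get("preshare"):
        problems.append("preshared keys differ")
    if a.get("proposal") != b.get("proposal"):
        problems.append("Phase 1 proposals differ")
    if a["mode"] != b["mode"]:
        problems.append("IKE mode mismatch (main vs aggressive)")
    if (a["local"], a["remote"]) != (b["remote"], b["local"]) or a["service"] != b["service"]:
        problems.append("proxy-ids are not mirror images")
    # A 'dynamic <id>' gateway only accepts a peer sending exactly that id in aggressive mode.
    for static, dyn in ((a, b), (b, a)):
        if static.get("peer_kind") == "dynamic":
            if dyn["mode"] != "aggressive":
                problems.append(f"{static['gw']} is dynamic but peer uses main mode")
            if dyn.get("local-id") != static["peer"]:
                problems.append(f"{static['gw']} expects id {static['peer']} but peer sends {dyn.get('local-id')}")
    return problems
```

Running `check_pair(parse_side(TOKYO), parse_side(PARIS))` on the excerpt returns an empty list; changing the Tokyo `local-id` or dropping `aggressive` on the Tokyo side produces the corresponding mismatch.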
lz_yq (Visitor)

Re: Can I use Juniper Firewall(static IP Address) and Cisco Router(dynamic IP address) IPSec VPN ?

Hi WL, thank you.

But the Tokyo side is a Cisco router; I do not know whether to configure the Cisco router parameter "local id".
lz_yq (Visitor)

Re: Can I use Juniper Firewall(static IP Address) and Cisco Router(dynamic IP address) IPSec VPN ?

I do not use the Juniper "local id" parameter; can equipment from different manufacturers be configured for a dynamic-IP VPN?
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.