Screen OS


route based vpn between cisco and netscreen with OSPF

  • 1.  route based vpn between cisco and netscreen with OSPF

    Posted 12-17-2008 10:57

    Dear All,

    I have one Cisco 1841 router and one ISG 1000. I want to implement a route-based VPN between these devices, and I want the 1841 to learn the routes behind the ISG 1000 through OSPF and vice versa.

    I have configured 2 loopback addresses on the Cisco 1841 and advertised them in OSPF. I tried GRE over IPsec and plain IPsec.

    I am unable to get routes through OSPF on either device. I tried to advertise routes through the tunnel interfaces as well.

    The diagram is attached, along with the configs of both the ISG and the Cisco 1841.

    Thanks and regards,

    Badar

    Attachment(s)

    route-based-cisco-ISG.TXT (11 KB)


  • 2.  RE: route based vpn between cisco and netscreen with OSPF

    Posted 12-17-2008 12:50

    It was my understanding that you cannot have route-based VPNs to Cisco routers because the Cisco router actually does a policy-based VPN. This is what I was told, and I have tried with no luck. However, the policy-based VPN is very viable.

    Pat



  • 3.  RE: route based vpn between cisco and netscreen with OSPF

    Posted 12-17-2008 23:58

    Well, as far as I know you can use both route-based and policy-based VPNs with Cisco as long as there is only one subnet in the proxy-id/interesting traffic. If you have more than one VPN subnet you have to use policy-based VPNs or NAT the multiple subnets into one.

    However, that said, there are serious interoperability issues between Cisco and Juniper VPNs when it comes to route-based VPNs. So if possible, it would be much easier to use policy-based VPNs on the Juniper side; this will save you a lot of unnecessary trouble.

    Also have a look at:

    http://kb.juniper.net/KB10980

    http://kb.juniper.net/KB7746

    Regards

    Farrukh



  • 4.  RE: route based vpn between cisco and netscreen with OSPF

    Posted 12-18-2008 02:15

    Hi bro,

    Actually, Cisco uses GRE over IPsec to tunnel routing traffic because only unicast traffic can pass through IPsec, not broadcast or multicast, so routing traffic cannot pass through an IPsec tunnel. The solution is to first tunnel the multicast/broadcast IP payload (like routing protocol traffic) in a GRE tunnel to make it unicast and then encrypt it via the IPsec tunnel.

    But on Juniper firewalls the IPsec tunnel can pass routing traffic, so there is no need for a GRE over IPsec tunnel to pass routing protocol traffic between two Juniper firewalls.

    Now Cisco also supports route-based VPN, which can pass routing traffic through the IPsec VPN without the help of GRE. A sample configuration of a route-based VPN is below:

     

    RTRA(config)# crypto isakmp policy 10
    RTRA(config-isakmp)# encryption 3des
    RTRA(config-isakmp)# hash sha
    RTRA(config-isakmp)# authentication pre-share
    RTRA(config-isakmp)# group 2
    RTRA(config-isakmp)# exit
    RTRA(config)# crypto isakmp key cisco123 address <public IP of ISG> 255.255.255.255 no-xauth
    RTRA(config)# crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
    RTRA(cfg-crypto-trans)# exit
    RTRA(config)# crypto ipsec profile VTI
    RTRA(ipsec-profile)# set transform-set RTRtran
    RTRA(ipsec-profile)# exit
    RTRA(config)# interface tunnel 0
    RTRA(config-if)# ip address 192.168.3.1 255.255.255.0
    RTRA(config-if)# tunnel source <WAN IP at cisco side>
    RTRA(config-if)# tunnel destination <WAN IP of ISG>
    RTRA(config-if)# tunnel mode ipsec ipv4
    RTRA(config-if)# tunnel protection ipsec profile VTI

     

    For routing traffic to pass through, you should enable the routing protocol (e.g. OSPF) on the tunnel interface, not the WAN interface.

    Hope this helps

    Thanks



  • 5.  RE: route based vpn between cisco and netscreen with OSPF

    Posted 12-19-2008 06:48

    In this scenario you don't need any GRE tunnel unless there is an intervening public network between your private networks.

    If your peer IPs are private and reachable, simply run OSPF between your ISG and ISR (1841) devices and configure a static route through your tunnel interface on your ISG towards the encryption domain that sits behind the router (I can see it in your conf). NO static routing is required on your Cisco box. And you don't need to run OSPF on the tunnel interface of the ISG either. Your traffic must be passed through your VPN.



  • 6.  RE: route based vpn between cisco and netscreen with OSPF

    Posted 12-19-2008 11:29

    Furthermore,

    Actually the core point is not to encrypt OSPF-related traffic through the VPN (IPsec), hence you may use this generic ACL on the Cisco side, and let me know if you have further problems:

    access-list 101 deny   ospf any any
    access-list 101 deny   esp any any
    access-list 101 deny   udp any any eq isakmp
    access-list 101 deny   udp any eq isakmp any
    access-list 101 permit ip any any

    OR

    access-list 101 deny   ospf any any
    access-list 101 permit ip <source encryption domain> <dest encryption domain>

    HTH



  • 7.  RE: route based vpn between cisco and netscreen with OSPF

    Posted 12-20-2008 00:09

    Hi

    If you don't encrypt OSPF traffic, meaning routing protocol traffic should not pass through IPsec, then it means you should use static routes for reachability to the remote peer LAN, which of course is not desired.



  • 8.  RE: route based vpn between cisco and netscreen with OSPF

    Posted 12-20-2008 00:27

    Nope, you don't need static routing; you will see that OSPF adjacencies will be established and the ISG and ISR will learn routes via OSPF. Although you may need a tunnel-based route (as used in a traditional route-based VPN) on the ISG only. NO static routing is required on the ISR at all.

    Also simulate the diagram for Cisco routers only, like:

    LAN1-R1------Rx-------R2-LAN2

    You can establish IPsec with OSPF end to end (LAN1 to LAN2) by using the ACL defined in my last post.



  • 9.  RE: route based vpn between cisco and netscreen with OSPF

    Posted 12-20-2008 03:38

    Dear Friends,

    I did all the config told by both of you. One thing is that I have to use an IPsec tunnel between the Cisco router and the ISG/SSG. I need to route all traffic, even OSPF, through the tunnel. We are still trying to configure this, and we have still failed to do it.

    Any more ideas?

    Regards,

    Badar



  • 10.  RE: route based vpn between cisco and netscreen with OSPF

    Posted 12-20-2008 03:47

    Hi Badar,

    Did you try the route-based VPN on Cisco as I posted the configuration of route-based VPN on Cisco? Can you post your configuration on the ISG and Cisco in this connection?

    Thanks



  • 11.  RE: route based vpn between cisco and netscreen with OSPF

    Posted 12-20-2008 04:45

    Dear Bro,

    While applying your config we got the debug on the Cisco router; it says "decrypted packet failed SA identity check" while the tunnel is up on both Cisco and NetScreen. The NetScreen shows no error.

    No ping is successful either way.

    Regards

    Badar



  • 12.  RE: route based vpn between cisco and netscreen with OSPF

    Posted 12-20-2008 11:41

    Kindly paste the IPsec-related configs of both of your boxes.

    regards,



  • 13.  RE: route based vpn between cisco and netscreen with OSPF

    Posted 12-20-2008 12:14

    Are you guys sure VTI-based VPNs are interoperable with Juniper? I thought this was a Cisco proprietary technology?


    Regards

     

    Farrukh Haroon

    CCIE # 20184 (Security) 



  • 14.  RE: route based vpn between cisco and netscreen with OSPF

    Posted 12-20-2008 21:55

    I think I got the answer to my initial concern, this is what the Cisco website says:

    "Dynamic VTIs are standards based, so interoperability in a multiple-vendor environment is supported"

    http://www.ciscosystems.com/en/US/docs/ios/security/configuration/guide/sec_ipsec_virt_tunnl_ps6350_TSD_Products_Configuration_Guide_Chapter.html

    I guess the same is true for Static VTIs (SVTIs).

    Regards

    Farrukh Haroon

    CCIE # 20184 (Security)

    Message Edited by fharoon on 12-21-2008 09:03 AM


  • 15.  RE: route based vpn between cisco and netscreen with OSPF
    Best Answer

    Posted 12-28-2008 23:36

    Dear All,

    At last the route-based IPsec VPN is working with OSPF. Thanks to all of you, especially Mr Kashif and one of my friends, Irfan.

    I am pasting the tested configs of both the Cisco 1841 and the SSG550.

     

    Router1841#sh run
    Building configuration...

    Current configuration : 1551 bytes
    !
    version 12.4
    !
    hostname Router


    username badar privilege 15 password 0 cisco
    !
    !
    crypto isakmp policy 10
     authentication pre-share
     group 2
     lifetime 3600
    crypto isakmp key 6 123456789 address 2.2.2.1
    crypto isakmp keepalive 10
    !
    !
    crypto ipsec transform-set test esp-3des esp-sha-hmac
    !
    crypto ipsec profile VTI
     set transform-set test
    !
    !
    !
    interface Tunnel0
     ip address 10.1.1.2 255.255.255.0
     ip mtu 1400
     tunnel source 2.2.2.2
     tunnel destination 2.2.2.1
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile VTI
    !
    interface FastEthernet0/0
     ip address 192.168.2.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 2.2.2.2 255.255.255.0
     duplex auto
     speed auto
    !
    !
    router ospf 1
     log-adjacency-changes
     redistribute connected
     network 10.1.1.0 0.0.0.255 area 0
     network 192.168.2.0 0.0.0.255 area 0
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.1.1.1
    !
    !

    control-plane
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     password cisco
     login
    !
    scheduler allocate 20000 1000
    end

     

     

    SSG-550

     

    SSG550-> get config

    unset auto-route-export
    set protocol ospf
    set enable
    exit

    set admin name "netscreen"
    set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"

    unset zone "Untrust" tcp-rst
    set zone "MGT" block


    set interface "ethernet0/0" zone "Trust"
    set interface "ethernet0/1" zone "Trust"
    set interface "ethernet0/2" zone "Untrust"
    set interface "tunnel.1" zone "Untrust"
    set interface "loopback.1" zone "Trust"
    set interface "loopback.2" zone "Trust"
    set interface ethernet0/0 ip 192.168.1.1/24
    set interface ethernet0/0 route
    unset interface vlan1 ip
    set interface ethernet0/1 ip 1.2.3.2/30
    set interface ethernet0/1 nat
    set interface ethernet0/2 ip 2.2.2.1/24
    set interface ethernet0/2 route
    set interface loopback.1 ip 10.1.20.0/24
    set interface loopback.1 nat
    set interface loopback.2 ip 192.168.10.254/24
    set interface loopback.2 nat
    set interface tunnel.1 ip 10.1.1.1/24
    set interface tunnel.1 mtu 1400
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip

    set address "Trust" "192.168.1.0/24" 192.168.1.0 255.255.255.0
    set address "Trust" "2.2.2.1/32" 2.2.2.1 255.255.255.255
    set address "Untrust" "192.168.2.0/24" 192.168.2.0 255.255.255.0
    set address "Untrust" "2.2.2.2/32" 2.2.2.2 255.255.255.255
    set ike gateway "to cisco" address 2.2.2.2 Main outgoing-interface "ethernet0/2" preshare "ZVlHvqCtNcmMBZsDRICAURUag2nKme/GUQ==" sec-level compatible
    set ike gateway "to cisco" cert peer-ca-hash 48B76449F3D5FEFA1133AA805E420F0FCA643651

    set vpn "cisco" gateway "to cisco" no-replay tunnel idletime 0 sec-level compatible
    set vpn "cisco" monitor rekey
    set vpn "cisco" id 6 bind interface tunnel.1
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set url protocol websense
    exit
    set anti-spam profile ns-profile
     set sbl default-server enable
    exit
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
    set policy id 1
    set log session-init
    exit
    set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log
    set policy id 2
    set log session-init
    exit

    set route 0.0.0.0/0 gateway 10.1.1.2
    set route 192.168.2.0/24 interface tunnel.1 gateway 10.1.1.2 preference 20
    exit
    set interface ethernet0/0 protocol ospf area 0.0.0.0
    set interface ethernet0/0 protocol ospf enable
    set interface ethernet0/0 protocol ospf cost 1
    set interface ethernet0/1 protocol ospf area 0.0.0.0
    set interface ethernet0/1 protocol ospf enable
    set interface ethernet0/1 protocol ospf retransmit-interval 5
    set interface tunnel.1 protocol ospf area 0.0.0.0
    set interface tunnel.1 protocol ospf enable
    set interface tunnel.1 protocol ospf cost 10
    set interface loopback.1 protocol ospf area 0.0.0.0
    set interface loopback.1 protocol ospf enable
    set interface loopback.1 protocol ospf retransmit-interval 5
    set interface loopback.1 protocol ospf cost 1
    set interface loopback.2 protocol ospf area 0.0.0.0
    set interface loopback.2 protocol ospf enable
    set interface loopback.2 protocol ospf retransmit-interval 5
    set interface loopback.2 protocol ospf cost 1
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    SSG550->

     

    Enjoy .

     

    Regards,

    Badar

    Attachment(s)
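    As an added example (not code from the thread, from Cisco or from Juniper), a small Python cross-check that parses trimmed copies of the Cisco VTI and ScreenOS configs posted above and reports the mismatches that commonly leave an IPsec tunnel "up" with no traffic or no OSPF adjacency: IKE/tunnel endpoints, tunnel interface subnet, MTU, VTI mode, and OSPF enabled on the tunnel interface at both ends. The config excerpts are constructed from the posted configs; the function and key names are my own.

```python
import re
from ipaddress import ip_interface, ip_network
# Constructed excerpts of the two configs posted above (only the lines the checker reads).
CISCO = """interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 ip mtu 1400
 tunnel source 2.2.2.2
 tunnel destination 2.2.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
"""
SCREENOS = """set interface ethernet0/2 ip 2.2.2.1/24
set interface tunnel.1 ip 10.1.1.1/24
set interface tunnel.1 mtu 1400
set ike gateway "to cisco" address 2.2.2.2 Main outgoing-interface "ethernet0/2"
set vpn "cisco" id 6 bind interface tunnel.1
set interface tunnel.1 protocol ospf enable
"""

def grab(pat, text):
    m = re.search(pat, text, re.M)
    return m.group(1) if m else None

def parse_cisco(text):  # tunnel endpoints, tunnel address, MTU and OSPF coverage from an IOS VTI config
    blk = grab(r"^interface Tunnel\d+\n((?: .*\n)+)", text)  # the indented lines under Tunnel0
    tun = ip_interface("/".join(re.search(r"ip address (\S+) (\S+)", blk).groups()))
    # 'network A W area N' carries a wildcard (host) mask, which ip_network accepts as-is
    nets = [ip_network(f"{n}/{w}", strict=False) for n, w in re.findall(r"^ network (\S+) (\S+) area", text, re.M)]
    return {"tun": tun, "mtu": int(grab(r"ip mtu (\d+)", blk) or 1500),
            "local": grab(r"tunnel source (\S+)", blk), "peer": grab(r"tunnel destination (\S+)", blk),
            "vti": "tunnel mode ipsec ipv4" in blk and "tunnel protection ipsec profile " in blk,
            "ospf": any(tun.ip in n for n in nets)}

def parse_screenos(text):  # the same facts from ScreenOS 'get config' output
    tun = grab(r'^set vpn "[^"]+" id \d+ bind interface (\S+)', text)  # tunnel.N the VPN is bound to
    out_if = grab(r'^set ike gateway "[^"]+" address \S+ .*outgoing-interface "([^"]+)"', text)
    ip_of = lambda i: grab(rf"^set interface {re.escape(i)} ip (\S+)", text)
    return {"tun": ip_interface(ip_of(tun)), "mtu": int(grab(rf"^set interface {re.escape(tun)} mtu (\d+)", text) or 1500),
            "local": str(ip_interface(ip_of(out_if)).ip), "peer": grab(r'^set ike gateway "[^"]+" address (\S+)', text),
            "ospf": bool(re.search(rf"^set interface {re.escape(tun)} protocol ospf enable", text, re.M))}

def check(c, n):  # returns the mismatches found; an empty list means both ends describe the same tunnel
    tests = [(c["peer"] == n["local"] and n["peer"] == c["local"], "IKE/tunnel endpoints do not match"),
             (c["tun"].network == n["tun"].network and c["tun"].ip != n["tun"].ip, "tunnel interface subnet mismatch"),
             (c["mtu"] == n["mtu"], "tunnel MTU differs"),
             (c["vti"], "Cisco tunnel is not an IPsec VTI (mode ipsec ipv4 + protection ipsec profile)"),
             (c["ospf"] and n["ospf"], "OSPF is not enabled on the tunnel interface at both ends")]
    return [msg for ok, msg in tests if not ok]
```

    Run `check(parse_cisco(CISCO), parse_screenos(SCREENOS))` against your own `show run` and `get config` text; an empty list means the two ends agree on everything the checker looks at.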



  • 16.  RE: route based vpn between cisco and netscreen with OSPF

    Posted 10-21-2009 11:00

    Hi!

    I was trying to do the same setup stated in this post, but without success.

    Do I need to configure something else? From what I am able to debug, the IPsec SAs are established and the tunnel goes up, but no traffic passes. Any idea?



  • 17.  RE: route based vpn between cisco and netscreen with OSPF

    Posted 03-23-2011 12:56

    Hi, I am trying to get the same thing working. Can you please tell me where you get the peer-ca-hash to input into the NetScreen?

    > set ike gateway "to cisco" cert peer-ca-hash 48B76449F3D5FEFA1133AA805E420F0FCA643651


  • 18.  RE: route based vpn between cisco and netscreen with OSPF

    Posted 01-27-2009 22:15

    Salam Badar Bhai,

    I hope you are doing fine. Sir, whenever you visit Askari Bank do call me and we will discuss that issue. I will give you the solution. Or send me both configs of the ISG & Cisco, I will fix them and send them back to you.

    Thanks

    Best Regards,

    Irfan Ur Rehman