SRX Services Gateway

Allow (CiscoVPN) IPsec through

12-16-2009 04:27 AM

I've just received notice that some users in our "internal" network want to use a CiscoVPN solution to connect from their PCs to a remote server. As far as I can tell, this is based on IPsec.

The default policy from internal to external is "permit" (for source-address any; destination-address any; application any). Does this cover protocols like ESP (50) and AH (51), or does it only mean TCP?

If the latter (since it does not seem to work), how do I allow IPsec to pass through?

Many thanks in advance,
8 REPLIES
Re: Allow (CiscoVPN) IPsec through

12-16-2009 07:48 AM

Hello,

AFAIAA, the Cisco VPN client can also work over TCP/10000, UDP/10000 or UDP/4500 depending on version. It may be a good idea to try and reconfigure the VPN clients for these users, since you mentioned only "some users" have trouble.

I'd hazard a guess that your users in "internal" network are also NAPT-ed when going to "external", or are they?

If yes, then I think that NAT-ing ESP/proto 50 could only be done statically at the moment.

Rgds

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
Re: Allow (CiscoVPN) IPsec through

12-16-2009 08:17 AM

During Phase 1 negotiation, you will need UDP 500 (ISAKMP).  Phase 2 (the encrypted data) can be passed on numerous ports, ranging from ESP to TCP/10000 to Custom UDP ports.  We run our Cisco VPN environment with IPSec over a custom UDP port.  We also run NAT-T (UDP 4500).  I do not know if Juniper's "application any" looks at the IP header for protocol, such as TCP (protocol 6), UDP (protocol 17), ESP (protocol 50) or if it looks at the TCP/UDP header for port.  I know with Cisco, an ACL is based on the layer 3 protocol.  Example, permit ip any any.  That would allow all TCP or UDP ports from any host to any host.  It would not allow ESP, ICMP or GRE.  To allow those protocols, the statement would have to read, permit esp any any, or permit icmp any any.  I hope this helps.

____________
CCNP - GCFW
Re: Allow (CiscoVPN) IPsec through

12-16-2009 08:41 AM

Thanks for your reply!

Oh, yes, I forgot to mention this very important fact: the "internal" network is NAT-ted, and as a matter of fact NAPT: all internal addresses of 10.x.x.x get mapped to a (small) range of public IP addresses (and ports).

I didn't mention that "only some users" have trouble; "only some users" want to use this connection method and they all have trouble :-)

Any reference to NAT-ing ESP and/or AH?

Re: Allow (CiscoVPN) IPsec through

12-16-2009 08:49 AM

This question would have to be answered by someone more knowledgeable in JUNOS than I. The real question comes back to the "match application any" statement. What exactly does the "any" include?

____________
CCNP - GCFW
Re: Allow (CiscoVPN) IPsec through

12-16-2009 09:08 AM

I think I found what you need.  You might have to create a custom application with protocol option.  Try this and see if it works.

applications {
    /* ESP carries no ports, so this application matches on IP protocol 50 alone */
    application ESP {
        protocol esp;
    }
    application ISAKMP {
        protocol udp;
        destination-port 500;
    }
    /* NAT-T: IKE and ESP encapsulated in UDP when the client sits behind NAT */
    application NAT-T {
        protocol udp;
        destination-port 4500;
    }
    application-set Cisco_VPN {
        application ESP;
        application NAT-T;
        application ISAKMP;
    }
}

/* under [edit security policies] */
from-zone trust to-zone untrust {
    policy permit_Cisco_VPN {
        match {
            source-address any;
            destination-address any;
            application Cisco_VPN;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
            count;
        }
    }
}

You can add more custom applications to the application-set Cisco_VPN and then just reference the application-set Cisco_VPN in your policy. I would ask the Cisco VPN administrator what client ports/protocols they have configured and add them all to the Cisco_VPN application-set. Source NAT should only be looking at source and destination IP addressing, so I do not think you will need to add any application-specific information to the source NAT rules.

Hope this helps.

____________
CCNP - GCFW
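As an added example (not from this thread, nor Juniper's or Cisco's own code), a small Python script that parses the applications stanza above in its brace form and reports which application in Cisco_VPN would match a given IP protocol number and destination port; it also shows that AH (protocol 51) and TCP/10000, both mentioned earlier in the thread, are not covered by this set. It assumes matching on protocol and destination port only; real Junos applications also take source ports, port ranges, ALGs and timeouts, which are not modelled here.

```python
import re
# Constructed sample: the applications stanza from the post above, written compactly.
SAMPLE = """applications {
    application ESP protocol esp;
    application ISAKMP { protocol udp; destination-port 500; }
    application NAT-T { protocol udp; destination-port 4500; }
    application-set Cisco_VPN { application ESP; application NAT-T; application ISAKMP; }
}"""

# IP protocol numbers for the keywords Junos accepts after 'protocol'.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}

def parse_junos(text):
    # Flatten brace-style config into full statement paths (tuples of words).
    stack, cur, stmts = [], [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":            # words before '{' become a path component
            stack.append(cur)
            cur = []
        elif tok == "}":
            stack.pop()
            cur = []
        elif tok == ";":          # statement = enclosing path + pending words
            stmts.append(tuple(w for part in stack for w in part) + tuple(cur))
            cur = []
        else:
            cur.append(tok)
    return stmts

def build_apps(stmts):
    # Collect custom applications and application-sets from the parsed statements.
    apps, sets = {}, {}
    for s in stmts:
        if s[:2] == ("applications", "application") and len(s) == 5:
            apps.setdefault(s[2], {})[s[3]] = s[4]
        elif s[:2] == ("applications", "application-set") and len(s) == 5:
            sets.setdefault(s[2], []).append(s[4])
    return apps, sets

def matching_apps(apps, sets, set_name, ip_proto, dport=None):
    # ESP and AH carry no ports, so a port-less application matches on protocol alone.
    hits = []
    for name in sets[set_name]:
        proto = apps[name].get("protocol", "")
        port = apps[name].get("destination-port")
        wanted = PROTO_NUMBERS.get(proto, int(proto) if proto.isdigit() else None)
        if wanted == ip_proto and (port is None or int(port) == dport):
            hits.append(name)
    return hits
```

Calling matching_apps with (17, 500), (17, 4500) and (50) returns ISAKMP, NAT-T and ESP respectively, while (51) and (6, 10000) return nothing, so AH or TCP-encapsulated clients would need their own application added to the set.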
Re: Allow (CiscoVPN) IPsec through

12-16-2009 09:23 AM
Hello there,

ScreenOS supports this from 6.3 onwards

http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_rn_r1.pdf page 9

Also

http://kb.juniper.net/index?page=content&id=KB13422

I have no idea when ESP NAT with IP overload is going to be supported in SRX.

Also, Cisco IOS supports this only with "predictive SPI"

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsecnat.html#wp1054728

Rgds

Alex

Re: Allow (CiscoVPN) IPsec through

08-26-2013 03:30 PM

I know your post is from like 4 years ago, but the config snippet resolved the problem I was having, so thanks!

Re: Allow (CiscoVPN) IPsec through

08-29-2013 02:05 AM

I also met this problem. Cisco VPN uses fragmented packets; if you configure the IP fragment screen options, the device will drop fragmented IP packets, so users cannot connect to Cisco VPN.