SRX Services Gateway

Has anyone ever succeeded with a site-to-site VPN configuration between Juniper SRX and Cyberoam?

‎06-12-2014 08:04 AM

I would like to establish a site-to-site VPN between my HQ (which is using Cyberoam) and my Branch Office (which is using a Juniper SRX240). There are multiple subnets on both sides.

I have been following the guide shown here: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21238

My achievement so far is only being able to ping a remote host (192.168.20.1) at HQ from a local host (10.10.10.1) at BO. The weird thing is that the remote host (192.168.20.1) fails to send ICMP packets to my local host (10.10.10.1) at BO.

Does anyone have any idea regarding this? ^

However, when I try to send ICMP packets from another local host (192.168.10.1) at BO to the same remote host (192.168.20.1) at HQ, it fails too.

For your better understanding, I have attached my network diagram here.

Kindly advise.


Re: Has anyone ever succeeded with a site-to-site VPN configuration between Juniper SRX and Cyberoam?

‎06-12-2014 06:42 PM

I have attached a snippet of my configuration here.

I would appreciate it a lot if someone could look into this matter and shed some light on it. Thanks a lot.


Re: Has anyone ever succeeded with a site-to-site VPN configuration between Juniper SRX and Cyberoam?

‎06-16-2014 03:48 AM

Hi jasonlim,

I would suggest keeping the configuration simple.

Creating routing instances and importing the routes between them is a little complicated.

From the configuration, you have 2 local subnets (10.10.10.0/24 & 192.168.10.0/24) and 1 remote subnet (192.168.20.0/24).

A policy-based VPN will be best suited for this kind of setup,

or, in the latest Junos code (12.1X46 onwards), in a route-based configuration we can specify many traffic selectors under one st0 interface.


Configuration for policy-based tunnels (proxy-IDs are derived from the security policy, so separate policies are needed):

1. Security VPN configuration:

    set security ipsec vpn vpn1 ike gateway ike_gw
    set security ipsec vpn vpn1 ike ipsec-policy ipsec_pol

Also add the establish-tunnels immediately configuration.

2. Two security policies are needed from the trust to the untrust zone:

    1. policy with source as 10.10.10.0/24 and destination as 192.168.20.0/24
    2. policy with source as 192.168.10.0/24 and destination as 192.168.20.0/24

+++++++++++++++++++++++++++

In Junos 12.1X46, traffic selector configuration:

http://www.juniper.net/techpubs/en_US/junos12.1x46/topics/example/ipsec-vpn-traffic-selector-configu...

Example config:

    vpn ipsec-vpn-to-he-srx {
        bind-interface st0.1;
        ike {
            ipsec-policy ipsec_policy;
            gateway ike-gateway-to-he-srx;
        }
        traffic-selector TS2-ipv4 {
            local-ip 10.1.1.0/24;
            remote-ip 20.1.0.0/16;
        }
        traffic-selector TS3-ipv4 {
            local-ip 10.1.1.0/24;
            remote-ip 20.1.1.0/24;
        }
    }

Regards,
rparthi
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too] .....
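
The policy-based layout described in the reply above, written out as Junos set commands for the subnets in this thread. This is an added example, not configuration posted by anyone in the thread: the address and policy names are placeholders, the global address book is an assumption, and the untrust-to-trust policies with pair-policy are an addition so that traffic initiated from HQ is matched as well.

```junos
# Added example. vpn1, ike_gw, ipsec_pol and the trust/untrust zones come from
# the reply; every other name below is a placeholder.

# 1. Policy-based VPN object: no bind-interface, tunnel brought up at commit
set security ipsec vpn vpn1 ike gateway ike_gw
set security ipsec vpn vpn1 ike ipsec-policy ipsec_pol
set security ipsec vpn vpn1 establish-tunnels immediately

# Address objects for the three subnets named in the thread
# (assumes a global address book rather than zone-attached ones)
set security address-book global address bo-lan-10 10.10.10.0/24
set security address-book global address bo-lan-192 192.168.10.0/24
set security address-book global address hq-lan-20 192.168.20.0/24

# 2. One tunnel policy per local subnet. Each policy yields one proxy-ID:
#    local = source-address, remote = destination-address, service = application.
set security policies from-zone trust to-zone untrust policy bo10-to-hq match source-address bo-lan-10
set security policies from-zone trust to-zone untrust policy bo10-to-hq match destination-address hq-lan-20
set security policies from-zone trust to-zone untrust policy bo10-to-hq match application any
set security policies from-zone trust to-zone untrust policy bo10-to-hq then permit tunnel ipsec-vpn vpn1
set security policies from-zone trust to-zone untrust policy bo10-to-hq then permit tunnel pair-policy hq-to-bo10

set security policies from-zone trust to-zone untrust policy bo192-to-hq match source-address bo-lan-192
set security policies from-zone trust to-zone untrust policy bo192-to-hq match destination-address hq-lan-20
set security policies from-zone trust to-zone untrust policy bo192-to-hq match application any
set security policies from-zone trust to-zone untrust policy bo192-to-hq then permit tunnel ipsec-vpn vpn1
set security policies from-zone trust to-zone untrust policy bo192-to-hq then permit tunnel pair-policy hq-to-bo192

# Reverse direction (addition, not in the reply): lets HQ-initiated traffic
# match the same tunnel; pair-policy ties each direction to one SA pair.
set security policies from-zone untrust to-zone trust policy hq-to-bo10 match source-address hq-lan-20
set security policies from-zone untrust to-zone trust policy hq-to-bo10 match destination-address bo-lan-10
set security policies from-zone untrust to-zone trust policy hq-to-bo10 match application any
set security policies from-zone untrust to-zone trust policy hq-to-bo10 then permit tunnel ipsec-vpn vpn1
set security policies from-zone untrust to-zone trust policy hq-to-bo10 then permit tunnel pair-policy bo10-to-hq

set security policies from-zone untrust to-zone trust policy hq-to-bo192 match source-address hq-lan-20
set security policies from-zone untrust to-zone trust policy hq-to-bo192 match destination-address bo-lan-192
set security policies from-zone untrust to-zone trust policy hq-to-bo192 match application any
set security policies from-zone untrust to-zone trust policy hq-to-bo192 then permit tunnel ipsec-vpn vpn1
set security policies from-zone untrust to-zone trust policy hq-to-bo192 then permit tunnel pair-policy bo192-to-hq
```

The peer has to define the mirrored local/remote subnet pairs (192.168.20.0/24 to 10.10.10.0/24 and to 192.168.10.0/24) for phase 2 to match; after commit, `show security ipsec security-associations` shows whether an SA pair came up for each subnet pair.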


Re: Has anyone ever succeeded with a site-to-site VPN configuration between Juniper SRX and Cyberoam?

‎06-16-2014 04:34 AM

Hi rparthi,

Thanks for replying to my question. 🙂

Unfortunately, the traffic travelling through the VPN is required to be NATed. Hence, I can only proceed with a route-based VPN.

Can the traffic selector configuration be used to pair with a non-Juniper device (which is a Cyberoam in my case)?

Given the configuration provided by you, I have made a few amendments to my configuration, which are removing the -multipoint with next-hop-tunnel, policy-options, firewall filter and routing-instances. Also, I am using only 1 IPsec VPN (vpn1) instead of 2 IPsec VPNs (vpn1 & vpn2).

I would appreciate it a lot if you could take a look at it and see whether it is working or not.


Re: Has anyone ever succeeded with a site-to-site VPN configuration between Juniper SRX and Cyberoam?

‎06-16-2014 05:09 AM

Hi,

Configuration looks good.

Try doing a commit and verify whether it works fine.

If it is not working, then roll back the changes and update me with the complete new traffic-selector-related configuration.

 

Regards,
rparthi
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too] .....


Re: Has anyone ever succeeded with a site-to-site VPN configuration between Juniper SRX and Cyberoam?

‎07-05-2014 06:47 PM

Hi,

JTAC has taken over this case and is making up a new configuration; however, the VPN establishment seems to fail with Cyberoam.

Anyway, thanks for your help. 🙂 Kudos to you.
