SRX Services Gateway

IPSEC VPN between SRX100 (dynamic IP) and Cisco ASA (Static IP)

11-25-2011 12:40 PM

Hi Experts,

I have a scenario with an SRX100 on a dynamic IP and a Cisco ASA on a static public IP. I need to configure a site-to-site IPsec VPN. My question is this: on the SRX100 we will define the IKE gateway and local identity as below:

set security ike gateway CISCO-ASA local-identity hostname srx100

But what is the Cisco ASA equivalent of the JUNOS command below, which defines the SRX100 as a dynamic peer?

set security ike gateway JUNIPER-SRX100 dynamic hostname srx100

Re: IPSEC VPN between SRX100 (dynamic IP) and Cisco ASA (Static IP)

11-27-2011 11:04 AM

In Juniper you will have to go for "aggressive" mode VPN instead of "main" mode ....

see http://forums.juniper.net/t5/SRX-Services-Gateway/Full-mesh-route-based-VPN-with-one-odd-ball/td-p/7...
Hafiz Muhammad Farooq
JNCIE-SEC, JNCIP-SEC, JNCIS-SEC, JNCIS-FWV
JNCIS-SP, JNCIS-SA, JNCIA-JUNOS
IBM Qradar Deployment Professional

[Please mark it as Accepted Solution if it works, Kudos if you like]

Re: IPSEC VPN between SRX100 (dynamic IP) and Cisco ASA (Static IP)

11-27-2011 11:11 AM

Which Cisco ASA firewall are you using ... tell me if I could write a config for you ...
Hafiz Muhammad Farooq
JNCIE-SEC, JNCIP-SEC, JNCIS-SEC, JNCIS-FWV
JNCIS-SP, JNCIS-SA, JNCIA-JUNOS
IBM Qradar Deployment Professional

[Please mark it as Accepted Solution if it works, Kudos if you like]

Re: IPSEC VPN between SRX100 (dynamic IP) and Cisco ASA (Static IP)

11-27-2011 11:20 PM

Hi,

In Cisco ASA there is a command to specify the IKE identity of the peer as either IP address or hostname, based on the requirement. If the peer end has a dynamic IP, you can go for the below config, and you can specify the local IKE identity value as below.

cisco(config)#crypto isakmp peer hostname srx100.juniper.net  -> peer end ike identification

cisco10(config)#crypto isakmp identity address  -> local ike identification type

Re: IPSEC VPN between SRX100 (dynamic IP) and Cisco ASA (Static IP)

12-06-2011 09:38 PM

Hi Venu,

So, just to understand what you wrote: if I have an ASA with a static IP on one side and an ASA with a dynamic IP address on the other side, then you mean that on the static-side ASA I need to run the below command to specify the peer ID:

cisco(config)#crypto isakmp peer hostname srx100.juniper.net  -> peer end ike identification

And on the dynamic-side ASA I need to run the below command to specify the local ID:

cisco10(config)#crypto isakmp identity hostname srx100.juniper.net

Am I right in understanding?

Thanks

Re: IPSEC VPN between SRX100 (dynamic IP) and Cisco ASA (Static IP)

12-11-2011 10:45 PM

Yes, if you are using ASA on both ends, the 1st command reflects the IKE identity of the peer and the second command specifies the local identity value. If the dynamic end is our SRX and you don't mention the remote-identity value explicitly, the SRX will take the gateway address as the remote IKE identity, which is the default behavior. In this case use the below command:

cisco10(config)#crypto isakmp identity address 
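
The identity matching discussed in this thread, shown with both ends in Junos syntax as an added example (not from any poster). The peer address 203.0.113.1, the interface names, the proposal and policy names, and the key are placeholders; the static side is written as a second SRX only to show which strings must match, and is not ASA configuration.

```junos
# Added example; all addresses, interfaces, names and the key are constructed placeholders.

# == Dynamic-IP side (the SRX100). It always initiates, because the static
# == peer cannot know its current address.
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group14
set security ike proposal IKE-PROP authentication-algorithm sha-256
set security ike proposal IKE-PROP encryption-algorithm aes-256-cbc
# Aggressive mode: the peer must select the pre-shared key by IKE ID, not by
# source IP. The ID travels in clear text and a key-derived hash is exposed
# to anyone who can observe or solicit the exchange, so the key must be long
# and random.
set security ike policy IKE-POL mode aggressive
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-KEY"
set security ike gateway CISCO-ASA ike-policy IKE-POL
set security ike gateway CISCO-ASA address 203.0.113.1
# Identity TYPE (hostname) and VALUE (srx100) are both sent to the peer.
set security ike gateway CISCO-ASA local-identity hostname srx100
set security ike gateway CISCO-ASA external-interface fe-0/0/0.0

# == Static-IP side, expressed in Junos terms for comparison.
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group14
set security ike proposal IKE-PROP authentication-algorithm sha-256
set security ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set security ike policy IKE-POL mode aggressive
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-KEY"
set security ike gateway JUNIPER-SRX100 ike-policy IKE-POL
# No "address" statement here: the peer is accepted by identity. The type and
# value must equal the dynamic side's local-identity exactly, otherwise
# phase 1 is rejected.
set security ike gateway JUNIPER-SRX100 dynamic hostname srx100
set security ike gateway JUNIPER-SRX100 external-interface ge-0/0/0.0
```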

Re: IPSEC VPN between SRX100 (dynamic IP) and Cisco ASA (Static IP)

01-01-2012 11:24 PM

Thanks Dear

Re: IPSEC VPN between SRX100 (dynamic IP) and Cisco ASA (Static IP)

11-25-2013 01:03 AM

Hi Venu,

Can you give us sample configs for your post? This is a good source for this forum.

Thanks a lot