Tech Notes / RtoDto.net
SRX,JunOS,Linux and security
IPSEC VPN between SRX and Cisco
In this post, I would like to share my site-to-site IPsec VPN configuration between an SRX100 (Junos 11.1R4.4) and a Cisco 3725 (IOS 12.4, running on Dynamips).
Cisco Configuration
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco3725
!
boot-start-marker
boot-end-marker
!
enable password 7 030455DDD03241D1C5A
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key juniper123 address 192.168.0.1
!
!
crypto ipsec transform-set vpn-with-junos esp-3des esp-md5-hmac
!
crypto map junos-map 1 ipsec-isakmp
 set peer 192.168.0.1
 set transform-set vpn-with-junos
 match address 101
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.222.2 255.255.255.0
 duplex auto
 speed auto
 crypto map junos-map
!
interface FastEthernet0/1
 ip address 192.168.223.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 192.168.222.1
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.223.0 0.0.0.255 10.3.3.0 0.0.0.255
!
!
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password 7 011B04055E07035Y731F
 login
!
!
end
JUNOS IPSEC related config
[edit]
root@hub# show security ike
proposal cisco-prop {
    authentication-method pre-shared-keys;
    dh-group group1;
    authentication-algorithm md5;
    lifetime-seconds 28800;
}
policy cisco-pol {
    mode main;
    proposals cisco-prop;
    pre-shared-key ascii-text "$9$IB6hyKX7V4aUM8aUjH5TRhSrM8xNdsgo"; ## SECRET-DATA
}
gateway gw-cisco {
    ike-policy cisco-pol;
    address 192.168.222.2;
    external-interface vlan.10;
}
[edit]
root@hub# show security ipsec
proposal cisco-prop {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy cisco-pol {
    proposals cisco-prop;
}
vpn vpn-cisco {
    bind-interface st0.0;
    ike {
        gateway gw-cisco;
        proxy-identity {
            local 10.3.3.0/24;
            remote 192.168.223.0/24;
            service any;
        }
        ipsec-policy cisco-pol;
    }
    establish-tunnels immediately;
}
root@hub# show routing-options
static {
    route 192.168.222.0/24 next-hop 192.168.0.101;
    route 192.168.223.0/24 next-hop 192.168.100.244;
}
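As an added example (my own script, not code from the post), the following Python parses the phase-1 and phase-2 parameters out of both configurations above and reports what an interop check should report: mismatched proposal values, values left at one side's device default, a crypto ACL that is not the mirror image of the SRX proxy-identity, and the legacy choices (3DES, MD5, DH group 1) that interoperate fine here but should not be picked for a new deployment. The embedded config snippets are constructed from the post's configs; the key names such as p1_enc and the function names are my own.

```python
# Added example (not from the original post): cross-check the IKE (phase 1) and
# IPsec (phase 2) parameters of the Cisco and SRX configurations against each other.
import ipaddress
import re

# Constructed from the post's configs (in practice feed in "show running-config"
# and "show configuration security" output).
CISCO_CFG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 28800
crypto ipsec transform-set vpn-with-junos esp-3des esp-md5-hmac
access-list 101 permit ip 192.168.223.0 0.0.0.255 10.3.3.0 0.0.0.255
"""
JUNOS_IKE_CFG = """\
proposal cisco-prop {
    authentication-method pre-shared-keys;
    dh-group group1;
    authentication-algorithm md5;
    lifetime-seconds 28800;
}
"""
JUNOS_IPSEC_CFG = """\
proposal cisco-prop {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
proxy-identity {
    local 10.3.3.0/24;
    remote 192.168.223.0/24;
    service any;
}
"""

# Map each vendor's keywords onto one vocabulary so the two sides can be compared.
CISCO_WORDS = {"3des": "3des", "md5": "md5", "sha": "sha1", "pre-share": "psk",
               "esp-3des": "3des", "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}
JUNOS_WORDS = {"3des-cbc": "3des", "md5": "md5", "sha1": "sha1", "pre-shared-keys": "psk",
               "hmac-md5-96": "md5", "hmac-sha1-96": "sha1", "group1": "1", "group2": "2"}
# IOS "crypto isakmp policy" sub-commands and the normalised key they fill.
P1_KEYS = {"encr": "p1_enc", "hash": "p1_hash", "authentication": "p1_auth",
           "group": "p1_dh", "lifetime": "p1_life"}
# Interoperates fine, but should not be chosen for a new deployment.
LEGACY = {"3des": "3DES", "md5": "MD5", "1": "DH group 1 (768-bit)"}


def parse_cisco(text):
    """Phase-1/phase-2 settings plus the crypto ACL as (local, remote) networks."""
    out = {}
    for line in text.splitlines():
        t = line.split()
        if t and t[0] in P1_KEYS:
            out[P1_KEYS[t[0]]] = CISCO_WORDS.get(t[1], t[1])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            out["p2_enc"], out["p2_hash"] = CISCO_WORDS[t[4]], CISCO_WORDS[t[5]]
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            # IOS ACLs use wildcard masks; ipaddress accepts them as hostmasks.
            out["p2_local"] = ipaddress.ip_network(f"{t[4]}/{t[5]}")
            out["p2_remote"] = ipaddress.ip_network(f"{t[6]}/{t[7]}")
    out.setdefault("p1_dh", "1")  # IOS default when the policy has no "group" line
    return out


def parse_junos(ike_text, ipsec_text):
    """Same keys as parse_cisco(), from the ike/ipsec proposals and the proxy-identity."""
    kv = lambda s: dict(re.findall(r"^\s*([\w-]+)\s+([\w./-]+);", s, re.M))
    ike, ipsec = kv(ike_text), kv(ipsec_text)
    out = {"p1_auth": ike["authentication-method"], "p1_dh": ike["dh-group"],
           "p1_hash": ike["authentication-algorithm"], "p1_life": ike["lifetime-seconds"],
           "p2_enc": ipsec["encryption-algorithm"], "p2_hash": ipsec["authentication-algorithm"],
           "p2_local": ipaddress.ip_network(ipsec["local"]),
           "p2_remote": ipaddress.ip_network(ipsec["remote"])}
    if "encryption-algorithm" in ike:  # the post's IKE proposal leaves it at the default
        out["p1_enc"] = ike["encryption-algorithm"]
    return {k: JUNOS_WORDS.get(v, v) if isinstance(v, str) else v for k, v in out.items()}


def compare(cisco, junos):
    """Return human-readable findings; an empty list means the two sides fully agree."""
    findings = []
    for key in sorted(set(cisco) | set(junos)):
        if key.endswith(("_local", "_remote")):
            continue
        a, b = cisco.get(key), junos.get(key)
        if a is None or b is None:
            findings.append(f"{key}: unspecified on one side (device default applies)")
        elif a != b:
            findings.append(f"{key}: mismatch cisco={a} junos={b}")
        legacy = LEGACY.get(str(a)) or LEGACY.get(str(b))
        if legacy:
            findings.append(f"{key}: legacy choice {legacy}")
    # The ACL is written from the Cisco side, so it must mirror the SRX proxy-identity.
    if (cisco["p2_local"], cisco["p2_remote"]) != (junos["p2_remote"], junos["p2_local"]):
        findings.append("proxy-id: crypto ACL and proxy-identity are not mirror images")
    return findings


def check_post_configs():
    return compare(parse_cisco(CISCO_CFG), parse_junos(JUNOS_IKE_CFG, JUNOS_IPSEC_CFG))
```

Run against the post's two configs, check_post_configs() reports no mismatch and a correctly mirrored proxy-ID, only the legacy-algorithm findings and the note that the SRX IKE proposal leaves its encryption algorithm at the device default. Changing the hash on either side turns that into a p1_hash mismatch, which is the kind of proposal disagreement that otherwise only shows up in the IKE debug logs.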
Troubleshooting outputs
[edit]
root@hub# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
528164  UP     aa10d2af78cf71e3  c90e04cbcd0385b9  Main  192.168.222.2
root@hub# run show security ipsec security-associations
  Total active tunnels: 1
  ID       Algorithm     SPI       Life:sec/kb    Mon vsys Port Gateway
  <131075  ESP:3des/md5  a9fd9418  2106/ 3686400  -   root 500  192.168.222.2
  >131075  ESP:3des/md5  c90f79c   2106/ 3686400  -   root 500  192.168.222.2
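An added example, not from the post: a small Python parser for the "show security ipsec security-associations" table above that checks what a healthy tunnel must show, namely an inbound (<) and an outbound (>) SA to the same gateway, the same ESP algorithms in both directions, and enough lifetime left. The sample table is constructed from the post's output; the min_life_seconds threshold and the function names are my own.

```python
# Added example (not from the original post): turn the SRX IPsec SA table into a
# per-tunnel health report, the kind of check a monitoring job would run.
import re

# Constructed from the output shown in the post (banner and header line included).
SA_OUTPUT = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  <131075 ESP:3des/md5 a9fd9418 2106/ 3686400   -   root 500   192.168.222.2
  >131075 ESP:3des/md5 c90f79c  2106/ 3686400   -   root 500   192.168.222.2
"""

# direction, id, algorithm, SPI, life seconds, life kbytes, monitor, vsys, port, gateway
SA_LINE = re.compile(
    r"^\s*([<>])(\d+)\s+(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)"
)


def parse_sa_table(text):
    """One dict per SA line; direction is '<' for inbound and '>' for outbound."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue  # banner and header lines
        direction, sa_id, algo, spi, life_s, life_kb, mon, vsys, port, gw = m.groups()
        sas.append({"id": int(sa_id), "direction": direction, "algorithm": algo,
                    "spi": spi, "life_seconds": int(life_s), "life_kb": int(life_kb),
                    "monitor": mon, "vsys": vsys, "port": int(port), "gateway": gw})
    return sas


def tunnel_health(text, min_life_seconds=300):
    """Group SAs by tunnel ID; {id: {"gateway": ..., "sas": {...}, "problems": [...]}}."""
    tunnels = {}
    for sa in parse_sa_table(text):
        t = tunnels.setdefault(sa["id"], {"gateway": sa["gateway"], "sas": {}, "problems": []})
        t["sas"][sa["direction"]] = sa
    for t in tunnels.values():
        inbound, outbound = t["sas"].get("<"), t["sas"].get(">")
        if inbound is None:
            t["problems"].append("no inbound SA")
        if outbound is None:
            t["problems"].append("no outbound SA")
        if inbound and outbound:
            if inbound["algorithm"] != outbound["algorithm"]:
                t["problems"].append("algorithm differs between directions")
            if inbound["gateway"] != outbound["gateway"]:
                t["problems"].append("gateway differs between directions")
        for sa in t["sas"].values():
            if sa["life_seconds"] < min_life_seconds:
                t["problems"].append(f"{sa['direction']} SA expires in {sa['life_seconds']}s")
    return tunnels
```

On the post's output, tunnel 131075 comes back with an empty problem list; a table that shows only one direction (a common symptom of a one-sided rekey or a mismatched proxy-ID) is reported as "no outbound SA" or "no inbound SA", and a small remaining lifetime is reported per direction so a rekey that is not happening becomes visible before the tunnel drops.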
And finally, the proof that the IPsec tunnel works:
root@hub# run ping 192.168.223.1 source 10.3.3.1
PING 192.168.223.1 (192.168.223.1): 56 data bytes
64 bytes from 192.168.223.1: icmp_seq=0 ttl=255 time=12.787 ms
64 bytes from 192.168.223.1: icmp_seq=1 ttl=255 time=9.699 ms
64 bytes from 192.168.223.1: icmp_seq=2 ttl=255 time=9.372 ms
I first tried to set up a multipoint tunnel interface on the SRX side, but I could never get it to work. With a multipoint interface, NHTB (next-hop tunnel binding) is required, like this:
root@hub# top show interfaces st0.0
multipoint;
family inet {
    next-hop-tunnel 192.168.100.244 ipsec-vpn vpn-cisco;
    address 192.168.100.5/24;
}
PS: 192.168.100.244 is a dummy IP; it doesn't have to be assigned to any interface.
PS: Why can the st0.0 interface be down? With multipoint VPN tunnels, at least one of the tunnels must be UP (i.e. its IPsec SA must be established) for the st0.0 interface to come up.