This post describes the steps to configure a Site-to-Site VPN between a Juniper ScreenOS firewall and the Cisco ASA firewall. With the correct IKE and IPsec parameters as well as the correct Proxy IDs on both sides, the VPN establishment works without any problems. And since the Juniper firewall can ping an IPv4 address on the remote side through the tunnel (VPN Monitor), the VPN tunnel is established by the firewalls themselves without the need for initial traffic.
The following figure shows my test laboratory:
The Juniper SSG 5 firewall had version 6.3.0r16.0 installed, while the Cisco ASA 5505 ran on version 9.1(4).
Note that I am not showing the creation of the IKE and IPsec parameter sets since their reference names are self-explanatory, such as “pre-g5-aes256-sha1” and “g5-esp-aes256-sha1-3600”.
Concerning the automatic tunnel establishment: The Juniper VPN Monitor, which pings the inside interface of the ASA, only works if the “Management Access Interface” on the ASA is set to the inside interface whose address is being pinged. Otherwise, the ASA will not reply to these ping requests and will generate log messages such as “Failed to locate egress interface for ICMP from outside: …”. Really bad! Especially if you have more than one inside network.
Juniper ScreenOS SSG
The creation of the VPN on the ScreenOS device requires the following steps: tunnel interface, gateway, AutoKey IKE with Proxy IDs, and static IPv4 route through the tunnel. The following screenshots document these steps:
On the Cisco ASA, a Group Policy and a Connection Profile must be created. In the following screenshots, I am also showing the created Crypto Map:
Monitoring the VPN Sessions
Due to the VPN Monitor on the Juniper firewall, the tunnel should be established right after all configuration settings are done. The Juniper monitor status will indicate an “Up” link and the logs filtered to the peer IPv4 address will show several success messages:
The same is true for the Cisco ASA, which will reveal the successful VPN tunnel with the chosen security parameters:
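As an added example (not the author's configuration, which exists only in the screenshots), the following CLI fragments show how the steps above map onto ScreenOS and ASA 9.1 commands. The addresses (198.51.100.1 for the SSG, 203.0.113.2 for the ASA, 192.168.10.0/24 behind the SSG, 192.168.20.0/24 behind the ASA), the interface, object and map names, and the pre-shared key are assumed placeholders; the ScreenOS proposal names are the ones the post mentions. Lines beginning with # or ! are annotations, not commands.

```text
# --- Juniper ScreenOS (assumed: ethernet0/0 = untrust, bgroup0 = trust) ---
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set ike gateway "gw-asa" address 203.0.113.2 Main outgoing-interface ethernet0/0 preshare "PSK-PLACEHOLDER" proposal "pre-g5-aes256-sha1"
set vpn "vpn-asa" gateway "gw-asa" no-replay tunnel idletime 0 proposal "g5-esp-aes256-sha1-3600"
set vpn "vpn-asa" bind interface tunnel.1
# Proxy IDs must mirror the ASA crypto ACL exactly (local/remote swapped)
set vpn "vpn-asa" proxy-id local-ip 192.168.10.0/24 remote-ip 192.168.20.0/24 "ANY"
# VPN Monitor pings the ASA inside interface; "rekey" brings the tunnel up without user traffic
set vpn "vpn-asa" monitor source-interface bgroup0 destination-ip 192.168.20.1 rekey
set route 192.168.20.0/24 interface tunnel.1
set policy from trust to untrust 192.168.10.0/24 192.168.20.0/24 any permit
set policy from untrust to trust 192.168.20.0/24 192.168.10.0/24 any permit

! --- Cisco ASA 9.1 (IKEv1 keywords; 'outside'/'inside' interface names assumed) ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
object network NET-ASA-INSIDE
 subnet 192.168.20.0 255.255.255.0
object network NET-SSG-INSIDE
 subnet 192.168.10.0 255.255.255.0
! NAT exemption so tunnel traffic is not translated
nat (inside,outside) source static NET-ASA-INSIDE NET-ASA-INSIDE destination static NET-SSG-INSIDE NET-SSG-INSIDE no-proxy-arp route-lookup
! Crypto ACL = Proxy ID as seen from the ASA
access-list ACL-VPN-SSG extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map CM-OUTSIDE 10 match address ACL-VPN-SSG
crypto map CM-OUTSIDE 10 set peer 198.51.100.1
crypto map CM-OUTSIDE 10 set ikev1 transform-set TS-AES256-SHA
crypto map CM-OUTSIDE 10 set pfs group5
crypto map CM-OUTSIDE 10 set security-association lifetime seconds 3600
crypto map CM-OUTSIDE interface outside
group-policy GP-L2L-SSG internal
group-policy GP-L2L-SSG attributes
 vpn-tunnel-protocol ikev1
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 general-attributes
 default-group-policy GP-L2L-SSG
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key PSK-PLACEHOLDER
! Required so the ASA answers the VPN Monitor pings to its inside interface
management-access inside
```

The Juniper Proxy ID and the ASA crypto ACL must describe the same pair of networks, and the phase 1/phase 2 parameters (AES-256, SHA-1, DH group 5, PFS group 5, 3600 s phase 2 lifetime) must match on both sides; a mismatch in either shows up as a phase 2 negotiation failure in the logs described above.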
2 thoughts on “IPsec Site-to-Site VPN Juniper ScreenOS <-> Cisco ASA”
Can I get a template when using the CLI to configure the site-to-site VPN on both devices, since the HTTPS server has not been enabled?
Yes, it would have been a good idea to publish a CLI template as well. Unluckily, I don’t have one out of the box. You have to figure out the CLI lines according to the screenshots by yourself. I am sorry.