And finally: A route-based VPN between a Juniper ScreenOS SSG firewall and a Cisco router with a virtual tunnel interface (VTI). Both sides with tunnel interfaces and IPv4 addresses. Both sides with a real routing entry in the routing table. Great. ;)
(The VPN between those two parties without a tunnel interface on the Cisco router is documented here. However, use the route-based VPN where you can. It is easier and more flexible. Routing decisions based on the routing table. This is how it should be.)
My lab with a SSG5 (6.3.0r17.0) and a Cisco 2811 (12.4(24)T8):
Laboratory
Juniper ScreenOS SSG
The configuration steps on the SSG are the following:
- P1 and P2 Proposals, e.g., PFS group 14 (!), AES256, SHA1, 28800/3600 sec
- Gateway with the IPv4 address of the other side (Cisco router), Preshared Key and user defined P1 Proposal
- Numbered (Fixed IP) Tunnel Interface
- AutoKey IKE profile which points to the just created gateway, P2 proposal and tunnel interface. The VPN Monitor can be set to automatically build the tunnel
- Route through the tunnel interface with a gateway IP address of the tunnel interface of the other side
Here are my configuration screenshots:
Cisco Router
These are the commands for the Cisco CLI. The crypto isakmp policy and crypto ipsec transform-set values are exactly the same as the P1 and P2 proposals on the SSG. The crypto ipsec profile references the transform-set and is configured with a perfect forward secrecy (PFS) group of 14. The interface Tunnel has an IPv4 address, a source and destination (the outside/untrust IP addresses of the router and the firewall), a mode of ipsec ipv4 and a reference to the ipsec profile. Finally, the route to the remote network points through the tunnel interface. (Note that this VPN does not use the “crypto map” commands.)
```
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
 lifetime 28800
!
crypto isakmp key aXedLr6oO4P83QIM2HlQPQnHy3aO9f address 172.16.1.1
!
crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SSG
 set transform-set aes256-sha
 set pfs group14
!
interface Tunnel111
 ip address 10.0.0.10 255.255.255.252
 tunnel source 172.16.1.5
 tunnel destination 172.16.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SSG
!
ip route 192.168.111.0 255.255.255.0 Tunnel111 10.0.0.9
```
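The post stresses that the Cisco side must carry the same DH/PFS group, peer and tunnel addressing as the SSG, and a typo in any of these only shows up as a tunnel that never comes up. As an added example (not from the post or either vendor), the following script parses a Cisco VTI configuration and checks that the profile named under tunnel protection exists and uses the same group as the isakmp policy, that a pre-shared key is bound to the tunnel destination, and that every static route through the tunnel points at a next hop inside the tunnel subnet. The config text is constructed from the post's own values with the key replaced by PSK-PLACEHOLDER; parse_blocks, val and check_vti are names chosen here.

```python
import ipaddress

# Constructed input: the post's Cisco VTI config, abridged to the lines these checks read.
IOS_CONFIG = """\
crypto isakmp policy 10
 group 14
crypto isakmp key PSK-PLACEHOLDER address 172.16.1.1
crypto ipsec profile SSG
 set pfs group14
interface Tunnel111
 ip address 10.0.0.10 255.255.255.252
 tunnel destination 172.16.1.1
 tunnel protection ipsec profile SSG
ip route 192.168.111.0 255.255.255.0 Tunnel111 10.0.0.9
"""

def parse_blocks(cfg):
    """Map each top-level IOS line to its indented child lines."""
    blocks, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith(" ") and cur:
            blocks[cur].append(line.strip())
        elif line.strip():
            cur = line.strip()
            blocks[cur] = []
    return blocks

def val(lines, prefix):
    """Text after the first child line that starts with prefix, or None."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), None)

def check_vti(cfg):
    """Return findings for the VTI's crypto and route wiring; empty list = consistent."""
    b, out = parse_blocks(cfg), []
    tun = next(k for k in b if k.startswith("interface Tunnel"))
    t, name = b[tun], tun.split()[1]
    # PFS group of the referenced ipsec profile must equal the isakmp policy's DH group.
    dh = val(b[next(k for k in b if k.startswith("crypto isakmp policy"))], "group")
    prof = b.get(f"crypto ipsec profile {val(t, 'tunnel protection ipsec profile')}", [])
    if val(prof, "set pfs") != f"group{dh}":
        out.append(f"{tun}: ipsec profile missing or its PFS group is not group{dh}")
    # A pre-shared key must be bound to the tunnel destination (the IKE peer).
    dst = val(t, "tunnel destination")
    if not any(k.startswith("crypto isakmp key ") and k.endswith(f"address {dst}") for k in b):
        out.append(f"{tun}: no pre-shared key configured for peer {dst}")
    # Static routes via the tunnel must use a next hop inside the tunnel's own subnet.
    net = ipaddress.ip_interface(val(t, "ip address").replace(" ", "/")).network
    for r in (k for k in b if k.startswith("ip route ") and name in k.split()):
        if (nh := r.split()[-1]) != name and ipaddress.ip_address(nh) not in net:
            out.append(f"{r}: next hop {nh} is outside {net}")
    return out
```

Run check_vti on the output of show running-config before bringing the tunnel up; each finding names the line that will otherwise keep the SA from forming or the traffic from being routed.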
Stats
After the tunnel establishment, the monitor status on the SSG is Up:
And the Cisco router can be queried with the following commands:
```
fd-wv-ro03#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1134  172.16.1.5      172.16.1.1             ACTIVE aes  sha  psk  14 00:58:33
       Engine-id:Conn-id =  SW:134

IPv6 Crypto ISAKMP SA

---------------------------------------
fd-wv-ro03#show crypto ipsec sa

interface: Tunnel111
    Crypto map tag: Tunnel111-head-0, local addr 172.16.1.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 172.16.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 279508, #pkts encrypt: 279508, #pkts digest: 279508
    #pkts decaps: 279547, #pkts decrypt: 279547, #pkts verify: 279547
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.1.5, remote crypto endpt.: 172.16.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xBFC4F0CA(3217354954)
     PFS (Y/N): Y, DH group: group14

     inbound esp sas:
      spi: 0x665D5E6E(1717395054)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4171, flow_id: NETGX:2171, sibling_flags 80000046, crypto map: Tunnel111-head-0
        sa timing: remaining key lifetime (k/sec): (4493506/2655)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBFC4F0CA(3217354954)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4172, flow_id: NETGX:2172, sibling_flags 80000046, crypto map: Tunnel111-head-0
        sa timing: remaining key lifetime (k/sec): (4493506/2655)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
---------------------------------------
fd-wv-ro03#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.16.1.1 to network 0.0.0.0

S    192.168.121.0/24 [1/0] via 10.0.0.5, Tunnel121
C    192.168.151.0/24 is directly connected, FastEthernet0/1.151
S    192.168.120.0/24 [1/0] via 172.16.1.2
C    192.168.150.0/24 is directly connected, FastEthernet0/1.150
S    192.168.111.0/24 [1/0] via 10.0.0.9, Tunnel111
S    192.168.125.0/24 [1/0] via 172.16.1.2
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, FastEthernet0/0
     10.0.0.0/30 is subnetted, 2 subnets
C       10.0.0.8 is directly connected, Tunnel111
C       10.0.0.4 is directly connected, Tunnel121
S*   0.0.0.0/0 [1/0] via 172.16.1.1
```
The end. ;)
Great document.