---------- SRX ----------

## Loopback interface for GRE termination
set interfaces lo0 unit 0 family inet address 172.30.1.1/32
set interfaces lo0 unit 0 description "GRE Termination Interface"

## GRE Interface
set interfaces gr-0/0/0 unit 0 description "To SPOKE (using st0.670)"
set interfaces gr-0/0/0 unit 0 tunnel source 172.30.1.1
set interfaces gr-0/0/0 unit 0 tunnel destination 172.30.1.70
set interfaces gr-0/0/0 unit 0 family inet mtu 1476
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.1/30

## st Interface
set interfaces st0.670 family inet
set interfaces st0.670 description "To SPOKE"
set routing-options static route 172.30.1.2/32 next-hop st0.670

## Security zones
set security zones security-zone vpn-ext_sites interfaces st0.670
set security zones security-zone MGT interfaces lo0.0
set security zones security-zone vpn-ext_sites interfaces gr-0/0/0
set security zones security-zone Internet host-inbound-traffic system-services ike

## Address book entries
set security address-book global address 172.30.1.0/24 172.30.1.0/24
set security address-book global address 172.30.1.1 172.30.1.1

## IKE policy
set security ike policy ike-ext_sites_SPOKE mode aggressive
set security ike policy ike-ext_sites_SPOKE pre-shared-key ascii-text "KEY"
set security ike policy ike-ext_sites_SPOKE proposals ike_proposal-SPOKE

## IKE gateway
set security ike gateway ike_gw-SPOKE ike-policy ike-ext_sites_SPOKE
set security ike gateway ike_gw-SPOKE external-interface ge-0/0/0
set security ike gateway ike_gw-SPOKE dynamic hostname SPOKE.domain.com
set security ike gateway ike_gw-SPOKE local-identity hostname HUB.domain.com

## IKE proposal
set security ike proposal ike_proposal-SPOKE authentication-method pre-shared-keys
set security ike proposal ike_proposal-SPOKE encryption-algorithm aes-256-cbc
set security ike proposal ike_proposal-SPOKE authentication-algorithm sha1
set security ike proposal ike_proposal-SPOKE dh-group group5
set security ike proposal ike_proposal-SPOKE lifetime-seconds 86400

## IPsec vpn
set security ipsec vpn vpn_ext_sites-SPOKE ike gateway ike_gw-SPOKE
set security ipsec vpn vpn_ext_sites-SPOKE ike ipsec-policy ipsec_policy-SPOKE
set security ipsec vpn vpn_ext_sites-SPOKE bind-interface st0.670
set security ipsec vpn vpn_ext_sites-SPOKE establish-tunnels immediately
set security ipsec vpn vpn_ext_sites-SPOKE ike proxy-identity local 172.30.1.1/32 remote 172.30.1.70/32 service junos-gre

## IPsec proposal & policy
set security ipsec proposal ipsec_proposal-SPOKE protocol esp
set security ipsec policy ipsec_policy-SPOKE proposals ipsec_proposal-SPOKE
set security ipsec policy ipsec_policy-SPOKE perfect-forward-secrecy keys group5
set security ipsec proposal ipsec_proposal-SPOKE encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec_proposal-SPOKE authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec_proposal-SPOKE lifetime-seconds 28800

## Security policy for GRE traffic
set security policies from-zone MGT to-zone vpn-ext_sites policy allow_GRE_for_ext_sites_out match source-address 172.30.1.1
set security policies from-zone MGT to-zone vpn-ext_sites policy allow_GRE_for_ext_sites_out match destination-address 172.30.1.0/24
set security policies from-zone MGT to-zone vpn-ext_sites policy allow_GRE_for_ext_sites_out match application junos-gre
set security policies from-zone MGT to-zone vpn-ext_sites policy allow_GRE_for_ext_sites_out then permit
set security policies from-zone vpn-ext_sites to-zone MGT policy allow_GRE_for_ext_sites_in match source-address 172.30.1.0/24
set security policies from-zone vpn-ext_sites to-zone MGT policy allow_GRE_for_ext_sites_in match destination-address 172.30.1.1
set security policies from-zone vpn-ext_sites to-zone MGT policy allow_GRE_for_ext_sites_in match application junos-gre
set security policies from-zone vpn-ext_sites to-zone MGT policy allow_GRE_for_ext_sites_in then permit

--------------------- CISCO ---------------------

interface Loopback0
 ip address 172.30.1.70 255.255.255.255
 desc GRE Termination Interface
int tunnel 670
 desc To HUB
 ip addr 10.0.0.2 255.255.255.252
 ip mtu 1476
 tunnel source lo0
 tunnel destination 172.30.1.1
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 86400
 hash sha
!
ip access-list extended ACL_IPSEC-HUB
 permit ip host 172.30.1.2 host 172.30.1.1
!
crypto keyring keys
 pre-shared-key address 0.0.0.0 0.0.0.0 key KEY
!
crypto isakmp profile HUB_ike
 keyring keys
 self-identity fqdn SPOKE.domain.com
 match identity host HUB.domain.com
 initiate mode aggressive
!
crypto isakmp key KEY address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set HUB esp-aes 256 esp-sha-hmac
!
crypto dynamic-map dyn 10
 set transform-set HUB
!
crypto map CM_HUB isakmp-profile HUB_ike
!
crypto map CM_HUB 10 ipsec-isakmp
 match address ACL_IPSEC-HUB
 set peer HUB.domain.com dynamic
 set transform-set HUB
 set pfs group5
 set security-association lifetime seconds 28800
crypto map CM_HUB 65535 ipsec-isakmp dynamic dyn
!
interface Fa4
 crypto map CM_HUB
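A hub-and-spoke tunnel like the one above only comes up when both ends agree on the IKE proposal, the IPsec proposal, PFS, and the traffic selectors (SRX proxy-identity versus the Cisco crypto ACL). The script below is an added example, not part of the original configuration or of either vendor's tooling: it extracts those parameters from constructed excerpts of the two listings, normalises the vendor spellings (aes-256-cbc / "encr aes 256", sha1 / "hash sha" / hmac-sha1-96, group5 / "group 5") into one vocabulary, and reports every parameter that differs. Run against the page's own values it flags one difference: the SRX proxy-identity names the spoke as 172.30.1.70/32 while the Cisco ACL_IPSEC-HUB entry names it as host 172.30.1.2. The regexes cover only the command forms that appear on this page; other IOS or Junos syntax would need extra rules.

```python
import re

# Constructed excerpts of the two configurations on this page (hub = SRX
# set-style, spoke = Cisco IOS). Only the lines the checker needs are kept.
SRX_CONFIG = """
set security ike proposal ike_proposal-SPOKE encryption-algorithm aes-256-cbc
set security ike proposal ike_proposal-SPOKE authentication-algorithm sha1
set security ike proposal ike_proposal-SPOKE dh-group group5
set security ike proposal ike_proposal-SPOKE lifetime-seconds 86400
set security ipsec vpn vpn_ext_sites-SPOKE ike proxy-identity local 172.30.1.1/32 remote 172.30.1.70/32 service junos-gre
set security ipsec policy ipsec_policy-SPOKE perfect-forward-secrecy keys group5
set security ipsec proposal ipsec_proposal-SPOKE encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec_proposal-SPOKE authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec_proposal-SPOKE lifetime-seconds 28800
"""

CISCO_CONFIG = """
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 86400
 hash sha
ip access-list extended ACL_IPSEC-HUB
 permit ip host 172.30.1.2 host 172.30.1.1
crypto ipsec transform-set HUB esp-aes 256 esp-sha-hmac
crypto map CM_HUB 10 ipsec-isakmp
 set pfs group5
 set security-association lifetime seconds 28800
"""


def norm_enc(s):
    """'aes-256-cbc', 'aes 256', 'esp-aes 256', '3des-cbc' -> 'aes256' / '3des'."""
    m = re.search(r"(aes|3des|des)[ -]?(\d*)", s)
    return m.group(1) + m.group(2)


def norm_hash(s):
    """'sha', 'sha1', 'hmac-sha1-96' -> 'sha1'; 'sha256', 'hmac-sha-256-128' -> 'sha256'."""
    base, bits = re.search(r"(sha|md5)-?(\d*)", s).groups()
    if base == "sha" and bits in ("", "1"):
        return "sha1"
    return base + bits


def norm_group(s):
    """'group5' / '5' -> 'group5'."""
    return "group" + re.sub(r"\D", "", s)


def norm_ip(s):
    """Drop a /32 host prefix so '172.30.1.1/32' compares equal to '172.30.1.1'."""
    return s.split("/")[0]


# (key, regex with one capture group, normaliser). Keys are named from the
# hub's point of view so the two dicts can be compared key by key.
SRX_RULES = [
    ("ike_enc",        r"ike proposal \S+ encryption-algorithm (\S+)",       norm_enc),
    ("ike_hash",       r"ike proposal \S+ authentication-algorithm (\S+)",   norm_hash),
    ("ike_dh",         r"ike proposal \S+ dh-group (\S+)",                   norm_group),
    ("ike_life",       r"ike proposal \S+ lifetime-seconds (\d+)",           int),
    ("ipsec_enc",      r"ipsec proposal \S+ encryption-algorithm (\S+)",     norm_enc),
    ("ipsec_hash",     r"ipsec proposal \S+ authentication-algorithm (\S+)", norm_hash),
    ("ipsec_life",     r"ipsec proposal \S+ lifetime-seconds (\d+)",         int),
    ("pfs",            r"perfect-forward-secrecy keys (\S+)",                norm_group),
    ("selector_hub",   r"proxy-identity local (\S+)",                        norm_ip),
    ("selector_spoke", r"proxy-identity local \S+ remote (\S+)",             norm_ip),
]
CISCO_RULES = [
    ("ike_enc",        r"^\s*encr\w* (.+)$",                                 norm_enc),
    ("ike_hash",       r"^\s*hash (\S+)",                                    norm_hash),
    ("ike_dh",         r"^\s*group (\d+)",                                   norm_group),
    ("ike_life",       r"^\s*lifetime (\d+)\s*$",                            int),
    ("ipsec_enc",      r"transform-set \S+ esp-(aes \d+|aes|3des|des)",       norm_enc),
    ("ipsec_hash",     r"transform-set \S+ .*esp-(\S+)-hmac",                norm_hash),
    ("ipsec_life",     r"security-association lifetime seconds (\d+)",       int),
    ("pfs",            r"set pfs (\S+)",                                     norm_group),
    # The crypto ACL lists the spoke's own address first and the hub second,
    # i.e. mirrored relative to the SRX proxy-identity.
    ("selector_spoke", r"permit ip host (\S+) host \S+",                     norm_ip),
    ("selector_hub",   r"permit ip host \S+ host (\S+)",                     norm_ip),
]


def extract(text, rules):
    """Return {key: normalised value} for the first line matching each rule."""
    found = {}
    for key, pattern, norm in rules:
        for line in text.splitlines():
            m = re.search(pattern, line)
            if m:
                found[key] = norm(m.group(1))
                break
    return found


def compare(hub, spoke):
    """Return (key, hub_value, spoke_value) for every parameter that differs or is missing on one side."""
    diffs = []
    for key in sorted(set(hub) | set(spoke)):
        if hub.get(key) != spoke.get(key):
            diffs.append((key, hub.get(key), spoke.get(key)))
    return diffs


def check_page_configs():
    """Run the comparison over the constructed excerpts of the SRX and Cisco listings."""
    return compare(extract(SRX_CONFIG, SRX_RULES), extract(CISCO_CONFIG, CISCO_RULES))


if __name__ == "__main__":
    for key, hub_val, spoke_val in check_page_configs():
        print(f"MISMATCH {key}: hub={hub_val} spoke={spoke_val}")
```

A selector mismatch like the one reported is worth catching in review because it fails quietly: IKE phase 1 can complete (identities, PSK, and proposal all agree) while the phase 2 negotiation or the GRE traffic itself never matches the selector the other side proposes.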