SRX

Expand all | Collapse all

VPN site to site Juniper-Cisco with 8 encryption domain

Jump to Best Answer
  • 1.  VPN site to site Juniper-Cisco with 8 encryption domain

    Posted 08-24-2017 08:11

    Hello,

     

    I’m trying to configure a site to site VPN between a Juniper SRX 550 (my side) and a Cisco ASA 5555 (partner side). They imposed the configuration and I try to match it. I have no detail of the configuration on their side.

     

    The phase 1 is ok. The phase 2 isn’t not: Phase 2 Mismatch
    That’s clear but I don’t know which parameter isn’t.

     

    == Parameters ==

    IKE/IPSEC Parameters

    Support Key Exchanged for Subnets     : ON

    IKE Encryption Method                          : AES256 SHA

    IKE Diffie-Hellman Groups for Phase 1   : Group 2 (1024 bit)

    IKE (Phase-1) Timeout                           : 1440 Min        

    IPSEC Encryption Method                     : AES256 SHA

    IPSEC (Phase-2) Timeout                       : 3600 sec

    PFS (Perfect Forward Secrecy)              : Disabled

    Keepalive                                              : Disabled
    VPN Gateway                            : X.X.X.X                 

     

    Here is what I don’t know how to configure.

     

    1. encryption domain

     

    We agreed that the domain encryption (on my side?) is my public IP (y.y.y.y/32). They will accept in the tunnel only packet with the source IP my public IP. So, I need to NAT inside the tunnel.

     

    Questions 1: How do I configure that?

     

    1. They are using on the ASA 8 encryption domain

     

    And on their side, they give me that:

    VPN Encryption Domain 1         : 1.x.x.x/x

    VPN Encryption Domain 2         : 2.x.x.x/x

    VPN Encryption Domain 3         : 3.x.x.x/x

    VPN Encryption Domain 4         : 4.x.x.x/x

    VPN Encryption Domain 5         : 5.x.x.x/x

    VPN Encryption Domain 6         : 6.x.x.x/x

    VPN Encryption Domain 7         : 7.x.x.x/x

    VPN Encryption Domain 8         : 8.x.x.x/x

     

    Questions 2: how do I match that ?

    proxy-identity local and a proxy-identity remote in the same IP sec vpn configuration?

    or with a

    ipsec vpn vpn-partnaire traffic-selector domaine1 local-ip

    ipsec vpn vpn-partnaire traffic-selector domaine1 remote-ip

    And I need to declare multiple IP sec vpn configuration and many st0.X ?

     

    Here is my configuration:

     #Conf interface + Zone

    set interfaces st0 unit 6 family inet

    set security zones security-zone Internet1 interfaces st0.6

    set routing-instances PRODUCTION protocols ospf area 0.0.0.0 interface st0.6

     

    #Conf Routing-instance + route

    set routing-instances PRODUCTION interface st0.6

     

    #Conf Phase 1

    set security ike proposal Proposal-Ph1-partenaire1 authentication-method pre-shared-keys

    set security ike proposal Proposal-Ph1-partenaire1 dh-group group2

    set security ike proposal Proposal-Ph1-partenaire1 authentication-algorithm sha1

    set security ike proposal Proposal-Ph1-partenaire1 encryption-algorithm aes-256-cbc

    set security ike proposal Proposal-Ph1-partenaire1 lifetime-seconds 86400

     

    set security ike policy IKE-Pha1-Policy-partenaire1 mode main

    set security ike policy IKE-Pha1-Policy-partenaire1 proposals Proposal-Ph1-partenaire1

    set security ike policy IKE-Pha1-Policy-partenaire1 pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXX"

     

    set security ike gateway gw-partenaire1 ike-policy IKE-Pha1-Policy-partenaire1

    set security ike gateway gw-partenaire1 address X.X.X.X

    set security ike gateway gw-partenaire1 external-interface reth0.200

     

    #Conf Phase 2

    set security ipsec proposal Proposal-Ph2-partenaire1 protocol esp

    set security ipsec proposal Proposal-Ph2-partenaire1 authentication-algorithm hmac-sha-256-128

    set security ipsec proposal Proposal-Ph2-partenaire1 encryption-algorithm aes-256-cbc

    set security ipsec proposal Proposal-Ph2-partenaire1 lifetime-seconds 3600

     

    set security ipsec policy IPSEC-Pha2-policy-partenaire1 proposals Proposal-Ph2-partenaire1

     

    set security ipsec vpn vpn-partenaire1-primaire bind-interface st0.6

    set security ipsec vpn vpn-partenaire1-primaire ike gateway gw-partenaire1

    set security ipsec vpn vpn-partenaire1-primaire ike ipsec-policy IPSEC-Pha2-policy-partenaire1

    set security ipsec vpn vpn-partenaire1-primaire establish-tunnels on-traffic

     

    #Rules

    set security policies from-zone Trust to-zone Internet1 policy rule-3to1-666-partenaire1-test match source-address my-net

    set security policies from-zone Trust to-zone Internet1 policy rule-3to1-666-partenaire1-test match destination-address partenaire1-net

    set security policies from-zone Trust to-zone Internet1 policy rule-3to1-666-partenaire1-test match application any

    set security policies from-zone Trust to-zone Internet1 policy rule-3to1-666-partenaire1-test then permit

    When it will work I will filter.

     

    ##### NAT Options #####

    set security nat source pool src-nat-partenaire1 address mypublicIP

    set security nat source rule-set trust-to-Internet1 from zone Trust

    set security nat source rule-set trust-to-Internet1 to zone Internet1

    set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match source-address 0.0.0.0/0

    set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 1.x.x.x/x

    set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 2.x.x.x/x

    set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 3.x.x.x/x

    set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 4.x.x.x/x

    set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 5.x.x.x/x

    set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 6.x.x.x/x

    set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 7.x.x.x/x

    set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 match destination-address 8.x.x.x/x

    set security nat source rule-set trust-to-Internet1 rule source-nat-rule-partenaire1 then source-nat pool src-nat-partenaire1

     

    Thanks a lot.

    Mickael.



  • 2.  RE: VPN site to site Juniper-Cisco with 8 encryption domain

    Posted 08-24-2017 09:33

    set security ipsec proposal Proposal-Ph2-partenaire1 authentication-algorithm hmac-sha-256-128

    This is probably the incorrect line. They appear to be using SHA-1 (although it's not very clear from the way they have phrased it).

     

    By the way, using Diffie-Hellman Group 2 makes absolutely no sense in combination with AES-256. This is an extremely strong encryption algorithm being combined with a weak key exchange method. They should be using Group 14 (or one of the newer ECDH groups if available). The chain of security is only as strong as its weakest link.



  • 3.  RE: VPN site to site Juniper-Cisco with 8 encryption domain

    Posted 08-24-2017 11:00

    Well I feel s*****.  The tunnel is up.
    Thanks a lot. 
    I still have no communication but I will look again on the TS or proxy-identity. I'm not comfortable with this notion.

     

    I agree the combo encryption / authentication isn't good but they are working like this..



  • 4.  RE: VPN site to site Juniper-Cisco with 8 encryption domain

    Posted 08-31-2017 12:04

    Hello,

     

    My vpn is up, I can see the route in the routing table. But I have no paquets going throught.

    How can I see where my packet is blocked or refused?

     

    Thanks,
    Mickael.



  • 5.  RE: VPN site to site Juniper-Cisco with 8 encryption domain
    Best Answer

     
    Posted 08-31-2017 15:03

    This gives you the steps to walk through a VPN up but not passing traffic.  If you have confirmed the route the next step is verifying the security policy in place.  Then check to see if sessions are created and if not enable the trace options to find out why.  If you have trouble interpreting the trace options output post them here.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB10093



  • 6.  RE: VPN site to site Juniper-Cisco with 8 encryption domain

    Posted 09-05-2017 15:51

    Hello,


    It's exactly what I needed! Step by step check everything. And I look at the junos flow module..
    I'm using nat inside my VPN tunnel so from the srx I tried ping X.X.X.X source {myPublic IP} routing-instance PRODUCTION and it's works, so the vpn tunnel is up and packet going through.

    So it's my rules or my NAT.

     

     

    show security flow session (step 7) show nothing at all.
    A show security nat source rule all shown my dedicated rule for this VPN is never matched.
    And because I'm using NAT inside my VPN with the same public IP as my default NAT I was never matching the dedicated NAT rule for the vpn. Ok it's maybe not the best to do that..

     

    I switched the VPN dedicated rule before my default NAT and it's working normally.
    insert security nat source rule-set {rule number2} before rule-set {rule default}

     

    Thanks for the step.

     

    Subjet closed.

     

    Mickael.



  • 7.  RE: VPN site to site Juniper-Cisco with 8 encryption domain

    Posted 08-14-2020 07:48

    Hello,

    I am facing the same issue to established a tunnel with a client in China.

    I will appreciate if you share your change settting IKE and Ipsec.

     

    Thank you.



  • 8.  RE: VPN site to site Juniper-Cisco with 8 encryption domain

     
    Posted 08-15-2020 04:10

    Your settings for ike and ipsec will depend on what your remote site has on their side as they must match.

     

    To help narrow down mismatches there are some guides but it depends on how far in the process of creating the tunnel you site is.  For this thread the site-to-site was showing established both ike and ipsec but no traffic was flowing.  If your tunnel is not coming up start with this document to narrow down where the issue is.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB10100

     

    Also since your partner is in China, there is a possibility that the vpn is being blocked by the "great firewall" of China.  When I worked at one company we had to get government permission to have a vpn to the site which was then permitted.  But start with the technical kb first.

     



  • 9.  RE: VPN site to site Juniper-Cisco with 8 encryption domain

    Posted 08-24-2020 00:45

    Hi,

    I know this is marked as resolved but might be worth to mention... The Cisco ASA uses Policy Based IPSEC, and it looks like the Juniper side is Route Based. This will work, if there is only 1 encryption domain. Not several traffic selectors as usually used when doing route-based between to devices.

    There is KBs within Juniper side that explains this in detail.

    Ref: https://kb.juniper.net/InfoCenter/index?page=content&id=KB20543&cat=SRX_SERIES&actp=LIST

     

    So one thing is to setup policy based on the Juniper as well, or simplify the encryption domain a bit to get it to one.

    I've been told that some ASAs (maybe older) cant handle the setup by using the peer-ip(gateway ip) as both peer ip and encryption domain to NAT the network behind it. But I havent been able to try it myself 🙂

    I hope this information might help someone out there!

     

    //Rob