I'm getting ready for the JN0-333 exam. I have built a GNS3 lab to see how a route-based IPsec VPN works. Below you can see my network topology:
I would like to configure a point-to-multipoint IPsec VPN using OSPF as the routing protocol. I want to build a hub-and-spoke network, with vsrx-milan as the hub for the branch and non-branch remote sites. But before doing this I need to look at simpler implementations, like a simple site-to-site IPsec VPN.
Currently I have just configured a point-to-point IPsec VPN between the Milan and Turin sites. I have used static routes for the routing and no IP address on the st0.1 interfaces. You can see my configurations in the attachments. I see the IKE phase 1 and phase 2 tunnels up and working:
root@vsrx-milan> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
5856949 UP 96b1ec76aeece4a1 83993bda88bfb67f Main 18.104.22.168
root@vsrx-milan> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-cbc-256/sha1 6ea3f868 3567/ unlim U root 500 22.214.171.124
>131073 ESP:aes-cbc-256/sha1 83805b5e 3567/ unlim U root 500 126.96.36.199
root@vsrx-milan> show security ipsec statistics
Encrypted bytes: 608
Decrypted bytes: 336
Encrypted packets: 4
Decrypted packets: 4
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
But if the tunnel is up and the security policies are OK, why can't pc-milan telnet to pc-turin? Note: pc-milan and pc-turin are Cisco routers and their routing is OK. The same goes for the INTERNET cloud.
Trying 192.168.20.1 ...
% Connection timed out; remote host not responding
Where am I going wrong?
IKE/IPsec seems to be working as per your output.
The policies seem right too.
How about your routing table, is it installing the right routes?
--Jorge Bonilla | Chief Technology Officer
AWS-SAA | JNCIP | JNCDS-DC | JNCDS-SEC | CCNP | MCSE | ACMA | CCA | VCP | LPI
e: firstname.lastname@example.org
p: +1.754.900.7033
Twitter: @bonillatech
You are missing a security policy on vsrx-turin which allows traffic from-zone vpn to-zone trust. You are only allowing traffic from the trust zone to the vpn zone on both firewalls.
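The fault Jonashauge points out is easy to miss because the tunnel itself is healthy: IKE and IPsec SAs are up and the responder decrypts the packets, then drops them at the zone-policy lookup because no policy permits vpn to trust. The script below is an added example, not part of this thread or of Junos; it parses a constructed `display set`-style policy listing (modelled on the Turin firewall as described, with only trust-to-vpn and trust-to-untrust permits) and reports every zone pair that permits traffic into a VPN zone without a permit policy back out of it. The policy names and the zone names `trust`, `untrust` and `vpn` in the sample are assumptions for the sample data.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample of "show configuration security policies | display set"
# output for a remote-site SRX, modelled on the thread: trust -> vpn and
# trust -> untrust are permitted, but nothing is permitted from vpn -> trust.
TURIN_POLICIES = """
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
"""

# One "set security policies ..." line: zones, policy name, and either a
# "match <key> <value>" clause or a "then <action>" clause.
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.*)$"
)

ZonePair = Tuple[str, str]
PolicyTable = Dict[ZonePair, Dict[str, Dict[str, str]]]


def parse_policies(config: str) -> PolicyTable:
    """Build {(from_zone, to_zone): {policy_name: {match_key: value, "action": ...}}}."""
    table: PolicyTable = {}
    for raw in config.splitlines():
        m = POLICY_RE.match(raw.strip())
        if not m:
            continue  # skip unrelated set lines and blanks
        from_zone, to_zone, name, kind, rest = m.groups()
        entry = table.setdefault((from_zone, to_zone), {}).setdefault(name, {})
        if kind == "then":
            entry["action"] = rest.split()[0]  # permit / deny / reject
        else:
            key, _, value = rest.partition(" ")
            entry[key] = value
    return table


def permitted_pairs(table: PolicyTable) -> Set[ZonePair]:
    """Zone pairs for which at least one policy ends in 'then permit'."""
    return {
        pair
        for pair, policies in table.items()
        if any(p.get("action") == "permit" for p in policies.values())
    }


def missing_return_pairs(table: PolicyTable, vpn_zones=("vpn",)) -> Set[ZonePair]:
    """Zone pairs that permit traffic INTO a VPN zone but have no permit
    policy for the opposite direction. On the firewall that answers a
    session started from the far side of the tunnel, that reverse policy
    (vpn -> trust here) is the one the first packet is evaluated against."""
    allowed = permitted_pairs(table)
    missing: Set[ZonePair] = set()
    for from_zone, to_zone in allowed:
        if to_zone in vpn_zones and (to_zone, from_zone) not in allowed:
            missing.add((to_zone, from_zone))
    return missing


if __name__ == "__main__":
    table = parse_policies(TURIN_POLICIES)
    for pair in sorted(missing_return_pairs(table)):
        print(f"no permit policy from-zone {pair[0]} to-zone {pair[1]}")
```

Run against the sample it reports `no permit policy from-zone vpn to-zone trust`, which is exactly the policy Turin lacks. Because SRX policies are evaluated once per session, only the firewall that sees the session's first packet arriving from the tunnel needs the vpn-to-trust permit; the same check run on the Milan configuration would also flag it, and whether that is a real gap depends on whether Turin hosts ever initiate sessions toward Milan.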
Thanks Jonashauge. You are right! Now the communication works 🙂
Hey guys, now I want to ask you another question about Cisco and Juniper VPNs. Is it possible to implement a route-based IPsec VPN between a Juniper SRX and a Cisco ASA?
Cisco needs to use the GRE header to implement dynamic routing inside the IPsec tunnel. For Juniper, instead, the ESP header is enough. In this scenario the end users' packets will be encapsulated differently by the two vendors. Is that right? How can the VPN communication between Juniper and Cisco work?
IPsec packets forwarded by a Cisco ASA: |FRAME|IPv4*|ESP|GRE|IPv4**|DATA|
IPsec packets forwarded by a Juniper SRX: |FRAME|IPv4*|ESP|IPv4**|DATA|
IPv4*: IPv4 header with the source IP taken from the egress interface.
IPv4**: original IPv4 header, generated by the source host of the network communication.
It has been done before with success. Please see the following links: