Example Configuration IPSec VPN Between Juniper and Cisco

A few weeks back I had the chance to configure an IPsec VPN for one of our customers: a Juniper SRX on one side and a Cisco IOS router on the other. Make sure you understand what an IPsec VPN is; then you are good to go with the example configuration below.

The Sample Network Diagram

Here is the sample network diagram that the configuration below is written for. To keep it simple, both sides are connected to each other over the Internet, with 192.168.0.0/24 behind the Juniper and 172.16.0.0/24 behind the Cisco. The two private networks need to talk to each other directly through a secure tunnel.

On the Juniper SRX, interface ge-0/0/0 is connected to the Internet; on the Cisco side it is Gi0/0. Each has its own /30 address from the Internet provider (1.1.1.2 on the Juniper and 2.2.2.2 on the Cisco, as used in the configuration below).

The Configuration

Juniper Side

Note that this sample is a policy-based VPN: the tunnel is invoked from the security policy rather than through a tunnel interface. The configuration on the Juniper SRX is as follows.

Phase 1 configuration.

set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL dh-group group2
set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PROPOSAL encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROPOSAL lifetime-seconds 86400

set security ike policy IKE-POLICY mode main
set security ike policy IKE-POLICY proposals IKE-PROPOSAL
set security ike policy IKE-POLICY pre-shared-key ascii-text KEY@Secure

set security ike gateway IKE-GATEWAY ike-policy IKE-POLICY
set security ike gateway IKE-GATEWAY address 2.2.2.2
set security ike gateway IKE-GATEWAY external-interface ge-0/0/0.0

Phase 2 configuration.

set security ipsec proposal IPSEC-PROPOSAL protocol esp
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL
set security ipsec vpn IPSEC-VPN ike gateway IKE-GATEWAY
set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POLICY
set security ipsec vpn IPSEC-VPN establish-tunnels immediately

Create address book entries to reference in the security policies.

set security zones security-zone untrust address-book address 172-16-0-0_24 172.16.0.0/24
set security zones security-zone trust address-book address 192-168-0-0_24 192.168.0.0/24

Allow traffic between zones through the tunnel.

set security policies from-zone trust to-zone untrust policy IPSec-VPN match source-address any
set security policies from-zone trust to-zone untrust policy IPSec-VPN match destination-address 172-16-0-0_24
set security policies from-zone trust to-zone untrust policy IPSec-VPN match application any
set security policies from-zone trust to-zone untrust policy IPSec-VPN then permit tunnel ipsec-vpn IPSEC-VPN

set security policies from-zone untrust to-zone trust policy IPSec-VPN match source-address any
set security policies from-zone untrust to-zone trust policy IPSec-VPN match destination-address 192-168-0-0_24
set security policies from-zone untrust to-zone trust policy IPSec-VPN match application any
set security policies from-zone untrust to-zone trust policy IPSec-VPN then permit tunnel ipsec-vpn IPSEC-VPN

Cisco Side

Create an ISAKMP policy for Phase 1 negotiations for the L2L tunnels.

crypto isakmp policy 10
 group 2
 encryption aes 256
 lifetime 86400
 hash sha
 authentication pre-share

Specify the pre-shared key and the remote peer address to match for the L2L tunnel.

crypto isakmp key KEY@Secure address 1.1.1.2

Create the Phase 2 transform set for the actual data encryption.

crypto ipsec transform-set MYSET esp-sha-hmac esp-aes 256

Create the actual crypto map. Specify the peer IP address, the transform set, and an access control list (ACL) that selects which traffic goes through the tunnel.

crypto map MYMAP 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set MYSET
 match address 100

Apply the crypto map on the outside interface.

interface Gi0/0
 crypto map MYMAP

Create an ACL for the traffic to be encrypted. In this example, traffic from 172.16.0.0/24 to 192.168.0.0/24 is encrypted. Traffic that does not match the access list is sent to the Internet unencrypted.

access-list 100 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
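
As an added example (not part of the original post), here is a small Python checker that reads excerpts of both peers' configurations above and reports any Phase 1 or Phase 2 parameter the two sides do not agree on, translating IOS keyword spellings into the Junos names. The configuration strings are constructed from this post; the function names are my own.

```python
# Constructed excerpts of the two peer configurations from this post, limited to
# the lines that carry the negotiated Phase 1 / Phase 2 parameters.
JUNOS_CFG = """\
set security ike proposal IKE-PROPOSAL dh-group group2
set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PROPOSAL encryption-algorithm aes-256-cbc
set security ike policy IKE-POLICY pre-shared-key ascii-text KEY@Secure
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
"""
IOS_CFG = """\
crypto isakmp policy 10
 group 2
 encryption aes 256
 hash sha
crypto isakmp key KEY@Secure address 1.1.1.2
crypto ipsec transform-set MYSET esp-sha-hmac esp-aes 256
"""
NAMES = {"sha": "sha1", "esp-sha-hmac": "hmac-sha1-96"}  # IOS spellings that differ from Junos

def aes_name(w):  # ['aes', '256'] -> 'aes-256-cbc'; a bare 'aes' means AES-128 on IOS
    return f"aes-{w[1] if len(w) > 1 and w[1].isdigit() else 128}-cbc"

def parse_junos(text):
    """Collect proposal parameters keyed 'phase:name', plus the pre-shared key."""
    words = [line.split() for line in text.splitlines()]
    p = {f"{w[2]}:{w[5]}": w[6] for w in words if len(w) == 7 and w[3] == "proposal"}
    p.update({"psk": w[-1] for w in words if "pre-shared-key" in w})
    return p

def parse_ios(text):
    """Collect the same parameters from IOS, translated into Junos spelling."""
    p = {}
    for w in (line.split() for line in text.splitlines()):
        if w[:1] == ["group"]:
            p["ike:dh-group"] = "group" + w[1]
        elif w[:1] == ["hash"]:
            p["ike:authentication-algorithm"] = NAMES.get(w[1], w[1])
        elif w[:1] == ["encryption"]:
            p["ike:encryption-algorithm"] = aes_name(w[1:]) if w[1] == "aes" else w[1]
        elif w[:3] == ["crypto", "isakmp", "key"]:
            p["psk"] = w[3]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            p.update({"ipsec:authentication-algorithm": NAMES[t] for t in w if t in NAMES})
            p.update({"ipsec:encryption-algorithm": aes_name(w[i:]) for i, t in enumerate(w) if t == "esp-aes"})
    return p

def mismatches(junos_cfg, ios_cfg):
    """Return {parameter: (junos_value, ios_value)} for every value the peers disagree on."""
    j, c = parse_junos(junos_cfg), parse_ios(ios_cfg)
    return {k: (j.get(k), c.get(k)) for k in sorted(set(j) | set(c)) if j.get(k) != c.get(k)}
```

mismatches(JUNOS_CFG, IOS_CFG) returns an empty dict for the post's configuration. It only compares the algorithms and the pre-shared key; the proxy IDs (Cisco's access-list 100 versus the addresses matched by the SRX policy) also have to agree for Phase 2 to come up.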

Verification

On the Juniper SRX, the commands below verify the Phase 1 and Phase 2 status as well as the traffic flow between the networks.

show security ike sa
show security ipsec sa
show security flow session

Here are the equivalent verification commands on the Cisco side.

show crypto isakmp sa
show crypto ipsec sa

The show crypto ipsec sa output is also useful when you want to see the encrypted/decrypted packet counters, that is, the number of packets sent into and received from the tunnel.

NOTE: Sometimes the tunnel on the Cisco side does not come up until you send some traffic through it. The easiest way to trigger it is to ping from one LAN to the other.

Let us know in the comment below! 🙂
