Configuration VPN GRE over IPSEC between Juniper SRX and Cisco 1841
Introduction.
We have two networks. Each network has own routing device. The first network has Juniper SRX and second network has Cisco 1841.
Task:
configure GRE over VPN for providing availability of OSPF routing.
Juniper SRX cann't to terminate GRE and IPSEC with one interface. We will use lo interface for GRE termination.
Addressing
Juniper SRX:
GLOBAL IP: 217.9.80.22
Lo IP: 172.31.254.1
Gre IP: 192.168.254.0
Cisco 1841:
GLOBAL IP: 91.208.39.30
Lo IP: 172.31.254.2
Gre IP: 192.168.254.1
IKE policy:
encryption: aes128
hash: sha1
Diffie-Hellman group: 5
pre shared key: test
IPSEC policy:
encryption: aes128
hash: hmac_sha1
Diffie-Hellman group: 5
VPN - tunnel mode esp
1. Apply lo ip address:
{primary:node1}[edit]
set interfaces lo0 unit 0 family inet address 172.31.254.1/32
2. Create GRE interface:
{primary:node1}[edit]
set interfaces gr-0/0/0 unit 0 description Cisco_link
set interfaces gr-0/0/0 unit 0 tunnel source 172.31.254.1
set interfaces gr-0/0/0 unit 0 tunnel destination 172.31.254.2
set interfaces gr-0/0/0 unit 0 family inet mtu 1476
set interfaces gr-0/0/0 unit 0 family inet address 192.168.254.0/31
3. Create ST interface:
{primary:node1}[edit]
set interfaces st0 unit 0 description VPN_Cisco_link
set interfaces st0 unit 0 family inet
4. Configure three security zones on the Juniper:
{primary:node1}[edit]
set security zones security-zone ISPs interfaces reth0.0
set security zones security-zone Internal interfaces reth1.0
set security zones security-zone Tunnels gr-0/0/0.0
set security zones security-zone Tunnels st0.0
set security zones security-zone Tunnels lo0.0
5. Configure security policies (for this example I will not configure detail policy.)
{primary:node1}[edit]
set security policies default-policy permit-all
6. Configure IKE
{primary:node1}[edit]
set security ike proposal IKE_PRO_MY_NET description MY_NETWORK_IKE_PROPOSAL
set security ike proposal IKE_PRO_MY_NET authentication-method pre-shared-keys
set security ike proposal IKE_PRO_MY_NET dh-group group5
set security ike proposal IKE_PRO_MY_NET authentication-algorithm sha1
set security ike proposal IKE_PRO_MY_NET encryption-algorithm aes-128-cbc
set security ike proposal IKE_PRO_MY_NET lifetime-seconds 28800
set security ike policy IKE_POL_MY_NET mode aggressive
set security ike policy IKE_POL_MY_NET proposals IKE_PRO_MY_NET
set security ike policy IKE_POL_MY_NET pre-shared-key ascii-text test
set security ike gateway IKE_CISCO_1841 ike-policy IKE_POL_MY_NET
set security ike gateway IKE_CISCO_1841 address 91.208.39.30
set security ike gateway IKE_CISCO_1841 local-identity inet 217.9.80.22
set security ike gateway IKE_CISCO_1841 external-interface reth0.0
7. Configure IPSEC
{primary:node1}[edit]
set security ipsec proposal IPSEC_PRO_MY_NET protocol esp
set security ipsec proposal IPSEC_PRO_MY_NET authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_PRO_MY_NET encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC_PRO_MY_NET lifetime-seconds 28800
set security ipsec proposal IPSEC_PRO_MY_NET lifetime-kilobytes 4608000
set security ipsec policy IPSEC_POL_MY_NET perfect-forward-secrecy keys group5
set security ipsec policy IPSEC_POL_MY_NET proposals IPSEC_PRO_MY_NET
set security ipsec vpn VPN_CISCO_1841 bind-interface st0.0
set security ipsec vpn VPN_CISCO_1841 df-bit clear
set security ipsec vpn VPN_CISCO_1841 ike gateway IKE_CISCO_1841
set security ipsec vpn VPN_CISCO_1841 ike no-anti-replay
set security ipsec vpn VPN_CISCO_1841 ike proxy-identity local 172.31.254.1/32
set security ipsec vpn VPN_CISCO_1841 ike proxy-identity remote 172.31.254.2/32
set security ipsec vpn VPN_CISCO_1841 ike proxy-identity service junos-gre
set security ipsec vpn VPN_CISCO_1841 ike ipsec-policy IPSEC_POL_MY_NET
set security ipsec vpn VPN_CISCO_1841 establish-tunnels immediately
8. Configure routing
{primary:node1}[edit]
set routing-options static route 172.31.254.2/32 next-hop st0.0
9. Commit
{primary:node1}[edit]
commit
1. Apply lo ip address:
conf t
interface Loopback0
ip address 172.31.254.2 255.255.255.255
end
2. Create GRE interface:
conf t
interface Tunnel0
description link1 Cisco_1841 -> Juniper SRX
ip address 192.168.254.1 255.255.255.254
ip mtu 1476
ip ospf network point-to-point
no clns route-cache
tunnel source Loopback0
tunnel destination 172.31.254.2
end
3. Configure IKE
conf t
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
lifetime 28800
exit
crypto isakmp key test address 217.9.80.22
end
4. Configure access list
conf t
ip access-list extended ipsec_Juniper_SRX
permit ip host 172.31.254.2 host 172.31.254.1
end
5. Configure IPSEC
conf t
crypto ipsec transform-set MY_NET esp-aes esp-sha-hmac
exit
crypto map my-cmap 10 ipsec-isakmp
set peer 217.9.80.22
set security-association lifetime seconds 28800
set transform-set MY_NET
set pfs group5
match address ipsec_Juniper_SRX
6. Apply crypto-map
conf t
int fa 0/0
crypto map my-cmap
end
7. Save configuration
wr
About author