Juniper – Cisco – GRE IPSec with OSPF

I had the privilege of introducing Cisco and Juniper into a new relationship. They were happy, holding hands and exchanging routes, but the relationship was taboo, so they wanted to keep it private. Solution? OSPF over GRE/IPSec.

Here is the topology:

[Figure: juniper-cisco-topology-1]

This diagram is helpful when mapping out the configuration:

[Figure: juniper-cisco-topology-with-ports]

Here are my notes on how to set this up:

Cisco 3845 – HQ

Configure Phase 1

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 123456789 address 33.33.33.33

Configure Phase 2

ip access-list extended LOOPBACK1-TO-SRX-LOOPBACK
 permit ip host 10.255.0.1 host 10.255.0.3
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha-hmac
crypto map CRYPTO-MAP 1 ipsec-isakmp
 set peer 33.33.33.33
 set transform-set TRANSFORM
 set pfs group2
 match address LOOPBACK1-TO-SRX-LOOPBACK

Configure the Loopback (Used as the tunnel source)

interface Loopback1
 ip address 10.255.0.1 255.255.255.255

Configure the Virtual Tunnel Interface

interface Tunnel1
 description *** GRE to SRX ***
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf flood-reduction
 ip ospf 10 area 990
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 10.255.0.3

Configure OSPF

router ospf 10
 area 990 stub

Prevent Recursive Routing

ip route 10.255.0.3 255.255.255.255 11.11.11.1

Apply crypto-map

interface GigabitEthernet0/0
 crypto map CRYPTO-MAP

Juniper SRX – Remote Site

Configure Phase 1 – IKE

set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL dh-group group2
set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PROPOSAL encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROPOSAL lifetime-seconds 28800
set security ike policy IKE-POLICY mode main
set security ike policy IKE-POLICY proposals IKE-PROPOSAL
set security ike policy IKE-POLICY pre-shared-key ascii-text 123456789

Configure Phase 1 – IKE Gateways

set security ike gateway HQ-1 ike-policy IKE-POLICY
set security ike gateway HQ-1 address 11.11.11.11
set security ike gateway HQ-1 local-identity inet 33.33.33.33
set security ike gateway HQ-1 external-interface ge-0/0/0.0

Configure Phase 2 – IPSec

set security ipsec proposal IPSEC-PROPOSAL protocol esp
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 3600
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group2
set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL

Configure Phase 2 – IPSec Peers

set security ipsec vpn HQ-1 bind-interface st0.0
set security ipsec vpn HQ-1 ike gateway HQ-1
set security ipsec vpn HQ-1 ike proxy-identity local 10.255.0.3/32
set security ipsec vpn HQ-1 ike proxy-identity remote 10.255.0.1/32
set security ipsec vpn HQ-1 ike proxy-identity service junos-gre
set security ipsec vpn HQ-1 ike ipsec-policy IPSEC-POLICY
set security ipsec vpn HQ-1 establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350

Configure the Loopback (Used as the tunnel source)

set interfaces lo0 unit 0 family inet address 10.255.0.3/32
set security zones security-zone signaling interfaces lo0.0

Configure the Virtual Tunnel Interface

set interfaces st0 unit 0 family inet
set interfaces gr-0/0/0 unit 0 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 0 tunnel source 10.255.0.3
set interfaces gr-0/0/0 unit 0 tunnel destination 10.255.0.1
set interfaces gr-0/0/0 unit 0 tunnel allow-fragmentation
set interfaces gr-0/0/0 unit 0 family inet mtu 1400
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.2/30

Configure OSPF

set protocols ospf area 0.0.3.222 stub
set protocols ospf area 0.0.3.222 interface gr-0/0/0.0 flood-reduction
set protocols ospf area 0.0.3.222 interface gr-0/0/0.1 flood-reduction
set protocols ospf area 0.0.3.222 interface vlan.1 passive
set protocols ospf area 0.0.3.222 interface vlan.1 flood-reduction
set security zones security-zone vpn host-inbound-traffic protocols ospf

Configure Security Zones and Policies

For troubleshooting purposes, you might want to permit-all in the default policy and apply more granular control afterwards:

set security policies default-policy permit-all

Sample security zones:

set security zones security-zone public host-inbound-traffic system-services ike
set security zones security-zone signaling host-inbound-traffic system-services ike
set security zones security-zone vpn host-inbound-traffic protocols ospf
set security zones security-zone public interfaces ge-0/0/0.0 host-inbound-traffic system-services any-service
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces gr-0/0/0.0
set security zones security-zone signaling interfaces lo0.0
set security policies from-zone vpn to-zone signaling policy vpn match source-address any
set security policies from-zone vpn to-zone signaling policy vpn match destination-address any
set security policies from-zone vpn to-zone signaling policy vpn match application any
set security policies from-zone vpn to-zone signaling policy vpn then permit
set policy-options prefix-list concentrators 11.11.11.11/32
set firewall family inet filter ingress-from-inet term ipsec-allow from prefix-list concentrators

Configure Routing

set routing-options static route 10.255.0.1/32 next-hop st0.0
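Before running the verification commands, it is worth cross-checking the two configs for the usual interop mistakes: a mismatched pre-shared key, IKE encryption, DH or PFS group, proxy IDs that do not mirror each other, or GRE endpoints that do not line up with the crypto ACL. The Python below is an added example, not from the post; it parses constructed excerpts of the HQ-1 Cisco and SRX configs above and assumes the Cisco tunnel source is Loopback1, as in the post.

```python
import re

# Constructed excerpts of the HQ-1 configs from the post (not the full configs).
CISCO = """\
 encr aes 256
 group 2
crypto isakmp key 123456789 address 33.33.33.33
ip access-list extended LOOPBACK1-TO-SRX-LOOPBACK
 permit ip host 10.255.0.1 host 10.255.0.3
 set pfs group2
interface Loopback1
 ip address 10.255.0.1 255.255.255.255
interface Tunnel1
 tunnel destination 10.255.0.3
"""
JUNOS = """\
set security ike proposal IKE-PROPOSAL dh-group group2
set security ike proposal IKE-PROPOSAL encryption-algorithm aes-256-cbc
set security ike policy IKE-POLICY pre-shared-key ascii-text 123456789
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group2
set security ipsec vpn HQ-1 ike proxy-identity local 10.255.0.3/32
set security ipsec vpn HQ-1 ike proxy-identity remote 10.255.0.1/32
set interfaces gr-0/0/0 unit 0 tunnel source 10.255.0.3
set interfaces gr-0/0/0 unit 0 tunnel destination 10.255.0.1
"""

# One regex per side per parameter; Cisco 'aes 256' / 'group 2' are captured as the bare
# number so they compare equal to Junos 'aes-256-cbc' / 'group2'. Assumes Loopback1 is the GRE source.
CISCO_RE = {
    "ike_enc": r"^ encr aes (\d+)", "dh": r"^ group (\d+)",
    "psk": r"^crypto isakmp key (\S+) address", "pfs": r"^ set pfs group(\d+)",
    "hq_lo": r"^ permit ip host (\S+) host", "srx_lo": r"^ permit ip host \S+ host (\S+)",
    "gre_hq": r"^interface Loopback1\n ip address (\S+)", "gre_srx": r"^ tunnel destination (\S+)",
}
JUNOS_RE = {
    "ike_enc": r"encryption-algorithm aes-(\d+)-cbc", "dh": r"dh-group group(\d+)",
    "psk": r"pre-shared-key ascii-text (\S+)", "pfs": r"perfect-forward-secrecy keys group(\d+)",
    "hq_lo": r"proxy-identity remote (\S+)/32", "srx_lo": r"proxy-identity local (\S+)/32",
    "gre_hq": r"unit 0 tunnel destination (\S+)", "gre_srx": r"unit 0 tunnel source (\S+)",
}

def extract(cfg, patterns):
    # Map each parameter name to its captured value (None if the line is missing).
    found = {k: re.search(p, cfg, re.M) for k, p in patterns.items()}
    return {k: (m.group(1) if m else None) for k, m in found.items()}

def mismatches(cisco_cfg, junos_cfg):
    """Return {param: (cisco_value, junos_value)} for every parameter that differs; {} means consistent."""
    c, j = extract(cisco_cfg, CISCO_RE), extract(junos_cfg, JUNOS_RE)
    return {k: (c[k], j[k]) for k in CISCO_RE if c[k] != j[k]}
```

Calling `mismatches(CISCO, JUNOS)` on the excerpts above returns an empty dict; a non-empty result names the parameter to fix before looking at IKE debug output.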

Verify

admin@SRX240# run show security ike security-associations
 Index State Initiator cookie Responder cookie Mode Remote Address
 7251638 UP 47ffe2c472e10db5 c14aab1a09ec22b3 Main 11.11.11.11
admin@SRX240# run show security ipsec security-associations
 Total active tunnels: 2
 ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
 131073 ESP:aes-256/sha1 4d1c403b 876/ 4608000 - root 4500 11.11.11.11
admin@SRX240# run show ospf neighbor
 Address Interface State ID Pri Dead
 10.0.0.1 gr-0/0/0.0 Full 1.1.1.7 1 38

Add a redundant tunnel? Sure!

The new topology would look like this:

[Figure: topology-2]

Cisco 3845 – Secondary

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 123456789 address 33.33.33.33
ip access-list extended LOOPBACK1-TO-SRX-LOOPBACK
 permit ip host 10.255.0.2 host 10.255.0.3
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha-hmac
crypto map CRYPTO-MAP 1 ipsec-isakmp
 set peer 33.33.33.33
 set transform-set TRANSFORM
 set pfs group2
 match address LOOPBACK1-TO-SRX-LOOPBACK
interface Loopback1
 ip address 10.255.0.2 255.255.255.255
interface Tunnel1
 description *** GRE to SRX ***
 ip address 10.0.0.5 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf flood-reduction
 ip ospf 10 area 990
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 10.255.0.3
router ospf 10
 area 990 stub
ip route 10.255.0.3 255.255.255.255 22.22.22.1
interface GigabitEthernet0/0
 crypto map CRYPTO-MAP

Juniper SRX

set security ike gateway HQ-2 ike-policy IKE-POLICY
set security ike gateway HQ-2 address 22.22.22.22
set security ike gateway HQ-2 local-identity inet 33.33.33.33
set security ike gateway HQ-2 external-interface ge-0/0/0.0
set security ipsec vpn HQ-2 bind-interface st0.1
set security ipsec vpn HQ-2 ike gateway HQ-2
set security ipsec vpn HQ-2 ike proxy-identity local 10.255.0.3/32
set security ipsec vpn HQ-2 ike proxy-identity remote 10.255.0.2/32
set security ipsec vpn HQ-2 ike proxy-identity service junos-gre
set security ipsec vpn HQ-2 ike ipsec-policy IPSEC-POLICY
set security ipsec vpn HQ-2 establish-tunnels immediately
set interfaces gr-0/0/0 unit 1 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 1 tunnel source 10.255.0.3
set interfaces gr-0/0/0 unit 1 tunnel destination 10.255.0.2
set interfaces gr-0/0/0 unit 1 tunnel allow-fragmentation
set interfaces gr-0/0/0 unit 1 family inet mtu 1400
set interfaces gr-0/0/0 unit 1 family inet address 10.0.0.6/30
set interfaces st0 unit 1 family inet
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn interfaces gr-0/0/0.1

Helpful references:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB19372
http://myitnotes.info/doku.php?id=en:jobs:vpn_gre_over_ipsec_1
http://expert-mode.blogspot.ca/2013/05/juniper-srx-route-based-vpn-howto.html
http://expert-mode.blogspot.com/2013/05/juniper-srx-ospf-over-gre-over-ipsec.html

4 comments

  1. Hi, I want to create a configuration between a Cisco 7604 & Juniper SRX. Can someone provide the configuration details on both routers?
