Juniper – Cisco – GRE IPSec with OSPF

I had the privilege of introducing Cisco and Juniper into a new relationship. They were happy, holding hands and exchanging routes, but the relationship was taboo, so they wanted to keep it private. Solution? OSPF over GRE/IPSec.

Here is the topology:

juniper-cisco-topology-1

This diagram is helpful when mapping out the configuration:

juniper-cisco-topology-with-ports

Here are my notes on how to set this up:

Cisco 3845 – HQ

Configure Phase 1

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 123456789 address 33.33.33.33

Configure Phase 2

ip access-list extended LOOPBACK1-TO-SRX-LOOPBACK
 permit ip host 10.255.0.1 host 10.255.0.3
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha-hmac
crypto map CRYPTO-MAP 1 ipsec-isakmp
 set peer 33.33.33.33
 set transform-set TRANSFORM
 set pfs group2
 match address LOOPBACK1-TO-SRX-LOOPBACK

Configure the Loopback (Used as the tunnel source)

interface Loopback1
 ip address 10.255.0.1 255.255.255.255

Configure the Virtual Tunnel Interface

interface Tunnel1
 description *** GRE to SRX ***
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf flood-reduction
 ip ospf 10 area 990
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 10.255.0.3

Configure OSPF

router ospf 10
 area 990 stub

Prevent Recursive Routing

ip route 10.255.0.3 255.255.255.255 11.11.11.1

Apply crypto-map

interface GigabitEthernet0/0
 crypto map CRYPTO-MAP

Juniper SRX – Remote Site

Configure Phase 1 – IKE

set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL dh-group group2
set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PROPOSAL encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROPOSAL lifetime-seconds 28800
set security ike policy IKE-POLICY mode main
set security ike policy IKE-POLICY proposals IKE-PROPOSAL
set security ike policy IKE-POLICY pre-shared-key ascii-text 123456789

Configure Phase 1 – IKE Gateways

set security ike gateway HQ-1 ike-policy IKE-POLICY
set security ike gateway HQ-1 address 11.11.11.11
set security ike gateway HQ-1 local-identity inet 33.33.33.33
set security ike gateway HQ-1 external-interface ge-0/0/0.0

Configure Phase 2 – IPSec

set security ipsec proposal IPSEC-PROPOSAL protocol esp
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 3600
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group2
set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL

Configure Phase 2 – IPSec Peers

set security ipsec vpn HQ-1 bind-interface st0.0
set security ipsec vpn HQ-1 ike gateway HQ-1
set security ipsec vpn HQ-1 ike proxy-identity local 10.255.0.3/32
set security ipsec vpn HQ-1 ike proxy-identity remote 10.255.0.1/32
set security ipsec vpn HQ-1 ike proxy-identity service junos-gre
set security ipsec vpn HQ-1 ike ipsec-policy IPSEC-POLICY
set security ipsec vpn HQ-1 establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350

Configure the Loopback (Used as the tunnel source)

set interfaces lo0 unit 0 family inet address 10.255.0.3/32
set security zones security-zone signaling interfaces lo0.0

Configure the Virtual Tunnel Interface

set interfaces st0 unit 0 family inet
set interfaces gr-0/0/0 unit 0 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 0 tunnel source 10.255.0.3
set interfaces gr-0/0/0 unit 0 tunnel destination 10.255.0.1
set interfaces gr-0/0/0 unit 0 tunnel allow-fragmentation
set interfaces gr-0/0/0 unit 0 family inet mtu 1400
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.2/30

Configure OSPF

set protocols ospf area 0.0.3.222 stub
set protocols ospf area 0.0.3.222 interface gr-0/0/0.0 flood-reduction
set protocols ospf area 0.0.3.222 interface gr-0/0/0.1 flood-reduction
set protocols ospf area 0.0.3.222 interface vlan.1 passive
set protocols ospf area 0.0.3.222 interface vlan.1 flood-reduction
set security zones security-zone vpn host-inbound-traffic protocols ospf

Configure Security Zones and Policies

For troubleshooting purposes, you might want to permit-all in the default policy and apply more granular control afterwards:

set security policies default-policy permit-all

Sample security zones:

set security zones security-zone public host-inbound-traffic system-services ike
set security zones security-zone signaling host-inbound-traffic system-services ike
set security zones security-zone vpn host-inbound-traffic protocols ospf
set security zones security-zone public interfaces ge-0/0/0.0 host-inbound-traffic system-services any-service
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces gr-0/0/0.0
set security zones security-zone signaling interfaces lo0.0
set security policies from-zone vpn to-zone signaling policy vpn match source-address any
set security policies from-zone vpn to-zone signaling policy vpn match destination-address any
set security policies from-zone vpn to-zone signaling policy vpn match application any
set security policies from-zone vpn to-zone signaling policy vpn then permit
set policy-options prefix-list concentrators 11.11.11.11/32
set firewall family inet filter ingress-from-inet term ipsec-allow from prefix-list concentrators

Configure Routing

set routing-options static route 10.255.0.1/32 next-hop st0.0

Verify

admin@SRX240# run show security ike security-associations
 Index State Initiator cookie Responder cookie Mode Remote Address
 7251638 UP 47ffe2c472e10db5 c14aab1a09ec22b3 Main 11.11.11.11
admin@SRX240# run show security ipsec security-associations
 Total active tunnels: 2
 ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
 131073 ESP:aes-256/sha1 4d1c403b 876/ 4608000 - root 4500 11.11.11.11
admin@SRX240# run show ospf neighbor
 Address Interface State ID Pri Dead
 10.0.0.1 gr-0/0/0.0 Full 1.1.1.7 1 38

Add a redundant tunnel? Sure!

The new topology looks like this:

topology-2

Cisco 3845 – Secondary

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 123456789 address 33.33.33.33
ip access-list extended LOOPBACK1-TO-SRX-LOOPBACK
 permit ip host 10.255.0.2 host 10.255.0.3
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha-hmac
crypto map CRYPTO-MAP 1 ipsec-isakmp
 set peer 33.33.33.33
 set transform-set TRANSFORM
 set pfs group2
 match address LOOPBACK1-TO-SRX-LOOPBACK
interface Loopback1
 ip address 10.255.0.2 255.255.255.255
interface Tunnel1
 description *** GRE to SRX ***
 ip address 10.0.0.5 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf flood-reduction
 ip ospf 10 area 990
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 10.255.0.3
router ospf 10
 area 990 stub
ip route 10.255.0.3 255.255.255.255 22.22.22.1
interface GigabitEthernet0/0
 crypto map CRYPTO-MAP

Juniper SRX

set security ike gateway HQ-2 ike-policy IKE-POLICY
set security ike gateway HQ-2 address 22.22.22.22
set security ike gateway HQ-2 local-identity inet 33.33.33.33
set security ike gateway HQ-2 external-interface ge-0/0/0.0
set security ipsec vpn HQ-2 bind-interface st0.1
set security ipsec vpn HQ-2 ike gateway HQ-2
set security ipsec vpn HQ-2 ike proxy-identity local 10.255.0.3/32
set security ipsec vpn HQ-2 ike proxy-identity remote 10.255.0.2/32
set security ipsec vpn HQ-2 ike proxy-identity service junos-gre
set security ipsec vpn HQ-2 ike ipsec-policy IPSEC-POLICY
set security ipsec vpn HQ-2 establish-tunnels immediately
set interfaces gr-0/0/0 unit 1 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 1 tunnel source 10.255.0.3
set interfaces gr-0/0/0 unit 1 tunnel destination 10.255.0.2
set interfaces gr-0/0/0 unit 1 tunnel allow-fragmentation
set interfaces gr-0/0/0 unit 1 family inet mtu 1400
set interfaces gr-0/0/0 unit 1 family inet address 10.0.0.6/30
set interfaces st0 unit 1 family inet
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn interfaces gr-0/0/0.1

Helpful references:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB19372
http://myitnotes.info/doku.php?id=en:jobs:vpn_gre_over_ipsec_1
http://expert-mode.blogspot.ca/2013/05/juniper-srx-route-based-vpn-howto.html
http://expert-mode.blogspot.com/2013/05/juniper-srx-ospf-over-gre-over-ipsec.html

David Varnum



7 Responses

  1. bilunov77 says:

    Reblogged this on 49514262200010.

  2. Alex says:

    Wow that was really helpful as I’m new to JUNOS. Thanks, David!

  3. Dharmeh says:

    Hi, I want to create a configuration between Cisco 7604 & Juniper SRX. Can someone provide the configuration details on both routers?

  4. Khiz says:

    1. Don't we need static routes to the IPsec tunnel endpoints with a next hop to the service provider network?
    2. I tried a similar config with a vMX router and Cisco, but it doesn't work. Can you please confirm if this works on vMX routers as well?

    Thanks

    • David Varnum says:

      Yes, good point, you would certainly need a route out to your SP. The configuration was done with Juniper SRX. The syntax will, unfortunately, be different on the MX platforms. I’m sorry I don’t have an example of that, but please come back and share if you end up figuring it out!

      • khiz says:

        Hi David,
        Yes, I was trying to do it using EVE-NG between Cisco and a vMX router, but unfortunately I couldn't make it work. I will paste the config here if you would like to replicate it.

        Topology:
        vMx:ge-0/0/0———————-ISP——————Eth0/1:Cisco

        vMX Configs JUNIPER:
        =================

        set chassis fpc 0 pic 0 tunnel-services bandwidth 10g -> to enable gre-0/0/0
        set chassis fpc 0 pic 0 inline-services bandwidth 10g -> to enable si-0/0/0 for IPSEC

        set interfaces ge-0/0/0 unit 0 family inet address 33.33.33.33/24

        set interfaces gr-0/0/0 unit 0 tunnel source 10.255.0.3
        set interfaces gr-0/0/0 unit 0 tunnel destination 10.255.0.1
        set interfaces gr-0/0/0 unit 0 family inet mtu 1400
        set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.2/30

        set interfaces si-0/0/0 unit 0 family inet
        set interfaces si-0/0/0 unit 1 family inet
        set interfaces si-0/0/0 unit 1 service-domain inside
        set interfaces si-0/0/0 unit 2 family inet
        set interfaces si-0/0/0 unit 2 service-domain outside

        set interfaces lo0 unit 0 family inet address 10.255.0.3/32

        set services service-set SS next-hop-service inside-service-interface si-0/0/0.1
        set services service-set SS next-hop-service outside-service-interface si-0/0/0.2
        set services service-set SS ipsec-vpn-options local-gateway 33.33.33.33
        set services service-set SS ipsec-vpn-rules IPSEC

        set services ipsec-vpn rule IPSEC term GRE from source-address 10.255.0.3/32
        set services ipsec-vpn rule IPSEC term GRE from destination-address 10.255.0.1/32
        set services ipsec-vpn rule IPSEC term GRE then remote-gateway 11.11.11.11
        set services ipsec-vpn rule IPSEC term GRE then dynamic ike-policy IKE_POLCIY
        set services ipsec-vpn rule IPSEC term GRE then dynamic ipsec-policy IPSEC_POLICY
        set services ipsec-vpn rule IPSEC term GRE then clear-dont-fragment-bit
        set services ipsec-vpn rule IPSEC match-direction input

        set services ipsec-vpn ipsec proposal IPSEC_PROPOSAL protocol esp
        set services ipsec-vpn ipsec proposal IPSEC_PROPOSAL authentication-algorithm hmac-sha1-96
        set services ipsec-vpn ipsec proposal IPSEC_PROPOSAL encryption-algorithm aes-128-cbc
        set services ipsec-vpn ipsec policy IPSEC_POLICY proposals IPSEC_PROPOSAL

        set services ipsec-vpn ike proposal IKE_PROPOSAL authentication-method pre-shared-keys
        set services ipsec-vpn ike proposal IKE_PROPOSAL dh-group group5
        set services ipsec-vpn ike proposal IKE_PROPOSAL authentication-algorithm sha-256
        set services ipsec-vpn ike proposal IKE_PROPOSAL encryption-algorithm aes-128-cbc
        set services ipsec-vpn ike policy IKE_POLCIY mode main
        set services ipsec-vpn ike policy IKE_POLCIY proposals IKE_PROPOSAL
        set services ipsec-vpn ike policy IKE_POLCIY pre-shared-key ascii-text cisco123

        set services ipsec-vpn traceoptions file ipsec_log
        set services ipsec-vpn traceoptions level all
        set services ipsec-vpn traceoptions flag all
        set services ipsec-vpn establish-tunnels immediately

        set routing-options static route 0.0.0.0/0 next-hop 33.33.33.1
        set routing-options static route 10.255.0.1/32 next-hop si-0/0/0.1

        set system root-authentication plain-text-password

        ============================================================================

        ISP Router Configs: just routes for reachability

        interface Ethernet0/0
        description Connected to Juniper vMX
        ip address 33.33.33.1 255.255.255.0
        end

        interface Ethernet0/1
        description Connected to Cisco IOL
        ip address 11.11.11.1 255.255.255.0
        end

        ISP#show run | sec ip route
        ip route 10.255.0.1 255.255.255.255 11.11.11.11
        ip route 10.255.0.3 255.255.255.255 33.33.33.33
        ==============================================================================

        Cisco Router Configs:
        ==================

        crypto isakmp policy 10
        encr aes
        hash sha256
        authentication pre-share
        group 5
        crypto isakmp key cisco123 address 33.33.33.33

        crypto ipsec transform-set TRANSFORM-1 esp-aes esp-sha-hmac
        mode transport
        crypto map VPN 10 ipsec-isakmp
        set peer 33.33.33.33
        set transform-set TRANSFORM-1

        CISCO#show run | sec ip route
        ip route 10.255.0.3 255.255.255.255 11.11.11.1
        ip route 33.33.33.33 255.255.255.255 11.11.11.1

        interface Ethernet0/1
        ip address 11.11.11.11 255.255.255.0
        crypto map VPN
        end

        =================================================================================
