I had the privilege of introducing Cisco and Juniper into a new relationship. They were happy, holding hands and exchanging routes, but the relationship was taboo, so they wanted to keep it private. Solution? OSPF over GRE/IPSec.
Here is the topology:
This diagram is helpful when mapping out the configuration:
Here are my notes on how to set this up:
Cisco 3845 – HQ
Configure Phase 1
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 123456789 address 33.33.33.33
Configure Phase 2
ip access-list extended LOOPBACK1-TO-SRX-LOOPBACK
 permit ip host 10.255.0.1 host 10.255.0.3
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha-hmac
crypto map CRYPTO-MAP 1 ipsec-isakmp
 set peer 33.33.33.33
 set transform-set TRANSFORM
 set pfs group2
 match address LOOPBACK1-TO-SRX-LOOPBACK
Configure the Loopback (Used as the tunnel source)
interface Loopback1
 ip address 10.255.0.1 255.255.255.255
Configure the Virtual Tunnel Interface
interface Tunnel1
 description *** GRE to SRX ***
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf flood-reduction
 ip ospf 10 area 990
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 10.255.0.3
Configure OSPF
router ospf 10
 area 990 stub
Prevent Recursive Routing
ip route 10.255.0.3 255.255.255.255 11.11.11.1
Apply crypto-map
interface GigabitEthernet0/0
 crypto map CRYPTO-MAP
Juniper SRX – Remote Site
Configure Phase 1 – IKE
set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL dh-group group2
set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PROPOSAL encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROPOSAL lifetime-seconds 28800
set security ike policy IKE-POLICY mode main
set security ike policy IKE-POLICY proposals IKE-PROPOSAL
set security ike policy IKE-POLICY pre-shared-key ascii-text 123456789
Configure Phase 1 – IKE Gateways
set security ike gateway HQ-1 ike-policy IKE-POLICY
set security ike gateway HQ-1 address 11.11.11.11
set security ike gateway HQ-1 local-identity inet 33.33.33.33
set security ike gateway HQ-1 external-interface ge-0/0/0.0
Configure Phase 2 – IPSec
set security ipsec proposal IPSEC-PROPOSAL protocol esp
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 3600
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group2
set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL
Configure Phase 2 – IPSec Peers
set security ipsec vpn HQ-1 bind-interface st0.0
set security ipsec vpn HQ-1 ike gateway HQ-1
set security ipsec vpn HQ-1 ike proxy-identity local 10.255.0.3/32
set security ipsec vpn HQ-1 ike proxy-identity remote 10.255.0.1/32
set security ipsec vpn HQ-1 ike proxy-identity service junos-gre
set security ipsec vpn HQ-1 ike ipsec-policy IPSEC-POLICY
set security ipsec vpn HQ-1 establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350
Configure the Loopback (Used as the tunnel source)
set interfaces lo0 unit 0 family inet address 10.255.0.3/32
set security zones security-zone signaling interfaces lo0.0
Configure the Virtual Tunnel Interface
set interfaces st0 unit 0 family inet
set interfaces gr-0/0/0 unit 0 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 0 tunnel source 10.255.0.3
set interfaces gr-0/0/0 unit 0 tunnel destination 10.255.0.1
set interfaces gr-0/0/0 unit 0 tunnel allow-fragmentation
set interfaces gr-0/0/0 unit 0 family inet mtu 1400
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.2/30
Configure OSPF
set protocols ospf area 0.0.3.222 stub
set protocols ospf area 0.0.3.222 interface gr-0/0/0.0 flood-reduction
set protocols ospf area 0.0.3.222 interface gr-0/0/0.1 flood-reduction
set protocols ospf area 0.0.3.222 interface vlan.1 passive
set protocols ospf area 0.0.3.222 interface vlan.1 flood-reduction
set security zones security-zone vpn host-inbound-traffic protocols ospf
Configure Security Zones and Policies
For troubleshooting purposes, you might want to set the default policy to permit-all and apply more granular control afterwards:
set security policies default-policy permit-all
Sample security zones:
set security zones security-zone public host-inbound-traffic system-services ike
set security zones security-zone signaling host-inbound-traffic system-services ike
set security zones security-zone vpn host-inbound-traffic protocols ospf
set security zones security-zone public interfaces ge-0/0/0.0 host-inbound-traffic system-services any-service
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces gr-0/0/0.0
set security zones security-zone signaling interfaces lo0.0
set security policies from-zone vpn to-zone signaling policy vpn match source-address any
set security policies from-zone vpn to-zone signaling policy vpn match destination-address any
set security policies from-zone vpn to-zone signaling policy vpn match application any
set security policies from-zone vpn to-zone signaling policy vpn then permit
set policy-options prefix-list concentrators 11.11.11.11/32
set firewall family inet filter ingress-from-inet term ipsec-allow from prefix-list concentrators
Configure Routing
set routing-options static route 10.255.0.1/32 next-hop st0.0
Verify
admin@SRX240# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
7251638 UP     47ffe2c472e10db5  c14aab1a09ec22b3  Main  11.11.11.11

admin@SRX240# run show security ipsec security-associations
  Total active tunnels: 2
  ID      Algorithm         SPI       Life:sec/kb   Mon  vsys  Port  Gateway
  131073  ESP:aes-256/sha1  4d1c403b  876/ 4608000  -    root  4500  11.11.11.11

admin@SRX240# run show ospf neighbor
Address     Interface    State  ID       Pri  Dead
10.0.0.1    gr-0/0/0.0   Full   1.1.1.7  1    38
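Before chasing routing, it pays to confirm that the two vendors' Phase 1 and Phase 2 parameters actually line up, since a proposal mismatch is what keeps the IKE SA above from reaching UP. The following is an added example, not code from the original post: it normalises the IOS crypto keywords and the Junos proposal lines shown above into one vocabulary and reports every field on which the two peers differ (an empty list means they are aligned). It compares only encryption, hash, DH group, authentication method, IKE lifetime and PFS; proxy identities and the crypto ACL are out of scope, and the IOS defaults it fills in are `hash sha` and 128-bit `esp-aes` when no key size is given.

```python
# Constructed samples: the HQ-1 Phase 1 / Phase 2 lines from the configs in this post.
CISCO_CFG = """\
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha-hmac
 set pfs group2
"""
JUNOS_CFG = """\
set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL dh-group group2
set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PROPOSAL encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROPOSAL lifetime-seconds 28800
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group2
"""
JUNOS_KEYS = {("ike", "encryption-algorithm"): "ike_enc", ("ike", "authentication-algorithm"): "ike_hash",
              ("ike", "authentication-method"): "ike_auth", ("ike", "dh-group"): "ike_dh", ("ike", "lifetime-seconds"): "ike_life",
              ("ipsec", "encryption-algorithm"): "esp_enc", ("ipsec", "authentication-algorithm"): "esp_auth"}
def aes_name(w, i):  # 'aes 256' / 'esp-aes 256' at w[i] -> 'aes-256-cbc'; no size = IOS 128-bit default
    return "aes-%s-cbc" % (w[i + 1] if len(w) > i + 1 and w[i + 1].isdigit() else "128")
def cisco_params(cfg):
    """Map IOS isakmp-policy, transform-set and crypto-map keywords onto Junos names."""
    p = {"ike_hash": "sha1", "pfs": "none"}  # IOS defaults when the keyword is absent
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] == "encr": p["ike_enc"] = aes_name(w, 1) if w[1] == "aes" else w[1]
        elif w[0] == "hash": p["ike_hash"] = {"sha": "sha1", "sha256": "sha-256"}.get(w[1], w[1])
        elif w[0] == "authentication": p["ike_auth"] = "pre-shared-keys" if w[1] == "pre-share" else w[1]
        elif w[0] == "group": p["ike_dh"] = "group" + w[1]
        elif w[0] == "lifetime": p["ike_life"] = w[1]
        elif w[:2] == ["set", "pfs"]: p["pfs"] = w[2]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            p["esp_enc"] = aes_name(w, w.index("esp-aes")) if "esp-aes" in w else "other"
            p["esp_auth"] = "hmac-sha1-96" if "esp-sha-hmac" in w else "other"
    return p
def junos_params(cfg):
    """Pull the same fields out of Junos 'set security ike|ipsec ...' lines."""
    p = {"pfs": "none"}  # Junos uses no PFS unless the ipsec policy asks for it
    for w in (line.split() for line in cfg.splitlines()):
        if len(w) < 7 or w[:2] != ["set", "security"]: continue
        if w[3] == "proposal" and (w[2], w[5]) in JUNOS_KEYS: p[JUNOS_KEYS[(w[2], w[5])]] = w[6]
        elif w[3] == "policy" and w[5] == "perfect-forward-secrecy": p["pfs"] = w[7]
    return p
def mismatches(cisco, junos):
    """(field, cisco_value, junos_value) for every field the two peers disagree on."""
    return [(k, cisco.get(k), junos.get(k)) for k in sorted(set(cisco) | set(junos)) if cisco.get(k) != junos.get(k)]
```

Feed it the running config of each side and an empty result says the proposals agree; a non-empty one names the field to fix before looking at proxy IDs or routes.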
Add a redundant tunnel? Sure!
New topology would look like this:
Cisco 3845 – Secondary
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 123456789 address 33.33.33.33
ip access-list extended LOOPBACK1-TO-SRX-LOOPBACK
 permit ip host 10.255.0.2 host 10.255.0.3
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha-hmac
crypto map CRYPTO-MAP 1 ipsec-isakmp
 set peer 33.33.33.33
 set transform-set TRANSFORM
 set pfs group2
 match address LOOPBACK1-TO-SRX-LOOPBACK
interface Loopback1
 ip address 10.255.0.2 255.255.255.255
interface Tunnel1
 description *** GRE to SRX ***
 ip address 10.0.0.5 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf flood-reduction
 ip ospf 10 area 990
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 10.255.0.3
router ospf 10
 area 990 stub
ip route 10.255.0.3 255.255.255.255 22.22.22.1
interface GigabitEthernet0/0
 crypto map CRYPTO-MAP
Juniper SRX
set security ike gateway HQ-2 ike-policy IKE-POLICY
set security ike gateway HQ-2 address 22.22.22.22
set security ike gateway HQ-2 local-identity inet 33.33.33.33
set security ike gateway HQ-2 external-interface ge-0/0/0.0
set security ipsec vpn HQ-2 bind-interface st0.1
set security ipsec vpn HQ-2 ike gateway HQ-2
set security ipsec vpn HQ-2 ike proxy-identity local 10.255.0.3/32
set security ipsec vpn HQ-2 ike proxy-identity remote 10.255.0.2/32
set security ipsec vpn HQ-2 ike proxy-identity service junos-gre
set security ipsec vpn HQ-2 ike ipsec-policy IPSEC-POLICY
set security ipsec vpn HQ-2 establish-tunnels immediately
set interfaces gr-0/0/0 unit 1 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 1 tunnel source 10.255.0.3
set interfaces gr-0/0/0 unit 1 tunnel destination 10.255.0.2
set interfaces gr-0/0/0 unit 1 tunnel allow-fragmentation
set interfaces gr-0/0/0 unit 1 family inet mtu 1400
set interfaces gr-0/0/0 unit 1 family inet address 10.0.0.6/30
set interfaces st0 unit 1 family inet
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn interfaces gr-0/0/0.1
Helpful references:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB19372
http://myitnotes.info/doku.php?id=en:jobs:vpn_gre_over_ipsec_1
http://expert-mode.blogspot.ca/2013/05/juniper-srx-route-based-vpn-howto.html
http://expert-mode.blogspot.com/2013/05/juniper-srx-ospf-over-gre-over-ipsec.html
Wow that was really helpful as I’m new to JUNOS. Thanks, David!
Thanks for reading!
Hi, I want to create a configuration between a Cisco 7604 & Juniper SRX. Can someone provide the configuration details on both routers?
1. Don't we need static routes to the IPsec tunnel endpoints with a next hop to the service provider network?
2. I tried a similar config with a vMX router and Cisco but it doesn't work. Can you please confirm if this works on vMX routers as well?
Thanks
Yes, good point, you would certainly need a route out to your SP. The configuration was done with Juniper SRX. The syntax will, unfortunately, be different on the MX platforms. I’m sorry I don’t have an example of that, but please come back and share if you end up figuring it out!
Hi David
Yes, I was trying to do it using EVE-NG between Cisco and a vMX router but unfortunately I couldn't make it work. I will paste the config here if you would like to replicate it.
Topology:
vMx:ge-0/0/0———————-ISP——————Eth0/1:Cisco
vMX Configs JUNIPER:
=================
set chassis fpc 0 pic 0 tunnel-services bandwidth 10g -> to enable gre-0/0/0
set chassis fpc 0 pic 0 inline-services bandwidth 10g -> to enable si-0/0/0 for IPSEC
set interfaces ge-0/0/0 unit 0 family inet address 33.33.33.33/24
set interfaces gr-0/0/0 unit 0 tunnel source 10.255.0.3
set interfaces gr-0/0/0 unit 0 tunnel destination 10.255.0.1
set interfaces gr-0/0/0 unit 0 family inet mtu 1400
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.2/30
set interfaces si-0/0/0 unit 0 family inet
set interfaces si-0/0/0 unit 1 family inet
set interfaces si-0/0/0 unit 1 service-domain inside
set interfaces si-0/0/0 unit 2 family inet
set interfaces si-0/0/0 unit 2 service-domain outside
set interfaces lo0 unit 0 family inet address 10.255.0.3/32
set services service-set SS next-hop-service inside-service-interface si-0/0/0.1
set services service-set SS next-hop-service outside-service-interface si-0/0/0.2
set services service-set SS ipsec-vpn-options local-gateway 33.33.33.33
set services service-set SS ipsec-vpn-rules IPSEC
set services ipsec-vpn rule IPSEC term GRE from source-address 10.255.0.3/32
set services ipsec-vpn rule IPSEC term GRE from destination-address 10.255.0.1/32
set services ipsec-vpn rule IPSEC term GRE then remote-gateway 11.11.11.11
set services ipsec-vpn rule IPSEC term GRE then dynamic ike-policy IKE_POLCIY
set services ipsec-vpn rule IPSEC term GRE then dynamic ipsec-policy IPSEC_POLICY
set services ipsec-vpn rule IPSEC term GRE then clear-dont-fragment-bit
set services ipsec-vpn rule IPSEC match-direction input
set services ipsec-vpn ipsec proposal IPSEC_PROPOSAL protocol esp
set services ipsec-vpn ipsec proposal IPSEC_PROPOSAL authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal IPSEC_PROPOSAL encryption-algorithm aes-128-cbc
set services ipsec-vpn ipsec policy IPSEC_POLICY proposals IPSEC_PROPOSAL
set services ipsec-vpn ike proposal IKE_PROPOSAL authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE_PROPOSAL dh-group group5
set services ipsec-vpn ike proposal IKE_PROPOSAL authentication-algorithm sha-256
set services ipsec-vpn ike proposal IKE_PROPOSAL encryption-algorithm aes-128-cbc
set services ipsec-vpn ike policy IKE_POLCIY mode main
set services ipsec-vpn ike policy IKE_POLCIY proposals IKE_PROPOSAL
set services ipsec-vpn ike policy IKE_POLCIY pre-shared-key ascii-text cisco123
set services ipsec-vpn traceoptions file ipsec_log
set services ipsec-vpn traceoptions level all
set services ipsec-vpn traceoptions flag all
set services ipsec-vpn establish-tunnels immediately
set routing-options static route 0.0.0.0/0 next-hop 33.33.33.1
set routing-options static route 10.255.0.1/32 next-hop si-0/0/0.1
set system root-authentication plain-text-password
============================================================================
ISP Router Configs: just routes for reachability
interface Ethernet0/0
 description Connected to Juniper vMX
 ip address 33.33.33.1 255.255.255.0
end
interface Ethernet0/1
 description Connected to Cisco IOL
 ip address 11.11.11.1 255.255.255.0
end
ISP#show run | sec ip route
ip route 10.255.0.1 255.255.255.255 11.11.11.11
ip route 10.255.0.3 255.255.255.255 33.33.33.33
==============================================================================
Cisco Router Configs:
==================
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5
crypto isakmp key cisco123 address 33.33.33.33
crypto ipsec transform-set TRANSFORM-1 esp-aes esp-sha-hmac
 mode transport
crypto map VPN 10 ipsec-isakmp
 set peer 33.33.33.33
 set transform-set TRANSFORM-1
CISCO#show run | sec ip route
ip route 10.255.0.3 255.255.255.255 11.11.11.1
ip route 33.33.33.33 255.255.255.255 11.11.11.1
interface Ethernet0/1
 ip address 11.11.11.11 255.255.255.0
 crypto map VPN
end
=================================================================================