Juniper – Cisco – GRE IPSec with OSPF

I had the privilege of introducing Cisco and Juniper into a new relationship. They were happy, holding hands and exchanging routes, but the relationship was taboo, so they wanted to keep it private. Solution? OSPF over GRE/IPSec.

Here is the topology:

juniper-cisco-topology-1

This diagram is helpful when mapping out the configuration:

juniper-cisco-topology-with-ports

Here are my notes on how to set this up:

Cisco 3845 – HQ

Configure Phase 1

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 123456789 address 33.33.33.33

Configure Phase 2

ip access-list extended LOOPBACK1-TO-SRX-LOOPBACK
 permit ip host 10.255.0.1 host 10.255.0.3
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha-hmac
crypto map CRYPTO-MAP 1 ipsec-isakmp
 set peer 33.33.33.33
 set transform-set TRANSFORM
 set pfs group2
 match address LOOPBACK1-TO-SRX-LOOPBACK

Configure the Loopback (Used as the tunnel source)

interface Loopback1
 ip address 10.255.0.1 255.255.255.255

Configure the Virtual Tunnel Interface

interface Tunnel1
 description *** GRE to SRX ***
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf flood-reduction
 ip ospf 10 area 990
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 10.255.0.3

Configure OSPF

router ospf 10
 area 990 stub

Prevent Recursive Routing

ip route 10.255.0.3 255.255.255.255 11.11.11.1

Apply crypto-map

interface GigabitEthernet0/0
 crypto map CRYPTO-MAP

Juniper SRX – Remote Site

Configure Phase 1 – IKE

set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL dh-group group2
set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PROPOSAL encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROPOSAL lifetime-seconds 28800
set security ike policy IKE-POLICY mode main
set security ike policy IKE-POLICY proposals IKE-PROPOSAL
set security ike policy IKE-POLICY pre-shared-key ascii-text 123456789

Configure Phase 1 – IKE Gateways

set security ike gateway HQ-1 ike-policy IKE-POLICY
set security ike gateway HQ-1 address 11.11.11.11
set security ike gateway HQ-1 local-identity inet 33.33.33.33
set security ike gateway HQ-1 external-interface ge-0/0/0.0

Configure Phase 2 – IPSec

set security ipsec proposal IPSEC-PROPOSAL protocol esp
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 3600
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group2
set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL

Configure Phase 2 – IPSec Peers

set security ipsec vpn HQ-1 bind-interface st0.0
set security ipsec vpn HQ-1 ike gateway HQ-1
set security ipsec vpn HQ-1 ike proxy-identity local 10.255.0.3/32
set security ipsec vpn HQ-1 ike proxy-identity remote 10.255.0.1/32
set security ipsec vpn HQ-1 ike proxy-identity service junos-gre
set security ipsec vpn HQ-1 ike ipsec-policy IPSEC-POLICY
set security ipsec vpn HQ-1 establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350

Configure the Loopback (Used as the tunnel source)

set interfaces lo0 unit 0 family inet address 10.255.0.3/32
set security zones security-zone signaling interfaces lo0.0

Configure the Virtual Tunnel Interface

set interfaces st0 unit 0 family inet
set interfaces gr-0/0/0 unit 0 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 0 tunnel source 10.255.0.3
set interfaces gr-0/0/0 unit 0 tunnel destination 10.255.0.1
set interfaces gr-0/0/0 unit 0 tunnel allow-fragmentation
set interfaces gr-0/0/0 unit 0 family inet mtu 1400
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.2/30
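The 1400-byte tunnel MTU and the 1360/1350 MSS clamps on the two sides are not arbitrary. A GRE packet carries 24 bytes of encapsulation (delivery IP header plus GRE header), and the ESP transform then adds an outer IP header, SPI and sequence number, an AES-CBC IV, block padding and a SHA1-96 ICV. All of that has to fit inside the 1500-byte link MTU, otherwise the crypto engine fragments after encryption and the far end has to reassemble before it can decrypt. The following Python, added here as an example and not part of the original post, models that overhead for the transform used above (AES-256-CBC, HMAC-SHA1-96, tunnel mode) and derives the largest inner MTU and the matching MSS; the 1500-byte link MTU and the optional NAT-T flag are assumptions.

```python
def esp_tunnel_wire_size(inner_len, *, block=16, iv=16, icv=12,
                         gre_hdr=24, outer_ip=20, natt=False):
    """On-the-wire size of an inner IP packet after GRE encapsulation and
    ESP tunnel-mode protection.

    Defaults model the transform in the post: AES-CBC (16-byte IV and block),
    HMAC-SHA1-96 (12-byte ICV), 20-byte GRE delivery IP + 4-byte GRE header,
    and a fresh 20-byte outer IP header. natt adds the 8-byte UDP header that
    NAT traversal (port 4500) inserts between IP and ESP (assumption).
    """
    gre_packet = inner_len + gre_hdr
    # ESP trailer rule: payload + padding + pad-length (1) + next-header (1)
    # must be a whole number of cipher blocks.
    padded = -(-(gre_packet + 2) // block) * block
    size = outer_ip + 8 + iv + padded + icv   # 8 = SPI + sequence number
    return size + (8 if natt else 0)


def fits(inner_mtu, link_mtu=1500, **kw):
    """True if a full-size inner packet leaves the box without post-encryption
    fragmentation."""
    return esp_tunnel_wire_size(inner_mtu, **kw) <= link_mtu


def max_inner_mtu(link_mtu=1500, **kw):
    """Largest inner packet that survives GRE+ESP encapsulation intact."""
    for inner in range(link_mtu, 0, -1):
        if esp_tunnel_wire_size(inner, **kw) <= link_mtu:
            return inner
    return 0


def tcp_mss_for(mtu, ip_hdr=20, tcp_hdr=20):
    """MSS to clamp so a full TCP segment fits the tunnel MTU
    (what 'ip tcp adjust-mss' / 'flow tcp-mss' enforce)."""
    return mtu - ip_hdr - tcp_hdr


if __name__ == "__main__":
    print("1400-byte packet on the wire:", esp_tunnel_wire_size(1400))
    print("largest inner MTU:", max_inner_mtu())
    print("MSS for 1400:", tcp_mss_for(1400))
    print("largest inner MTU with NAT-T:", max_inner_mtu(natt=True))
```

With these defaults a 1400-byte inner packet becomes 1496 bytes on the wire, so the configured value leaves a little headroom, and 1360 is exactly 1400 minus the IP and TCP headers; the SRX value of 1350 is simply more conservative. If the SA comes up on port 4500, as in the verification output further down, NAT-T costs another 8 bytes and the same model puts the largest fragmentation-free inner packet at 1398, so full-size packets would be fragmented after encryption unless the tunnel MTU is lowered a few bytes.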

Configure OSPF

set protocols ospf area 0.0.3.222 stub
set protocols ospf area 0.0.3.222 interface gr-0/0/0.0 flood-reduction
set protocols ospf area 0.0.3.222 interface gr-0/0/0.1 flood-reduction
set protocols ospf area 0.0.3.222 interface vlan.1 passive
set protocols ospf area 0.0.3.222 interface vlan.1 flood-reduction
set security zones security-zone vpn host-inbound-traffic protocols ospf

Configure Security Zones and Policies

For troubleshooting purposes, you might want to permit-all in the default policy and apply more granular control afterwards:

set security policies default-policy permit-all

Sample security zones:

set security zones security-zone public host-inbound-traffic system-services ike
set security zones security-zone signaling host-inbound-traffic system-services ike
set security zones security-zone vpn host-inbound-traffic protocols ospf
set security zones security-zone public interfaces ge-0/0/0.0 host-inbound-traffic system-services any-service
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces gr-0/0/0.0
set security zones security-zone signaling interfaces lo0.0
set security policies from-zone vpn to-zone signaling policy vpn match source-address any
set security policies from-zone vpn to-zone signaling policy vpn match destination-address any
set security policies from-zone vpn to-zone signaling policy vpn match application any
set security policies from-zone vpn to-zone signaling policy vpn then permit
set policy-options prefix-list concentrators 11.11.11.11/32
set firewall family inet filter ingress-from-inet term ipsec-allow from prefix-list concentrators

Configure Routing

set routing-options static route 10.255.0.1/32 next-hop st0.0
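Most interop failures between the two halves of this configuration are mirror-image mistakes: the crypto ACL on IOS and the proxy-identity on the SRX have to describe the same pair of loopbacks with local and remote swapped, the GRE endpoints have to be exactly those loopbacks so the traffic actually matches the SA, both ends must agree on the DH and PFS groups and key length, and IOS `area 990` is the same area as Junos `area 0.0.3.222` only because 990 written as a dotted quad is 0.0.3.222. The script below is an added example, not part of the original post: it parses constructed excerpts of the two configurations above (values copied from the post) and reports every place they disagree, including the Phase 2 proxy IDs and the OSPF area from the Configure OSPF sections.

```python
import ipaddress
import re

# Constructed excerpts of the two configurations in the post (values copied from it).
CISCO_HQ = """\
crypto isakmp policy 1
 encr aes 256
 group 2
ip access-list extended LOOPBACK1-TO-SRX-LOOPBACK
 permit ip host 10.255.0.1 host 10.255.0.3
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha-hmac
crypto map CRYPTO-MAP 1 ipsec-isakmp
 set pfs group2
interface Loopback1
 ip address 10.255.0.1 255.255.255.255
interface Tunnel1
 ip address 10.0.0.1 255.255.255.252
 ip ospf 10 area 990
 tunnel source Loopback1
 tunnel destination 10.255.0.3
router ospf 10
 area 990 stub
"""

SRX_REMOTE = """\
set security ike proposal IKE-PROPOSAL dh-group group2
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group2
set security ipsec vpn HQ-1 ike proxy-identity local 10.255.0.3/32
set security ipsec vpn HQ-1 ike proxy-identity remote 10.255.0.1/32
set interfaces gr-0/0/0 unit 0 tunnel source 10.255.0.3
set interfaces gr-0/0/0 unit 0 tunnel destination 10.255.0.1
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.2/30
set protocols ospf area 0.0.3.222 stub
"""


def _grab(pattern, text):
    """First capture group of pattern in text (multiline), or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def area_to_dotted(area):
    """IOS writes OSPF areas as integers, Junos as dotted quads: 990 -> 0.0.3.222."""
    return str(ipaddress.IPv4Address(area))


def dotted_to_area(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_cisco(cfg):
    local, remote = re.search(r"^ permit ip host (\S+) host (\S+)", cfg, re.M).groups()
    tun_ip, tun_mask = re.search(
        r"^interface Tunnel1\n(?: .*\n)*? ip address (\S+) (\S+)", cfg, re.M).groups()
    src_if = _grab(r"^ tunnel source (\S+)", cfg)          # e.g. Loopback1
    src_ip = _grab(rf"^interface {src_if}\n ip address (\S+)", cfg)
    return {
        "ike_dh": "group" + _grab(r"^ group (\d+)", cfg),
        "pfs": _grab(r"^ set pfs (group\d+)", cfg),
        "esp_aes_bits": int(_grab(r"esp-aes (\d+)", cfg)),
        "proxy_local": ipaddress.ip_address(local),
        "proxy_remote": ipaddress.ip_address(remote),
        "tunnel_src": ipaddress.ip_address(src_ip),
        "tunnel_dst": ipaddress.ip_address(_grab(r"^ tunnel destination (\S+)", cfg)),
        "tunnel_net": ipaddress.ip_interface(f"{tun_ip}/{tun_mask}").network,
        "ospf_area": int(_grab(r"^ ip ospf \d+ area (\d+)", cfg)),
        "stub": _grab(r"^ area \d+ (stub)", cfg) == "stub",
    }


def parse_junos(cfg):
    area = _grab(r"^set protocols ospf area (\S+)", cfg)
    return {
        "ike_dh": _grab(r"ike proposal \S+ dh-group (group\d+)", cfg),
        "pfs": _grab(r"perfect-forward-secrecy keys (group\d+)", cfg),
        "esp_aes_bits": int(_grab(r"ipsec proposal \S+ encryption-algorithm aes-(\d+)-cbc", cfg)),
        "proxy_local": ipaddress.ip_interface(_grab(r"proxy-identity local (\S+)", cfg)).ip,
        "proxy_remote": ipaddress.ip_interface(_grab(r"proxy-identity remote (\S+)", cfg)).ip,
        "tunnel_src": ipaddress.ip_address(_grab(r"gr-0/0/0 unit 0 tunnel source (\S+)", cfg)),
        "tunnel_dst": ipaddress.ip_address(_grab(r"gr-0/0/0 unit 0 tunnel destination (\S+)", cfg)),
        "tunnel_net": ipaddress.ip_interface(
            _grab(r"gr-0/0/0 unit 0 family inet address (\S+)", cfg)).network,
        "ospf_area": dotted_to_area(area),
        "stub": _grab(r"ospf area \S+ (stub)", cfg) == "stub",
    }


def check_interop(cisco_cfg, junos_cfg):
    """Return a list of mismatches between the two ends; empty means they agree."""
    c, j = parse_cisco(cisco_cfg), parse_junos(junos_cfg)
    rules = [
        ("IKE DH group", c["ike_dh"], j["ike_dh"]),
        ("PFS group", c["pfs"], j["pfs"]),
        ("ESP AES key bits", c["esp_aes_bits"], j["esp_aes_bits"]),
        # crypto ACL and proxy-identity must be mirror images
        ("proxy ID local/remote", c["proxy_local"], j["proxy_remote"]),
        ("proxy ID remote/local", c["proxy_remote"], j["proxy_local"]),
        # GRE endpoints must be the addresses the SA protects, on each side
        ("GRE source covered by proxy ID (IOS)", c["tunnel_src"], c["proxy_local"]),
        ("GRE source covered by proxy ID (SRX)", j["tunnel_src"], j["proxy_local"]),
        ("GRE endpoints mirrored", (c["tunnel_src"], c["tunnel_dst"]),
         (j["tunnel_dst"], j["tunnel_src"])),
        ("tunnel /30", c["tunnel_net"], j["tunnel_net"]),
        ("OSPF area", c["ospf_area"], j["ospf_area"]),
        ("OSPF stub", c["stub"], j["stub"]),
    ]
    return [f"{name}: IOS={a} SRX={b}" for name, a, b in rules if a != b]


if __name__ == "__main__":
    print(area_to_dotted(990))
    print(check_interop(CISCO_HQ, SRX_REMOTE) or "both ends agree")
```

Run against the post's values the check returns an empty list. Change the SRX area to 0.0.3.223 or the PFS group to group5 and the mismatch is named, which is quicker than waiting for an IKE proposal mismatch or a neighbour that never leaves Init.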

Verify

admin@SRX240# run show security ike security-associations
 Index State Initiator cookie Responder cookie Mode Remote Address
 7251638 UP 47ffe2c472e10db5 c14aab1a09ec22b3 Main 11.11.11.11
admin@SRX240# run show security ipsec security-associations
 Total active tunnels: 2
 ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
 131073 ESP:aes-256/sha1 4d1c403b 876/ 4608000 - root 4500 11.11.11.11
admin@SRX240# run show ospf neighbor
 Address Interface State ID Pri Dead
 10.0.0.1 gr-0/0/0.0 Full 1.1.1.7 1 38
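The three show commands above are the checks worth automating once the tunnel is in production: an IKE SA in state UP with the HQ address, an IPsec SA to the same gateway with the expected ESP transform, and an OSPF neighbour in Full on the GRE interface. The Python below is an added example, not part of the original post; it parses sample output constructed from the verification section above (columns collapsed to single spaces) and returns a list of problems, so it can feed a monitoring check rather than a pair of eyes.

```python
import re

# Sample output constructed from the post's verification section.
IKE_SA_OUT = """\
Index State Initiator cookie Responder cookie Mode Remote Address
7251638 UP 47ffe2c472e10db5 c14aab1a09ec22b3 Main 11.11.11.11
"""
IPSEC_SA_OUT = """\
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
131073 ESP:aes-256/sha1 4d1c403b 876/ 4608000 - root 4500 11.11.11.11
"""
OSPF_NBR_OUT = """\
Address Interface State ID Pri Dead
10.0.0.1 gr-0/0/0.0 Full 1.1.1.7 1 38
"""


def ike_sas(text):
    """Map remote address -> IKE state from 'show security ike security-associations'."""
    pat = re.compile(r"^(\d+) (\S+) ([0-9a-f]+) ([0-9a-f]+) (\S+) (\S+)$", re.M)
    return {m.group(6): m.group(2) for m in pat.finditer(text)}


def ipsec_sas(text):
    """Map gateway -> (algorithm, nat_t) from 'show security ipsec security-associations'.
    Port 4500 in that output means the SA is UDP-encapsulated (NAT-T)."""
    pat = re.compile(r"^(\d+) (\S+) ([0-9a-f]+) (\S+) (\d+) (\S+) (\S+) (\d+) (\S+)$", re.M)
    return {m.group(9): (m.group(2), m.group(8) == "4500") for m in pat.finditer(text)}


def ospf_neighbors(text):
    """Map interface -> neighbour state from 'show ospf neighbor'."""
    pat = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$", re.M)
    return {m.group(2): m.group(3) for m in pat.finditer(text)}


def verify_tunnel(ike_out, ipsec_out, ospf_out, peer, gre_if,
                  esp_alg="ESP:aes-256/sha1"):
    """Return the list of things wrong with the tunnel to peer over gre_if."""
    problems = []
    if ike_sas(ike_out).get(peer) != "UP":
        problems.append(f"no IKE SA in state UP with {peer}")
    sa = ipsec_sas(ipsec_out).get(peer)
    if sa is None:
        problems.append(f"no IPsec SA with {peer}")
    elif sa[0] != esp_alg:
        problems.append(f"IPsec SA with {peer} uses {sa[0]}, expected {esp_alg}")
    if ospf_neighbors(ospf_out).get(gre_if) != "Full":
        problems.append(f"OSPF neighbour on {gre_if} not Full")
    return problems


if __name__ == "__main__":
    print(verify_tunnel(IKE_SA_OUT, IPSEC_SA_OUT, OSPF_NBR_OUT,
                        "11.11.11.11", "gr-0/0/0.0") or "tunnel healthy")
```

For the redundant design later in the post the same function is called once per HQ peer (11.11.11.11 on gr-0/0/0.0 and 22.22.22.22 on gr-0/0/0.1); note the regexes expect the whitespace-collapsed form shown above, so real CLI output should be normalised with a split-and-join first.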

Add a redundant tunnel? Sure!

New topology would look like this:

topology-2

Cisco 3845 – Secondary

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 123456789 address 33.33.33.33
ip access-list extended LOOPBACK1-TO-SRX-LOOPBACK
 permit ip host 10.255.0.2 host 10.255.0.3
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha-hmac
crypto map CRYPTO-MAP 1 ipsec-isakmp
 set peer 33.33.33.33
 set transform-set TRANSFORM
 set pfs group2
 match address LOOPBACK1-TO-SRX-LOOPBACK
interface Loopback1
 ip address 10.255.0.2 255.255.255.255
interface Tunnel1
 description *** GRE to SRX ***
 ip address 10.0.0.5 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf flood-reduction
 ip ospf 10 area 990
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 10.255.0.3
router ospf 10
 area 990 stub
ip route 10.255.0.3 255.255.255.255 22.22.22.1
interface GigabitEthernet0/0
 crypto map CRYPTO-MAP

Juniper SRX

set security ike gateway HQ-2 ike-policy IKE-POLICY
set security ike gateway HQ-2 address 22.22.22.22
set security ike gateway HQ-2 local-identity inet 33.33.33.33
set security ike gateway HQ-2 external-interface ge-0/0/0.0
set security ipsec vpn HQ-2 bind-interface st0.1
set security ipsec vpn HQ-2 ike gateway HQ-2
set security ipsec vpn HQ-2 ike proxy-identity local 10.255.0.3/32
set security ipsec vpn HQ-2 ike proxy-identity remote 10.255.0.2/32
set security ipsec vpn HQ-2 ike proxy-identity service junos-gre
set security ipsec vpn HQ-2 ike ipsec-policy IPSEC-POLICY
set security ipsec vpn HQ-2 establish-tunnels immediately
set interfaces gr-0/0/0 unit 1 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 1 tunnel source 10.255.0.3
set interfaces gr-0/0/0 unit 1 tunnel destination 10.255.0.2
set interfaces gr-0/0/0 unit 1 tunnel allow-fragmentation
set interfaces gr-0/0/0 unit 1 family inet mtu 1400
set interfaces gr-0/0/0 unit 1 family inet address 10.0.0.6/30
set interfaces st0 unit 1 family inet
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn interfaces gr-0/0/0.1

Helpful references:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB19372
http://myitnotes.info/doku.php?id=en:jobs:vpn_gre_over_ipsec_1
http://expert-mode.blogspot.ca/2013/05/juniper-srx-route-based-vpn-howto.html
http://expert-mode.blogspot.com/2013/05/juniper-srx-ospf-over-gre-over-ipsec.html

7 comments

  1. Hi, I want to create a configuration between Cisco 7604 & Juniper SRX. Can someone provide the configuration details on both routers?

  2. 1. Don't we need static routes to the IPsec tunnel end points with next hop to the service provider network?
    2. I tried a similar config with a vMX router and Cisco but it doesn't work. Can you please confirm if this works on vMX routers as well?

    Thanks

    1. Yes, good point, you would certainly need a route out to your SP. The configuration was done with Juniper SRX. The syntax will, unfortunately, be different on the MX platforms. I’m sorry I don’t have an example of that, but please come back and share if you end up figuring it out!

      1. Hi David
        Yes I was trying to do it using EVE-NG between Cisco and vMX router but unfortunately I couldn’t make it to work. I will paste the config here if you would like to replicate

        Topology:
        vMX:ge-0/0/0 ---------- ISP ---------- Eth0/1:Cisco

        vMX Configs JUNIPER:
        =================

        set chassis fpc 0 pic 0 tunnel-services bandwidth 10g -> to enable gre-0/0/0
        set chassis fpc 0 pic 0 inline-services bandwidth 10g -> to enable si-0/0/0 for IPSEC

        set interfaces ge-0/0/0 unit 0 family inet address 33.33.33.33/24

        set interfaces gr-0/0/0 unit 0 tunnel source 10.255.0.3
        set interfaces gr-0/0/0 unit 0 tunnel destination 10.255.0.1
        set interfaces gr-0/0/0 unit 0 family inet mtu 1400
        set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.2/30

        set interfaces si-0/0/0 unit 0 family inet
        set interfaces si-0/0/0 unit 1 family inet
        set interfaces si-0/0/0 unit 1 service-domain inside
        set interfaces si-0/0/0 unit 2 family inet
        set interfaces si-0/0/0 unit 2 service-domain outside

        set interfaces lo0 unit 0 family inet address 10.255.0.3/32

        set services service-set SS next-hop-service inside-service-interface si-0/0/0.1
        set services service-set SS next-hop-service outside-service-interface si-0/0/0.2
        set services service-set SS ipsec-vpn-options local-gateway 33.33.33.33
        set services service-set SS ipsec-vpn-rules IPSEC

        set services ipsec-vpn rule IPSEC term GRE from source-address 10.255.0.3/32
        set services ipsec-vpn rule IPSEC term GRE from destination-address 10.255.0.1/32
        set services ipsec-vpn rule IPSEC term GRE then remote-gateway 11.11.11.11
        set services ipsec-vpn rule IPSEC term GRE then dynamic ike-policy IKE_POLCIY
        set services ipsec-vpn rule IPSEC term GRE then dynamic ipsec-policy IPSEC_POLICY
        set services ipsec-vpn rule IPSEC term GRE then clear-dont-fragment-bit
        set services ipsec-vpn rule IPSEC match-direction input

        set services ipsec-vpn ipsec proposal IPSEC_PROPOSAL protocol esp
        set services ipsec-vpn ipsec proposal IPSEC_PROPOSAL authentication-algorithm hmac-sha1-96
        set services ipsec-vpn ipsec proposal IPSEC_PROPOSAL encryption-algorithm aes-128-cbc
        set services ipsec-vpn ipsec policy IPSEC_POLICY proposals IPSEC_PROPOSAL

        set services ipsec-vpn ike proposal IKE_PROPOSAL authentication-method pre-shared-keys
        set services ipsec-vpn ike proposal IKE_PROPOSAL dh-group group5
        set services ipsec-vpn ike proposal IKE_PROPOSAL authentication-algorithm sha-256
        set services ipsec-vpn ike proposal IKE_PROPOSAL encryption-algorithm aes-128-cbc
        set services ipsec-vpn ike policy IKE_POLCIY mode main
        set services ipsec-vpn ike policy IKE_POLCIY proposals IKE_PROPOSAL
        set services ipsec-vpn ike policy IKE_POLCIY pre-shared-key ascii-text cisco123

        set services ipsec-vpn traceoptions file ipsec_log
        set services ipsec-vpn traceoptions level all
        set services ipsec-vpn traceoptions flag all
        set services ipsec-vpn establish-tunnels immediately

        set routing-options static route 0.0.0.0/0 next-hop 33.33.33.1
        set routing-options static route 10.255.0.1/32 next-hop si-0/0/0.1

        set system root-authentication plain-text-password

        ============================================================================

        ISP Router Configs:Just routes for reachability

        interface Ethernet0/0
        description Connected to Juniper vMX
        ip address 33.33.33.1 255.255.255.0
        end

        interface Ethernet0/1
        description Connected to Cisco IOL
        ip address 11.11.11.1 255.255.255.0
        end

        ISP#show run | sec ip route
        ip route 10.255.0.1 255.255.255.255 11.11.11.11
        ip route 10.255.0.3 255.255.255.255 33.33.33.33
        ==============================================================================

        Cisco Router Configs:
        ==================

        crypto isakmp policy 10
        encr aes
        hash sha256
        authentication pre-share
        group 5
        crypto isakmp key cisco123 address 33.33.33.33

        crypto ipsec transform-set TRANSFORM-1 esp-aes esp-sha-hmac
        mode transport
        crypto map VPN 10 ipsec-isakmp
        set peer 33.33.33.33
        set transform-set TRANSFORM-1

        CISCO#show run | sec ip route
        ip route 10.255.0.3 255.255.255.255 11.11.11.1
        ip route 33.33.33.33 255.255.255.255 11.11.11.1

        interface Ethernet0/1
        ip address 11.11.11.11 255.255.255.0
        crypto map VPN
        end

        =================================================================================
