In this video, we’re going to configure an IPSec VPN between Juniper SRX and Cisco ASA using pre-shared key for authentication. We’re going use IKEv2 for phase 1, and for phase 2, we’re going to use the ASA’s relatively new static virtual tunnel interface, or SVTI.
Topology & Final Configs
TopologySRX0ASA0
#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisanSRXtoASAlab
set security ike gateway ASA0 ike-policy IKE_POLI
set security ike gateway ASA0 address 208.105.102.30
set security ike gateway ASA0 local-identity hostname SRX0
set security ike gateway ASA0 remote-identity hostname ASA0
set security ike gateway ASA0 external-interface ge-0/0/0.0
set security ike gateway ASA0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn ASA0 bind-interface st0.0
set security ipsec vpn ASA0 ike gateway ASA0
set security ipsec vpn ASA0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.0
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 0 description ASA0
set interfaces st0 unit 0 family inet address 172.16.0.0/31
set protocols bgp group ASA0 export Export_to_ASA0
set protocols bgp group ASA0 peer-as 10
set protocols bgp group ASA0 local-as 10
set protocols bgp group ASA0 neighbor 172.16.0.1
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
set policy-options policy-statement Export_to_ASA0 term Loopback from protocol direct
set policy-options policy-statement Export_to_ASA0 term Loopback from route-filter 10.0.0.0/32 exact
set policy-options policy-statement Export_to_ASA0 term Loopback then accept
set policy-options policy-statement Export_to_ASA0 term Reject then reject
#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisanSRXtoASAlab
set security ike gateway ASA0 ike-policy IKE_POLI
set security ike gateway ASA0 address 208.105.102.30
set security ike gateway ASA0 local-identity hostname SRX0
set security ike gateway ASA0 remote-identity hostname ASA0
set security ike gateway ASA0 external-interface ge-0/0/0.0
set security ike gateway ASA0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn ASA0 bind-interface st0.0
set security ipsec vpn ASA0 ike gateway ASA0
set security ipsec vpn ASA0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.0
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 0 description ASA0
set interfaces st0 unit 0 family inet address 172.16.0.0/31
set protocols bgp group ASA0 export Export_to_ASA0
set protocols bgp group ASA0 peer-as 10
set protocols bgp group ASA0 local-as 10
set protocols bgp group ASA0 neighbor 172.16.0.1
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
set policy-options policy-statement Export_to_ASA0 term Loopback from protocol direct
set policy-options policy-statement Export_to_ASA0 term Loopback from route-filter 10.0.0.0/32 exact
set policy-options policy-statement Export_to_ASA0 term Loopback then accept
set policy-options policy-statement Export_to_ASA0 term Reject then reject
#
!
hostname ASA0
!
interface GigabitEthernet0/0
nameif WWW
security-level 0
ip address 208.105.102.30 255.255.255.224
!
interface GigabitEthernet0/1
nameif LAN
security-level 100
ip address 192.168.0.1 255.255.255.0
!
icmp permit any WWW
!
route WWW 0.0.0.0 0.0.0.0 208.105.102.1 1
!
crypto ikev2 enable WWW
!
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
!
tunnel-group SRX0 type ipsec-l2l
tunnel-group SRX0 ipsec-attributes
isakmp keepalive disable
ikev2 remote-authentication pre-shared-key thisisanSRXtoASAlab
ikev2 local-authentication pre-shared-key thisisanSRXtoASAlab
!
crypto isakmp identity hostname
!
crypto ipsec ikev2 ipsec-proposal IPSEC_PROP
protocol esp encryption aes-256
protocol esp integrity sha-256
!
crypto ipsec profile SRX0
set ikev2 ipsec-proposal IPSEC_PROP
set pfs group14
set security-association lifetime seconds 28800
!
interface Tunnel0
nameif SRX0
ip address 172.16.0.1 255.255.255.254
tunnel source interface WWW
tunnel destination 107.22.138.98
tunnel mode ipsec ipv4
tunnel protection ipsec profile SRX0
!
router bgp 10
bgp log-neighbor-changes
bgp router-id 192.168.0.1
address-family ipv4 unicast
neighbor 172.16.0.0 remote-as 10
neighbor 172.16.0.0 activate
network 192.168.0.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family
!
management-access LAN
!
hostname ASA0
!
interface GigabitEthernet0/0
nameif WWW
security-level 0
ip address 208.105.102.30 255.255.255.224
!
interface GigabitEthernet0/1
nameif LAN
security-level 100
ip address 192.168.0.1 255.255.255.0
!
icmp permit any WWW
!
route WWW 0.0.0.0 0.0.0.0 208.105.102.1 1
!
crypto ikev2 enable WWW
!
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
!
tunnel-group SRX0 type ipsec-l2l
tunnel-group SRX0 ipsec-attributes
isakmp keepalive disable
ikev2 remote-authentication pre-shared-key thisisanSRXtoASAlab
ikev2 local-authentication pre-shared-key thisisanSRXtoASAlab
!
crypto isakmp identity hostname
!
crypto ipsec ikev2 ipsec-proposal IPSEC_PROP
protocol esp encryption aes-256
protocol esp integrity sha-256
!
crypto ipsec profile SRX0
set ikev2 ipsec-proposal IPSEC_PROP
set pfs group14
set security-association lifetime seconds 28800
!
interface Tunnel0
nameif SRX0
ip address 172.16.0.1 255.255.255.254
tunnel source interface WWW
tunnel destination 107.22.138.98
tunnel mode ipsec ipv4
tunnel protection ipsec profile SRX0
!
router bgp 10
bgp log-neighbor-changes
bgp router-id 192.168.0.1
address-family ipv4 unicast
neighbor 172.16.0.0 remote-as 10
neighbor 172.16.0.0 activate
network 192.168.0.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family
!
management-access LAN
!