Tag Archives: ASA

PSK IPSec VPN – SRX to ASA

In this video, we’re going to configure an IPSec VPN between Juniper SRX and Cisco ASA using pre-shared key for authentication. We’re going use IKEv2 for phase 1, and for phase 2, we’re going to use the ASA’s relatively new static virtual tunnel interface, or SVTI.

Video
Topology & Final Configs
TopologySRX0ASA0

#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisanSRXtoASAlab
set security ike gateway ASA0 ike-policy IKE_POLI
set security ike gateway ASA0 address 208.105.102.30
set security ike gateway ASA0 local-identity hostname SRX0
set security ike gateway ASA0 remote-identity hostname ASA0
set security ike gateway ASA0 external-interface ge-0/0/0.0
set security ike gateway ASA0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn ASA0 bind-interface st0.0
set security ipsec vpn ASA0 ike gateway ASA0
set security ipsec vpn ASA0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.0
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 0 description ASA0
set interfaces st0 unit 0 family inet address 172.16.0.0/31
set protocols bgp group ASA0 export Export_to_ASA0
set protocols bgp group ASA0 peer-as 10
set protocols bgp group ASA0 local-as 10
set protocols bgp group ASA0 neighbor 172.16.0.1
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
set policy-options policy-statement Export_to_ASA0 term Loopback from protocol direct
set policy-options policy-statement Export_to_ASA0 term Loopback from route-filter 10.0.0.0/32 exact
set policy-options policy-statement Export_to_ASA0 term Loopback then accept
set policy-options policy-statement Export_to_ASA0 term Reject then reject
#
!
hostname ASA0
!
interface GigabitEthernet0/0
nameif WWW
security-level 0
ip address 208.105.102.30 255.255.255.224
!
interface GigabitEthernet0/1
nameif LAN
security-level 100
ip address 192.168.0.1 255.255.255.0
!
icmp permit any WWW
!
route WWW 0.0.0.0 0.0.0.0 208.105.102.1 1
!
crypto ikev2 enable WWW
!
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
!
tunnel-group SRX0 type ipsec-l2l
tunnel-group SRX0 ipsec-attributes
isakmp keepalive disable
ikev2 remote-authentication pre-shared-key thisisanSRXtoASAlab
ikev2 local-authentication pre-shared-key thisisanSRXtoASAlab
!
crypto isakmp identity hostname
!
crypto ipsec ikev2 ipsec-proposal IPSEC_PROP
protocol esp encryption aes-256
protocol esp integrity sha-256
!
crypto ipsec profile SRX0
set ikev2 ipsec-proposal IPSEC_PROP
set pfs group14
set security-association lifetime seconds 28800
!
interface Tunnel0
nameif SRX0
ip address 172.16.0.1 255.255.255.254
tunnel source interface WWW
tunnel destination 107.22.138.98
tunnel mode ipsec ipv4
tunnel protection ipsec profile SRX0
!
router bgp 10
bgp log-neighbor-changes
bgp router-id 192.168.0.1
address-family ipv4 unicast
neighbor 172.16.0.0 remote-as 10
neighbor 172.16.0.0 activate
network 192.168.0.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family
!
management-access LAN
!