Tag Archives: Cisco

PSK IPSec VPN – SRX to ASA

In this video, we’re going to configure an IPSec VPN between a Juniper SRX and a Cisco ASA using a pre-shared key for authentication. We’re going to use IKEv2 for phase 1 and, for phase 2, the ASA’s relatively new static virtual tunnel interface, or SVTI.

Video: embedded in the original post; not captured in this text.

Topology & Final Configs (tabs: Topology, SRX0, ASA0). The topology diagram is not captured in this text.

SRX0 configuration:

#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisanSRXtoASAlab
set security ike gateway ASA0 ike-policy IKE_POLI
set security ike gateway ASA0 address 208.105.102.30
set security ike gateway ASA0 local-identity hostname SRX0
set security ike gateway ASA0 remote-identity hostname ASA0
set security ike gateway ASA0 external-interface ge-0/0/0.0
set security ike gateway ASA0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn ASA0 bind-interface st0.0
set security ipsec vpn ASA0 ike gateway ASA0
set security ipsec vpn ASA0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.0
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 0 description ASA0
set interfaces st0 unit 0 family inet address 172.16.0.0/31
set protocols bgp group ASA0 export Export_to_ASA0
set protocols bgp group ASA0 peer-as 10
set protocols bgp group ASA0 local-as 10
set protocols bgp group ASA0 neighbor 172.16.0.1
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
set policy-options policy-statement Export_to_ASA0 term Loopback from protocol direct
set policy-options policy-statement Export_to_ASA0 term Loopback from route-filter 10.0.0.0/32 exact
set policy-options policy-statement Export_to_ASA0 term Loopback then accept
set policy-options policy-statement Export_to_ASA0 term Reject then reject
#

ASA0 configuration:

!
hostname ASA0
!
interface GigabitEthernet0/0
 nameif WWW
 security-level 0
 ip address 208.105.102.30 255.255.255.224
!
interface GigabitEthernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
icmp permit any WWW
!
route WWW 0.0.0.0 0.0.0.0 208.105.102.1 1
!
crypto ikev2 enable WWW
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
!
tunnel-group SRX0 type ipsec-l2l
tunnel-group SRX0 ipsec-attributes
 isakmp keepalive disable
 ikev2 remote-authentication pre-shared-key thisisanSRXtoASAlab
 ikev2 local-authentication pre-shared-key thisisanSRXtoASAlab
!
crypto isakmp identity hostname
!
crypto ipsec ikev2 ipsec-proposal IPSEC_PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
crypto ipsec profile SRX0
 set ikev2 ipsec-proposal IPSEC_PROP
 set pfs group14
 set security-association lifetime seconds 28800
!
interface Tunnel0
 nameif SRX0
 ip address 172.16.0.1 255.255.255.254
 tunnel source interface WWW
 tunnel destination 107.22.138.98
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SRX0
!
router bgp 10
 bgp log-neighbor-changes
 bgp router-id 192.168.0.1
 address-family ipv4 unicast
  neighbor 172.16.0.0 remote-as 10
  neighbor 172.16.0.0 activate
  network 192.168.0.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family
!
management-access LAN
!

PKI IPSec VPN – SRX to IOS

In this video, we’re going to update an existing IPSec VPN between Juniper SRX and Cisco IOS from pre-shared key to certificate authentication. We’re going to be looking at how IOS certificate configuration differs from SRX.

Video: embedded in the original post; not captured in this text.

Topology & Final Configs (tabs: Topology, SRX0 PKI Steps, SRX0, IOS1 PKI Steps, IOS1). The topology diagram is not captured in this text.

SRX0 PKI steps:

  • At the configuration prompt (#), do the following:
    • If using a CRL, configure a DNS server: “set system name-server X.X.X.X”.
    • Configure a CA profile: “set security pki ca-profile CA_PROF ca-identity CA_CERT”.
    • Commit both.
  • At the operational prompt (>), do the following:
    • Verify the date/time is accurate: “show system uptime”. If it is not: “set date X”.
    • Make a PKI directory: “file make-directory /var/tmp/PKI/”
    • Copy the CA cert to the PKI directory: “file copy http://X.X.X.X/ca.crt /var/tmp/PKI/”
    • Load the CA cert into the CA profile: “request security pki ca-certificate load ca-profile CA_PROF filename /var/tmp/PKI/ca.crt”
    • Verify the CA cert: “show security pki ca-certificate detail”
    • Verify the CRL, if applicable: “show security pki crl detail”
    • Generate a keypair: “request security pki generate-key-pair certificate-id SRX0_CERT size 2048 type rsa”
    • Generate a CSR: “request security pki generate-certificate-request certificate-id SRX0_CERT digest sha-256 domain-name SRX0.node9.lab filename /var/tmp/PKI/SRX0.csr subject "CN=SRX0.node9.lab,OU=Lab,O=Node 9,L=Oahu,ST=HI,C=US"”
    • Have the CA sign the CSR, which produces the local cert.
    • Copy the local cert to the PKI directory: “file copy http://X.X.X.X/SRX0.crt /var/tmp/PKI/”
    • Load the local cert: “request security pki local-certificate load certificate-id SRX0_CERT filename /var/tmp/PKI/SRX0.crt”
    • Verify the local cert: “show security pki local-certificate detail”

SRX0 configuration:

#
set system host-name SRX0
set system name-server 35.15.173.8
set security pki ca-profile CA_PROF ca-identity CA_CERT
set security ike proposal IKE_PROP authentication-method rsa-signatures
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI certificate local-certificate SRX0_CERT
set security ike gateway IOS1 ike-policy IKE_POLI
set security ike gateway IOS1 address 208.105.102.30
set security ike gateway IOS1 local-identity distinguished-name
set security ike gateway IOS1 remote-identity distinguished-name container CN=IOS1.node9.tech
set security ike gateway IOS1 external-interface ge-0/0/0.0
set security ike gateway IOS1 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn IOS1 bind-interface st0.1
set security ipsec vpn IOS1 df-bit copy
set security ipsec vpn IOS1 ike gateway IOS1
set security ipsec vpn IOS1 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description IOS1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.31.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#

IOS1 PKI steps:

  • At the configuration prompt ((config)#), do the following:
    • If using a CRL, configure a DNS server: “ip name-server X.X.X.X”.
    • Configure the trustpoint:
      crypto pki trustpoint CA
       enrollment terminal pem
       subject-name CN=IOS1.node9.tech,OU=Lab,O=Node 9,L=Oahu,ST=HI,C=US
       revocation-check none
       rsakeypair IOS1 2048
       hash sha256
  • At the operational prompt (#), do the following:
    • Verify the date/time is accurate: “show clock”. If it is not: “clock set X”.
    • Load the CA cert into the trustpoint: “crypto pki authenticate CA”
    • Generate a CSR: “crypto pki enroll CA”
    • Load the local cert: “crypto pki import CA certificate”
    • Verify the trustpoint: “show crypto pki trustpoints CA status”
    • Verify the certificates: “show crypto pki certificates CA”

IOS1 configuration:
!
hostname IOS1
!
ip name-server 35.15.173.8
!
crypto pki trustpoint CA
 enrollment terminal pem
 subject-name CN=IOS1.node9.tech,OU=Lab,O=Node 9,L=Oahu,ST=HI,C=US
 revocation-check none
 rsakeypair IOS1 2048
 hash sha256
!
crypto pki certificate map SRX0 10
 subject-name co cn = SRX0.node9.tech
!
crypto ikev2 proposal IKE_PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKE_POLI
 proposal IKE_PROP
 match address local 208.105.102.30
!
crypto ikev2 profile SRX0
 match certificate SRX0
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA
!
crypto ipsec transform-set IPSEC_PROP esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile SRX0
 set ikev2-profile SRX0
 set transform-set IPSEC_PROP
 set pfs group14
 set security-association lifetime seconds 28800
 set security-association dfbit copy
!
interface Tunnel1
 tunnel mode ipsec ipv4
 description SRX0
 ip address 172.16.1.1 255.255.255.254
 ip mtu 1400
 tunnel source 208.105.102.30
 tunnel destination 107.22.138.98
 tunnel protection ipsec profile SRX0
 ip ospf cost 1
!
interface Loopback0
 description Loopback
 ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 description WWW
 ip address 208.105.102.30 255.255.255.224
!
router ospf 1
 router-id 10.0.0.1
 passive-interface Loopback0
 network 10.0.0.1 0.0.0.0 area 0
 network 172.16.1.1 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 208.105.102.1
!
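The identity constraints in the two PKI configs above (the SRX gateway's remote-identity distinguished-name container CN=IOS1.node9.tech, and the IOS certificate map's subject-name co cn = SRX0.node9.tech) decide which of the certificates the CA has signed are accepted as the peer. The Python script below is an added example, not Juniper or Cisco code: it parses a subject DN and applies both rules as this editor reads their semantics (an assumption, stated in the code), to show the practical difference between them: the Junos container match compares whole RDN values, while the IOS co operator is a substring match, so a second cert from the same CA with CN=SRX0.node9.tech.example (a constructed look-alike) satisfies co but not eq. The IOS1 subject is the trustpoint's from the config; the SRX0 subject and both look-alikes are constructed (the page's SRX CSR uses SRX0.node9.lab while the IOS map matches SRX0.node9.tech; the IOS map's value is used here).

```python
"""IKEv2 peer-identity checks against a certificate subject DN.

Added example, not Juniper or Cisco code.  It models the two identity
constraints in the PKI configs above:
  Junos: remote-identity distinguished-name container CN=IOS1.node9.tech
  IOS:   crypto pki certificate map SRX0 10 / subject-name co cn = SRX0.node9.tech
The matching rules are this script's reading of the vendor semantics (an
assumption, not vendor code): Junos 'container' = the listed RDNs are present
with equal values in the same relative order, 'wildcard' = equal values in
any order; IOS 'co' = case-insensitive substring, 'eq' = case-insensitive exact.
"""


def parse_dn(dn):
    """Split an RFC 4514-style string DN into ordered (ATTR, value) pairs.
    A comma escaped as '\\,' stays inside its value."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def junos_dn_match(configured, subject, mode="container"):
    """Junos-style distinguished-name check of a peer certificate subject.
    Values are compared whole, so CN=IOS1.node9.tech.example never satisfies
    a configured CN=IOS1.node9.tech."""
    want, have = parse_dn(configured), parse_dn(subject)
    if mode == "wildcard":
        return all(pair in have for pair in want)
    if mode != "container":
        raise ValueError("mode must be 'container' or 'wildcard'")
    pos = 0  # each wanted RDN must appear in the subject, in the listed order
    for pair in want:
        while pos < len(have) and have[pos] != pair:
            pos += 1
        if pos == len(have):
            return False
        pos += 1
    return True


def _ios_normalise(name):
    """Lower-case and drop spaces around '=' so 'cn = X' and 'CN=X' compare equal."""
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1))
                    for rdn in name.lower().split(","))


def ios_cert_map_match(operator, value, subject):
    """One 'subject-name <operator> <value>' line of an IOS certificate map:
    co = contains, nc = does not contain, eq = equals, ne = not equals."""
    want, have = _ios_normalise(value), _ios_normalise(subject)
    if operator == "co":
        return want in have
    if operator == "nc":
        return want not in have
    if operator == "eq":
        return want == have
    if operator == "ne":
        return want != have
    raise ValueError("unknown operator %r" % operator)


# IOS1's subject is the trustpoint's from the config above.  The SRX0 subject
# and both look-alikes are constructed: a second cert from the same CA whose CN
# merely starts with the expected name.
IOS1_SUBJECT = "CN=IOS1.node9.tech,OU=Lab,O=Node 9,L=Oahu,ST=HI,C=US"
IOS1_LOOKALIKE = "CN=IOS1.node9.tech.example,OU=Lab,O=Node 9,L=Oahu,ST=HI,C=US"
SRX0_SUBJECT = "CN=SRX0.node9.tech,OU=Lab,O=Node 9,L=Oahu,ST=HI,C=US"
SRX0_LOOKALIKE = "CN=SRX0.node9.tech.example,OU=Lab,O=Node 9,L=Oahu,ST=HI,C=US"


def demo():
    """Which subjects each side's configured identity rule accepts."""
    return {
        "srx container accepts IOS1 cert": junos_dn_match("CN=IOS1.node9.tech", IOS1_SUBJECT),
        "srx container accepts look-alike": junos_dn_match("CN=IOS1.node9.tech", IOS1_LOOKALIKE),
        "ios co accepts SRX0 cert": ios_cert_map_match("co", "cn = SRX0.node9.tech", SRX0_SUBJECT),
        "ios co accepts look-alike": ios_cert_map_match("co", "cn = SRX0.node9.tech", SRX0_LOOKALIKE),
        "ios eq accepts look-alike": ios_cert_map_match("eq", SRX0_SUBJECT, SRX0_LOOKALIKE),
    }


if __name__ == "__main__":
    for rule, accepted in demo().items():
        print("%-36s %s" % (rule, accepted))
```

Run it directly to print which rule accepts which subject. A certificate map with eq on the full subject, rather than co on the CN alone, restricts the IOS side to exactly the expected peer certificate; the Junos container match already compares the CN value as a whole. Either way, the identity match is what turns "any cert from this CA" into "this peer", which matters more when revocation-check is none, as in the trustpoint above.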

PSK IPSec VPN – SRX to IOS

In this video, we’re going to set up an IPSec VPN between Juniper SRX and Cisco IOS. Our Phase 1 tunnel will be IKE version 2 with pre-shared keys for authentication. Our Phase 2 tunnel will be route-based with tunnel interfaces. We’re going to be looking at the IOS configuration and how it differs from the SRX, plus looking at how to do a dynamic peer on IOS.

Video: embedded in the original post; not captured in this text.

Topology & Final Configs (tabs: Topology, SRX0 Static Peer, SRX0 Dynamic Peer, IOS1 Static VTI, IOS1 Dynamic VTI). The topology diagram is not captured in this text.

SRX0 static-peer configuration:

#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisanSRXtoIOSlab
set security ike gateway IOS1 ike-policy IKE_POLI
set security ike gateway IOS1 address 208.105.102.30
set security ike gateway IOS1 local-identity hostname SRX0
set security ike gateway IOS1 remote-identity hostname IOS1
set security ike gateway IOS1 external-interface ge-0/0/0.0
set security ike gateway IOS1 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn IOS1 bind-interface st0.1
set security ipsec vpn IOS1 df-bit copy
set security ipsec vpn IOS1 ike gateway IOS1
set security ipsec vpn IOS1 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description IOS1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#

SRX0 dynamic-peer configuration:

#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisanSRXtoIOSlab
set security ike gateway IOS1 ike-policy IKE_POLI
set security ike gateway IOS1 dynamic hostname IOS1
set security ike gateway IOS1 local-identity hostname SRX0
set security ike gateway IOS1 external-interface ge-0/0/0.0
set security ike gateway IOS1 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn IOS1 bind-interface st0.1
set security ipsec vpn IOS1 df-bit copy
set security ipsec vpn IOS1 ike gateway IOS1
set security ipsec vpn IOS1 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description IOS1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.31.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#

IOS1 static VTI configuration:

!
hostname IOS1
!
crypto ikev2 proposal IKE_PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKE_POLI
 proposal IKE_PROP
 match address local 208.105.102.30
!
crypto ikev2 profile SRX0
 match identity remote fqdn SRX0
 identity local fqdn IOS1
 authentication remote pre-share key thisisanSRXtoIOSlab
 authentication local pre-share key thisisanSRXtoIOSlab
 lifetime 86400
!
crypto ipsec transform-set IPSEC_PROP esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile SRX0
 set ikev2-profile SRX0
 set transform-set IPSEC_PROP
 set pfs group14
 set security-association lifetime seconds 28800
 set security-association dfbit copy
!
interface Tunnel1
 tunnel mode ipsec ipv4
 description SRX0
 ip address 172.16.1.1 255.255.255.254
 ip mtu 1400
 tunnel source 208.105.102.30
 tunnel destination 107.22.138.98
 tunnel protection ipsec profile SRX0
 ip ospf cost 1
!
interface Loopback0
 description Loopback
 ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 description WWW
 ip address 208.105.102.30 255.255.255.224
!
router ospf 1
 router-id 10.0.0.1
 passive-interface Loopback0
 network 10.0.0.1 0.0.0.0 area 0
 network 172.16.1.1 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 208.105.102.1
!
IOS1 dynamic VTI configuration:

!
hostname IOS1
!
crypto ikev2 proposal IKE_PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKE_POLI
 proposal IKE_PROP
 match address local 208.105.102.30
!
crypto ikev2 profile SRX0
 match identity remote fqdn SRX0
 identity local fqdn IOS1
 authentication remote pre-share key thisisanSRXtoIOSlab
 authentication local pre-share key thisisanSRXtoIOSlab
 lifetime 86400
 virtual-template 1
!
crypto ipsec transform-set IPSEC_PROP esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile SRX0
 set ikev2-profile SRX0
 set transform-set IPSEC_PROP
 set pfs group14
 set security-association lifetime seconds 28800
 set security-association dfbit copy
!
interface Loopback0
 description Loopback
 ip address 10.0.0.1 255.255.255.255
!
interface Loopback1
 description DVTI
 ip address 172.16.1.1 255.255.255.255
!
interface GigabitEthernet0/0
 description WWW
 ip address 208.105.102.30 255.255.255.224
!
interface Virtual-Template1 type tunnel
 description SRX0
 ip unnumbered Loopback1
 ip mtu 1400
 tunnel source 208.105.102.30
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile SRX0
 ip ospf cost 1
!
router ospf 1
 router-id 10.0.0.1
 passive-interface Loopback0
 network 10.0.0.1 0.0.0.0 area 0
 network 172.16.1.1 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 208.105.102.1
!
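Most of what differs between the three ends in these labs is spelling (aes-256-cbc vs aes-256 vs aes-cbc-256; hmac-sha-256-128 vs sha-256 vs esp-sha256-hmac; group14 vs 14), plus the fact that each platform states the IKE identity it expects in a different place: the SRX in local-identity and remote-identity hostname (or dynamic hostname for the dynamic peer), the ASA in its hostname with crypto isakmp identity hostname and in the tunnel-group name, and IOS in identity local fqdn and match identity remote fqdn. The Python script below is an added example, not Juniper or Cisco tooling, and serves both the SRX-to-ASA lab at the top of the page and the SRX-to-IOS labs here: it parses the relevant lines of each config as plain text, maps the vendor spellings onto one name, and reports the mismatches that would keep the IKE SA from coming up. The embedded configs are cut down from the page; the two faulty variants in demo() are constructed. That an ASA tunnel-group is selected by the peer's IKE ID when crypto isakmp identity hostname is set is what this lab relies on, and the script assumes it.

```python
"""Cross-vendor IKEv2/IPsec parity check for the SRX-to-ASA and SRX-to-IOS labs
above.  Added example, not Juniper or Cisco tooling: it reads Junos 'set' lines
and Cisco config text as plain strings, maps each vendor's spelling of an
algorithm onto one name, and lists the mismatches that would stall IKE_SA_INIT
or IKE_AUTH (proposals, pre-shared key, IKE identities).  The embedded configs
are cut down from the page; the faulty variants in demo() are constructed."""
import re

CANON = {"aes-256-cbc": "aes256", "aes-256": "aes256", "aes-cbc-256": "aes256", "esp-aes 256": "aes256",
         "sha-256": "sha256", "hmac-sha-256-128": "sha256", "esp-sha256-hmac": "sha256",
         "group14": "dh14", "14": "dh14"}   # one name per algorithm / DH group across vendor spellings
ALGO_KEYS = {"ike_enc", "ike_integ", "ike_dh", "esp_enc", "esp_integ", "pfs"}

JUNOS_RULES = [
    (r"set security ike proposal \S+ encryption-algorithm (\S+)", "ike_enc"),
    (r"set security ike proposal \S+ authentication-algorithm (\S+)", "ike_integ"),
    (r"set security ike proposal \S+ dh-group (\S+)", "ike_dh"),
    (r"set security ike policy \S+ pre-shared-key ascii-text (\S+)", "psk"),
    (r"set security ike gateway \S+ local-identity hostname (\S+)", "local_id"),
    (r"set security ike gateway \S+ (?:remote-identity|dynamic) hostname (\S+)", "remote_id"),
    (r"set security ipsec proposal \S+ encryption-algorithm (\S+)", "esp_enc"),
    (r"set security ipsec proposal \S+ authentication-algorithm (\S+)", "esp_integ"),
    (r"set security ipsec policy \S+ perfect-forward-secrecy keys (\S+)", "pfs"),
]
CISCO_RULES = [  # ASA 'crypto ikev2 policy' and IOS 'crypto ikev2 proposal' share the first three
    (r"encryption (\S+)", "ike_enc"),
    (r"integrity (\S+)", "ike_integ"),
    (r"group (\S+)", "ike_dh"),
    (r"protocol esp encryption (\S+)", "esp_enc"),                                       # ASA
    (r"protocol esp integrity (\S+)", "esp_integ"),                                      # ASA
    (r"crypto ipsec transform-set \S+ (.+?) (esp-\S+-hmac)", ("esp_enc", "esp_integ")),  # IOS
    (r"set pfs (\S+)", "pfs"),
    (r"(?:ikev2 remote-authentication pre-shared-key|authentication remote pre-share key) (\S+)", "psk_remote"),
    (r"(?:ikev2 local-authentication pre-shared-key|authentication local pre-share key) (\S+)", "psk_local"),
    (r"match identity remote fqdn (\S+)", "expects_remote_id"),                          # IOS
    (r"tunnel-group (\S+) type ipsec-l2l", "expects_remote_id"),                         # ASA: group named after peer ID
    (r"identity local fqdn (\S+)", "local_id"),                                          # IOS
    (r"hostname (\S+)", "hostname"),                                                     # ASA, with 'crypto isakmp identity hostname'
]


def parse(text, rules):
    """Apply each rule to each whitespace-normalised line.  Algorithm values are
    canonicalised; keys and identities are kept verbatim (they are case-sensitive)."""
    found = {}
    for raw in text.splitlines():
        line = " ".join(raw.split())
        for pattern, keys in rules:
            m = re.fullmatch(pattern, line)
            if m:
                for key, val in zip(keys if isinstance(keys, tuple) else (keys,), m.groups()):
                    found[key] = CANON.get(val.lower(), val.lower()) if key in ALGO_KEYS else val
    return found


def check_parity(srx_text, cisco_text):
    """Return the mismatches between an SRX and a Cisco end; [] means they agree."""
    s, c = parse(srx_text, JUNOS_RULES), parse(cisco_text, CISCO_RULES)
    if "crypto isakmp identity hostname" in cisco_text and "hostname" in c:
        c.setdefault("local_id", c["hostname"])  # the ASA sends its hostname as its IKE ID
    findings = []
    for label, key in [("IKE encryption", "ike_enc"), ("IKE integrity", "ike_integ"), ("IKE DH group", "ike_dh"),
                       ("ESP encryption", "esp_enc"), ("ESP integrity", "esp_integ"), ("PFS group", "pfs")]:
        if s.get(key) != c.get(key):
            findings.append("%s: SRX %s vs Cisco %s" % (label, s.get(key), c.get(key)))
    if "psk" in s and not (s["psk"] == c.get("psk_remote") == c.get("psk_local")):
        findings.append("pre-shared key differs between the two ends")
    if s.get("local_id") != c.get("expects_remote_id"):
        findings.append("SRX local-identity %s is not the ID the Cisco side expects (%s)"
                        % (s.get("local_id"), c.get("expects_remote_id")))
    if s.get("remote_id") != c.get("local_id"):
        findings.append("SRX remote-identity %s != Cisco local identity %s" % (s.get("remote_id"), c.get("local_id")))
    return findings


# Cut-down configs from the page (SRX-to-ASA and SRX-to-IOS labs).
SRX_ASA = """\
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike policy IKE_POLI pre-shared-key ascii-text thisisanSRXtoASAlab
set security ike gateway ASA0 local-identity hostname SRX0
set security ike gateway ASA0 remote-identity hostname ASA0
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
"""
ASA = """\
hostname ASA0
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
tunnel-group SRX0 type ipsec-l2l
 ikev2 remote-authentication pre-shared-key thisisanSRXtoASAlab
 ikev2 local-authentication pre-shared-key thisisanSRXtoASAlab
crypto isakmp identity hostname
crypto ipsec ikev2 ipsec-proposal IPSEC_PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile SRX0
 set pfs group14
"""
SRX_IOS = SRX_ASA.replace("ASA0", "IOS1").replace("SRXtoASAlab", "SRXtoIOSlab")  # same SRX, IOS1 as the peer
IOS = """\
crypto ikev2 proposal IKE_PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 profile SRX0
 match identity remote fqdn SRX0
 identity local fqdn IOS1
 authentication remote pre-share key thisisanSRXtoIOSlab
 authentication local pre-share key thisisanSRXtoIOSlab
crypto ipsec transform-set IPSEC_PROP esp-aes 256 esp-sha256-hmac
crypto ipsec profile SRX0
 set pfs group14
"""


def demo():
    """Both labs as published, then two constructed faults: a DH-group typo on the ASA
    and an IOS profile that expects a different peer FQDN."""
    return {
        "srx-asa": check_parity(SRX_ASA, ASA),
        "srx-ios": check_parity(SRX_IOS, IOS),
        "asa dh typo": check_parity(SRX_ASA, ASA.replace("group 14", "group 19")),
        "ios wrong peer id": check_parity(SRX_IOS, IOS.replace("fqdn SRX0", "fqdn SRX1")),
    }
```

Call demo() (or check_parity() on full configs) and an empty list means the two ends agree on everything the script checks. IKE and IPsec lifetimes are deliberately left out of the comparison: with IKEv2 each side rekeys on its own timer, so the 86400 and 28800 second values on the two ends need not match for the tunnel to come up.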