Tag Archives: DVTI

PSK IPSec VPN – SRX to IOS

In this video, we’re going to set up an IPSec VPN between Juniper SRX and Cisco IOS. Our Phase 1 tunnel will be IKE version 2 with pre-shared keys for authentication. Our Phase 2 tunnel will be route-based with tunnel interfaces. We’re going to be looking at the IOS configuration and how it differs from the SRX, plus looking at how to do a dynamic peer on IOS.

Video
Topology & Final Configs
TopologySRX0 Static PeerSRX0 Dynamic PeerIOS1 Static VTIIOS1 Dynamic VTI

#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisanSRXtoIOSlab
set security ike gateway IOS1 ike-policy IKE_POLI
set security ike gateway IOS1 address 208.105.102.30
set security ike gateway IOS1 local-identity hostname SRX0
set security ike gateway IOS1 remote-identity hostname IOS1
set security ike gateway IOS1 external-interface ge-0/0/0.0
set security ike gateway IOS1 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn IOS1 bind-interface st0.1
set security ipsec vpn IOS1 df-bit copy
set security ipsec vpn IOS1 ike gateway IOS1
set security ipsec vpn IOS1 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description IOS1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#
#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisanSRXtoIOSlab
set security ike gateway IOS1 ike-policy IKE_POLI
set security ike gateway IOS1 dynamic hostname IOS1
set security ike gateway IOS1 local-identity hostname SRX0
set security ike gateway IOS1 external-interface ge-0/0/0.0
set security ike gateway IOS1 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn IOS1 bind-interface st0.1
set security ipsec vpn IOS1 df-bit copy
set security ipsec vpn IOS1 ike gateway IOS1
set security ipsec vpn IOS1 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description IOS1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.31.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#
!
hostname IOS1
!
crypto ikev2 proposal IKE_PROP
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy IKE_POLI
proposal IKE_PROP
match address local 208.105.102.30
!
crypto ikev2 profile SRX0
match identity remote fqdn SRX0
identity local fqdn IOS1
authentication remote pre-share key thisisanSRXtoIOSlab
authentication local pre-share key thisisanSRXtoIOSlab
lifetime 86400
!
crypto ipsec transform-set IPSEC_PROP esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile SRX0
set ikev2-profile SRX0
set transform-set IPSEC_PROP
set pfs group14
set security-association lifetime seconds 28800
set security-association dfbit copy
!
interface Tunnel1
tunnel mode ipsec ipv4
description SRX0
ip address 172.16.1.1 255.255.255.254
ip mtu 1400
tunnel source 208.105.102.30
tunnel destination 107.22.138.98
tunnel protection ipsec profile SRX0
ip ospf cost 1
!
interface Loopback0
description Loopback
ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0/0
description WWW
ip address 208.105.102.30 255.255.255.224
!
router ospf 1
router-id 10.0.0.1
passive-interface Loopback0
network 10.0.0.1 0.0.0.0 area 0
network 172.16.1.1 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 208.105.102.1
!
!
hostname IOS1
!
crypto ikev2 proposal IKE_PROP
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy IKE_POLI
proposal IKE_PROP
match address local 208.105.102.30
!
crypto ikev2 profile SRX0
match identity remote fqdn SRX0
identity local fqdn IOS1
authentication remote pre-share key thisisanSRXtoIOSlab
authentication local pre-share key thisisanSRXtoIOSlab
lifetime 86400
virtual-template 1
!
crypto ipsec transform-set IPSEC_PROP esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile SRX0
set ikev2-profile SRX0
set transform-set IPSEC_PROP
set pfs group14
set security-association lifetime seconds 28800
set security-association dfbit copy
!
interface Loopback0
description Loopback
ip address 10.0.0.1 255.255.255.255
!
interface Loopback1
description DVTI
ip address 172.16.1.1 255.255.255.255
!
interface GigabitEthernet0/0
description WWW
ip address 208.105.102.30 255.255.255.224
!
interface Virtual-Template1 type tunnel
description SRX0
ip unnumbered Loopback1
ip mtu 1400
tunnel source 208.105.102.30
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile SRX0
ip ospf cost 1
!
router ospf 1
router-id 10.0.0.1
passive-interface Loopback0
network 10.0.0.1 0.0.0.0 area 0
network 172.16.1.1 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 208.105.102.1
!