This article describes how to create a Site to Site IPSec VPN from a site running a Juniper SRX firewall to another site running a Cisco ASA firewall. You can use this article as a quick reference while creating similar VPN setup. VPN troubleshooting will be covered in a separate article.
Let’s say that you have a request to create site-to-site IPSec VPN between Juniper SRX and Cisco ASA firewalls. You would automatically assume that you have to use policy based VPN on SRX as Cisco ASA supports only policy-based VPNs. Well, you can, but there is another option. You can use route based VPN on the Juniper SRX firewall and Policy based VPN on the Cisco ASA firewall. Here is how you can do that using traffic selector on the Juniper SRX firewall.
As of Junos version 12.1X46, Juniper SRX finally supports multiple Proxy-ID’s on the route based VPN using traffic-selectors. A traffic selector (also known as a proxy ID in IKEv1), is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses. Only traffic that conforms to a traffic selector is permitted through the associated IPsec SA.
Example
In this article, I am demonstrating the VPN configuration for following requirements between Juniper SRX and Cisco ASA firewalls. Refer to the above-mentioned diagram as well to determine segments behind the firewalls. For this example, I am using Juniper vSRX running the Junos OS 15.1X49-D60 and Cisco ASA running 9.4(1) software code.
Phase 1 parameters: Pre-shared-keys, DH-group2, Sha1, Aes-128, 86400 sec, Main mode.
Phase 2 parameters: ESP, Hmac-sha1, Aes-128, 3600 sec
Juniper SRX VPN Configuration
Interface and Zone configuration
edit interfaces st0
set unit 0 family inet
!
edit security zones security-zone VPN-REMOTE-ASA
set interfaces st0.0
!
edit security zones security-zone OUTSIDE
set host-inbound-traffic system-services ike
NOTE: When you create the virtual st0 interface for this type of VPN, it has to be unnumbered, meaning it should not have an IP address assigned just like we do with other route-based VPNs.
IKE Phase 1 configuration
edit security ike proposal pre-gr2-sha1-aes128
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc
!
edit security ike policy ike-pol-vpn-REMOTE-ASA
set mode main
set proposals pre-gr2-sha1-aes128
set pre-shared-key ascii-text 395psksecr3t
!
edit security ike gateway gw-vpn-REMOTE-ASA
set external-interface reth0.0
set ike-policy ike-pol-vpn-REMOTE-ASA
set address 30.30.30.30
NOTE: There is an order of operation for this configuration; IKE gateway requires an IKE policy. IKE policy requires an IKE proposal .
IKE Phase 2 configuration
edit security ipsec proposal esp-hmac-sha-aes128
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-128-cbc
!
edit security ipsec policy ipsec-pol-vpn-REMOTE-ASA
set proposals esp-hmac-sha-aes128
set perfect-forward-secrecy keys group2
!
edit security ipsec vpn vpn-REMOTE-ASA
set ike gateway gw-vpn-REMOTE-ASA
set ike ipsec-policy ipsec-pol-vpn-REMOTE-ASA
set bind-interface st0.0
!
set traffic-selector TS1-DMZ-VPN-REMOTE-ASA local-ip 192.168.50.0/24
set traffic-selector TS1-DMZ-VPN-REMOTE-ASA remote-ip 172.16.50.0/24
set traffic-selector TS1-INSIDE-VPN-REMOTE-ASA local-ip 192.168.60.0/24
set traffic-selector TS1-INSIDE-VPN-REMOTE-ASA remote-ip 172.16.50.0/24
NOTE: There is an order of operation for this configuration; IPSec gateway requires an IPSec policy. IPSec policy requires an IPSec proposal .
Security Policies configuration
edit security address-book global
set address 192.168.50.0/24 192.168.50.0/24
set address 172.16.50.0/24 172.16.50.0/24
set address-set VPN-REMOTE-ASA-REMOTE address 172.16.50.0/24
!
edit security policies from-zone DMZ to-zone VPN-REMOTE-ASA
set policy VPN-DMZ-REMOTE-ASA match source-address 192.168.50.0/24
set policy VPN-DMZ-REMOTE-ASA match destination-address VPN-REMOTE-ASA-REMOTE
set policy VPN-DMZ-REMOTE-ASA match application any
set policy VPN-DMZ-REMOTE-ASA then permit
!
edit security policies from-zone VPN-REMOTE-ASA to-zone DMZ
set policy VPN-REMOTE-ASA-DMZ match source-address VPN-REMOTE-ASA-REMOTE
set policy VPN-REMOTE-ASA-DMZ match destination-address 192.168.50.0/24
set policy VPN-REMOTE-ASA-DMZ match application any
set policy VPN-REMOTE-ASA-DMZ then permit
!
edit security policies from-zone INSIDE to-zone VPN-REMOTE-ASA
set policy VPN-INSIDE-REMOTE-ASA match source-address 192.168.60.0/24
set policy VPN-INSIDE-REMOTE-ASA match destination-address VPN-REMOTE-ASA-REMOTE
set policy VPN-INSIDE-REMOTE-ASA match application any
set policy VPN-INSIDE-REMOTE-ASA then permit
!
edit security policies from-zone VPN-REMOTE-ASA to-zone DMZ
set policy VPN-REMOTE-ASA-INSIDE match source-address VPN-REMOTE-ASA-REMOTE
set policy VPN-REMOTE-ASA-INSIDE match destination-address 192.168.60.0/24
set policy VPN-REMOTE-ASA-INSIDE match application any
set policy VPN-REMOTE-ASA-INSIDE then permit
Cisco ASA VPN configuration
ASA VPN configuration is very straight forward just like any regular IKEv1 site 2 site VPN configuration.
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
crypto isakmp identity address
!
tunnel-group 20.20.20.20 type ipsec-l2l
tunnel-group 20.20.20.20 ipsec-attributes
ikev1 pre-shared-key 395psksecr3t
!
object-group network VPN-INSIDE-NET
network-object 172.16.50.0 255.255.255.0
!
object-group network VPN-REMOTE-NET
network-object 192.168.50.0 255.255.255.0
network-object 192.168.60.0 255.255.255.0
!
access-list VPN2SRX permit ip object-group VPN-INSIDE-NET object-group VPN-REMOTE-NET
!
nat (any,OUTSIDE) source static VPN-INSIDE-NET VPN-INSIDE-NET destination static VPN-REMOTE-NET VPN-REMOTE-NET
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map S2S-VPN-CMAP 11 match address VPN2SRX
crypto map S2S-VPN-CMAP 11 set peer 20.20.20.20
crypto map S2S-VPN-CMAP 11 set transform-set ESP-AES-SHA
!
crypto map S2S-VPN-CMAP interface OUTSIDE
!
crypto ikev1 enable OUTSIDE
!
access-list INSIDE-OUT permit ip object-group VPN-INSIDE-NET object-group VPN-REMOTE-NET
I hope you enjoyed this article. Please feel free to leave a comment or feedback.
