Hi all,
Question regarding JunOS (SRX) route based VPN with Cisco remote end. In such a route-based configuration, how are the SA's generated with the Cisco? On the Cisco side you match an ACL as interesting traffic and the SA's are created based on that. On JunOS route-based vpn, is it the policy that creates the SA or does the policy simply enforce the FW rules on the tunnel? If that is the case, can I have many such rules and specify ports for each rule? In the below configuration I would like to specify application ports for each rule (rather than the current "any"), but I am unsure how the remote Cisco would respond depending on how the Juniper creates the SA (note unnumbered ST interface used)... I used the following tool to generate this config: https://www.juniper.net/customers/support/configtools/vpnconfig.html# ###Configure interface IP and route for tunnel traffic set interfaces st0.0 family inet set routing-options static route 2.16.68.0/24 next-hop st0.0 set routing-options static route 2.16.69.0/24 next-hop st0.0 ## Configure security zones, assign interfaces to the zones & host-inbound services for each zone set security zones security-zone vpn interfaces st0.0 set security zones security-zone Vpn host-inbound-traffic system-services bgp ## Configure address book entries for each zone set security zones security-zone Silver address-book address net-cfgr_10-25-56-64--26 10.25.56.64/26 set security zones security-zone Silver address-book address net-cfgr_10-25-7-96--27 10.25.7.96/27 set security zones security-zone Silver address-book address net-cfgr_10-25-194-96--27 10.25.194.96/27 ## Configure IKE policy for main mode set security ike policy ike-policy-cfgr mode main set security ike policy ike-policy-cfgr pre-shared-key ascii-text "yaright" ## Configure IKE gateway with peer IP address, IKE policy and outgoing interface set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr set security ike gateway ike-gate-cfgr address 1.1.1.1 set security ike gateway ike-gate-cfgr external-interface ge-0/0/12.0 ## Configure IKE authentication, encryption, DH group, and Lifetime set security ike proposal ike-proposal-cfgr authentication-method pre-shared-keys set security ike policy ike-policy-cfgr proposals ike-proposal-cfgr set security ike proposal ike-proposal-cfgr encryption-algorithm 3des-cbc set security ike proposal ike-proposal-cfgr authentication-algorithm sha1 set security ike proposal ike-proposal-cfgr dh-group group2 set security ike proposal ike-proposal-cfgr lifetime-seconds ## Configure IPsec policy set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0 ## Configure IPsec authentication and encryption set security ipsec proposal ipsec-proposal-cfgr protocol esp set security ipsec policy ipsec-policy-cfgr proposals ipsec-proposal-cfgr set security ipsec policy ipsec-policy-cfgr perfect-forward-secrecy keys group2 set security ipsec proposal ipsec-proposal-cfgr encryption-algorithm 3des-cbc set security ipsec proposal ipsec-proposal-cfgr authentication-algorithm hmac-sha1-96 ## Configure security policies for tunnel traffic in outbound direction set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-56-64--26 set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-7-96--27 set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-194-96--27 set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match application any set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr then permit ## Configure security policies for tunnel traffic in inbound direction set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match source-address net-cfgr_2-16-68-0--24 set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match source-address net-cfgr_2-16-69-0--24 set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-56-64--26 set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-7-96--27 set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-194-96--27 set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match application any set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr then permit Thanks, Tom
This e-mail (and attachment(s)) is confidential, proprietary, may be subject to copyright and legal privilege and no related rights are waived. If you are not the intended recipient or its agent, any review, dissemination, distribution or copying of this e-mail or any of its content is strictly prohibited and may be unlawful. All messages may be monitored as permitted by applicable law and regulations and our policies to protect our business. E-mails are not secure and you are deemed to have accepted any risk if you communicate with us by e-mail. If received in error, please notify us immediately and delete the e-mail (and any attachments) from any computer or any storage medium without printing a copy. Ce courriel (ainsi que ses pièces jointes) est confidentiel, exclusif, et peut faire l’objet de droit d’auteur et de privilège juridique; aucun droit connexe n’est exclu. Si vous n’êtes pas le destinataire visé ou son représentant, toute étude, diffusion, transmission ou copie de ce courriel en tout ou en partie, est strictement interdite et peut être illégale. Tous les messages peuvent être surveillés, selon les lois et règlements applicables et les politiques de protection de notre entreprise. Les courriels ne sont pas sécurisés et vous êtes réputés avoir accepté tous les risques qui y sont liés si vous choisissez de communiquer avec nous par ce moyen. Si vous avez reçu ce message par erreur, veuillez nous en aviser immédiatement et supprimer ce courriel (ainsi que toutes ses pièces jointes) de tout ordinateur ou support de données sans en imprimer une copie.
_______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
