The subject line specifies that you want route-based VPNs on the Juniper side, but with all of this discussion of proxy IDs, I should point out that using policy-based VPNs may work much better in that respect.
On 10/27/2010 at 8:44 AM, Ivan Ivanov <ivanov.i...@gmail.com> wrote:
> Hi Tom,
>
> You have to use proxy-id when peering with Cisco. Unfortunately SRX supports
> only one network as remote and one as local. You have to summarize if it
> is possible.
>
> Or use any any in the access-list on Cisco.
>
> HTH
>
> 2010/10/27 Tom Devries <tom.devr...@rci.rogers.com>
>
>> Thought I would provide some feedback I received from Juniper regarding
>> this question for the archives. If using a route-based VPN, the proxy
>> IDs in the SA creation will be all 0's by default:
>>
>> Local: 0.0.0.0
>> Remote: 0.0.0.0
>> Service 0
>>
>> as long as it is unspecified in the config. However, if you encrypt
>> more than one source network (i.e. multiple networks behind the SRX) and
>> put multiple networks in your proxy-id config (in, say, local network),
>> then that part of the SA will show as 0.0.0.0. I haven't been able to
>> find a Cisco interop configuration that will be able to create SAs and
>> establish phase II when receiving a 0.0.0.0/0.0.0.0/0 proxy ID from a
>> peer (if you have one, please post it). However, one other way to do it
>> would be to use GRE tunnels.
>>
>> So, long story short, in the below configuration the proxy IDs will all be
>> 0's unless I specify a proxy-id in the config, and in that case I can
>> only encrypt one network/service, as configuring more will set the
>> outgoing proxy-id element to 0's.
>>
>> Thanks,
>> Tom
>>
>> -----Original Message-----
>> From: Tom Devries
>> Sent: October-22-10 4:05 PM
>> To: Juniper-Nsp
>> Subject: Junos route based vpn with Cisco
>>
>> Hi all,
>>
>> Question regarding JunOS (SRX) route-based VPN with a Cisco remote end.
>> In such a route-based configuration, how are the SAs generated with the
>> Cisco? On the Cisco side you match an ACL as interesting traffic and
>> the SAs are created based on that. On a JunOS route-based VPN, is it the
>> policy that creates the SA, or does the policy simply enforce the FW
>> rules on the tunnel? If that is the case, can I have many such rules
>> and specify ports for each rule? In the below configuration I would
>> like to specify application ports for each rule (rather than the current
>> "any"), but I am unsure how the remote Cisco would respond depending on
>> how the Juniper creates the SA (note: unnumbered st interface used)...
>>
>> I used the following tool to generate this config:
>>
>> https://www.juniper.net/customers/support/configtools/vpnconfig.html#
>>
>> ## Configure interface IP and route for tunnel traffic
>>
>> set interfaces st0.0 family inet
>> set routing-options static route 2.16.68.0/24 next-hop st0.0
>> set routing-options static route 2.16.69.0/24 next-hop st0.0
>>
>> ## Configure security zones, assign interfaces to the zones & host-inbound services for each zone
>> ## (zone names are case-sensitive; the generated config used "vpn" here and "Vpn" everywhere else)
>>
>> set security zones security-zone Vpn interfaces st0.0
>> set security zones security-zone Vpn host-inbound-traffic system-services bgp
>>
>> ## Configure address book entries for each zone
>>
>> set security zones security-zone Silver address-book address net-cfgr_10-25-56-64--26 10.25.56.64/26
>> set security zones security-zone Silver address-book address net-cfgr_10-25-7-96--27 10.25.7.96/27
>> set security zones security-zone Silver address-book address net-cfgr_10-25-194-96--27 10.25.194.96/27
>>
>> ## Vpn zone entries referenced by the inbound policy below (missing from the generated config)
>>
>> set security zones security-zone Vpn address-book address net-cfgr_2-16-68-0--24 2.16.68.0/24
>> set security zones security-zone Vpn address-book address net-cfgr_2-16-69-0--24 2.16.69.0/24
>>
>> ## Configure IKE policy for main mode
>>
>> set security ike policy ike-policy-cfgr mode main
>> set security ike policy ike-policy-cfgr pre-shared-key ascii-text "yaright"
>>
>> ## Configure IKE gateway with peer IP address, IKE policy and outgoing interface
>>
>> set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
>> set security ike gateway ike-gate-cfgr address 1.1.1.1
>> set security ike gateway ike-gate-cfgr external-interface ge-0/0/12.0
>>
>> ## Configure IKE authentication, encryption, DH group, and lifetime
>>
>> set security ike proposal ike-proposal-cfgr authentication-method pre-shared-keys
>> set security ike policy ike-policy-cfgr proposals ike-proposal-cfgr
>> set security ike proposal ike-proposal-cfgr encryption-algorithm 3des-cbc
>> set security ike proposal ike-proposal-cfgr authentication-algorithm sha1
>> set security ike proposal ike-proposal-cfgr dh-group group2
>> set security ike proposal ike-proposal-cfgr lifetime-seconds
>>
>> ## Configure IPsec policy
>>
>> set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
>> set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
>> set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
>>
>> ## Configure IPsec authentication and encryption
>>
>> set security ipsec proposal ipsec-proposal-cfgr protocol esp
>> set security ipsec policy ipsec-policy-cfgr proposals ipsec-proposal-cfgr
>> set security ipsec policy ipsec-policy-cfgr perfect-forward-secrecy keys group2
>> set security ipsec proposal ipsec-proposal-cfgr encryption-algorithm 3des-cbc
>> set security ipsec proposal ipsec-proposal-cfgr authentication-algorithm hmac-sha1-96
>>
>> ## Configure security policies for tunnel traffic in outbound direction
>> ## (destination-address is mandatory for a Junos policy; the generated config omitted it)
>>
>> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-56-64--26
>> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-7-96--27
>> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-194-96--27
>> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match destination-address net-cfgr_2-16-68-0--24
>> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match destination-address net-cfgr_2-16-69-0--24
>> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match application any
>> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr then permit
>>
>> ## Configure security policies for tunnel traffic in inbound direction
>>
>> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match source-address net-cfgr_2-16-68-0--24
>> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match source-address net-cfgr_2-16-69-0--24
>> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-56-64--26
>> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-7-96--27
>> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-194-96--27
>> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match application any
>> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr then permit
>>
>> Thanks,
>> Tom
>>

--
Crist Clark
Network Security Specialist, Information Systems
Globalstar
408 933 4387
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
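The thread's constraint is that an SRX route-based VPN carries a single proxy-ID (one local prefix, one remote prefix, one service), so the three Silver networks and the two remote networks either get summarised into one covering prefix each, as Ivan suggests, or the proxy-ID is left at 0.0.0.0/0 and the Cisco crypto ACL has to be any/any. The script below, an added example rather than anything from the thread, Juniper or Cisco, works out that summary for the prefixes in Tom's configuration, emits the matching Junos `proxy-identity` statements and the mirrored Cisco ACL entry, and reports how many addresses the summary admits beyond the networks actually intended. The VPN name `ipsec-vpn-cfgr` comes from Tom's config; the ACL number 101 is an assumption for the example.

```python
"""Proxy-ID planning for an SRX route-based VPN peering with Cisco.

An SRX VPN carries exactly one local prefix, one remote prefix and one
service in its proxy-ID, so several networks behind either end must be
summarised into one covering prefix, or the proxy-ID stays 0.0.0.0/0 and
the Cisco crypto ACL must be any/any.  Added example, not Juniper or
Cisco code.  The prefixes come from Tom's configuration; the ACL number
(101) is an assumption for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List

# Networks from the posted configuration (constructed input for the example).
SILVER_NETS = ["10.25.56.64/26", "10.25.7.96/27", "10.25.194.96/27"]  # behind SRX
REMOTE_NETS = ["2.16.68.0/24", "2.16.69.0/24"]                         # behind Cisco
ANY = ipaddress.ip_network("0.0.0.0/0")


def covering_supernet(prefixes: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every network in `prefixes`."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    if not nets:
        raise ValueError("need at least one prefix")
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    # Widen from /32 until the whole [lo, hi] range fits in one prefix.
    for plen in range(32, -1, -1):
        cand = ipaddress.ip_network((int(lo), plen), strict=False)
        if hi in cand:
            return cand
    raise AssertionError("0.0.0.0/0 always covers the range")


def overcoverage(summary: ipaddress.IPv4Network, prefixes: Iterable[str]) -> int:
    """Addresses the summary admits that no original (disjoint) prefix contains.
    A wide proxy-ID means the SA will carry traffic for these too; only the
    zone policies keep it out, so the number is worth knowing."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return summary.num_addresses - sum(n.num_addresses for n in nets)


def side_id(prefixes: Iterable[str], summarize: bool) -> ipaddress.IPv4Network:
    """One network -> itself; several -> the summary, or 0.0.0.0/0 when the
    proxy-id is left unset, which is what Tom observed on the SRX."""
    prefixes = list(prefixes)
    if len(prefixes) == 1:
        return ipaddress.ip_network(prefixes[0], strict=False)
    return covering_supernet(prefixes) if summarize else ANY


def cisco_ace_part(net: ipaddress.IPv4Network) -> str:
    """Cisco ACL notation: 'any' or 'address wildcard-mask'."""
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"


def plan_proxy_ids(vpn: str, acl: int, local: Iterable[str],
                   remote: Iterable[str], summarize: bool = True) -> Dict[str, object]:
    """Junos proxy-identity statements for the SRX and the mirrored crypto
    ACL entry for the Cisco (the Cisco's source side is the SRX's remote)."""
    local, remote = list(local), list(remote)
    local_id, remote_id = side_id(local, summarize), side_id(remote, summarize)
    junos: List[str] = [
        f"set security ipsec vpn {vpn} ike proxy-identity local {local_id}",
        f"set security ipsec vpn {vpn} ike proxy-identity remote {remote_id}",
        f"set security ipsec vpn {vpn} ike proxy-identity service any",
    ]
    cisco = (f"access-list {acl} permit ip "
             f"{cisco_ace_part(remote_id)} {cisco_ace_part(local_id)}")
    return {
        "local": str(local_id), "remote": str(remote_id),
        "junos": junos, "cisco": cisco,
        "extra_local": overcoverage(local_id, local),
        "extra_remote": overcoverage(remote_id, remote),
    }


if __name__ == "__main__":
    plan = plan_proxy_ids("ipsec-vpn-cfgr", 101, SILVER_NETS, REMOTE_NETS)
    print("\n".join(plan["junos"]))
    print(plan["cisco"])
    print(f"summary admits {plan['extra_local']} extra local and "
          f"{plan['extra_remote']} extra remote addresses")
```

For Tom's prefixes the three Silver networks only summarise to 10.25.0.0/16, so the single proxy-ID admits about 65,000 addresses that were never meant to use the tunnel; the remote pair collapses cleanly to 2.16.68.0/23. The service in the proxy-ID stays `any` because only one can be carried, so per-port restrictions of the kind Tom asks about belong in the Silver/Vpn zone policies rather than in the SA negotiation.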