I had the same issue. I changed to policy based VPN and it worked out
of the box.

2010/10/27 Tom Devries <tom.devr...@rci.rogers.com>:
> Thought I would provide some feedback I received from Juniper regarding
> this question for the archives.  If using a route based vpn, the proxy
> IDs in the SA creation will be all 0s by default:
>
> Local: 0.0.0.0
> Remote: 0.0.0.0
> Service 0
>
> so as long as it is unspecified in the config.  However if you encrypt
> more than one source network (i.e. multiple networks behind the SRX) and
> put multiple networks in your proxy-id config (in say, local network)
> then that part of the SA will show as 0.0.0.0.  I haven't been able to
> find a Cisco interop configuration that will be able to create SAs and
> establish phase II when receiving a 0.0.0.0/0.0.0.0/0 proxy id from a
> peer (if you have one please post it).  However one other way to do it
> would be to use GRE tunnels.
>
> So long story short, in the below configuration, proxy IDs will all be
> 0s unless I specify a proxy-id in the config, and in that case I can
> only encrypt one network/service, as configuring more will set the
> outgoing proxy id element to be 0s.
>
>
> Thanks,
> Tom
>
> -----Original Message-----
> From: Tom Devries
> Sent: October-22-10 4:05 PM
> To: Juniper-Nsp
> Subject: Junos route based vpn with Cisco
>
>
>
> Hi all,
>
> Question regarding Junos (SRX) route based VPN with Cisco remote end.
> In such a route-based configuration, how are the SAs generated with the
> Cisco?  On the Cisco side you match an ACL as interesting traffic and
> the SAs are created based on that.  On Junos route-based vpn, is it the
> policy that creates the SA or does the policy simply enforce the FW
> rules on the tunnel?  If that is the case, can I have many such rules
> and specify ports for each rule?  In the below configuration I would
> like to specify application ports for each rule (rather than the current
> "any"), but I am unsure how the remote Cisco would respond depending on
> how the Juniper creates the SA (note unnumbered ST interface used)...
>
> I used the following tool to generate this config:
>
> https://www.juniper.net/customers/support/configtools/vpnconfig.html#
>
>
>
>
> ### Configure interface IP and route for tunnel traffic
>
> set interfaces st0.0 family inet
> set routing-options static route 2.16.68.0/24 next-hop st0.0
> set routing-options static route 2.16.69.0/24 next-hop st0.0
>
> ## Configure security zones, assign interfaces to the zones & host-inbound services for each zone
> ## (zone names are case-sensitive; the policies below reference "Vpn")
>
> set security zones security-zone Vpn interfaces st0.0
> set security zones security-zone Vpn host-inbound-traffic system-services bgp
>
> ## Configure address book entries for each zone
>
> set security zones security-zone Silver address-book address net-cfgr_10-25-56-64--26 10.25.56.64/26
> set security zones security-zone Silver address-book address net-cfgr_10-25-7-96--27 10.25.7.96/27
> set security zones security-zone Silver address-book address net-cfgr_10-25-194-96--27 10.25.194.96/27
> ## Vpn zone entries referenced by the inbound policy (the two remote networks routed via st0.0)
> set security zones security-zone Vpn address-book address net-cfgr_2-16-68-0--24 2.16.68.0/24
> set security zones security-zone Vpn address-book address net-cfgr_2-16-69-0--24 2.16.69.0/24
>
> ## Configure IKE policy for main mode
>
> set security ike policy ike-policy-cfgr mode main
> set security ike policy ike-policy-cfgr pre-shared-key ascii-text "yaright"
>
> ## Configure IKE gateway with peer IP address, IKE policy and outgoing interface
>
> set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
> set security ike gateway ike-gate-cfgr address 1.1.1.1
> set security ike gateway ike-gate-cfgr external-interface ge-0/0/12.0
>
> ## Configure IKE authentication, encryption, DH group, and Lifetime
>
> set security ike proposal ike-proposal-cfgr authentication-method pre-shared-keys
> set security ike policy ike-policy-cfgr proposals ike-proposal-cfgr
> set security ike proposal ike-proposal-cfgr encryption-algorithm 3des-cbc
> set security ike proposal ike-proposal-cfgr authentication-algorithm sha1
> set security ike proposal ike-proposal-cfgr dh-group group2
> set security ike proposal ike-proposal-cfgr lifetime-seconds
>
> ## Configure IPsec policy
>
> set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
> set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
> set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
>
> ## Configure IPsec authentication and encryption
>
> set security ipsec proposal ipsec-proposal-cfgr protocol esp
> set security ipsec policy ipsec-policy-cfgr proposals ipsec-proposal-cfgr
> set security ipsec policy ipsec-policy-cfgr perfect-forward-secrecy keys group2
> set security ipsec proposal ipsec-proposal-cfgr encryption-algorithm 3des-cbc
> set security ipsec proposal ipsec-proposal-cfgr authentication-algorithm hmac-sha1-96
>
> ## Configure security policies for tunnel traffic in outbound direction
>
> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-56-64--26
> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-7-96--27
> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-194-96--27
> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match destination-address net-cfgr_2-16-68-0--24
> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match destination-address net-cfgr_2-16-69-0--24
> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match application any
> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr then permit
>
> ## Configure security policies for tunnel traffic in inbound direction
>
> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match source-address net-cfgr_2-16-68-0--24
> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match source-address net-cfgr_2-16-69-0--24
> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-56-64--26
> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-7-96--27
> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-194-96--27
> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match application any
> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr then permit
>
> Thanks,
> Tom
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>



-- 
Morten Isaksen
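An added Python check (not from this thread or from Juniper) that models the phase 2 interop question discussed above: it reads the Junos proxy-identity lines (or their absence, which yields the all-zero proxy IDs Tom describes) and a constructed Cisco crypto ACL built from the 2.16.68.0/24, 2.16.69.0/24 and 10.25.56.64/26 networks in the posted config, then reports which ACL entries the offered proxy IDs would match exactly. The exact-match rule and the Cisco ACL are assumptions that reproduce the behaviour reported in the thread.

```python
import ipaddress
import re

# Constructed inputs: the Junos VPN with no proxy-identity (as posted) and a
# pinned variant; the Cisco crypto ACL is hypothetical, not from the thread.
JUNOS_DEFAULT = "set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0\n"
JUNOS_PINNED = JUNOS_DEFAULT + (
    "set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity local 10.25.56.64/26\n"
    "set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity remote 2.16.68.0/24\n"
)
CISCO_ACL = (
    "access-list 110 permit ip 2.16.68.0 0.0.0.255 10.25.56.64 0.0.0.63\n"
    "access-list 110 permit ip 2.16.69.0 0.0.0.255 10.25.56.64 0.0.0.63\n"
)

PROXY_RE = re.compile(
    r"^set security ipsec vpn (\S+) ike proxy-identity (local|remote|service) (\S+)$")
ACE_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")

def junos_proxy_ids(cfg):
    """Proxy IDs a route-based Junos VPN offers in phase 2: all zeros
    (0.0.0.0/0 <-> 0.0.0.0/0, any service) unless proxy-identity is set."""
    ids = {"local": ipaddress.ip_network("0.0.0.0/0"),
           "remote": ipaddress.ip_network("0.0.0.0/0"), "service": "any"}
    for line in cfg.splitlines():
        m = PROXY_RE.match(line.strip())
        if m and m.group(2) == "service":
            ids["service"] = m.group(3)
        elif m:
            ids[m.group(2)] = ipaddress.ip_network(m.group(3))
    return ids

def cisco_aces(acl):
    """Each crypto-ACL entry as (cisco_side_net, juniper_side_net); the
    Cisco wildcard mask is accepted by ipaddress directly as a hostmask."""
    aces = []
    for line in acl.splitlines():
        m = ACE_RE.search(line)
        if m:
            src, swc, dst, dwc = m.groups()
            aces.append((ipaddress.ip_network(f"{src}/{swc}"),
                         ipaddress.ip_network(f"{dst}/{dwc}")))
    return aces

def phase2_matches(junos_cfg, cisco_acl):
    """For each ACE: (cisco net, juniper net, exact match?). Exact match is
    the assumed Cisco rule; an all-zero pair therefore matches no ACE."""
    ids = junos_proxy_ids(junos_cfg)
    return [(str(c), str(j), ids["remote"] == c and ids["local"] == j)
            for c, j in cisco_aces(cisco_acl)]
```

With the default config every entry fails; pinning one local/remote pair satisfies only the matching entry, which is the one-network limitation Tom describes.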