What you want to do is use VTI on the Cisco side.  Search for Cisco VTI 
(Virtual Tunnel Interface) or "tunnel protection" for more info & config 
examples.

With tunnel protection, you can create a routable virtual tunnel that uses 
0.0.0.0/0.0.0.0/0 as the proxy ID, and it interoperates just fine with Juniper 
route-based VPNs (M, SRX, SSG, even older NetScreens) -- assuming you match on 
the P1 & P2 proposals.

We do it all the time as it lets us:
(1) run a routing protocol over the tunnel without the GRE overhead
(2) create more granular firewall policies for intra-VPN traffic
(3) keep the configuration simpler
(4) troubleshoot more easily
(5) better manage mixed environments

--
Nathan
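
As an added illustration of the VTI approach Nathan suggests (this is not 
configuration from the thread, and not Nathan's or Tom's), here is an IOS 
configuration written to peer with the SRX config Tom quoted further down. 
The quoted SRX config names the Cisco peer as 1.1.1.1; the SRX's own outside 
address (2.2.2.2), the tunnel /30 (10.255.255.0/30) and the IOS outside 
interface name are assumptions. The pre-shared key is the placeholder from the 
quoted SRX config. The 3DES / SHA-1 / group 2 proposals are weak by today's 
standards and appear here only because that is what the quoted SRX config 
negotiates; the point is that P1 and P2 must match on both ends, so change them 
on both ends together.

```cisco
! Added example, not from the thread. Assumed values: SRX outside address
! 2.2.2.2, tunnel /30 10.255.255.0/30, outside interface GigabitEthernet0/0.
! The PSK "yaright" is the placeholder from the quoted SRX config.
!
! Phase 1: must match the SRX ike-proposal-cfgr (pre-shared-keys, 3des-cbc,
! sha1, group2). Main mode is what IOS uses with pre-shared keys by default,
! matching "ike policy ike-policy-cfgr mode main" on the SRX.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
crypto keyring SRX-KEYRING
 pre-shared-key address 2.2.2.2 key yaright
!
crypto isakmp profile SRX-IKE
 keyring SRX-KEYRING
 match identity address 2.2.2.2 255.255.255.255
!
! Phase 2: must match ipsec-proposal-cfgr (esp, 3des-cbc, hmac-sha1-96) and
! the PFS group the SRX ipsec-policy asks for (group2). A PFS mismatch is a
! common reason P1 comes up but P2 never does.
crypto ipsec transform-set SRX-TS esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile SRX-IPSEC
 set transform-set SRX-TS
 set pfs group2
 set isakmp-profile SRX-IKE
!
! The VTI. No crypto map and no crypto ACL: "tunnel protection" negotiates a
! single child SA with proxy IDs 0.0.0.0/0 <-> 0.0.0.0/0, which is what the
! SRX sends when no proxy-identity is configured. Whatever is routed into
! Tunnel0 gets encrypted, so the routing table (static or BGP) selects the
! interesting traffic instead of an ACL.
interface Tunnel0
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SRX-IPSEC
!
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
!
! Route the SRX-side prefixes from the quoted config into the tunnel, or run
! BGP across it (the SRX config already permits bgp as host-inbound traffic
! on st0.0, but st0.0 would then need an address in the same /30).
ip route 10.25.56.64 255.255.255.192 Tunnel0
ip route 10.25.7.96 255.255.255.224 Tunnel0
ip route 10.25.194.96 255.255.255.224 Tunnel0
```

To check it, use "show crypto isakmp sa" for phase 1 and "show crypto ipsec sa" 
for phase 2: with tunnel protection the child SA's local and remote ident 
lines are the all-zero wildcard (0.0.0.0/0.0.0.0/0/0), the same all-zero proxy 
IDs Tom describes seeing from the SRX, so there is nothing to line up against 
an ACL. Per-network or per-port restrictions then belong in the SRX security 
policies on the Vpn zone (and in an ACL on Tunnel0 on the IOS side), not in 
the SA negotiation.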

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net 
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Tom Devries
Sent: Wednesday, October 27, 2010 11:42 AM
To: Morten Isaksen
Cc: Juniper-Nsp
Subject: Re: [j-nsp] Junos route based vpn with Cisco

Indeed, the only issue I see with policy-based VPNs is the number of VPN 
policies required for the number of networks that have to be encrypted.  As 
someone pointed out on another list, the C device should support null proxy IDs 
if you first deny all other networks and then specify "any any" as interesting.


-----Original Message-----
From: misak...@gmail.com [mailto:misak...@gmail.com] On Behalf Of Morten Isaksen
Sent: October-27-10 1:30 PM
To: Tom Devries
Cc: Juniper-Nsp
Subject: Re: [j-nsp] Junos route based vpn with Cisco

I had the same issue. I changed to policy based VPN and it worked out of the 
box.

2010/10/27 Tom Devries <tom.devr...@rci.rogers.com>:
> Thought I would provide some feedback I received from Juniper 
> regarding this question for the archives.  If using a route-based VPN, 
> the proxy IDs in the SA creation will be all 0's by default:
>
> Local: 0.0.0.0
> Remote: 0.0.0.0
> Service 0
>
> as long as it is unspecified in the config.  However, if you encrypt 
> more than one source network (i.e. multiple networks behind the SRX) 
> and put multiple networks in your proxy-id config (in, say, local 
> network) then that part of the SA will show as 0.0.0.0.  I haven't 
> been able to find a Cisco interop configuration that will be able to 
> create SAs and establish phase II when receiving a 0.0.0.0/0.0.0.0/0 
> proxy ID from a peer (if you have one please post it).  However, one 
> other way to do it would be to use GRE tunnels.
>
> So, long story short, in the below configuration, proxy IDs will all 
> be 0's unless I specify a proxy-id in the config, and in that case I 
> can only encrypt one network/service, as configuring more will set the 
> outgoing proxy ID element to be 0's.
>
>
> Thanks,
> Tom
>
> -----Original Message-----
> From: Tom Devries
> Sent: October-22-10 4:05 PM
> To: Juniper-Nsp
> Subject: Junos route based vpn with Cisco
>
>
>
> Hi all,
>
> Question regarding JunOS (SRX) route-based VPN with a Cisco remote end.
> In such a route-based configuration, how are the SAs generated with 
> the Cisco?  On the Cisco side you match an ACL as interesting traffic 
> and the SAs are created based on that.  On JunOS route-based VPN, is 
> it the policy that creates the SA or does the policy simply enforce 
> the FW rules on the tunnel?  If that is the case, can I have many such 
> rules and specify ports for each rule?  In the below configuration I 
> would like to specify application ports for each rule (rather than the 
> current "any"), but I am unsure how the remote Cisco would respond 
> depending on how the Juniper creates the SA (note: unnumbered st0 interface 
> used)...
>
> I used the following tool to generate this config:
>
> https://www.juniper.net/customers/support/configtools/vpnconfig.html#
>
>
>
>
> ## Configure interface IP and route for tunnel traffic
>
> set interfaces st0.0 family inet
> set routing-options static route 2.16.68.0/24 next-hop st0.0
> set routing-options static route 2.16.69.0/24 next-hop st0.0
>
> ## Configure security zones, assign interfaces to the zones & 
> host-inbound services for each zone
> ## (zone names are case-sensitive; the policies below use "Vpn", so the
> ## interface is placed in "Vpn" here rather than the "vpn" of the original)
>
> set security zones security-zone Vpn interfaces st0.0
> set security zones security-zone Vpn host-inbound-traffic system-services bgp
>
> ## Configure address book entries for each zone
>
> set security zones security-zone Silver address-book address net-cfgr_10-25-56-64--26 10.25.56.64/26
> set security zones security-zone Silver address-book address net-cfgr_10-25-7-96--27 10.25.7.96/27
> set security zones security-zone Silver address-book address net-cfgr_10-25-194-96--27 10.25.194.96/27
> ## The two remote prefixes are referenced by the policies below but were
> ## missing from the original posting; they are needed for the commit to succeed
> set security zones security-zone Vpn address-book address net-cfgr_2-16-68-0--24 2.16.68.0/24
> set security zones security-zone Vpn address-book address net-cfgr_2-16-69-0--24 2.16.69.0/24
>
> ## Configure IKE policy for main mode
>
> set security ike policy ike-policy-cfgr mode main
> set security ike policy ike-policy-cfgr pre-shared-key ascii-text "yaright"
>
> ## Configure IKE gateway with peer IP address, IKE policy and outgoing 
> interface
>
> set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
> set security ike gateway ike-gate-cfgr address 1.1.1.1
> set security ike gateway ike-gate-cfgr external-interface ge-0/0/12.0
>
> ## Configure IKE authentication, encryption, DH group, and Lifetime
>
> set security ike proposal ike-proposal-cfgr authentication-method pre-shared-keys
> set security ike policy ike-policy-cfgr proposals ike-proposal-cfgr
> set security ike proposal ike-proposal-cfgr encryption-algorithm 3des-cbc
> set security ike proposal ike-proposal-cfgr authentication-algorithm sha1
> set security ike proposal ike-proposal-cfgr dh-group group2
> ## lifetime-seconds takes a value in seconds; the value was cut off in the
> ## original posting and must be supplied before commit
> set security ike proposal ike-proposal-cfgr lifetime-seconds
>
> ## Configure IPsec policy
>
> set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
> set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
> set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
>
> ## Configure IPsec authentication and encryption
>
> set security ipsec proposal ipsec-proposal-cfgr protocol esp
> set security ipsec policy ipsec-policy-cfgr proposals ipsec-proposal-cfgr
> set security ipsec policy ipsec-policy-cfgr perfect-forward-secrecy keys group2
> set security ipsec proposal ipsec-proposal-cfgr encryption-algorithm 3des-cbc
> set security ipsec proposal ipsec-proposal-cfgr authentication-algorithm hmac-sha1-96
>
> ## Configure security policies for tunnel traffic in outbound 
> direction
> ## (a Junos policy must match on source-address, destination-address and
> ## application; the destination-address lines were missing from the original)
>
> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-56-64--26
> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-7-96--27
> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-194-96--27
> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match destination-address net-cfgr_2-16-68-0--24
> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match destination-address net-cfgr_2-16-69-0--24
> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match application any
> set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr then permit
>
> ## Configure security policies for tunnel traffic in inbound direction
>
> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match source-address net-cfgr_2-16-68-0--24
> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match source-address net-cfgr_2-16-69-0--24
> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-56-64--26
> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-7-96--27
> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-194-96--27
> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match application any
> set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr then permit
>
> Thanks,
> Tom
>
>
> This e-mail (and attachment(s)) is confidential, proprietary, may be subject 
> to copyright and legal privilege and no related rights are waived. If you are 
> not the intended recipient or its agent, any review, dissemination, 
> distribution or copying of this e-mail or any of its content is strictly 
> prohibited and may be unlawful. All messages may be monitored as permitted by 
> applicable law and regulations and our policies to protect our business. 
> E-mails are not secure and you are deemed to have accepted any risk if you 
> communicate with us by e-mail. If received in error, please notify us 
> immediately and delete the e-mail (and any attachments) from any computer or 
> any storage medium without printing a copy.
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>



--
Morten Isaksen
