Thanks Jon, your config pointed something out to me and I have managed to get it working. I knew it was something simple and noobie, and it was :-)
I had defined PFS and DH group 5 in my Juniper IPsec policy stanza, but there was nothing matching on the Cisco side I guess. FWIW here are my two configs in case anyone needs something similar in the future:

Cisco behind NAT
================

crypto isakmp policy 1
 encr aes 256
 hash sha384
 authentication pre-share
 group 5
!
crypto isakmp peer address 1.2.3.4
 set aggressive-mode password SuperSecretPassword
 set aggressive-mode client-endpoint fqdn router.router
!
crypto ipsec transform-set ESP_AES256 esp-aes 256 esp-sha256-hmac
!
crypto ipsec profile c2j-1
 set transform-set ESP_AES256
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.254
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 1.2.3.4
 tunnel protection ipsec profile c2j-1
!

Juniper SRX
===========

interfaces {
    st0 {
        unit 0 {
            family inet {
                address 10.0.0.1/31;
            }
        }
    }
}
security {
    ike {
        proposal ike-proposal-c2j-1 {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha-384;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy ike-policy-c2j-1 {
            mode aggressive;
            proposals ike-proposal-c2j-1;
            pre-shared-key ascii-text "SuperSecretPassword"; ## SECRET-DATA
        }
        gateway ike-gateway-c2j-1 {
            ike-policy ike-policy-c2j-1;
            dynamic hostname router.router;
            external-interface at-1/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-proposal-c2j-1 {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec-policy-c2j-1 {
            proposals ipsec-proposal-c2j-1;
        }
        vpn ipsec-vpn-c2j-1 {
            bind-interface st0.0;
            ike {
                gateway ike-gateway-c2j-1;
                proxy-identity {
                    local 0.0.0.0/0;
                    remote 0.0.0.0/0;
                }
                ipsec-policy ipsec-policy-c2j-1;
            }
            establish-tunnels immediately;
        }
    }
}

Now to get IPv6 working over the tunnel. Managed to get IPv6 and IPv4 working side by side on a tunnel between two Junipers, but no such luck so far with Cisco<>Juniper. Thanks!
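The fix above was a phase 2 parameter mismatch: PFS group 5 on the SRX with nothing matching on the IOS side, which is exactly the kind of disagreement "debug crypto ipsec" tends to stay quiet about. Added example, not part of this thread: a small Python checker that pulls the phase 1 / phase 2 parameters out of both peers' configs and lists what differs; the CISCO_CFG/JUNOS_CFG samples, the simplified parsers and the IOS-to-Junos name mappings are my own construction, not a vendor tool.

```python
import re

# Constructed samples (not the thread's exact configs): the Junos IPsec policy still asks
# for PFS group5, the state before the fix, while the IOS profile has no "set pfs" line.
CISCO_CFG = """
crypto isakmp policy 1
 encr aes 256
 hash sha384
 group 5
crypto ipsec transform-set ESP_AES256 esp-aes 256 esp-sha256-hmac
crypto ipsec profile c2j-1
 set transform-set ESP_AES256
"""
JUNOS_CFG = """
ike { proposal ike-p { dh-group group5; authentication-algorithm sha-384;
      encryption-algorithm aes-256-cbc; } }
ipsec { proposal ipsec-p { authentication-algorithm hmac-sha-256-128;
        encryption-algorithm aes-256-cbc; }
  policy ipsec-pol { perfect-forward-secrecy { keys group5; } proposals ipsec-p; } }
"""
HASH = {"sha": "sha1", "sha256": "sha-256", "sha384": "sha-384"}  # IOS -> Junos names
ESP_AUTH = {"esp-sha-hmac": "hmac-sha1-96", "esp-md5-hmac": "hmac-md5-96",
            "esp-sha256-hmac": "hmac-sha-256-128"}

def find(pat, text):
    m = re.search(pat, text)
    return m.group(1) if m else None

def parse_cisco(text):
    """Phase 1 / phase 2 parameters of an IOS config, renamed to Junos spelling (AES only)."""
    enc, bits = re.search(r"encr (\w+) (\d+)", text).groups()
    esp_enc, esp_bits, esp_auth = re.search(r"transform-set \S+ esp-(\w+) (\d+) (\S+)", text).groups()
    return {"ike_enc": f"{enc}-{bits}-cbc", "ike_hash": HASH[find(r"hash (\w+)", text)],
            "dh": "group" + find(r"\n group (\d+)", text),
            "esp_enc": f"{esp_enc}-{esp_bits}-cbc", "esp_auth": ESP_AUTH[esp_auth],
            "pfs": find(r"set pfs (\w+)", text)}  # None when the profile has no PFS

def parse_junos(text):
    """Same parameters from a Junos 'security' stanza; the ike block must precede ipsec."""
    ike, ipsec = text.split("ipsec {", 1)
    return {"ike_enc": find(r"encryption-algorithm (\S+);", ike),
            "ike_hash": find(r"authentication-algorithm (\S+);", ike),
            "dh": find(r"dh-group (\S+);", ike),
            "esp_enc": find(r"encryption-algorithm (\S+);", ipsec),
            "esp_auth": find(r"authentication-algorithm (\S+);", ipsec),
            "pfs": find(r"keys (\S+);", ipsec)}  # None when no perfect-forward-secrecy

def mismatches(cisco, junos):
    """Parameters that differ between the peers; an empty list means both SAs should negotiate."""
    return [k for k in cisco if cisco[k] != junos[k]]
```

Run against the samples it reports only `pfs`; add `set pfs group5` to the IOS profile (or drop PFS on the SRX, as Tom did) and the list is empty.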
On 21 November 2014 18:10, Paulhamus, Jon <jpaulha...@iu17.org> wrote:
> Here is a working config from an SRX connecting to a Cisco 2911 behind NAT
> - GRE over IPsec. Some things removed - snipped out. IPs changed, etc.
>
> -------------------------------------------
>
> set interfaces ge-0/0/0 description ***INSIDE***
> set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.254/24
> set interfaces ge-0/0/0 description ***TUNNEL***
> set interfaces gr-0/0/0 unit 0 tunnel source 10.250.1.2
> set interfaces gr-0/0/0 unit 0 tunnel destination 10.250.1.1
> set interfaces gr-0/0/0 unit 0 family inet address 192.168.25.2/30
> set interfaces fe-0/0/7 description ***OUTSIDE***
> set interfaces fe-0/0/7 unit 0 family inet address 1.2.3.4/30
> set interfaces lo0 unit 0 family inet address 127.0.0.1/32
> set interfaces lo0 unit 0 family inet address 10.250.1.2/32
> set interfaces st0 unit 0 family inet
> set routing-options static route 10.250.1.1/32 next-hop st0.0
> set routing-options static route 10.250.1.1/32 no-readvertise
> set protocols ospf area 0.0.0.1 interface gr-0/0/0.0 interface-type p2p
> set protocols ospf area 0.0.0.1 interface ge-0/0/0.0
> set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
> set security ike proposal IKE-PROPOSAL dh-group group2
> set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
> set security ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc
> set security ike proposal IKE-PROPOSAL lifetime-seconds 86400
> set security ike policy IKE-POLICY proposals IKE-PROPOSAL
> set security ike policy IKE-POLICY pre-shared-key ascii-text "PRESHAREDKEY"
> set security ike gateway GATEWAY ike-policy IKE-POLICY
> set security ike gateway GATEWAY address 5.6.7.8
> set security ike gateway GATEWAY external-interface fe-0/0/7.0
> set security ike gateway GATEWAY general-ikeid
> set security ipsec proposal IPSEC-PROPOSAL protocol esp
> set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-md5-96
> set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc
> set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 3600
> set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL
> set security ipsec vpn COMPANY bind-interface st0.0
> set security ipsec vpn COMPANY ike gateway GATEWAY
> set security ipsec vpn COMPANY ike proxy-identity local 10.250.1.2/32
> set security ipsec vpn COMPANY ike proxy-identity remote 10.250.1.1/32
> set security ipsec vpn COMPANY ike ipsec-policy IPSEC-POLICY
> set security ipsec vpn COMPANY establish-tunnels immediately
> set security policies from-zone INSIDE to-zone INSIDE policy default-permit match source-address any
> set security policies from-zone INSIDE to-zone INSIDE policy default-permit match destination-address any
> set security policies from-zone INSIDE to-zone INSIDE policy default-permit match application any
> set security policies from-zone INSIDE to-zone INSIDE policy default-permit then permit
> set security policies from-zone INSIDE to-zone OUTSIDE policy default-permit match source-address any
> set security policies from-zone INSIDE to-zone OUTSIDE policy default-permit match destination-address any
> set security policies from-zone INSIDE to-zone OUTSIDE policy default-permit match application any
> set security policies from-zone INSIDE to-zone OUTSIDE policy default-permit then permit
> set security zones security-zone OUTSIDE interfaces fe-0/0/7.0 host-inbound-traffic system-services dhcp
> set security zones security-zone OUTSIDE interfaces fe-0/0/7.0 host-inbound-traffic system-services ping
> set security zones security-zone OUTSIDE interfaces fe-0/0/7.0 host-inbound-traffic system-services ike
> set security zones security-zone OUTSIDE interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh
> set security zones security-zone INSIDE host-inbound-traffic system-services all
> set security zones security-zone INSIDE host-inbound-traffic protocols all
> set security zones security-zone INSIDE interfaces ge-0/0/0.0
> set security zones security-zone INSIDE interfaces lo0.0
> set security zones security-zone INSIDE interfaces st0.0
> set security zones security-zone INSIDE interfaces gr-0/0/0.0
>
> -------------------------------------------------
>
> -----Original Message-----
> From: Tom Storey [mailto:t...@snnap.net]
> Sent: Friday, November 21, 2014 9:00 AM
> To: cisco-nsp; juniper-nsp@puck.nether.net
> Subject: [j-nsp] Cisco to Juniper, route based IPSec VPN
>
> Hi everyone.
>
> I'm trying to set up a route based VPN between a Cisco IOS router (1841) and a Juniper SRX, where the Cisco is sitting behind NAT and the Juniper is out on the public Internet.
>
> My tunnel interfaces aren't coming up at either end, but I feel like I'm teetering on the edge of success.
>
> Phase 1 seems to be OK (up in aggressive mode), but phase 2 is a little dubious. "debug crypto ipsec" on the Cisco isn't really giving up much in the way of error messages. The Juniper reports "SA not initialised" and the Cisco seems to be sending SA requests...
>
> I feel like I'm making a really noobie mistake but I can't figure out what. I've trawled the Internet for sample configs and from what I can see my only difference is the specifics for my particular setup (IPs, keys, proposals/transforms).
>
> Does anyone have a sample config I can review, or would you be willing to review my current configs?
>
> Thanks in advance.
> Tom
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp