How to setup a VPN between a Juniper Firewall and a Cisco PIX


Categories:
Knowledge Base ID: KB4147
Last Updated: 09 Jan 2013
Version: 15.0

Summary:
  • Step-by-step instructions to set up a policy-based VPN between a Juniper firewall and a Cisco PIX.
  • Step-by-step instructions to set up a route-based VPN between a Juniper firewall and a Cisco PIX.

Problem or Goal:
  • How to set up a VPN between a PIX and a Juniper NetScreen firewall when the PIX uses a single access list.
  • A policy-based VPN is better suited to a PIX with multiple access lists.
  • How to verify the VPN connection.

Topology:

Juniper firewall/NetScreen configuration:
  Untrust zone eth1 IP 1.1.1.1/24
  Trust zone eth2 IP 10.1.1.1/24
  Phase 1 Proposal pre-g2-des-sha
  Phase 2 Proposal nopfs-esp-des-sha

Cisco PIX configuration:
  Outside eth1 IP 2.2.2.1/24
  Inside eth2 IP 172.16.10.1/24
  Phase 1 Proposal pre-g2-des-sha
  Phase 2 Proposal nopfs-esp-des-sha


Solution:
Scenario 1 -- Juniper Netscreen Firewall using Policy-based VPN to Cisco PIX:

In this scenario, the Juniper firewall is set up with a policy-based VPN, and the source and destination addresses of the tunnel policy match the access list configured on the PIX.

Juniper Firewall Configuration:
  1. VPN Phase 1 Configuration:
    set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
  2. VPN Phase 2 Configuration:
    set vpn "To-Cisco-VPN" gateway "To-Cisco" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
  3. Policy setup:
    set policy id 2 from "Trust" to "Untrust"  "10.1.1.0/24" "172.16.10.0/24" "ANY" tunnel vpn "To-Cisco-VPN" id 2 pair-policy 3
    set policy id 3 from "Untrust" to "Trust"  "172.16.10.0/24" "10.1.1.0/24" "ANY" tunnel vpn "To-Cisco-VPN" id 2 pair-policy 2

PIX Firewall Configuration:
  1. VPN Phase 1 Configuration:
    isakmp enable outside
    isakmp key netscreen address 1.1.1.1 netmask 255.255.255.255 no-xauth
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
  2. VPN Phase 2 Configuration:
    access-list 101 permit ip 172.16.10.0 0.0.0.255 10.1.1.0 0.0.0.255
    crypto ipsec transform-set nsset esp-des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto map nsmap 10 ipsec-isakmp
    crypto map nsmap 10 match address 101
    crypto map nsmap 10 set peer 1.1.1.1
    crypto map nsmap 10 set transform-set nsset
    crypto map nsmap interface outside


Scenario 2 -- Juniper Netscreen Firewall using Route-based VPN to Cisco PIX:

In this scenario, the PIX configuration is identical to Scenario 1; only the Juniper firewall changes from a policy-based to a route-based VPN. These steps document the route-based VPN on the Juniper firewall.

Juniper Firewall Configuration:

  1. VPN Phase 1:
    set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
  2. VPN Phase 2:
    set vpn "To-Cisco-VPN" gateway "To-Cisco" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
  3. Create a tunnel interface and bind it to the VPN "To-Cisco-VPN":
    set interface "tunnel.1" zone "Trust"
    set interface tunnel.1 ip unnumbered interface ethernet1
    set vpn "To-Cisco-VPN" bind interface tunnel.1
  4. Proxy ID setup. The proxy ID must match the access list configured on the PIX. This is a limitation of a route-based VPN on a Juniper firewall when the PIX has multiple access lists configured, because a single proxy ID can mirror only one access list entry; in the multiple access-list scenario, a policy-based VPN should be used instead.
    set vpn "To-Cisco-VPN" proxy-id local-ip 10.1.1.0/24 remote-ip 172.16.10.0/24 "ANY"
  5. Set up a static route so that traffic destined to the remote inside network is sent via the tunnel interface created in step 3.
    set route 172.16.10.0/24 interface tunnel.1

PIX Firewall Configuration:
  1. VPN Phase 1 Configuration:
    isakmp enable outside
    isakmp key netscreen address 1.1.1.1 netmask 255.255.255.255 no-xauth
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
  2. VPN Phase 2 Configuration:
    access-list 101 permit ip 172.16.10.0 0.0.0.255 10.1.1.0 0.0.0.255
    crypto ipsec transform-set nsset esp-des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto map nsmap 10 ipsec-isakmp
    crypto map nsmap 10 match address 101
    crypto map nsmap 10 set peer 1.1.1.1
    crypto map nsmap 10 set transform-set nsset
    crypto map nsmap interface outside
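The one value both scenarios depend on is that the Phase 2 selectors agree: the Juniper tunnel policy addresses (Scenario 1, step 3) or the proxy ID (Scenario 2, step 4) must be the mirror image of the PIX crypto access list, which is written with Cisco wildcard masks rather than prefix lengths. The following Python script is an added example, not part of this KB or of either vendor's tooling: it converts the wildcard mask to a network, extracts the local and remote addresses from the ScreenOS `set policy ... tunnel` or `set vpn ... proxy-id` line, and reports whether the two peers describe the same traffic from opposite ends. The sample lines are taken from the configuration above; only addresses are compared, so a service or protocol mismatch (the `"ANY"` fields) would still have to be checked by hand, and policies that refer to address-book object names would need those names resolved to prefixes first.

```python
"""Check that ScreenOS Phase 2 selectors mirror the PIX crypto access list.

Added example for this KB (not Juniper or Cisco code). Inputs are the
configuration lines shown in the article, embedded here as constants.
"""
import ipaddress
import re

# Constructed sample inputs copied from the KB's configuration listings.
PIX_ACL = "access-list 101 permit ip 172.16.10.0 0.0.0.255 10.1.1.0 0.0.0.255"
NS_POLICY = ('set policy id 2 from "Trust" to "Untrust"  "10.1.1.0/24" '
             '"172.16.10.0/24" "ANY" tunnel vpn "To-Cisco-VPN" id 2 pair-policy 3')
NS_PROXY_ID = ('set vpn "To-Cisco-VPN" proxy-id local-ip 10.1.1.0/24 '
               'remote-ip 172.16.10.0/24 "ANY"')

ACL_RE = re.compile(r"^access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
POLICY_RE = re.compile(r'from\s+"[^"]+"\s+to\s+"[^"]+"\s+"([^"]+)"\s+"([^"]+)"')
PROXY_RE = re.compile(r"proxy-id\s+local-ip\s+(\S+)\s+remote-ip\s+(\S+)")


def cisco_wildcard_network(addr, wildcard):
    """Turn a Cisco 'address wildcard' pair into an IPv4Network.

    The wildcard is inverted explicitly (0.0.0.255 -> 255.255.255.0) rather
    than handed to ipaddress as a hostmask, because 0.0.0.0 must mean /32 and
    255.255.255.255 must mean /0. ipaddress raises on non-contiguous masks,
    which cannot be expressed as a ScreenOS proxy ID anyway, and on host bits.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address(wc ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}")


def pix_selectors(acl_line):
    """Return (pix_local, pix_remote) from a 'permit ip' access-list entry."""
    m = ACL_RE.match(acl_line.strip())
    if not m:
        raise ValueError("not a 'permit ip' access-list entry: " + acl_line)
    src, src_wc, dst, dst_wc = m.groups()
    return (cisco_wildcard_network(src, src_wc),
            cisco_wildcard_network(dst, dst_wc))


def screenos_selectors(line):
    """Return (ns_local, ns_remote) from a tunnel policy or proxy-id line.

    Only literal prefixes are accepted; an address-book object name such as
    "Any" raises a ValueError from ipaddress and must be resolved first.
    """
    m = PROXY_RE.search(line) or POLICY_RE.search(line)
    if not m:
        raise ValueError("no local/remote selectors found in: " + line)
    return ipaddress.IPv4Network(m.group(1)), ipaddress.IPv4Network(m.group(2))


def selectors_mirror(ns_line, acl_line):
    """True when NS local == PIX remote and NS remote == PIX local.

    Phase 2 fails with a proxy-ID mismatch if either side is wider, narrower
    or simply different, so equality (not containment) is the right test.
    """
    ns_local, ns_remote = screenos_selectors(ns_line)
    pix_local, pix_remote = pix_selectors(acl_line)
    return ns_local == pix_remote and ns_remote == pix_local


if __name__ == "__main__":
    for label, ns_line in (("policy", NS_POLICY), ("proxy-id", NS_PROXY_ID)):
        state = "match" if selectors_mirror(ns_line, PIX_ACL) else "MISMATCH"
        print(f"{label:9s} vs access-list 101: {state}")
```

Run it against the lines from a real configuration by replacing the constants; a mismatch reported here is the usual cause of a Phase 1 that completes while no Phase 2 SA is ever built.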

Useful commands to verify the VPN connection on the Juniper firewall:

ns-> ping 172.16.10.2 from eth2
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 1 seconds from ethernet2
.!!!!
Success Rate is 80 percent (4/5), round-trip time min/avg/max=3/7/20 ms


ns-> get ike cookie

Active: 1, Dead: 0, Total 1

80182f/0003, 1.1.1.1:500->2.2.2.1:500, PRESHR/grp2/DES/SHA, xchg(5) (To-Cisco/grp-1/usr-1)
resent-tmr 14306744 lifetime 28800 lt-recv 28800 nxt_rekey 19542 cert-expire 0
initiator, err cnt 0, send dir 0, cond 0x10
nat-traversal map not available
ike heartbeat              : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0

ns-> get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000002<         2.2.2.1  500 esp: des/sha1 fdc08459  3589  403M A/-     3 0
00000002>         2.2.2.1  500 esp: des/sha1 82752ea1  3589  403M A/-     2 0

Useful commands to verify the VPN connection on the PIX firewall:

pixfirewall# show crypto ipsec sa

interface: outside
    Crypto map tag: nsmap, local addr. 2.2.2.1

   local  ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 37, #pkts encrypt: 37, #pkts digest 37
    #pkts decaps: 37, #pkts decrypt: 37, #pkts verify 37
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0

     local crypto endpt.: 2.2.2.1, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 0
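The `get sa` and `show crypto ipsec sa` outputs above can be checked mechanically instead of by eye. The following Python script is an added example, not part of this KB or of either vendor's tooling: it embeds the two excerpts shown above as constructed sample text, parses the `get sa` table (in ScreenOS `<` is the inbound SA, `>` the outbound SA, and `A` in the `Sta` column means active), reports whether both directions to the peer are active, confirms from the PIX counters that packets are being both encapsulated and decapsulated, surfaces the `#send errors` count, and flags the DES and DH group 2 components that this KB's proposals use, both of which are far below current strength recommendations (56-bit DES, 1024-bit modulus).

```python
"""Parse ScreenOS 'get sa' and PIX 'show crypto ipsec sa' output and judge tunnel health.

Added example for this KB (not Juniper or Cisco code). The sample text below
is copied from the output shown in the article.
"""
import re

# Constructed sample output: the 'get sa' excerpt from this KB.
GET_SA = """\
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000002<         2.2.2.1  500 esp: des/sha1 fdc08459  3589  403M A/-     3 0
00000002>         2.2.2.1  500 esp: des/sha1 82752ea1  3589  403M A/-     2 0
"""

# Constructed sample output: the counter lines from the PIX excerpt in this KB.
PIX_SA = """\
    #pkts encaps: 37, #pkts encrypt: 37, #pkts digest 37
    #pkts decaps: 37, #pkts decrypt: 37, #pkts verify 37
    #send errors 12, #recv errors 0
"""

# The 'get ike cookie' line shows the Phase 1 suite as PRESHR/grp2/DES/SHA.
IKE_SUITE = "PRESHR/grp2/DES/SHA"

SA_ROW = re.compile(
    r"^(?P<id>[0-9a-f]{8})(?P<dir>[<>])\s+(?P<gw>\S+)\s+(?P<port>\d+)\s+esp:\s+"
    r"(?P<alg>\S+)\s+(?P<spi>[0-9a-f]+)\s+(?P<life>\d+)\s+(?P<kb>\S+)\s+(?P<sta>\S+)",
    re.M)
COUNTER = re.compile(r"#(?:pkts )?(encaps|decaps|send errors|recv errors):?\s+(\d+)")

# Components of the KB's proposals that are weak by current standards.
WEAK = {"des": "56-bit DES", "grp2": "1024-bit DH group 2"}


def parse_get_sa(text):
    """Return one dict per SA row; dir '<' is inbound, '>' is outbound."""
    rows = []
    for m in SA_ROW.finditer(text):
        d = m.groupdict()
        d["port"] = int(d["port"])
        d["life"] = int(d["life"])
        d["active"] = d["sta"].startswith("A")   # 'A/-' -> active, 'I/-' -> inactive
        rows.append(d)
    return rows


def tunnel_up(rows, peer):
    """A tunnel is usable only when both an inbound and an outbound SA to the peer are active."""
    dirs = {r["dir"] for r in rows if r["gw"] == peer and r["active"]}
    return dirs == {"<", ">"}


def parse_pix_counters(text):
    """Pull the encaps/decaps/error counters out of 'show crypto ipsec sa'."""
    return {name: int(value) for name, value in COUNTER.findall(text)}


def pix_traffic_flowing(counters):
    """Traffic in one direction only (encaps>0, decaps==0) points at a return-route or selector problem."""
    return counters.get("encaps", 0) > 0 and counters.get("decaps", 0) > 0


def weak_components(alg_string):
    """List the weak parts of a '/'-separated suite such as 'PRESHR/grp2/DES/SHA' or 'des/sha1'."""
    return sorted(WEAK[p] for p in alg_string.lower().split("/") if p in WEAK)


if __name__ == "__main__":
    rows = parse_get_sa(GET_SA)
    print("Juniper SAs to 2.2.2.1 active both ways:", tunnel_up(rows, "2.2.2.1"))
    counters = parse_pix_counters(PIX_SA)
    print("PIX traffic flowing both ways:", pix_traffic_flowing(counters),
          "| send errors:", counters.get("send errors", 0))
    for r in rows:
        print(f"  {r['dir']} spi={r['spi']} alg={r['alg']} life={r['life']}s weak={weak_components(r['alg'])}")
    print("Phase 1 weak components:", weak_components(IKE_SUITE))
```

The `#send errors` counter is reported rather than treated as a failure: it counts packets the PIX could not encrypt (typically because they arrived before the SA was established) and is informational once encaps and decaps are both climbing.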


Purpose:
Troubleshooting

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.