IPSEC Interface Style Configuration Between Cisco and Juniper (GRE over IPSEC)
Solution:
Configuring IPSEC interface style between Cisco and Juniper and setting up GRE over IPSEC
Cisco side:
Topology: (R1) Cisco-3845 (ge0/1) <----- ospf -----> R2 <----- static -----> (ge-1/3/0) Juniper-M10i (R3)
Configuration
Cisco-3845-R1
CISCO-3845# sh run
Building configuration...
Current configuration : 2361 bytes
!
! Last configuration change at 15:29:17 UTC Wed Oct 28 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO-3845
!
boot-start-marker
boot-end-marker
!
!card type command needed for slot 1
!
no aaa new-model
ip cef
!
!
crypto isakmp policy 1 -----------> IKE Configuration
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key juniper address 192.168.1.1
!
!
crypto ipsec transform-set JUNIPER esp-3des esp-md5-hmac
!
crypto map gre 10 ipsec-isakmp ---------------> IPSEC configuration
 set peer 192.168.1.1
 set security-association lifetime seconds 190
 set transform-set JUNIPER
 match address 113
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0 ---------------------> GRE Tunnel
 ip address 122.30.1.2 255.255.255.252
 tunnel source 3.3.3.3
 tunnel destination 4.4.4.4
!
!
interface GigabitEthernet0/1
 ip address 172.16.1.2 255.255.255.252
 crypto map gre -----------------------> Apply gre here
!
router ospf 10
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 172.16.1.2 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
access-list 113 permit ip host 3.3.3.3 host 4.4.4.4
!
!
!
end
Juniper-M10i-R3
system {
    root-authentication {
        encrypted-password "$1$fTdeotTy$ARQ9l0sQmFaCkLuHyz/Mj/"; ## SECRET-DATA
    }
    login {
        user lab {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$wbTQ8PZ9$IjiXT4iGvLsWJodbCjHvm0"; ## SECRET-DATA
            }
        }
    }
    services {
        ftp;
        telnet;
    }
}
interfaces {
    gr-1/2/0 {
        unit 0 {
            tunnel {
                source 4.4.4.4;
                destination 3.3.3.3;
            }
            family inet {
                address 122.30.1.1/30;
            }
        }
    }
    sp-1/2/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
    ge-1/3/0 {
        vlan-tagging;
        mtu 1500;
        unit 0 {
            vlan-id 100;
            family inet {
                service {
                    input {
                        service-set IPSEC-VPN service-filter INPUT;
                    }
                    output {
                        service-set IPSEC-VPN service-filter OUTPUT;
                    }
                }
                address 192.168.1.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 4.4.4.4/32;
            }
        }
    }
}
routing-options {
    static {
        route 3.3.3.3/32 next-hop 192.168.1.2;
        route 172.16.1.0/30 next-hop 192.168.1.2;
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface gr-1/2/0.0;
        }
    }
}
firewall {
    family inet {
        service-filter INPUT {
            term 1 {
                from {
                    source-address {
                        172.16.1.2/32;
                    }
                    destination-address {
                        192.168.1.1/32;
                    }
                }
                then service;
            }
        }
        service-filter OUTPUT {
            term 1 {
                from {
                    source-address {
                        122.30.1.1/32;
                    }
                    protocol gre;
                }
                then service;
            }
            term 2 {
                from {
                    source-address {
                        4.4.4.4/32;
                    }
                    destination-address {
                        3.3.3.3/32;
                    }
                }
                then service;
            }
            term 3 {
                then skip;
            }
        }
    }
}
services {
    ipsec-vpn {
        rule IPSEC-VPN-RULE {
            term 2 {
                from {
                    source-address {
                        4.4.4.4/32;
                    }
                    destination-address {
                        3.3.3.3/32;
                    }
                }
                then {
                    remote-gateway 172.16.1.2;
                    dynamic {
                        ike-policy IKE-POLICY;
                        ipsec-policy IPSEC-POLICY;
                    }
                }
            }
            match-direction output;
        }
        ipsec {
            proposal IPSEC-PROPOSAL {
                protocol esp;
                authentication-algorithm hmac-md5-96;
                encryption-algorithm 3des-cbc;
            }
            policy IPSEC-POLICY {
                proposals IPSEC-PROPOSAL;
            }
        }
        ike {
            proposal IKE-PROPOSAL {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm md5;
                encryption-algorithm aes-256-cbc;
            }
            policy IKE-POLICY {
                mode main;
                proposals IKE-PROPOSAL;
                pre-shared-key ascii-text "$9$9k8mt0IylMNdsEcds24DjCtu"; ## SECRET-DATA
            }
        }
        establish-tunnels immediately;
    }
    service-set IPSEC-VPN {
        ipsec-vpn-options {
            local-gateway 192.168.1.1;
        }
        ipsec-vpn-rules IPSEC-VPN-RULE;
        interface-service {
            service-interface sp-1/2/0.0;
        }
    }
}
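The two configurations above only bring a tunnel up if the IKE (phase 1) and IPsec (phase 2) proposals agree on both sides, and the vendors spell the same algorithms differently. As an added cross-check that is not part of the original article, the following Python script reads those parameters from excerpts of both configs, maps the IOS keywords to their Junos names, reports any mismatch, and lists the algorithms in this lab config (3DES, MD5) that are deprecated for new deployments. The regex-based parsing, the proposal names IKE-PROPOSAL and IPSEC-PROPOSAL, and the keyword table are assumptions tied to this page's layout, not a general config parser.

```python
import re
# Constructed excerpts of the Cisco IOS and Junos configurations shown on this page.
CISCO_CFG = """crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set JUNIPER esp-3des esp-md5-hmac
 set peer 192.168.1.1"""
JUNOS_CFG = """proposal IPSEC-PROPOSAL { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm 3des-cbc; }
proposal IKE-PROPOSAL { authentication-method pre-shared-keys; dh-group group2;
    authentication-algorithm md5; encryption-algorithm aes-256-cbc; }
service-set IPSEC-VPN { ipsec-vpn-options { local-gateway 192.168.1.1; } }"""
# IOS keyword -> Junos keyword naming the same algorithm, method or DH group.
IOS_TO_JUNOS = {"aes 256": "aes-256-cbc", "3des": "3des-cbc", "md5": "md5", "sha": "sha1",
                "pre-share": "pre-shared-keys", "2": "group2", "esp-3des": "3des-cbc", "esp-md5-hmac": "hmac-md5-96"}
WEAK = {"3des-cbc", "md5", "hmac-md5-96"}  # deprecated for new deployments

def _ios(cfg, pattern):
    m = re.search(pattern, cfg, re.M)
    return IOS_TO_JUNOS.get(m.group(1).strip(), m.group(1)) if m else None

def ios_params(cfg):
    """Phase-1 and phase-2 parameters of an IOS crypto config, in Junos names."""
    ts = r"^crypto ipsec transform-set \S+ "
    return {"ike_enc": _ios(cfg, r"^\s*encr (.+)$"), "ike_hash": _ios(cfg, r"^\s*hash (\S+)"),
            "ike_auth": _ios(cfg, r"^\s*authentication (\S+)"), "dh": _ios(cfg, r"^\s*group (\d+)"),
            "esp_enc": _ios(cfg, ts + r"(\S+)"), "esp_auth": _ios(cfg, ts + r"\S+ (\S+)"),
            "peer": _ios(cfg, r"^\s*set peer (\S+)")}

def _kv(text, key):
    m = re.search(key + r" (\S+);", text)
    return m.group(1) if m else None

def junos_params(cfg):
    """The same parameters read from a Junos [edit services] configuration."""
    blk = lambda name: re.search(r"proposal " + name + r" \{(.*?)\}", cfg, re.S).group(1)
    ike, esp = blk("IKE-PROPOSAL"), blk("IPSEC-PROPOSAL")
    return {"ike_enc": _kv(ike, "encryption-algorithm"), "ike_hash": _kv(ike, "authentication-algorithm"),
            "ike_auth": _kv(ike, "authentication-method"), "dh": _kv(ike, "dh-group"),
            "esp_enc": _kv(esp, "encryption-algorithm"), "esp_auth": _kv(esp, "authentication-algorithm"),
            "peer": _kv(cfg, "local-gateway")}

def mismatches(ios_cfg, junos_cfg):
    """Parameter names on which the two peers disagree; empty means the proposals match."""
    a, b = ios_params(ios_cfg), junos_params(junos_cfg)
    return sorted(k for k in a if a[k] != b[k])

def weak_algorithms(params):
    """Deprecated algorithms present in a parameter set (hardening check, not interop)."""
    return sorted(v for v in params.values() if v in WEAK)
```

The "peer" entry compares the Cisco `set peer` address with the Junos `local-gateway`, which is the pair that must line up for this interface-style setup.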
Logs to Check:
Juniper Side:
lab@Juniper-M10i-R3# run show services ipsec-vpn ike security-associations
Remote Address State Initiator cookie Responder cookie Exchange type
172.16.1.2 Matured b6f38a760742b360 3d6015d906d15e23 Main
lab@Juniper-M10i-R3# run show services ipsec-vpn ipsec security-associations
Service set: IPSEC-VPN, IKE Routing-instance: default
Rule: IPSEC-VPN-RULE, Term: 2, Tunnel index: 1
Local gateway: 192.168.1.1, Remote gateway: 172.16.1.2
Tunnel MTU: 1500
Direction SPI AUX-SPI Mode Type Protocol
inbound 846861092 0 tunnel dynamic ESP
outbound 3511528138 0 tunnel dynamic ESP
[edit]
lab@Juniper-M10i-R3# run show services ipsec-vpn ipsec statistics
PIC: sp-1/2/0, Service set: IPSEC-VPN
ESP Statistics:
Encrypted bytes: 1224
Decrypted bytes: 1192
Encrypted packets: 12
Decrypted packets: 10
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
lab@Juniper-M10i-R3# run show ospf neighbor -------------> GRE Neighbor
Address Interface State ID Pri Dead
122.30.1.2 gr-1/2/0.0 Full 3.3.3.3 1 32
Cisco side:
IKE Security Association:
CISCO-3845#sh crypto isakmp sa
dst src state conn-id slot status
172.16.1.2 192.168.1.1 QM_IDLE 5 0 ACTIVE
IPSEC Security Association:
CISCO-3845#sh crypto ipsec sa
interface: GigabitEthernet0/1
Crypto map tag: gre, local addr 172.16.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
current_peer 192.168.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4683, #pkts encrypt: 4683, #pkts digest: 4683
#pkts decaps: 5909, #pkts decrypt: 5909, #pkts verify: 5909
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4361, #recv errors 80
local crypto endpt.: 172.16.1.2, remote crypto endpt.: 192.168.1.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x3A4EC4F4(978240756)
inbound esp sas:
spi: 0x6E51CA(7229898)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3002, flow_id: Onboard VPN:2, crypto map: gre
sa timing: remaining key lifetime (k/sec): (4450185/112)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0xE463C1A2(3831742882)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: Onboard VPN:4, crypto map: gre
sa timing: remaining key lifetime (k/sec): (4514229/165)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x63C5CAF3(1673906931)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3001, flow_id: Onboard VPN:1, crypto map: gre
sa timing: remaining key lifetime (k/sec): (4450185/110)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x3A4EC4F4(978240756)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: Onboard VPN:3, crypto map: gre
sa timing: remaining key lifetime (k/sec): (4514229/161)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.40.3.20/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.66.1.21/255.255.255.255/0/0)
current_peer 192.168.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.1.2, remote crypto endpt.: 192.168.1.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
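The counters above are what a practitioner checks after bringing the tunnel up: the first flow has active SAs but a large number of send errors, and the second flow has no SA at all. As an added example that is not part of the original article, this Python snippet parses the per-flow blocks of `sh crypto ipsec sa` output in the layout shown and flags flows with no active ESP SA or with a high send-error ratio; the constructed sample text, the 5% threshold, and the regexes tuned to this layout are assumptions.

```python
import re
# Constructed sample in the layout of the "sh crypto ipsec sa" output shown on this page.
SAMPLE = """interface: GigabitEthernet0/1
   local  ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
    #pkts encaps: 4683, #pkts encrypt: 4683, #pkts digest: 4683
    #pkts decaps: 5909, #pkts decrypt: 5909, #pkts verify: 5909
    #send errors 4361, #recv errors 80
     inbound esp sas:
      spi: 0x6E51CA(7229898)
        sa timing: remaining key lifetime (k/sec): (4450185/112)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x63C5CAF3(1673906931)
        sa timing: remaining key lifetime (k/sec): (4450185/110)
        Status: ACTIVE
   local  ident (addr/mask/prot/port): (10.40.3.20/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.66.1.21/255.255.255.255/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     inbound esp sas:
     outbound esp sas:
"""

def parse_flows(text):
    """One dict per 'local ident' block: endpoints, packet counters, SA count, shortest lifetime."""
    flows = []
    for chunk in re.split(r"(?=^\s*local\s+ident)", text, flags=re.M)[1:]:
        num = lambda key: int(re.search(key + r":? (\d+)", chunk).group(1))
        idents = re.findall(r"ident \(addr/mask/prot/port\): \(([\d.]+)/", chunk)
        lifetimes = [int(s) for s in re.findall(r"\(\d+/(\d+)\)", chunk)]
        flows.append({"local": idents[0], "remote": idents[1],
                      "encaps": num(r"#pkts encaps"), "decaps": num(r"#pkts decaps"),
                      "send_errors": num(r"#send errors"), "recv_errors": num(r"#recv errors"),
                      "active_sas": len(re.findall(r"Status: ACTIVE", chunk)),
                      "min_lifetime_sec": min(lifetimes) if lifetimes else None})
    return flows

def findings(text, max_err_ratio=0.05):
    """Conditions worth a ticket: no SA for a flow, or send errors high relative to traffic."""
    out = []
    for f in parse_flows(text):
        name = f"{f['local']}->{f['remote']}"
        if f["active_sas"] == 0:
            out.append(f"{name}: no active ESP SA")
        sent = f["encaps"] + f["send_errors"]
        if sent and f["send_errors"] / sent > max_err_ratio:
            out.append(f"{name}: {f['send_errors']} send errors for {f['encaps']} encaps")
    return out
```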
CISCO-3845#sh ip ospf nei
Neighbor ID Pri State Dead Time Address Interface
4.4.4.4 0 FULL/ - 00:00:36 122.30.1.1 Tunnel0 -------> GRE neighbor
2.2.2.2 128 FULL/BDR 00:00:39 172.16.1.1 GigabitEthernet0/1