
IPSEC Interface Style Configuration Between Cisco and Juniper (GRE over IPSEC)


Article ID: KB15627 | KB Last Updated: 24 Feb 2020 | Version: 2.0
Summary:
IPSEC Interface Style Configuration Between Cisco and Juniper (GRE over IPSEC)
Solution:
Configuring interface-style IPSEC between a Cisco router and a Juniper router, and setting up GRE over IPSEC.


(R1)Cisco-3845(ge0/1)<-----ospf---------->R2<-----------static----->(ge-1/3/0)Juniper-M10i(R3)

Configuration


Cisco-3845-R1

CISCO-3845# sh run
Building configuration...

Current configuration : 2361 bytes
!
! Last configuration change at 15:29:17 UTC Wed Oct 28 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO-3845
!
boot-start-marker
boot-end-marker
!
!card type command needed for slot 1
!
no aaa new-model
ip cef
!
!
crypto isakmp policy 1 -----------> IKE Configuration
encr aes 256
hash md5
authentication pre-share
group 2
crypto isakmp key juniper address 192.168.1.1
!
!
crypto ipsec transform-set JUNIPER esp-3des esp-md5-hmac
!
crypto map gre 10 ipsec-isakmp ---------------> IPSEC configuration
set peer 192.168.1.1
set security-association lifetime seconds 190
set transform-set JUNIPER
match address 113
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0  ---------------------> GRE Tunnel
ip address 122.30.1.2 255.255.255.252
tunnel source 3.3.3.3
tunnel destination 4.4.4.4
!
!
interface GigabitEthernet0/1
ip address 172.16.1.2 255.255.255.252
crypto map gre  -----------------------> Apply gre here
!
router ospf 10
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 0
network 172.16.1.2 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
access-list 113 permit ip host 3.3.3.3 host 4.4.4.4
!
!
!
end

Juniper-M10i-R3

system {
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
    login {
        user lab {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$ABC123"; ## SECRET-DATA
            }
        }
    }
    services {
        ftp;
        telnet;
    }
}

interfaces {
    gr-1/2/0 {
        unit 0 {    
            tunnel {
                source 4.4.4.4;
                destination 3.3.3.3;
            }
            family inet {
                address 122.30.1.1/30;
            }
        }
    }
    sp-1/2/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
    ge-1/3/0 {      
        vlan-tagging;
        mtu 1500;
        unit 0 {
            vlan-id 100;
            family inet {
                service {
                    input {
                        service-set IPSEC-VPN service-filter INPUT;
                    }
                    output {
                        service-set IPSEC-VPN service-filter OUTPUT;
                    }
                }
                address 192.168.1.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 4.4.4.4/32;
            }
        }           
    }
}

routing-options {
    static {
        route 3.3.3.3/32 next-hop 192.168.1.2;
        route 172.16.1.0/30 next-hop 192.168.1.2;
    }
}

protocols {
    ospf {
        area 0.0.0.0 {
            interface gr-1/2/0.0;
        }
    }
}

firewall {
    family inet {
        service-filter INPUT {
            term 1 {
                from {
                    source-address {
                        172.16.1.2/32;
                    }
                    destination-address {
                        192.168.1.1/32;
                    }
                }
                then service;
            }
        }
        service-filter OUTPUT {
            term 1 {
                from {
                    source-address {
                        122.30.1.1/32;
                    }
                    protocol gre;
                }
                then service;
            }
            term 2 {
                from {
                    source-address {
                        4.4.4.4/32;
                    }
                    destination-address {
                        3.3.3.3/32;
                    }
                }
                then service;
            }
            term 3 {
                then skip;
            }
        }
    }
}

services {
    ipsec-vpn {
        rule IPSEC-VPN-RULE {
            term 2 {
                from {
                    source-address {
                        4.4.4.4/32;
                    }
                    destination-address {
                        3.3.3.3/32;
                    }
                }   
                then {
                    remote-gateway 172.16.1.2;
                    dynamic {
                        ike-policy IKE-POLICY;
                        ipsec-policy IPSEC-POLICY;
                    }
                }
            }
            match-direction output;
        }
        ipsec {
            proposal IPSEC-PROPOSAL {
                protocol esp;
                authentication-algorithm hmac-md5-96;
                encryption-algorithm 3des-cbc;
            }
            policy IPSEC-POLICY {
                proposals IPSEC-PROPOSAL;
            }
        }
        ike {
            proposal IKE-PROPOSAL {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm md5;
                encryption-algorithm aes-256-cbc;
            }
            policy IKE-POLICY {
                mode main;
                proposals IKE-PROPOSAL;
                pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
            }
        }
        establish-tunnels immediately;
    }
    service-set IPSEC-VPN {
        ipsec-vpn-options {
            local-gateway 192.168.1.1;
        }
        ipsec-vpn-rules IPSEC-VPN-RULE;
        interface-service {
            service-interface sp-1/2/0.0;
        }
    }
}                   
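The IKE and IPsec parameters must agree on both peers, but the two vendors spell them differently (Cisco `encr aes 256` / `hash md5` / `group 2` against Junos `aes-256-cbc` / `md5` / `group2`). The following Python script, added here as an example and not part of this article, parses the crypto lines of both configurations above and reports any proposal parameter that does not match. The vendor-to-neutral mapping table is an assumption that covers only the algorithms used on this page, and the Junos excerpt is the page's two proposals re-expressed in `set` form.

```python
import re
# Constructed excerpt of the Cisco running-config above (only the crypto lines).
CISCO_CFG = """crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set JUNIPER esp-3des esp-md5-hmac
"""
# The Junos proposals above in "set" form (constructed, as "show configuration | display set" prints them).
JUNOS_CFG = """set services ipsec-vpn ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-PROPOSAL dh-group group2
set services ipsec-vpn ike proposal IKE-PROPOSAL authentication-algorithm md5
set services ipsec-vpn ike proposal IKE-PROPOSAL encryption-algorithm aes-256-cbc
set services ipsec-vpn ipsec proposal IPSEC-PROPOSAL protocol esp
set services ipsec-vpn ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc
"""
# Vendor keyword -> vendor-neutral name (assumed mapping; covers only this page's algorithms).
NEUTRAL = {"aes 256": "aes256", "aes-256-cbc": "aes256", "esp-3des": "3des", "3des-cbc": "3des",
           "esp-md5-hmac": "md5", "hmac-md5-96": "md5", "2": "group2", "pre-share": "psk",
           "pre-shared-keys": "psk"}
CISCO_SLOT = {"encr": "ike_enc", "hash": "ike_hash", "group": "ike_dh", "authentication": "ike_auth"}
JUNOS_KNOB = {"encryption-algorithm": "enc", "authentication-algorithm": "hash",
              "dh-group": "dh", "authentication-method": "auth"}
def parse_cisco(cfg):
    """IKE policy and ESP transform-set parameters from IOS config text, as neutral names."""
    p = {}
    for line in cfg.splitlines():
        words = line.split()
        if words and words[0] in CISCO_SLOT:
            p[CISCO_SLOT[words[0]]] = NEUTRAL.get(" ".join(words[1:]), " ".join(words[1:]))
        elif line.startswith("crypto ipsec transform-set"):
            for tok in words[4:]:  # after the set name: esp-3des (cipher), esp-md5-hmac (integrity)
                p["ipsec_hash" if tok.endswith("-hmac") else "ipsec_enc"] = NEUTRAL.get(tok, tok)
    return p

def parse_junos(cfg):
    """ike/ipsec proposal parameters from Junos 'set' lines, as neutral names."""
    p = {}
    for line in cfg.splitlines():
        m = re.match(r"set services ipsec-vpn (ike|ipsec) proposal \S+ (\S+) (\S+)$", line)
        if m and m[2] in JUNOS_KNOB:
            p[f"{m[1]}_{JUNOS_KNOB[m[2]]}"] = NEUTRAL.get(m[3], m[3])
    return p

def mismatches(cisco, junos):
    """Parameters that differ or are missing on one side; an empty dict means the peers agree."""
    return {k: (cisco.get(k), junos.get(k)) for k in sorted(set(cisco) | set(junos))
            if cisco.get(k) != junos.get(k)}
```

For the two configurations on this page, `mismatches(parse_cisco(CISCO_CFG), parse_junos(JUNOS_CFG))` returns an empty dict; a changed cipher on either side shows up as a keyed pair such as `{"ike_enc": ("aes256", "3des")}`.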


Logs to Check:

Juniper Side:

lab@Juniper-M10i-R3# run show services ipsec-vpn ike security-associations
Remote Address State Initiator cookie Responder cookie Exchange type
172.16.1.2 Matured b6f38a760742b360 3d6015d906d15e23 Main


lab@Juniper-M10i-R3# run show services ipsec-vpn ipsec security-associations
Service set: IPSEC-VPN, IKE Routing-instance: default

Rule: IPSEC-VPN-RULE, Term: 2, Tunnel index: 1
Local gateway: 192.168.1.1, Remote gateway: 172.16.1.2
Tunnel MTU: 1500
Direction SPI AUX-SPI Mode Type Protocol
inbound 846861092 0 tunnel dynamic ESP
outbound 3511528138 0 tunnel dynamic ESP

[edit]
lab@Juniper-M10i-R3# run show services ipsec-vpn ipsec statistics

PIC: sp-1/2/0, Service set: IPSEC-VPN

ESP Statistics:
Encrypted bytes: 1224
Decrypted bytes: 1192
Encrypted packets: 12
Decrypted packets: 10
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0

lab@Juniper-M10i-R3# run show ospf neighbor -------------> GRE Neighbor
Address         Interface          State          ID        Pri        Dead
122.30.1.2      gr-1/2/0.0          Full       3.3.3.3       1          32
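A health check over the Junos output above, added here as an example and not part of the article: it parses the SA table and the ESP statistics into a verdict on the three things worth confirming after commit (an SA in each direction, packets both encrypted and decrypted, and zero error counters). The sample text is constructed from the two command outputs shown above.

```python
import re

# Constructed sample: the SA table and ESP statistics from the Junos output above, joined.
SAMPLE = """Service set: IPSEC-VPN, IKE Routing-instance: default

Rule: IPSEC-VPN-RULE, Term: 2, Tunnel index: 1
Local gateway: 192.168.1.1, Remote gateway: 172.16.1.2
Tunnel MTU: 1500
Direction SPI AUX-SPI Mode Type Protocol
inbound 846861092 0 tunnel dynamic ESP
outbound 3511528138 0 tunnel dynamic ESP

ESP Statistics:
Encrypted bytes: 1224
Decrypted bytes: 1192
Encrypted packets: 12
Decrypted packets: 10
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
"""

def parse_sas(text):
    """{direction: spi} for each ESP row of 'show services ipsec-vpn ipsec security-associations'."""
    rows = re.finditer(r"^(inbound|outbound)\s+(\d+)\s+\d+\s+tunnel\s+\S+\s+ESP", text, re.M)
    return {m[1]: int(m[2]) for m in rows}

def parse_counters(text):
    """Every 'Name: N' counter in the statistics output as {name: int}."""
    return {m[1].strip(): int(m[2]) for m in re.finditer(r"([A-Za-z ]+?): (\d+)", text)}

def tunnel_health(text):
    """Verdict: both SA directions present, traffic flowing both ways, and no non-zero error counter."""
    sas, c = parse_sas(text), parse_counters(text)
    is_error = lambda k: "failures" in k or "errors" in k or k.startswith("Bad")
    return {
        "both_sas": {"inbound", "outbound"} <= set(sas),
        "traffic_both_ways": c.get("Encrypted packets", 0) > 0 and c.get("Decrypted packets", 0) > 0,
        "errors": {k: v for k, v in c.items() if is_error(k) and v},
    }
```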

Cisco Side:
IKE Security Association:
CISCO-3845#sh crypto isakmp sa
dst           src        state      conn-id       slot       status
172.16.1.2 192.168.1.1   QM_IDLE      5            0        ACTIVE


IPSEC Security Association:
CISCO-3845#sh crypto ipsec sa

interface: GigabitEthernet0/1
Crypto map tag: gre, local addr 172.16.1.2

protected vrf: (none)
local ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
current_peer 192.168.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4683, #pkts encrypt: 4683, #pkts digest: 4683
#pkts decaps: 5909, #pkts decrypt: 5909, #pkts verify: 5909
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4361, #recv errors 80

local crypto endpt.: 172.16.1.2, remote crypto endpt.: 192.168.1.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x3A4EC4F4(978240756)

inbound esp sas:
spi: 0x6E51CA(7229898)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3002, flow_id: Onboard VPN:2, crypto map: gre
sa timing: remaining key lifetime (k/sec): (4450185/112)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0xE463C1A2(3831742882)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: Onboard VPN:4, crypto map: gre
sa timing: remaining key lifetime (k/sec): (4514229/165)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x63C5CAF3(1673906931)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3001, flow_id: Onboard VPN:1, crypto map: gre
sa timing: remaining key lifetime (k/sec): (4450185/110)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x3A4EC4F4(978240756)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: Onboard VPN:3, crypto map: gre
sa timing: remaining key lifetime (k/sec): (4514229/161)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (10.40.3.20/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.66.1.21/255.255.255.255/0/0)
current_peer 192.168.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.16.1.2, remote crypto endpt.: 192.168.1.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:


CISCO-3845#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4           0   FULL/  -        00:00:36    122.30.1.1      Tunnel0 -------> GRE neighbor
2.2.2.2         128   FULL/BDR        00:00:39    172.16.1.1      GigabitEthernet0/1