
How to setup a VPN between a Juniper Firewall and a Cisco PIX


Article ID: KB4147 | KB Last Updated: 09 Jan 2013 | Version: 15.0
Summary:
  • Step-by-step instructions to set up a policy-based VPN between a Juniper firewall and a Cisco PIX.
  • Step-by-step instructions to set up a route-based VPN between a Juniper firewall and a Cisco PIX.
Symptoms:
  • How to set up a VPN between a PIX and a Juniper NetScreen firewall with a single access list.
  • A policy-based VPN is the better fit when the PIX has multiple access lists.
  • How to verify the VPN connection.

Topology:

Juniper firewall/NetScreen configuration:
  Untrust zone: eth1, IP 1.1.1.1/24
  Trust zone: eth2, IP 10.1.1.1/24
  Phase 1 proposal: pre-g2-des-sha
  Phase 2 proposal: nopfs-esp-des-sha

Cisco PIX configuration:
  Outside: eth1, IP 2.2.2.1/24
  Inside: eth2, IP 172.16.10.1/24
  Phase 1 proposal: pre-g2-des-sha
  Phase 2 proposal: nopfs-esp-des-sha

Cause:
 
Solution:
Scenario 1 -- Juniper Netscreen Firewall using Policy-based VPN to Cisco PIX:

In this scenario, the Juniper firewall is set up with a policy-based VPN, and the policy's source and destination addresses mirror the access list configured on the PIX.


Juniper Firewall Configuration:
  1. VPN Phase 1 Configuration:
    set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
  2. VPN Phase 2 Configuration:
    set vpn "To-Cisco-VPN" gateway "To-Cisco" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
  3. Policy setup:
    set policy id 2 from "Trust" to "Untrust"  "10.1.1.0/24" "172.16.10.0/24" "ANY" tunnel vpn "To-Cisco-VPN" id 2 pair-policy 3
    set policy id 3 from "Untrust" to "Trust"  "172.16.10.0/24" "10.1.1.0/24" "ANY" tunnel vpn "To-Cisco-VPN" id 2 pair-policy 2

PIX Firewall Configuration:
  1. VPN Phase 1 Configuration:
    isakmp enable outside
    isakmp key netscreen address 1.1.1.1 netmask 255.255.255.255 no-xauth
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
  2. VPN Phase 2 Configuration:
    access-list 101 permit ip 172.16.10.0 0.0.0.255 10.1.1.0 0.0.0.255
    crypto ipsec transform-set nsset esp-des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto map nsmap 10 ipsec-isakmp
    crypto map nsmap 10 match address 101
    crypto map nsmap 10 set peer 1.1.1.1
    crypto map nsmap 10 set transform-set nsset
    crypto map nsmap interface outside


Scenario 2 -- Juniper NetScreen Firewall using Route-based VPN to Cisco PIX:

In this scenario, the PIX configuration is identical to the policy-based scenario; only the Juniper firewall side changes. These steps document a route-based VPN on the Juniper firewall.

Juniper Firewall Configuration:

  1. VPN Phase 1:
    set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
  2. VPN Phase 2:
    set vpn "To-Cisco-VPN" gateway "To-Cisco" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
  3. Create a tunnel interface and bind it to the VPN "To-Cisco-VPN":
    set interface "tunnel.1" zone "Trust"
    set interface tunnel.1 ip unnumbered interface ethernet1
    set vpn "To-Cisco-VPN" bind interface tunnel.1
  4. Proxy ID setup. The proxy ID must match the access list on the PIX. This is a limitation of a route-based VPN on the Juniper firewall when multiple access lists are configured on the PIX; in that case, a policy-based VPN should be considered.
    set vpn "To-Cisco-VPN" proxy-id local-ip 10.1.1.0/24 remote-ip 172.16.10.0/24 "ANY"
  5. Set up a static route so that traffic destined for the remote inside network goes via the tunnel interface created in step 3.
    set route 172.16.10.0/24 interface tunnel.1

PIX Firewall Configuration:
  1. VPN Phase 1 Configuration:
    isakmp enable outside
    isakmp key netscreen address 1.1.1.1 netmask 255.255.255.255 no-xauth
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
  2. VPN Phase 2 Configuration:

    access-list 101 permit ip 172.16.10.0 0.0.0.255 10.1.1.0 0.0.0.255
    crypto ipsec transform-set nsset esp-des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto map nsmap 10 ipsec-isakmp
    crypto map nsmap 10 match address 101
    crypto map nsmap 10 set peer 1.1.1.1
    crypto map nsmap 10 set transform-set nsset
    crypto map nsmap interface outside
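Both scenarios hinge on the same two agreements: the ScreenOS proposal names must describe the same parameters as the PIX isakmp policy and transform set, and the PIX access list must be the mirror image of the NetScreen proxy ID (from the policy addresses in Scenario 1, or from the explicit proxy-id in Scenario 2). The script below, an added example and not Juniper or Cisco tooling, parses both sides and reports every disagreement before anyone starts staring at IKE debugs. It understands only the command forms used in this article, the sample input is constructed from the article's own commands, and it assumes that "Untrust" is the zone holding the IKE outgoing interface (so policies into that zone are outbound). It also flags DES and DH group 2 as advisories, since both are below current NIST minimums even though they are what this article configures.

```python
"""Cross-check the NetScreen and PIX sides of a policy-based or route-based VPN
for the mismatches that most often stop Phase 1 or Phase 2 from completing:
proposal parameters and the proxy ID versus the PIX access list.
Added example, not Juniper or Cisco tooling. It understands only the command
forms used in this article; the sample input below is constructed from them."""
import ipaddress
import re

# Constructed sample input, copied from the article's Scenario 1 commands.
NETSCREEN_CFG = """
set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
set vpn "To-Cisco-VPN" gateway "To-Cisco" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
set policy id 2 from "Trust" to "Untrust"  "10.1.1.0/24" "172.16.10.0/24" "ANY" tunnel vpn "To-Cisco-VPN" id 2 pair-policy 3
set policy id 3 from "Untrust" to "Trust"  "172.16.10.0/24" "10.1.1.0/24" "ANY" tunnel vpn "To-Cisco-VPN" id 2 pair-policy 2
"""
PIX_CFG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
access-list 101 permit ip 172.16.10.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto ipsec transform-set nsset esp-des esp-sha-hmac
crypto map nsmap 10 match address 101
crypto map nsmap 10 set peer 1.1.1.1
crypto map nsmap 10 set transform-set nsset
"""

VPN_ZONE = "Untrust"  # assumption: the zone that holds the IKE outgoing interface
# Parameters below current NIST minimums (SP 800-131A); reported as advisories.
LEGACY = {"des": "56-bit DES", "group2": "1024-bit MODP Diffie-Hellman group"}

def wildcard_to_prefix(net, wildcard):
    """PIX ACLs use wildcard (host) masks; ipaddress accepts them after '/'."""
    return str(ipaddress.ip_network(f"{net}/{wildcard}", strict=False))

POLICY = re.compile(r'set policy id \d+ from "([^"]+)" to "([^"]+)"\s+"([^"]+)"\s+"([^"]+)"\s+"[^"]+"\s+tunnel vpn')

def parse_netscreen(cfg):
    ns = {"phase1": None, "phase2": None, "proxy_ids": set()}
    for line in cfg.splitlines():
        if m := re.search(r'set ike gateway .* proposal "(\S+)"', line):
            ns["phase1"] = m.group(1)
        elif m := re.search(r'set vpn .* proposal "(\S+)"', line):
            ns["phase2"] = m.group(1)
        elif m := re.search(r'proxy-id local-ip (\S+) remote-ip (\S+)', line):
            ns["proxy_ids"].add((m.group(1), m.group(2)))        # route-based VPN
        elif m := POLICY.search(line):                             # policy-based VPN
            src, dst = m.group(3), m.group(4)
            # A policy towards the VPN zone is outbound: local = src, remote = dst.
            ns["proxy_ids"].add((src, dst) if m.group(2) == VPN_ZONE else (dst, src))
    return ns

def parse_pix(cfg):
    pix = {"phase1": {}, "phase2": {}, "pfs": False, "acl": {}, "map_acl": None}
    for line in cfg.splitlines():
        if m := re.match(r'isakmp policy \d+ (authentication|encryption|hash|group) (\S+)', line):
            pix["phase1"][m.group(1)] = m.group(2)
        elif m := re.match(r'access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)', line):
            pix["acl"].setdefault(m.group(1), set()).add(
                (wildcard_to_prefix(m.group(2), m.group(3)),
                 wildcard_to_prefix(m.group(4), m.group(5))))
        elif m := re.match(r'crypto ipsec transform-set \S+ esp-(\S+) esp-(\S+)-hmac', line):
            pix["phase2"] = {"encryption": m.group(1), "hash": m.group(2)}
        elif m := re.match(r'crypto map \S+ \d+ match address (\d+)', line):
            pix["map_acl"] = m.group(1)
        elif re.match(r'crypto map \S+ \d+ set pfs', line):
            pix["pfs"] = True
    return pix

def compare(ns, pix):
    """Return findings: mismatches first, then 'advisory:' lines. Empty list = consistent."""
    findings = []
    auth, grp, enc, hsh = ns["phase1"].split("-")        # ScreenOS name, e.g. pre-g2-des-sha
    want = {"authentication": "pre-share" if auth == "pre" else auth,
            "group": grp.lstrip("g"), "encryption": enc, "hash": hsh}
    for k, v in want.items():
        if pix["phase1"].get(k) != v:
            findings.append(f"phase1 {k}: NetScreen {v} vs PIX {pix['phase1'].get(k)}")
    pfs, _, enc2, hsh2 = ns["phase2"].split("-")         # e.g. nopfs-esp-des-sha
    if (pfs != "nopfs") != pix["pfs"]:
        findings.append(f"phase2 pfs: NetScreen {pfs} vs PIX pfs {'set' if pix['pfs'] else 'not set'}")
    for k, v in (("encryption", enc2), ("hash", hsh2)):
        if pix["phase2"].get(k) != v:
            findings.append(f"phase2 {k}: NetScreen {v} vs PIX {pix['phase2'].get(k)}")
    # The PIX writes its ACL from its own side, so it must be the mirror image of the proxy ID.
    mirrored = {(remote, local) for local, remote in pix["acl"].get(pix["map_acl"], set())}
    if mirrored != ns["proxy_ids"]:
        findings.append(f"proxy-id: NetScreen {sorted(ns['proxy_ids'])} vs mirrored PIX ACL {sorted(mirrored)}")
    for name in sorted({enc, enc2, "group" + grp.lstrip("g")} & set(LEGACY)):
        findings.append(f"advisory: {name} ({LEGACY[name]}) is below current NIST minimums")
    return findings

def check_configs(ns_cfg, pix_cfg):
    return compare(parse_netscreen(ns_cfg), parse_pix(pix_cfg))

if __name__ == "__main__":
    for f in check_configs(NETSCREEN_CFG, PIX_CFG) or ["configurations are consistent"]:
        print(f)
```

For the article's configuration the only output is the two advisories; swap the PIX access list's second network or its transform set and the corresponding mismatch line appears. Feeding the Scenario 2 proxy-id line instead of the two policy lines yields the same proxy ID, which is why the PIX side needs no change between the scenarios.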


 
Useful commands to verify the VPN connection on the Juniper firewall:

ns-> ping 172.16.10.2 from eth2
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 1 seconds from ethernet2
.!!!!
Success Rate is 80 percent (4/5), round-trip time min/avg/max=3/7/20 ms


ns-> get ike cookie          

Active: 1, Dead: 0, Total 1

80182f/0003, 1.1.1.1:500->2.2.2.1:500, PRESHR/grp2/DES/SHA, xchg(5) (To-Cisco/grp-1/usr-1)
resent-tmr 14306744 lifetime 28800 lt-recv 28800 nxt_rekey 19542 cert-expire 0
initiator, err cnt 0, send dir 0, cond 0x10
nat-traversal map not available
ike heartbeat              : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0

ns-> get sa                  
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000002<         2.2.2.1  500 esp: des/sha1 fdc08459  3589  403M A/-     3 0
00000002>         2.2.2.1  500 esp: des/sha1 82752ea1  3589  403M A/-     2 0


 

Useful commands to verify the VPN connection on the PIX firewall:

pixfirewall# show crypto ipsec sa


interface: outside
    Crypto map tag: nsmap, local addr. 2.2.2.1

   local  ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 37, #pkts encrypt: 37, #pkts digest 37
    #pkts decaps: 37, #pkts decrypt: 37, #pkts verify 37
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0

     local crypto endpt.: 2.2.2.1, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 0
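The two outputs above answer different questions: the NetScreen `get sa` table shows whether an inbound (`<`) and an outbound (`>`) SA exist for the peer, and the PIX counters show whether packets are actually being encapsulated and decapsulated, plus an error count that is easy to overlook (12 send errors in the sample). The script below, an added example rather than vendor tooling, parses both and turns them into a pass/fail plus warnings. The sample output is constructed from the article's own verification output, the parsers know only those line shapes, and the interpretation that a `Sta` column beginning with `A` means the SA is active is an assumption made here.

```python
"""Summarise tunnel health from the verification output shown above:
the NetScreen 'get sa' table and the PIX 'show crypto ipsec sa' counters.
Added example, not vendor tooling; the sample output is constructed from the
article's own verification output and the parsers only know those line shapes."""
import re

GET_SA_OUTPUT = """\
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000002<         2.2.2.1  500 esp: des/sha1 fdc08459  3589  403M A/-     3 0
00000002>         2.2.2.1  500 esp: des/sha1 82752ea1  3589  403M A/-     2 0
"""
PIX_SA_OUTPUT = """\
   local  ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:500
    #pkts encaps: 37, #pkts encrypt: 37, #pkts digest 37
    #pkts decaps: 37, #pkts decrypt: 37, #pkts verify 37
    #send errors 12, #recv errors 0
"""

# One 'get sa' row: HEX ID, direction (< inbound, > outbound), gateway, port,
# algorithm, SPI, lifetime in seconds, kb, state.
SA_ROW = re.compile(r'^(?P<id>[0-9a-f]{8})(?P<dir>[<>])\s+(?P<gw>\S+)\s+\d+\s+esp:\s*(?P<alg>\S+)'
                    r'\s+(?P<spi>[0-9a-f]+)\s+(?P<life>\d+)\s+\S+\s+(?P<sta>\S+)')

def parse_get_sa(text):
    """Return SAs keyed by direction; 'active' assumes a Sta column starting with A."""
    sas = {}
    for line in text.splitlines():
        if m := SA_ROW.match(line):
            sas[m["dir"]] = {"gateway": m["gw"], "algorithm": m["alg"], "spi": m["spi"],
                             "lifetime_sec": int(m["life"]), "active": m["sta"].startswith("A")}
    return sas

def parse_pix_sa(text):
    """Pull the peer and the packet/error counters out of 'show crypto ipsec sa'."""
    c = {}
    for key in ("encaps", "decaps"):
        if m := re.search(rf"#pkts {key}: (\d+)", text):
            c[key] = int(m.group(1))
    for key in ("send", "recv"):
        if m := re.search(rf"#{key} errors (\d+)", text):
            c[f"{key}_errors"] = int(m.group(1))
    m = re.search(r"current_peer: (\S+):\d+", text)
    c["peer"] = m.group(1) if m else None
    return c

def assess(sas, pix, expected_peer):
    """Return (problems, warnings); any problem means the tunnel is not usable end to end."""
    problems, warnings = [], []
    for d, label in (("<", "inbound"), (">", "outbound")):
        if not sas.get(d, {}).get("active"):
            problems.append(f"NetScreen {label} SA missing or not active")
    if pix.get("peer") != expected_peer:
        problems.append(f"PIX peer is {pix.get('peer')}, expected {expected_peer}")
    if not pix.get("encaps") or not pix.get("decaps"):
        problems.append("PIX shows no traffic in at least one direction; check routing and the access list")
    if pix.get("send_errors"):
        warnings.append(f"PIX reports {pix['send_errors']} send errors; watch whether the count keeps rising")
    if pix.get("recv_errors"):
        warnings.append(f"PIX reports {pix['recv_errors']} receive errors")
    return problems, warnings

if __name__ == "__main__":
    problems, warnings = assess(parse_get_sa(GET_SA_OUTPUT), parse_pix_sa(PIX_SA_OUTPUT), "1.1.1.1")
    print("tunnel up" if not problems else "tunnel NOT healthy")
    for line in problems + warnings:
        print(" -", line)
```

Run against the article's output it reports the tunnel as up with a single warning about the send errors; a snapshot taken a minute later with a higher send-error count and unchanged encaps count is the signal worth chasing, whereas a stable count after the initial negotiation is usually just the packets dropped while Phase 2 was still being set up.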

