
Example – Configuring site-to-site VPNs between SRX and Cisco ASA, with multiple networks behind the SRX and ASA (Route-based VPNs)


Article ID: KB28199 KB Last Updated: 21 Feb 2020Version: 3.0
Summary:

This article contains a configuration example of site-to-site, route-based VPNs between SRX and Cisco ASA, with multiple networks behind the SRX and ASA.

For additional configuration examples, see KB28861 - Examples – Configuring site-to-site VPNs between SRX and Cisco ASA.

For related technical documentation, see IPsec VPN Feature Guide for Security Devices.


 
Goal:

Configure a site-to-site, route-based VPN between SRX and Cisco ASA, with multiple networks behind the SRX and ASA.
 

Network Topology:

[Topology diagram not reproduced. From the configurations below: SRX ge-0/0/0 (100.1.1.2/24) and ASA outside (100.1.1.1/24) share the 100.1.1.0/24 link; behind the SRX are 192.168.2.0/24 (ge-0/0/1) and 192.168.3.0/24 (ge-0/0/2); behind the ASA are 192.168.1.0/24 (inside) and 192.168.4.0/24 (inside-2).]

Traffic patterns for the above topology:

  Bidirectional VPN traffic between 192.168.4.0/24 and 192.168.3.0/24 (SRX st0.1, ASA crypto map entry 20)
  Bidirectional VPN traffic between 192.168.1.0/24 and 192.168.2.0/24 (SRX st0.0, ASA crypto map entry 10)

Solution:

Both peers must agree on the IKE and IPsec proposals and on the proxy IDs (traffic selectors). On the SRX, each pair of networks gets its own route-based VPN (its own st0 unit, static route and proxy-identity) behind a single IKE gateway; on the ASA, the same pairs appear as two crypto map entries, each matching a crypto ACL that is the mirror image of the SRX proxy-identity (ASA source = SRX remote, ASA destination = SRX local). The algorithms in this example (3DES/SHA-1/DH group 2 for IKE, DES/MD5 for IPsec) are the ones the captures below were taken with; they are legacy algorithms and should be replaced on both peers with AES, SHA-2 and a DH group of at least 14 before the tunnel is used in production. The telnet and xnm-clear-text services and "system-services all" on the trust zone are lab conveniences and should not be carried into production either.

Configuration for SRX

root# show | no-more
system {
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 100.1.1.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.3.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 100.1.1.1;
        route 192.168.1.0/24 next-hop st0.0;
        route 192.168.4.0/24 next-hop st0.1;
    }
}

security {
    ike {
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy ike-phase1-policy {
            mode main;
            proposals ike-phase1-proposal;
            pre-shared-key ascii-text "$9$6qsMAtOrlMXNbp0MX"; ## SECRET-DATA
        }
        gateway gw-chicago {
            ike-policy ike-phase1-policy;
            address 100.1.1.1;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 28800;
        }
        policy ipsec-phase2-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-phase2-proposal;
        }
        vpn ike-vpn-chicago_1 {
            bind-interface st0.0;
            proxy-identity {
                local 192.168.2.0/24;
                remote 192.168.1.0/24;
                service any;
            }
            ike {
                gateway gw-chicago;
                ipsec-policy ipsec-phase2-policy;
            }
            establish-tunnels immediately;
        }
        vpn ike-vpn-chicago_2 {
            bind-interface st0.1;
            proxy-identity {
                local 192.168.3.0/24;
                remote 192.168.4.0/24;
                service any;
            }
            ike {
                gateway gw-chicago;
                ipsec-policy ipsec-phase2-policy;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy vpn-tr-untr {
                match {
                    source-address sunnyvale;
                    destination-address chicago;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy vpn-tr-untr_2 {
                match {
                    source-address sunnyvale_2;
                    destination-address chicago_2;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy vpn-untr-tr {
                match {
                    source-address chicago;
                    destination-address sunnyvale;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy vpn-untr_2-tr {
                match {
                    source-address chicago_2;
                    destination-address sunnyvale_2;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address sunnyvale 192.168.2.0/24;
                address sunnyvale_2 192.168.3.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
            }
        }
        security-zone untrust {
            address-book {
                address chicago 192.168.1.0/24;
                address chicago_2 192.168.4.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
                st0.0;
                st0.1;
            }
        }
    }
}



Configuration for Cisco ASA

(Only VPN-related configuration is shown. If NAT is configured on the ASA, the VPN subnet pairs also need a NAT exemption (identity NAT) so that traffic between 192.168.1.0/24 and 192.168.2.0/24, and between 192.168.4.0/24 and 192.168.3.0/24, reaches the crypto map untranslated.)
Interface Configuration:
--------------------------------------------------------
!
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside-2
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!

Policy Configuration :  
---------------------------------------------------------------------------------------------
access-list 1to2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 4to3 extended permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0

IPSEC/IKE Configuration :
----------------------------------------------------------------------------------------------
crypto ipsec transform-set CISCO esp-des esp-md5-hmac
crypto ipsec transform-set NEWCISCO esp-des esp-md5-hmac
crypto map mymap 10 match address 1to2
crypto map mymap 10 set pfs
crypto map mymap 10 set peer 100.1.1.2
crypto map mymap 10 set transform-set CISCO
crypto map mymap 10 set security-association lifetime seconds 28800
crypto map mymap 20 match address 4to3
crypto map mymap 20 set pfs
crypto map mymap 20 set peer 100.1.1.2
crypto map mymap 20 set transform-set NEWCISCO
crypto map mymap 20 set security-association lifetime seconds 28800
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 15
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


tunnel-group 100.1.1.2 type ipsec-l2l
tunnel-group 100.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****
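
The one thing that most often goes wrong when a route-based SRX VPN is paired with a policy-based ASA is the proxy-ID match: each SRX proxy-identity must be mirrored by the ASA crypto ACL that the corresponding crypto map entry references. The following script is an added example, not code from the KB article or from either vendor. It pulls the proxy-identities out of an SRX configuration fragment and the crypto ACLs out of an ASA fragment (both copied from this page and embedded as constructed input), converts the ASA subnet masks to prefixes, and reports every tunnel that has no exact mirror on the other side. The regular expressions only cover the syntax shown on this page (an `extended permit ip net mask net mask` ACL and a `proxy-identity` with a single local/remote pair), which is an assumption of the example.

```python
"""Check that SRX proxy-identities mirror the ASA crypto-map ACLs.

Added example (not from the KB article). For each SRX
`proxy-identity { local; remote }` there must be an ASA crypto ACL whose
source is the SRX *remote* subnet and whose destination is the SRX *local*
subnet, and that ACL must be referenced by a crypto map entry. Anything
else fails phase 2 with a proxy-ID mismatch.
"""
import ipaddress
import re

# Constructed inputs: trimmed copies of the two configuration blocks on this page.
SRX_CONFIG = """
vpn ike-vpn-chicago_1 {
    bind-interface st0.0;
    proxy-identity {
       local 192.168.2.0/24;
       remote 192.168.1.0/24;
       service any;
    }
}
vpn ike-vpn-chicago_2 {
    bind-interface st0.1;
    proxy-identity {
       local 192.168.3.0/24;
       remote 192.168.4.0/24;
       service any;
    }
}
"""

ASA_CONFIG = """
access-list 1to2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 4to3 extended permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map mymap 10 match address 1to2
crypto map mymap 20 match address 4to3
"""

# Assumption: one local/remote pair per proxy-identity, as on this page.
VPN_RE = re.compile(
    r"vpn\s+(\S+)\s*\{.*?proxy-identity\s*\{\s*local\s+(\S+);\s*remote\s+(\S+);",
    re.S,
)
ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
)
MAP_RE = re.compile(r"crypto map\s+\S+\s+(\d+)\s+match address\s+(\S+)")


def srx_proxy_ids(cfg):
    """Return {vpn_name: (local_net, remote_net)} from SRX config text."""
    return {name: (ipaddress.ip_network(local), ipaddress.ip_network(remote))
            for name, local, remote in VPN_RE.findall(cfg)}


def asa_crypto_acls(cfg):
    """Return {acl_name: (src_net, dst_net)} for ACLs used by a crypto map.

    ASA ACLs carry dotted subnet masks; ip_network() accepts 'addr/mask',
    so the stdlib does the mask-to-prefix conversion.
    """
    acls = {name: (ipaddress.ip_network(f"{src}/{smask}"),
                   ipaddress.ip_network(f"{dst}/{dmask}"))
            for name, src, smask, dst, dmask in ACL_RE.findall(cfg)}
    used = {acl for _seq, acl in MAP_RE.findall(cfg)}
    return {n: v for n, v in acls.items() if n in used}


def check_mirror(srx, asa):
    """Pair each SRX tunnel with the ASA ACL that mirrors it exactly.

    Returns (matched, unmatched_srx, unmatched_asa). A match needs
    ASA source == SRX remote and ASA destination == SRX local; a wider
    ACL on the ASA is not a match, because the SRX will reject it too.
    """
    matched, remaining = {}, dict(asa)
    for vpn, (local, remote) in srx.items():
        for acl, (src, dst) in list(remaining.items()):
            if src == remote and dst == local:
                matched[vpn] = acl
                del remaining[acl]
                break
    return matched, sorted(set(srx) - set(matched)), sorted(remaining)


if __name__ == "__main__":
    ok, bad_srx, bad_asa = check_mirror(srx_proxy_ids(SRX_CONFIG),
                                        asa_crypto_acls(ASA_CONFIG))
    for vpn, acl in ok.items():
        print(f"OK   {vpn} <-> ASA acl {acl}")
    for vpn in bad_srx:
        print(f"FAIL SRX {vpn}: no ASA crypto ACL mirrors its proxy-identity")
    for acl in bad_asa:
        print(f"FAIL ASA acl {acl}: no SRX proxy-identity mirrors it")
```

Run it against the two fragments as copied from the page and both tunnels report OK; widen one ASA ACL (for example to 192.168.0.0/16) and the script reports the SRX VPN and the ASA ACL that no longer line up, which is exactly the pair the phase 2 logs will complain about.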

Verification on the SRX:

One IKE SA is expected, because both VPNs use the same gateway (gw-chicago, peer 100.1.1.1). Two IPsec tunnels are expected, one per proxy-identity pair, each with an inbound (<) and an outbound (>) SA.

root> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
1800391  UP     cc5a3fb9efaf4c72  23ef4f2760d7654e  Main  100.1.1.1

root> show security ipsec security-associations
Total active tunnels: 2
  ID       Algorithm    SPI       Life:sec/kb    Mon  vsys  Port  Gateway
  <131073  ESP:des/md5  5745f7ff  27100/4608000  -    root  500   100.1.1.1
  >131073  ESP:des/md5  7fb20e04  27100/4608000  -    root  500   100.1.1.1
  <131074  ESP:des/md5  c03b1274  26959/4608000  -    root  500   100.1.1.1
  >131074  ESP:des/md5  62d1a204  26959/4608000  -    root  500   100.1.1.1

root> show security ipsec security-associations detail | no-more
Virtual-system: root
Local Gateway: 100.1.1.2, Remote Gateway: 100.1.1.1
Local Identity: ipv4_subnet(any:0,[0..7]=192.168.2.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
DF-bit: clear
Direction: inbound, SPI: 5745f7ff, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 27097 seconds
Lifesize Remaining: 4608000 kilobytes
Soft lifetime: Expires in 26516 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: 7fb20e04, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 27097 seconds
Lifesize Remaining: 4608000 kilobytes
Soft lifetime: Expires in 26516 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Virtual-system: root
Local Gateway: 100.1.1.2, Remote Gateway: 100.1.1.1
Local Identity: ipv4_subnet(any:0,[0..7]=192.168.3.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.4.0/24)
DF-bit: clear
Direction: inbound, SPI: c03b1274, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 26956 seconds
Lifesize Remaining: 4608000 kilobytes
Soft lifetime: Expires in 26383 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: 62d1a204, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 26956 seconds
Lifesize Remaining: 4608000 kilobytes
Soft lifetime: Expires in 26383 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64

root> show security ipsec statistics
ESP Statistics:
Encrypted bytes: 100384
Decrypted bytes: 43240
Encrypted packets: 677
Decrypted packets: 507
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
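
The detail output above is what an operator reads by eye to confirm that each proxy-ID pair has an installed SA in both directions and to see which algorithms were negotiated. The script below is an added example, not part of the KB article, that performs that check on the text of `show security ipsec security-associations detail`. The embedded sample is constructed from the first tunnel's block on this page plus a second block for 192.168.3.0/24 to 192.168.4.0/24 with its outbound SA deliberately left out, so that the check has a failure to report. It also flags the negotiated algorithms that are legacy today (DES, 3DES, MD5), which is what this example's proposals produce; the set of algorithms treated as legacy is the example's own choice.

```python
"""Check `show security ipsec security-associations detail` output.

Added example; not part of the KB article. It parses the SA detail text,
groups SAs by proxy-ID pair (Local/Remote Identity) and checks that every
tunnel the SRX config defines has an installed inbound and outbound SA.
It also reports negotiated algorithms that are legacy today.
"""
import re

# Constructed input: the first SA block from the page, plus the second tunnel
# with its outbound SA deliberately missing so the check has something to flag.
SA_DETAIL = """\
Virtual-system: root
Local Gateway: 100.1.1.2, Remote Gateway: 100.1.1.1
Local Identity: ipv4_subnet(any:0,[0..7]=192.168.2.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
Direction: inbound, SPI: 5745f7ff, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 27097 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
Direction: outbound, SPI: 7fb20e04, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 27097 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
Virtual-system: root
Local Gateway: 100.1.1.2, Remote Gateway: 100.1.1.1
Local Identity: ipv4_subnet(any:0,[0..7]=192.168.3.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.4.0/24)
Direction: inbound, SPI: c03b1274, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 26956 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
"""

# The (local, remote) proxy-identity pairs from the SRX config on this page.
EXPECTED_TUNNELS = {
    ("192.168.2.0/24", "192.168.1.0/24"),
    ("192.168.3.0/24", "192.168.4.0/24"),
}
# Example's own list of algorithms to flag; extend to taste.
LEGACY_ALGS = {"des-cbc", "3des-cbc", "hmac-md5-96"}

ID_RE = re.compile(r"^(Local|Remote) Identity: ipv4_subnet\(.*=(\S+)\)$")
DIR_RE = re.compile(r"^Direction: (inbound|outbound), SPI: ([0-9a-f]+)")
STATE_RE = re.compile(r"^Mode: \S+, Type: \S+, State: (\S+)")
PROTO_RE = re.compile(r"^Protocol: \S+, Authentication: (\S+), Encryption: (\S+)")


def parse_sa_detail(text):
    """Return {(local, remote): {direction: {spi, state, auth, enc}}}."""
    tunnels, local, remote, cur = {}, None, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := ID_RE.match(line):
            if m.group(1) == "Local":
                local = m.group(2)
            else:
                remote = m.group(2)
        elif m := DIR_RE.match(line):
            # Each Direction line starts a new SA under the current identity pair.
            cur = {"spi": m.group(2)}
            tunnels.setdefault((local, remote), {})[m.group(1)] = cur
        elif (m := STATE_RE.match(line)) and cur is not None:
            cur["state"] = m.group(1)
        elif (m := PROTO_RE.match(line)) and cur is not None:
            cur["auth"], cur["enc"] = m.group(1), m.group(2)
    return tunnels


def check_tunnels(tunnels, expected):
    """Return a list of findings; an empty list means every tunnel is up."""
    findings = []
    for local, remote in sorted(expected):
        sas = tunnels.get((local, remote), {})
        for d in ("inbound", "outbound"):
            sa = sas.get(d)
            if sa is None or sa.get("state") != "installed":
                findings.append(f"{local}<->{remote}: {d} SA not installed")
                continue
            for alg in (sa.get("auth"), sa.get("enc")):
                if alg in LEGACY_ALGS:
                    findings.append(f"{local}<->{remote}: {d} SA uses legacy {alg}")
    for local, remote in sorted(set(tunnels) - set(expected)):
        findings.append(f"{local}<->{remote}: SA pair not in the SRX config")
    return findings


if __name__ == "__main__":
    for finding in check_tunnels(parse_sa_detail(SA_DETAIL), EXPECTED_TUNNELS):
        print(finding)
```

Against the constructed sample the check reports the legacy des-cbc/hmac-md5-96 on every installed SA and the missing outbound SA on the second tunnel; on a healthy pair of AES/SHA-2 tunnels it returns an empty list, which makes it easy to wire into a monitoring job that runs the command over SSH.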



For VPN troubleshooting on the SRX, refer to the Resolution Guides: Resolution Guides - SRX-VPN.

Modification History:
2020-02-21: Changed encrypted password to “$ABC123".
