Example – Configuring site-to-site VPNs between SRX and Cisco ASA, with multiple networks behind the SRX and ASA, and full mesh traffic between networks (Route-based VPNs)

Article ID: KB28833 | Last Updated: 16 Mar 2020 | Version: 3.0
Summary:

This article contains a configuration example of site-to-site, route-based VPNs between SRX and Cisco ASA, with multiple networks behind the SRX and ASA, and full mesh traffic between the networks.

For additional configuration examples, see KB28861 - Examples – Configuring site-to-site VPNs between SRX and Cisco ASA.

For related technical documentation, see IPsec VPN Feature Guide for Security Devices.


 
Symptoms:

Problem:
VPNs to Cisco peers with full-mesh traffic between multiple networks require proper traffic routing on the SRX so that the correct VPN tunnel is selected for each flow.

Goal:
Configure a site-to-site, route-based VPN between SRX and Cisco ASA, with full-mesh traffic between multiple networks behind the SRX and ASA, by using filter-based forwarding (FBF) and routing instances.

Network Topology:

Traffic patterns for above topology:
Full-mesh VPN traffic between all four subnets: 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, and 192.168.4.0/24.
Solution:



Configuration for SRX

Note: Multiple security zones and policies are necessary because the st0 interfaces are bound to different routing instances. An interface bound to a routing instance must reside in a security zone separate from interfaces in other routing instances, as security zones cannot span routing instances. For more information about security zones and their restrictions, refer to KB16556 - SRX Getting Started - Configure Interfaces and Security Zone.

root# show |no-more 
system {
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 100.1.1.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input ASA_vpn;
                }
                address 192.168.2.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                filter {
                    input ASA_vpn;
                }
                address 192.168.3.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
        unit 2 {
            family inet;
        }
        unit 3 {
            family inet;
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet group1;
    }
    static {
        route 0.0.0.0/0 next-hop 100.1.1.1;
    }
    rib-groups {
        group1 {
            import-rib [ inet.0 ASA-1.inet.0 ASA-2.inet.0 ];
        }
    }
}
security {
    ike {
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy ike-phase1-policy {
            mode main;
            proposals ike-phase1-proposal;
            pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
        }
        gateway gw-chicago {
            ike-policy ike-phase1-policy;
            address 100.1.1.1;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 28800;
        }
        policy ipsec-phase2-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-phase2-proposal;
        }
        vpn ike-vpn-chicago {
            bind-interface st0.0;
            ike {
                gateway gw-chicago;
                proxy-identity {
                    local 192.168.2.0/24;
                    remote 192.168.1.0/24;
                    service any;
                }
                ipsec-policy ipsec-phase2-policy;
            }
            establish-tunnels immediately;
        }
        vpn ike-vpn-chicago_1 {
            bind-interface st0.1;
            ike {
                gateway gw-chicago;
                proxy-identity {
                    local 192.168.2.0/24;
                    remote 192.168.4.0/24;
                    service any;
                }
                ipsec-policy ipsec-phase2-policy;
            }
            establish-tunnels immediately;
        }
        vpn ike-vpn-chicago_2 {
            bind-interface st0.2;
            ike {
                gateway gw-chicago;
                proxy-identity {
                    local 192.168.3.0/24;
                    remote 192.168.1.0/24;
                    service any;
                }
                ipsec-policy ipsec-phase2-policy;
            }
            establish-tunnels immediately;
        }
        vpn ike-vpn-chicago_3 {
            bind-interface st0.3;
            ike {
                gateway gw-chicago;
                proxy-identity {
                    local 192.168.3.0/24;
                    remote 192.168.4.0/24;
                    service any;
                }
                ipsec-policy ipsec-phase2-policy;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        from-zone trust to-zone untrust_vpn_1 {
            policy vpn_tr_untr_vpn_1a {
                match {
                    source-address sunnyvale;
                    destination-address chicago;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy vpn_tr_untr_vpn_1b {
                match {
                    source-address sunnyvale;
                    destination-address chicago_2;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust_vpn_2 {
            policy vpn_tr_untr_vpn_2a {
                match {
                    source-address sunnyvale_2;
                    destination-address chicago;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy vpn_tr_untr_vpn_2b {
                match {
                    source-address sunnyvale_2;
                    destination-address chicago_2;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust_vpn_1 to-zone trust {
            policy vpn_untr_tr_vpn_1a {
                match {
                    source-address chicago;
                    destination-address sunnyvale;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy vpn_untr_tr_vpn_1b {
                match {
                    source-address chicago_2;
                    destination-address sunnyvale;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust_vpn_2 to-zone trust {
            policy vpn_untr_tr_vpn_2a {
                match {
                    source-address chicago;
                    destination-address sunnyvale_2;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy vpn_untr_tr_vpn_2b {
                match {
                    source-address chicago_2;
                    destination-address sunnyvale_2;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address sunnyvale 192.168.2.0/24;
                address sunnyvale_2 192.168.3.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone untrust_vpn_1 {
            address-book {
                address chicago 192.168.1.0/24;
                address chicago_2 192.168.4.0/24;
            }
            interfaces {
                st0.0;
                st0.1;
            }
        }
        security-zone untrust_vpn_2 {
            address-book {
                address chicago 192.168.1.0/24;
                address chicago_2 192.168.4.0/24;
            }
            interfaces {
                st0.2;
                st0.3;
            }
        }
    }
}
firewall {
    family inet {
        filter ASA_vpn {
            term 1 {
                from {
                    source-address {
                        192.168.2.0/24;
                    }
                    destination-address {
                        192.168.1.0/24;
                        192.168.4.0/24;
                    }
                }
                then {
                    routing-instance ASA-1;
                }
            }
            term 2 {
                from {
                    source-address {
                        192.168.3.0/24;
                    }
                    destination-address {
                        192.168.1.0/24;
                        192.168.4.0/24;
                    }
                }
                then {
                    routing-instance ASA-2;
                }
            }
            term 3 {
                then accept;
            }
        }
    }
}
routing-instances {
    ASA-1 {
        instance-type virtual-router;
        interface st0.0;
        interface st0.1;
        routing-options {
            static {
                route 192.168.1.0/24 next-hop st0.0;
                route 192.168.4.0/24 next-hop st0.1;
            }
        }
    }
    ASA-2 {
        instance-type virtual-router;
        interface st0.2;
        interface st0.3;
        routing-options {
            static {
                route 192.168.1.0/24 next-hop st0.2;
                route 192.168.4.0/24 next-hop st0.3;
            }
        }
    }
}

Configuration for Cisco ASA

(Only the VPN-related configuration is included.)
Interface Configuration: 
--------------------------------------------------------

!
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 

!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.255.255.0 
!
interface GigabitEthernet2
 nameif inside-2
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!

Policy Configuration:
---------------------------------------------------------------------------------------------
access-list s2s extended permit ip 192.168.4.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list s2s extended permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list s2s extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list s2s extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 

IPsec/IKE Configuration:
----------------------------------------------------------------------------------------------
crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac 
crypto map outside_map 20 match address s2s
crypto map outside_map 20 set pfs 
crypto map outside_map 20 set peer 100.1.1.2 
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto isakmp identity address 
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400


tunnel-group 100.1.1.2 type ipsec-l2l
tunnel-group 100.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****

Verification on the SRX:

root>show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
6809471 UP     e0205a738b30309a  6745d4109557d3bf  Main           100.1.1.1  

root>show security ipsec security-associations
Total active tunnels: 4
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway   
  <131073 ESP:des/ md5  3fd2de13 27886/unlim   -   root 500   100.1.1.1       
  >131073 ESP:des/ md5  4bff0b8d 27886/unlim   -   root 500   100.1.1.1       
  <131074 ESP:des/ md5  e149c0c3 28679/unlim   -   root 500   100.1.1.1       
  >131074 ESP:des/ md5  d6a81a5  28679/unlim   -   root 500   100.1.1.1       
  <131075 ESP:des/ md5  c1fc05e7 27946/unlim   -   root 500   100.1.1.1       
  >131075 ESP:des/ md5  52553c18 27946/unlim   -   root 500   100.1.1.1       
  <131076 ESP:des/ md5  d243ace7 28679/unlim   -   root 500   100.1.1.1       
  >131076 ESP:des/ md5  a1b5d1f  28679/unlim   -   root 500   100.1.1.1       

root>show security ipsec security-associations detail | no-more  
  Virtual-system: root
  Local Gateway: 100.1.1.2, Remote Gateway: 100.1.1.1
  Local Identity: ipv4_subnet(any:0,[0..7]=192.168.2.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
  Version: IKEv1
    DF-bit: clear
    Direction: inbound, SPI: 3fd2de13, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 27876 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 27254 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 4bff0b8d, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 27876 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 27254 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

  Virtual-system: root
  Local Gateway: 100.1.1.2, Remote Gateway: 100.1.1.1
  Local Identity: ipv4_subnet(any:0,[0..7]=192.168.3.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
  Version: IKEv1
    DF-bit: clear
    Direction: inbound, SPI: e149c0c3, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 28669 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 28029 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: d6a81a5, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 28669 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 28029 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

  Virtual-system: root
  Local Gateway: 100.1.1.2, Remote Gateway: 100.1.1.1
  Local Identity: ipv4_subnet(any:0,[0..7]=192.168.2.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.4.0/24)
  Version: IKEv1
    DF-bit: clear
    Direction: inbound, SPI: c1fc05e7, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 27936 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 27313 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 52553c18, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 27936 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 27313 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

  Virtual-system: root
  Local Gateway: 100.1.1.2, Remote Gateway: 100.1.1.1
  Local Identity: ipv4_subnet(any:0,[0..7]=192.168.3.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.4.0/24)
  Version: IKEv1
    DF-bit: clear
    Direction: inbound, SPI: d243ace7, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 28669 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 28052 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: a1b5d1f, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 28669 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 28052 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

root>show security ipsec statistics
ESP Statistics:
  Encrypted bytes:            20480
  Decrypted bytes:             3944
  Encrypted packets:            150
  Decrypted packets:             46
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

root# run show route 
inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:18:46
                    > to 100.1.1.1 via ge-0/0/0.0
100.1.1.0/24       *[Direct/0] 00:18:46
                    > via ge-0/0/0.0
100.1.1.2/32       *[Local/0] 00:18:55
                      Local via ge-0/0/0.0
192.168.2.0/24     *[Direct/0] 00:18:40
                    > via ge-0/0/1.0
192.168.2.1/32     *[Local/0] 00:18:55
                      Local via ge-0/0/1.0
192.168.3.0/24     *[Direct/0] 00:18:40
                    > via ge-0/0/2.0
192.168.3.1/32     *[Local/0] 00:18:55
                      Local via ge-0/0/2.0

ASA-1.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

100.1.1.0/24       *[Direct/0] 00:18:46
                    > via ge-0/0/0.0
192.168.1.0/24     *[Static/5] 00:02:14
                    > via st0.0
192.168.2.0/24     *[Direct/0] 00:18:40
                    > via ge-0/0/1.0
192.168.3.0/24     *[Direct/0] 00:18:40
                    > via ge-0/0/2.0
192.168.4.0/24     *[Static/5] 00:02:14
                    > via st0.1

ASA-2.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

100.1.1.0/24       *[Direct/0] 00:18:46
                    > via ge-0/0/0.0
192.168.1.0/24     *[Static/5] 00:02:14
                    > via st0.2
192.168.2.0/24     *[Direct/0] 00:18:40
                    > via ge-0/0/1.0
192.168.3.0/24     *[Direct/0] 00:18:40
                    > via ge-0/0/2.0
192.168.4.0/24     *[Static/5] 00:02:14
                    > via st0.3


For VPN troubleshooting on the SRX, refer to the Resolution Guides:
Resolution Guides - SRX-VPN
 

 
Modification History:
2020-02-21: Changed encrypted password to "$ABC123".
