Route-Based IPsec Between Cisco Router and Juniper SRX


Network experts, please help me understand why there is no ping from the source address to the destination address over the IPsec VPN (route-based, in this case).

I have such schema:


Phase 1 and Phase 2 of IPsec are up.

cisco1811:

Router#show crypto session 
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE     
Peer: 1.1.1.2 port 500 
 IKEv1 SA: local 1.1.1.1/500 remote 1.1.1.2/500 Active 
 IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 
    Active SAs: 2, origin: crypto map

SRX210:

[edit]
root# run show security ike security-associations 
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
507742  UP     e4ce17853e784b75  686afe9bad0c6831  Main           1.1.1.1  

[edit]
root# run show security ipsec security-associations 
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <131073 ESP:3des/sha1 f7797ad5 3409/  4608000 -  root 500   1.1.1.1         
  >131073 ESP:3des/sha1 f4f78f65 3409/  4608000 -  root 500   1.1.1.1 

But there is no connectivity from the Cisco loopback 10.10.10.1 to the SRX fe-0/0/4 address 20.20.20.1.
Ping fails. As far as I can tell, all routing, security zones and policies are configured correctly.

(Reviewer note: both configurations as pasted expose the IKE pre-shared key — in clear text on the Cisco side, and in the reversible Junos `$9$` form — as well as MD5-crypt login hashes. Treat them as compromised and rotate them; they have been left in the listings below only so the outputs stay verbatim.)

Pings fail even between the tunnel endpoints themselves (Tunnel0 172.16.0.1 to st0.1 172.16.0.2), so the problem is not limited to the 10.10.10.0/24 <-> 20.20.20.0/24 traffic.

output cisco1811:

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): with password encryption off, the ISAKMP pre-shared key below is
! stored and displayed in clear text; it is published in this paste and should be
! rotated. Type 7 encryption is reversible, so enabling it is not a fix either -
! prefer type 6 key storage (password encryption aes) if the image supports it.
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
memory-size iomem 20
!
!
dot11 syslog
! IP source routing is enabled; "no ip source-route" is the usual hardening
! setting and is unrelated to the tunnel.
ip source-route
!         
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1811W-AG-A/K9 sn FHK0930507W
!
!
! 
!
! Phase 1: IKEv1 main mode, pre-shared key, 3DES, DH group 2 (1024-bit MODP),
! default hash SHA-1. 3DES / SHA-1 / group 2 are legacy-weak; AES-256, SHA-256
! and group 14 or higher (or IKEv2) are preferable where both peers support them.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key regata577 address 1.1.1.2
!
!
! Phase 2: ESP 3DES + HMAC-SHA1 (tunnel mode by default); the profile below
! sets no PFS, which matches the SRX ipsec policy (no perfect-forward-secrecy).
crypto ipsec transform-set TS esp-3des esp-sha-hmac 
!
crypto ipsec profile VPN_P2
 set transform-set TS 
!
!
interface Loopback10
 ip address 10.10.10.1 255.255.255.0
!
! Route-based VTI: what gets encrypted is decided by the routing table (the
! 20.20.20.0/24 static route at the bottom), not by a crypto ACL, which is why
! "show crypto session" reports a 0.0.0.0/0 <-> 0.0.0.0/0 flow.
! "ip mtu 1400" leaves room for ESP overhead and matches st0.1 on the SRX.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 tunnel source 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.2
 tunnel protection ipsec profile VPN_P2
!
interface FastEthernet0
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
! vrf1 is referenced here but not defined in the shown excerpt; this interface
! is not on the tunnel path.
interface FastEthernet1
 ip vrf forwarding vrf1
 ip address 5.5.5.1 255.255.255.0
 duplex auto
 speed auto

interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!

!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
! Steers 20.20.20.0/24 into the VTI; the SRX routes 10.10.10.0/24 into st0.1, so
! the two static routes are symmetric. To localize the failed ping, compare the
! #pkts encaps/decaps counters in "show crypto ipsec sa" with the SRX side
! ("show security ipsec statistics", "show security flow session"): encaps rising
! here with no decaps on the SRX points at the SRX or the underlay, not at this
! router.
ip route 20.20.20.0 255.255.255.0 Tunnel0

output srx210:

version 12.1X44-D35.5;
system {
    /* $1$ is MD5-crypt: the hash published in this paste can be cracked offline,
       so the root password should be rotated. */
    root-authentication {
        encrypted-password "$1$APbBS19g$N1umrpu1sUcdWCb7RUyLa1"; ## SECRET-DATA
    }
    /* SSH is the only management service enabled (good). Note that the Untrust
       zone below accepts all host-inbound services on the public interface
       fe-0/0/5.0, so SSH is reachable from the peer network unless a firewall
       filter restricts it. */
    services {
        ssh;
    }
    /* KMD (IKE daemon) messages go to a dedicated file; this is the first place
       to look for proxy-ID / proposal mismatches. */
    syslog {
        file kmd-logs {
            daemon info;
            match KMD;
        }
    }
}
interfaces {                                  
    fe-0/0/4 {
        unit 0 {
            family inet {
                address 20.20.20.1/24;
            }
        }
    }
    /* Clear-text external interface; the IKE gateway is bound to it below. */
    fe-0/0/5 {
        unit 0 {
            family inet {
                address 1.1.1.2/24;
            }
        }
    }
    /* Tunnel interface for the route-based VPN; the /30 and the 1400 MTU match
       Tunnel0 on the Cisco side. */
    st0 {
        unit 1 {
            family inet {
                mtu 1400;
                address 172.16.0.2/30;
            }
        }
    }
}
routing-options {
    static {                            
        route 0.0.0.0/0 next-hop 1.1.1.1;
        /* Mirror of the Cisco "ip route 20.20.20.0/24 Tunnel0": the route, not a
           policy, decides what enters the tunnel. */
        route 10.10.10.0/24 next-hop st0.1;
    }
}
security {
    ike {
        /* proposal-set compatible offers the weakest common set (it includes DES
           and MD5 variants alongside 3DES/SHA-1); an explicit proposal with
           AES-256 / SHA-256 / group 14 is preferable if the Cisco peer supports
           it. "$9$" is reversible obfuscation, not encryption: the PSK in this
           paste is recoverable and should be rotated. */
        policy ike_policy {
            mode main;
            proposal-set compatible;
            pre-shared-key ascii-text "$9$.fF/u0IleWTzSevMN-.Pfz9AIEc"; ## SECRET-DATA
        }
        gateway ike_gate {
            ike-policy ike_policy;
            address 1.1.1.1;
            external-interface fe-0/0/5;
        }
    }
    ipsec {
        /* proposal-set standard: ESP with 3DES/SHA-1 or AES-128/SHA-1 (per the
           Junos definition); the SA output above shows 3des/sha1 was negotiated. */
        policy ipsec_policy {
            proposal-set standard;      
        }
        /* No proxy-identity is set, so 0.0.0.0/0 <-> 0.0.0.0/0 is used, which is
           what the Cisco VTI also presents (see its IPSEC FLOW line above). */
        vpn My_VPN {
            bind-interface st0.1;
            ike {
                gateway ike_gate;
                ipsec-policy ipsec_policy;
            }
            establish-tunnels immediately;
        }
    }
    /* Troubleshooting the failed ping: "show security flow session" and
       "show security ipsec statistics" show whether decrypted packets arrive and
       where they are dropped; a flow traceoption filtered on 10.10.10.1 and
       20.20.20.1 gives the per-packet verdict (route lookup, zone, policy). */
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    /* Both directions are any/any, presumably for troubleshooting. The MOSCOW
       and KRASNODAR address-book entries defined under the zones are not used
       here; once the tunnel works, restrict the policies to them. */
    policies {
        from-zone Untrust to-zone Trust {
            policy 100 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Trust to-zone Untrust {
            policy 101 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        /* The clear-text external interface (fe-0/0/5.0, 1.1.1.2) and the tunnel
           interface share this zone and accept all host-inbound services and
           protocols. The tunnel itself only needs ike on fe-0/0/5.0 (plus ping on
           st0.1 for tests); giving st0.1 its own zone lets policies distinguish
           decrypted tunnel traffic from untrusted clear-text traffic. */
        security-zone Untrust {
            address-book {              
                address MOSCOW 10.10.10.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/5.0;
                st0.1;
            }
        }
        security-zone Trust {
            address-book {
                address KRASNODAR 20.20.20.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }                       
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/4.0;
            }
        }
    }
}

Best Answer

I have made some changes: I added a router behind the SRX and set up BGP. Now it works (routing, IKE, IPsec, policies). Here I use a crypto map instead of a VTI on the Cisco router (I tried VTI too, and it also works).


cisco1811:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): password encryption is off, so the ISAKMP pre-shared key below
! is in clear text in this paste and should be rotated (type 7 is reversible;
! prefer type 6 key storage where the image supports it).
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!         
!
! hidekeys keeps secrets out of the configuration-change log.
archive
 log config
  hidekeys
! 
!
! Phase 1: IKEv1 main mode, pre-shared key, 3DES, DH group 2, default hash
! SHA-1 - legacy-weak; AES-256 / SHA-256 / group 14+ (or IKEv2) are preferable
! where both peers support them.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key regata577 address 172.16.0.2
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac 
!
! Not applied anywhere in this listing (the crypto map below is used instead);
! presumably left over from the VTI variant mentioned in the answer.
crypto ipsec profile IPSECPROFILE
 set transform-set TS 
!
!
! Policy-based IPsec: the TEST-IPSEC ACL (10.10.10.0/24 -> 20.20.20.0/24) becomes
! the proxy ID and must mirror the SRX proxy-identity (local 20.20.20.0/24,
! remote 10.10.10.0/24), which it does.
crypto map PI-IPSEC 1 ipsec-isakmp 
 description **TEST-IPSEC**
 set peer 172.16.0.2
 set security-association lifetime seconds 28800
 set transform-set TS 
 match address TEST-IPSEC
!
!
!
ip tcp synwait-time 5
!
! Not applied to any interface in this listing.
policy-map FOO
 class class-default
  shape average 128000
!
!
!
!
!
interface Loopback5
 ip address 5.5.5.1 255.255.255.255
!
interface Loopback10
 ip address 10.10.10.1 255.255.255.0
!
! Crypto map on a loopback: 20.20.20.0/24 is statically routed into this
! interface so the map sees the traffic, and the resulting ESP packets follow the
! default route to the SRX. "ip nat outside" has no matching "ip nat inside" in
! this listing, so NAT is not in effect. The route-map REROUTE matches an ACL
! named REROUTE that is not in the listing - confirm it exists, since it decides
! which packets are steered here.
interface Loopback33
 description **for IPSEC-PI**
 ip address 33.33.33.33 255.255.255.255
 ip nat outside
 ip virtual-reassembly
 ip policy route-map REROUTE
 crypto map PI-IPSEC
!
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
! eBGP to the SRX with no neighbor password and no outbound filter:
! "redistribute connected" advertises every connected prefix (this is how the
! SRX learns the IKE peer address 33.33.33.33). Consider a neighbor password
! and an outbound prefix-list limited to the prefixes the peer needs.
router bgp 100
 bgp log-neighbor-changes
 neighbor 172.16.0.2 remote-as 200
 !
 address-family ipv4
  redistribute connected
  neighbor 172.16.0.2 activate
  no auto-summary
  no synchronization
 exit-address-family
!
! Local PBR - presumably so router-originated traffic (e.g. pings sourced from
! Loopback10) is also steered through Loopback33 and the crypto map; confirm
! against the REROUTE ACL.
ip local policy route-map REROUTE
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.0.2
ip route 20.20.20.0 255.255.255.0 Loopback33
!
!
no ip http server
no ip http secure-server
!
! Crypto ACL; mirrors the SRX proxy-identity. Traffic outside this pair is not
! encrypted and falls through to the default route.
ip access-list extended TEST-IPSEC
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
!
!
!
!
route-map REROUTE permit 6
 description **for IPSEC-PI**
 match ip address REROUTE
 set default interface Loopback33
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
! Console and aux land at privilege 15 with no timeout and no enable secret in
! this listing; the vty lines have "login" but no password, so remote CLI access
! is refused until a password or AAA is configured. Lab-grade; harden before
! production use.
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

srx:

system {
    /* $1$ (MD5-crypt) hashes published in this paste can be cracked offline;
       rotate the root and user passwords. */
    root-authentication {
        encrypted-password "$1$XTjfjhv5$vXlOzT/W4kK6nj4fHfxvY/"; ## SECRET-DATA
    }
    login {
        user vlazarev {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$KN2wmboA$co8aH/Q1nZfBQ1oO81HLv0"; ## SECRET-DATA
            }
        }
    }
    /* Telnet is clear-text management (credentials and session on the wire);
       prefer ssh. The ACCESS and Untrust zones below accept all host-inbound
       services, so telnet is reachable on those interfaces. */
    services {
        telnet;
    }
}
interfaces {
    /* Link to the Cisco (FastEthernet0/0 172.16.0.1); both the eBGP session
       and the ESP traffic run over it. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 172.16.0.2/30;
            }
        }
    }
    /* Link to the router added behind the SRX (BGP neighbor 192.168.0.1). */
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.0.2/30;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 131.131.131.100/24;
            }
        }
    }
    /* Unnumbered tunnel interface; the static route below uses it as next hop. */
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 10.10.10.0/24 next-hop st0.0;
    }
    autonomous-system 200;
}
/* Neither eBGP session uses authentication, and send-direct exports every direct
   prefix (including 192.168.0.0/30 and 131.131.131.0/24) to the Cisco. Consider
   an authentication-key and an export policy limited to what each peer needs. */
protocols {
    bgp {
        group eBGP {
            type external;
            neighbor 172.16.0.1 {
                export send-direct;
                peer-as 100;
            }
            neighbor 192.168.0.1 {
                export [ send-direct send-static ];
                peer-as 300;
            }
        }
    }
}
policy-options {
    policy-statement send-direct {
        term term1 {
            from protocol direct;
            then accept;
        }
    }
    /* Exports the 10.10.10.0/24 -> st0.0 static route to the inside router so
       it learns the far side of the tunnel. */
    policy-statement send-static {
        from protocol static;
        then accept;
    }
}
security {
    ike {
        /* proposal-set compatible offers the weakest common set (DES/MD5 variants
           included); an explicit AES-256 / SHA-256 / group 14 proposal is
           preferable if the Cisco peer supports it. "$9$" is reversible
           obfuscation, not encryption - rotate this PSK. */
        policy ike_policy {
            mode main;
            proposal-set compatible;
            pre-shared-key ascii-text "$9$wP2JD.mT9Cu4anCtpREwY2ajHTz3"; ## SECRET-DATA
        }
        /* The peer is the Cisco Loopback33; that /32 is learned over BGP from
           the Cisco "redistribute connected", so IKE depends on BGP being up. */
        gateway ike_gate {
            ike-policy ike_policy;
            address 33.33.33.33;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        /* compatible here also includes single-DES options; see the ike note. */
        policy ipsec_policy {
            proposal-set compatible;
        }
        vpn IPSEC_VPN {
            bind-interface st0.0;       
            ike {
                gateway ike_gate;
                /* Required with a crypto-map peer: must mirror the Cisco ACL
                   TEST-IPSEC (10.10.10.0/24 -> 20.20.20.0/24), which it does. */
                proxy-identity {
                    local 20.20.20.0/24;
                    remote 10.10.10.0/24;
                    service any;
                }
                ipsec-policy ipsec_policy;
            }
            establish-tunnels immediately;
        }
    }
    /* Policies are now limited to the MOSCOW / KRASNODAR address-book entries
       instead of any/any (an improvement over the question's configuration). */
    policies {
        from-zone Untrust to-zone Trust {
            policy 100 {
                match {
                    source-address MOSCOW;
                    destination-address KRASNODAR;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Trust to-zone Untrust {
            policy 101 {
                match {
                    source-address KRASNODAR;
                    destination-address MOSCOW;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        /* ge-0/0/2 (131.131.131.100) accepts all host-inbound traffic - presumably
           a lab/management segment; confirm and restrict if it is not. */
        security-zone ACCESS {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {                
                ge-0/0/2.0;
            }
        }
        /* Minimal host-inbound set: bgp for the 192.168.0.1 neighbor; ike is not
           needed on this zone since the IKE gateway is on ge-0/0/0. */
        security-zone Trust {
            address-book {
                address KRASNODAR 20.20.20.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                }
                protocols {
                    bgp;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        /* This zone holds the IKE gateway interface and the 172.16.0.1 BGP
           neighbor, so it needs ike and bgp; "all" is broader than needed and
           also exposes telnet on ge-0/0/0. The tunnel interface again shares the
           zone with the clear-text link; a dedicated VPN zone would let policy
           tell decrypted traffic apart from untrusted traffic. */
        security-zone Untrust {
            address-book {
                address MOSCOW 10.10.10.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
                st0.0;
            }
        }
    }
}