This article describes how to create a Site to Site IPSec VPN from a site running a Juniper SRX firewall to another site running a Cisco ASA firewall. You can use this article as a quick reference while creating similar VPN setup. VPN troubleshooting will be covered in a separate article.
Let’s say that you have a request to create site-to-site IPSec VPN between Juniper SRX and Cisco ASA firewalls. You would automatically assume that you have to use policy based VPN on SRX as Cisco ASA supports only policy-based VPNs. Well, you can, but there is another option. You can use route based VPN on the Juniper SRX firewall and Policy based VPN on the Cisco ASA firewall. Here is how you can do that using traffic selector on the Juniper SRX firewall.
As of Junos version 12.1X46, Juniper SRX finally supports multiple Proxy-ID’s on the route based VPN using traffic-selectors. A traffic selector (also known as a proxy ID in IKEv1), is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses. Only traffic that conforms to a traffic selector is permitted through the associated IPsec SA.
In this article, I am demonstrating the VPN configuration for following requirements between Juniper SRX and Cisco ASA firewalls. Refer to the above-mentioned diagram as well to determine segments behind the firewalls. For this example, I am using Juniper vSRX running the Junos OS 15.1X49-D60 and Cisco ASA running 9.4(1) software code.
Phase 1 parameters: Pre-shared-keys, DH-group2, Sha1, Aes-128, 86400 sec, Main mode. Phase 2 parameters: ESP, Hmac-sha1, Aes-128, 3600 sec
Juniper SRX VPN Configuration
Interface and Zone configuration
edit interfaces st0 set unit 0 family inet ! edit security zones security-zone VPN-REMOTE-ASA set interfaces st0.0 ! edit security zones security-zone OUTSIDE set host-inbound-traffic system-services ike
NOTE: When you create the virtual st0 interface for this type of VPN, it has to be unnumbered, meaning it should not have an IP address assigned just like we do with other route-based VPNs.
IKE Phase 1 configuration
edit security ike proposal pre-gr2-sha1-aes128 set authentication-method pre-shared-keys set dh-group group2 set authentication-algorithm sha1 set encryption-algorithm aes-128-cbc ! edit security ike policy ike-pol-vpn-REMOTE-ASA set mode main set proposals pre-gr2-sha1-aes128 set pre-shared-key ascii-text 395psksecr3t ! edit security ike gateway gw-vpn-REMOTE-ASA set external-interface reth0.0 set ike-policy ike-pol-vpn-REMOTE-ASA set address 184.108.40.206
NOTE: There is an order of operation for this configuration; IKE gateway requires an IKE policy. IKE policy requires an IKE proposal .
IKE Phase 2 configuration
edit security ipsec proposal esp-hmac-sha-aes128 set protocol esp set authentication-algorithm hmac-sha1-96 set encryption-algorithm aes-128-cbc ! edit security ipsec policy ipsec-pol-vpn-REMOTE-ASA set proposals esp-hmac-sha-aes128 set perfect-forward-secrecy keys group2 ! edit security ipsec vpn vpn-REMOTE-ASA set ike gateway gw-vpn-REMOTE-ASA set ike ipsec-policy ipsec-pol-vpn-REMOTE-ASA set bind-interface st0.0 ! set traffic-selector TS1-DMZ-VPN-REMOTE-ASA local-ip 192.168.50.0/24 set traffic-selector TS1-DMZ-VPN-REMOTE-ASA remote-ip 172.16.50.0/24 set traffic-selector TS1-INSIDE-VPN-REMOTE-ASA local-ip 192.168.60.0/24 set traffic-selector TS1-INSIDE-VPN-REMOTE-ASA remote-ip 172.16.50.0/24
NOTE: There is an order of operation for this configuration; IPSec gateway requires an IPSec policy. IPSec policy requires an IPSec proposal .
Security Policies configuration
edit security address-book global set address 192.168.50.0/24 192.168.50.0/24 set address 172.16.50.0/24 172.16.50.0/24 set address-set VPN-REMOTE-ASA-REMOTE address 172.16.50.0/24 ! edit security policies from-zone DMZ to-zone VPN-REMOTE-ASA set policy VPN-DMZ-REMOTE-ASA match source-address 192.168.50.0/24 set policy VPN-DMZ-REMOTE-ASA match destination-address VPN-REMOTE-ASA-REMOTE set policy VPN-DMZ-REMOTE-ASA match application any set policy VPN-DMZ-REMOTE-ASA then permit ! edit security policies from-zone VPN-REMOTE-ASA to-zone DMZ set policy VPN-REMOTE-ASA-DMZ match source-address VPN-REMOTE-ASA-REMOTE set policy VPN-REMOTE-ASA-DMZ match destination-address 192.168.50.0/24 set policy VPN-REMOTE-ASA-DMZ match application any set policy VPN-REMOTE-ASA-DMZ then permit ! edit security policies from-zone INSIDE to-zone VPN-REMOTE-ASA set policy VPN-INSIDE-REMOTE-ASA match source-address 192.168.60.0/24 set policy VPN-INSIDE-REMOTE-ASA match destination-address VPN-REMOTE-ASA-REMOTE set policy VPN-INSIDE-REMOTE-ASA match application any set policy VPN-INSIDE-REMOTE-ASA then permit ! edit security policies from-zone VPN-REMOTE-ASA to-zone DMZ set policy VPN-REMOTE-ASA-INSIDE match source-address VPN-REMOTE-ASA-REMOTE set policy VPN-REMOTE-ASA-INSIDE match destination-address 192.168.60.0/24 set policy VPN-REMOTE-ASA-INSIDE match application any set policy VPN-REMOTE-ASA-INSIDE then permit
Cisco ASA VPN configuration
ASA VPN configuration is very straight forward just like any regular IKEv1 site 2 site VPN configuration.
crypto ikev1 policy 10 authentication pre-share encryption aes hash sha group 2 lifetime 86400 ! crypto isakmp identity address ! tunnel-group 220.127.116.11 type ipsec-l2l tunnel-group 18.104.22.168 ipsec-attributes ikev1 pre-shared-key 395psksecr3t ! object-group network VPN-INSIDE-NET network-object 172.16.50.0 255.255.255.0 ! object-group network VPN-REMOTE-NET network-object 192.168.50.0 255.255.255.0 network-object 192.168.60.0 255.255.255.0 ! access-list VPN2SRX permit ip object-group VPN-INSIDE-NET object-group VPN-REMOTE-NET ! nat (any,OUTSIDE) source static VPN-INSIDE-NET VPN-INSIDE-NET destination static VPN-REMOTE-NET VPN-REMOTE-NET ! crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac ! crypto map S2S-VPN-CMAP 11 match address VPN2SRX crypto map S2S-VPN-CMAP 11 set peer 22.214.171.124 crypto map S2S-VPN-CMAP 11 set transform-set ESP-AES-SHA ! crypto map S2S-VPN-CMAP interface OUTSIDE ! crypto ikev1 enable OUTSIDE ! access-list INSIDE-OUT permit ip object-group VPN-INSIDE-NET object-group VPN-REMOTE-NET
I hope you enjoyed this article. Please feel free to leave a comment or feedback.