10-26-2009 07:31 AM - edited 03-11-2019 09:31 AM
We require assistance in configuring a site-to-site VPN (a Juniper NS5GT-ADSL-WLAN in a branch office with an ADSL connection (dynamic IP) and a PIX 515e, OS version 8.0, in the head office with a fixed IP).
10-26-2009 08:06 AM
The Juniper device with the dynamic IP will always have to initiate the IKE negotiation.
You will configure a normal static site-to-site from the Juniper to PIX.
On the PIX, you'll use NAT-exempt access-lists, a dynamic crypto-map, and the DefaultL2L group.
The PIX Configuration would reference the 'Lion' peer in the following example.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
10-27-2009 07:08 AM
Thanks, Patrick.
We tried the above scenario but are unfortunately still getting errors.
Below is the PIX configuration:
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 3
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 4
authentication pre-share
encryption des
hash sha
group 2
lifetime 28800
crypto isakmp policy 5
authentication pre-share
encryption des
hash md5
group 2
lifetime 28800
crypto isakmp policy 6
authentication pre-share
encryption aes
hash md5
group 2
lifetime 28800
crypto ipsec transform-set JuniperInDXBset esp-3des esp-md5-hmac
access-list NoNat line 5 extended permit ip 10.200.2.0 255.255.255.0 10.200.13.0 255.255.255.0
nat (inside) 0 access-list NoNat
crypto dynamic-map JuniperInDXBMap 1 match address juniper
crypto dynamic-map JuniperInDXBMap 1 set pfs
crypto dynamic-map JuniperInDXBMap 1 set transform-set JuniperInDXBset
crypto dynamic-map JuniperInDXBMap 1 set security-association lifetime seconds 3600
crypto dynamic-map JuniperInDXBMap 1 set reverse-route
crypto map AirarabiaMAP 3 ipsec-isakmp dynamic JuniperInDXBMap
crypto map AirarabiaMAP interface outside
crypto isakmp enable outside
10-27-2009 12:12 PM
You do not need the following:
'crypto dynamic-map JuniperInDXBMap 1 match address juniper'
The NAT exempt access-list will govern dynamic tunnel's encryption domain.
Are you running OSPF on the device? If not, you don't really need the following:
crypto dynamic-map JuniperInDXBMap 1 set reverse-route
Please also ensure that the pre-shared key is configured in the DefaultL2LGroup on the PIX.
10-28-2009 01:13 AM
Hi Patrick,
Removing the above message did not work. I suspect the Juniper config below is causing the problem:
set interface trust ip 10.200.13.1/24
set interface trust nat
set interface wireless2 ip 192.168.2.1/24
set interface wireless2 route
set interface adsl1 ip 217.165.237.86/32
set interface adsl1 route
set interface tunnel.1 ip unnumbered interface trust
set interface wireless1 mtu 1500
set interface tunnel.1 mtu 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface wireless2 ip manageable
set interface adsl1 ip manageable
set interface trust dhcp server service
set interface wireless2 dhcp server service
set interface trust dhcp server auto
set interface wireless2 dhcp server auto
set interface trust dhcp server option gateway 192.168.1.1
set interface trust dhcp server option netmask 255.255.255.0
set interface wireless2 dhcp server option gateway 192.168.2.1
set interface wireless2 dhcp server option netmask 255.255.255.0
set interface trust dhcp server ip 192.168.1.33 to 192.168.1.126
set interface wireless2 dhcp server ip 192.168.2.33 to 192.168.2.126
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
set hostname ns5gt-adsl-wlan
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address Trust "10.200.13.0/24" 10.200.13.0 255.255.255.0
set address Untrust "10.200.2.0/24" 10.200.2.0 255.255.255.0
set ike p1-proposal "pre-g2-3des-sha-43200" preshare group2 esp 3des sha-1 second 43200
set ike gateway "Airarabia Firewall" address a.b.c.d Aggr outgoing-interface "adsl1" preshare "r1yj20rrN7C2YNstgUCrUDUDBZnGj8ktHw==" proposal "pre-g2-3des-sha"
set ike gateway "Airarabia Firewall" cert peer-ca all
set ike gateway "Airarabia Firewall" nat-traversal
unset ike gateway "Airarabia Firewall" nat-traversal udp-checksum
set ike gateway "Airarabia Firewall" nat-traversal keepalive-frequency 0
set ike respond-bad-spi 1
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "VPN-to-Airarabia HO" gateway "Airarabia Firewall" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5" "g2-esp-3des-sha"
set vpn "VPN-to-Airarabia HO" monitor optimized
set vpn "VPN-to-Airarabia HO" id 1 bind interface tunnel.1
set url protocol sc-cpa
set vpn "VPN-to-HO" proxy-id local-ip 10.200.13.0/24 remote-ip 10.200.2.0/24 "ANY"
set policy id 2 name "out-in" from "Untrust" to "Trust" "10.200.2.0/24" "10.200.13.0/24" "ANY" permit log
set policy id 2
set policy id 1 name "in-out" from "Trust" to "Untrust" "10.200.13.0/24" "10.200.2.0/24" "ANY" permit log
set policy id 1
set pppoa name "ADSL connection to Etisalat" username "abs05" password "iMSM+w8MNLOkWEsvqnCqZ8mDP+no0qEOgQ=="
set pppoa name "ADSL connection to Etisalat" interface adsl1
unset pppoa name "ADSL connection to Etisalat" update-dhcpserver
set global-pro policy-manager primary outgoing-interface adsl1
set global-pro policy-manager secondary outgoing-interface adsl1
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set wlan country-code AE
set wlan channel auto
set ssid name Netscreen
set ssid Netscreen authentication wpa-psk passphrase r8aEjJpANhtt7rsR8YCMyAdWD/n+xk/Y2A== encryption auto
set ssid Netscreen interface wireless2
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set vrouter "trust-vr"
unset add-default-route
set route 10.200.0.0/16 interface tunnel.1 preference 20
set vrouter "untrust-vr"
set vrouter "trust-vr"
10-29-2009 06:42 AM
Hello Patrick,
Actually, I managed to get the tunnel up; it was a misconfiguration on both sides. However, now that the tunnel is up, I'm still not able to pass traffic between the two sites.
I would appreciate your help with the configuration below:
PIX IOS 8.0(2) Config:
---------------------------
access-list NoNat extended permit ip 10.200.2.0 255.255.255.0 10.200.13.0 255.255.255.0
nat (inside) 0 access-list NoNat
crypto ipsec transform-set JuniperInDXBset esp-des esp-sha-hmac
crypto dynamic-map JuniperInDXBMap 1 set transform-set JuniperInDXBset
crypto dynamic-map JuniperInDXBMap 1 set security-association lifetime seconds 3600
crypto map AirarabiaMAP 3 ipsec-isakmp dynamic JuniperInDXBMap
crypto map AirarabiaMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash sha
group 2
lifetime 28800
******tunnel-group DefaultL2LGroup ipsec-attributes********
pre-shared-key 12345
Juniper 5GT config:
---------------------------
set ike gateway "AirarabiaFirewall" address a.b.c.d ****main***** outgoing-interface "adsl1" preshare "12345" proposal "pre-g2-des-sha"
set vpn "AirarabiaVPN" gateway "AirarabiaFirewall" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha" "nopfs-esp-3des-md5" "nopfs-esp-3des-md5"
set interface "tunnel.1" zone "Trust"
set interface tunnel.1 ip unnumbered interface adsl1
set vpn "AirarabiaVPN" bind interface tunnel.1
set vpn "AirarabiaVPN" proxy-id local-ip 10.200.13.0/24 remote-ip 10.200.2.0/24 "ANY"
set route 10.200.2.0/24 interface tunnel.1
**** indicates the changes I've made to get it working.
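Added example (not from the thread or either vendor): a small Python checker that reads the PIX NAT-exempt ACL, transform-set and dynamic-map lines and the ScreenOS proxy-id and proposal lines, using excerpts constructed from the final configs above, and reports whether the two encryption domains mirror each other and which phase-2 proposals both sides share, PFS included. Decoding the predefined ScreenOS proposal names by their (nopfs|gN)-esp-<enc>-<hash> naming pattern is an assumption.

```python
import ipaddress
import re

# Constructed excerpts of the two configs as posted in the thread (final versions).
PIX_CFG = """
access-list NoNat extended permit ip 10.200.2.0 255.255.255.0 10.200.13.0 255.255.255.0
nat (inside) 0 access-list NoNat
crypto ipsec transform-set JuniperInDXBset esp-des esp-sha-hmac
crypto dynamic-map JuniperInDXBMap 1 set transform-set JuniperInDXBset
"""
SCREENOS_CFG = """
set vpn "AirarabiaVPN" gateway "AirarabiaFirewall" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha" "nopfs-esp-3des-md5"
set vpn "AirarabiaVPN" proxy-id local-ip 10.200.13.0/24 remote-ip 10.200.2.0/24 "ANY"
"""

def pix_side(cfg):
    """Encryption domain from the NAT-exempt ACL; phase 2 from transform-set and dynamic map."""
    acl = re.search(r"^access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M)
    ts = re.search(r"^crypto ipsec transform-set \S+ esp-(des|3des|aes) esp-(md5|sha)-hmac", cfg, re.M)
    pfs = re.search(r"^crypto dynamic-map \S+ \d+ set pfs", cfg, re.M) is not None
    return {"local": ipaddress.ip_network(f"{acl[1]}/{acl[2]}"),
            "remote": ipaddress.ip_network(f"{acl[3]}/{acl[4]}"),
            "proposals": {(pfs, ts[1], ts[2])}}

def screenos_side(cfg):
    """Proxy-ID plus every offered phase-2 proposal, decoded from the predefined
    ScreenOS name pattern (nopfs|gN)-esp-<enc>-<hash> (assumed naming scheme)."""
    pid = re.search(r"^set vpn \S+ proxy-id local-ip (\S+) remote-ip (\S+)", cfg, re.M)
    names = re.search(r"^set vpn \S+ gateway .* proposal (.+)$", cfg, re.M)[1]
    proposals = set()
    for name in re.findall(r'"([^"]+)"', names):
        m = re.fullmatch(r"(nopfs|g\d)-esp-(des|3des|aes128)-(md5|sha)", name)
        if m:  # "aes128" on ScreenOS corresponds to "esp-aes" on the PIX
            proposals.add((m[1] != "nopfs", m[2].replace("aes128", "aes"), m[3]))
    return {"local": ipaddress.ip_network(pid[1]),
            "remote": ipaddress.ip_network(pid[2]), "proposals": proposals}

def check(pix_cfg=PIX_CFG, ns_cfg=SCREENOS_CFG):
    """The sides must mirror each other: PIX ACL source == Juniper remote-ip and vice
    versa, and at least one phase-2 proposal must be identical (PFS setting included)."""
    pix, ns = pix_side(pix_cfg), screenos_side(ns_cfg)
    return {"proxy_id_match": pix["local"] == ns["remote"] and pix["remote"] == ns["local"],
            "common_phase2": sorted(pix["proposals"] & ns["proposals"])}

if __name__ == "__main__":
    print(check())  # {'proxy_id_match': True, 'common_phase2': [(False, 'des', 'sha')]}
```

An empty common_phase2 list (for example, `set pfs` on the PIX dynamic map against only nopfs proposals on the Juniper) is a phase-2 mismatch even when phase 1 completes, which is one of the first things to rule out when a tunnel shows as up but passes no traffic.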