IPSEC Site to Site VPN between Cisco and Juniper Device

vyas.2020
Level 1

I have a Cisco router C841M-4X/K9:

License Information for 'c800m'
License Level: advipservices Type: Permanent
Next reboot license Level: advipservices

I am configuring a site to site IPSEC VPN with my ISP (my ISP is not available at my branch location, so I am establishing the tunnel with my ISP over a local ILL link). The ISP has a Juniper router and I am using a Cisco router. I have configured all the parameters given by the ISP but still my tunnel is not coming up. I contacted the ISP but he is not helping me, saying my side has the wrong config and it is my responsibility to configure it correctly.

I am giving you the ISP's as well as my side's config details. Kindly check and let me know what mistake is on my side, or what else I can configure to match the ISP configuration.

 

Configuration at ISP end (according to the config it looks like a Juniper device)

Phase 1:
**********
# sh vpn ipsec phase1-interface "ALL-BYE"
config vpn ipsec phase1-interface
edit "ALL-BYE"
set type dynamic
set interface "ALL-INT-834"
set local-gw 220.37.74.241
set keylife 28800
set peertype any
set proposal 3des-md5
set dpd on-idle
set dhgrp 5
set net-device enable
set psksecret ENC M0hQ1rPZQCxPTsKCfvkMXyOzkpfi70guPM4Q5MwBQdD5DqcUCtEvx+2ttcyvlUfy0akwX
set distance 1
set dpd-retryinterval 5
next
end



Phase 2:
************
# sh vpn ipsec phase2-interface | grep -f 4874660218
config vpn ipsec phase2-interface
edit "4874660218" <---
set phase1name "ALL-BYE"
set proposal 3des-sha1
set pfs disable
set keylifeseconds 1800
set dst-subnet 10.103.35.0 255.255.255.0
next
edit "4874660218-L" <---
set phase1name "ALL-BYE"
set proposal 3des-sha1
set pfs disable
set keylifeseconds 1800
set dst-subnet 10.106.36.0 255.255.255.0
next
end


Preshared key:
*********************
CoMe@RFT

=====================================================================================

My End IPSEC config on Cisco Router

 

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 5
lifetime 28800
crypto isakmp key CoMe@RFT address 220.37.74.241
!
!
crypto ipsec transform-set ALL-BYE esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map ALL-BYE 1 ipsec-isakmp
description ###Sify IPSEC###
set peer 220.37.74.241
set transform-set ALL-BYE
match address 105
!
!
interface GigabitEthernet0/1
ip address 105.66.20.2 255.255.255.224
crypto map ALL-BYE

!

access-list 105 permit ip 10.103.35.0 0.0.0.255 any
access-list 105 permit ip 10.103.36.0 0.0.0.255 any

 

Please find attached the output of the below commands:

show crypto isakmp sa
show crypto ipsec sa
show crypto engine connection active
show crypto isakmp policy
show crypto map
sh crypto ipsec sa | i pkts
sh crypto session

 

 


marce1000
VIP

 

- Check this example configuration, you may find hints:

https://www.networkstraining.com/site-to-site-ipsec-vpn-between-cisco-router-and-juniper-security-gateway/

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Thank you Marce, but I have already referred to this document, with no luck. That's why I have given the ISP configuration and my end config.

@vyas.2020 

Are you sure your crypto ACL (105) is correct? You've not specified the specific destination networks, unless your intention is to tunnel "any" traffic via the Juniper. If your ACLs are mismatched, then you'll fail to establish a tunnel.

 

Turn on isakmp debugs, generate traffic and provide the debug outputs here for review.

Thank you Rob for the quick response.

 

Thank you Rob. You mean to say my ACL should match the ACL configured at the ISP end, or should it be specific IPs like below?

access-list 108 permit ip 10.103.35.0 0.0.0.255 host 220.37.74.241
access-list 108 permit ip 10.103.36.0 0.0.0.255 host 220.37.74.241

 

There are no logs generated by the debug commands.

 

Cisco_Router#debug crypto ipsec
Crypto IPSEC debugging is on
Cisco_Router#debug crypto is
Cisco_Router#debug crypto isakmp
Crypto ISAKMP debugging is on

@vyas.2020 Your ACL needs to mirror the ACL on the ISP Juniper firewall. The ACL is used to define the interesting traffic that should be encrypted and sent over the VPN tunnel; if they are mismatched, the VPN will fail to establish.

 

You need to generate traffic from the source network defined in the ACL; only then will debugs be generated.
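Rob's point about mirrored crypto ACLs can be checked mechanically. The following is an added example, not code from this thread or from either vendor: it parses the Cisco crypto ACL and the ISP-side phase2 selectors posted above and lists every selector whose mirror image (source and destination swapped) is missing on the other side. It assumes the ISP-side `set src-subnet` / `set dst-subnet` syntax shown above, treats an unset subnet as 0.0.0.0/0, and only considers `permit ip` ACL entries.

```python
import ipaddress
# Constructed sample input, copied from the two configs posted in this thread.
CISCO_ACL = """
access-list 105 permit ip 10.103.35.0 0.0.0.255 any
access-list 105 permit ip 10.103.36.0 0.0.0.255 any
"""
ISP_PHASE2 = """
edit "4874660218"
set dst-subnet 10.103.35.0 255.255.255.0
next
edit "4874660218-L"
set dst-subnet 10.106.36.0 255.255.255.0
next
"""
ANY = ipaddress.IPv4Network("0.0.0.0/0")

def parse_endpoint(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' (Cisco wildcard = inverted mask)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tok[1])) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def parse_cisco_acl(text):
    """Return {(local_net, remote_net)} from 'access-list N permit ip ...' lines."""
    pairs = set()
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) >= 5 and tok[2:4] == ["permit", "ip"]:
            src, rest = parse_endpoint(tok[4:])
            pairs.add((src, parse_endpoint(rest)[0]))
    return pairs

def parse_isp_phase2(text):
    """Return {(src_net, dst_net)} per edit block; an unset subnet is assumed 0.0.0.0/0."""
    pairs, sel = set(), {}
    for tok in (line.split() for line in text.splitlines()):
        if tok[:1] == ["edit"]:
            sel = {"src-subnet": ANY, "dst-subnet": ANY}
        elif tok[:1] == ["set"] and tok[1] in sel:
            sel[tok[1]] = ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[:1] == ["next"]:
            pairs.add((sel["src-subnet"], sel["dst-subnet"]))
    return pairs

def unmirrored(cisco_pairs, isp_pairs):
    # A selector is mirrored when the other side has it with src/dst swapped.
    isp_mirror = {(d, s) for s, d in isp_pairs}
    return {"cisco_only": sorted(f"{s} -> {d}" for s, d in cisco_pairs - isp_mirror),
            "isp_only": sorted(f"{s} -> {d}" for s, d in isp_mirror - cisco_pairs)}
```

With the posted configs the checker reports 10.103.36.0/24 as Cisco-only and 10.106.36.0/24 as ISP-only. Whether the ISP side really uses 0.0.0.0/0 as its source selector depends on its defaults, which the thread does not show.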

Ok Rob, I got your point. I will contact the ISP and verify my ACL.

 

I will update result here once done

Just looking at your configuration, you should not be using Phase 1 and Phase 2 with 3DES. These values are legacy and you should stay away from using them. Have a look at this link

Please do not forget to rate.