VPN between Cisco Router and Juniper Firewall using Dynamic IKE

vironet · ‎05-16-2012

Hi.

I have to establish a vpn between cisco router and juniper firewall, but the juniper firewall is getting his Public IP dynamically, the juniper administrator wants to setup using Dynamic IKE peer with ID (local@domain.com) instead of FQDN, i search for that kind of configuration in CCO, but didn´t find anything.

[router cisco] ----static IP -----> [internet] ---------- Dynamic IP -------> [FW juniper]

Any recommedentions will be helpful.

Regards

Herbert Baerten · ‎05-29-2012

Hi Victor,

you can use an isakmp profile to match on the peer's identity. Some references:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd8034bd59.html

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

In the latter example, you would replace "match identiy address 0.0.0.0" with "match identity user local@domain.com".

hth

Herbert

vironet · ‎06-04-2012

Thanks Herbert, i tried to contact the person with the juniper firewall to do somw test, i´ll let you know the results

vironet · ‎06-06-2012

Hello Herbert.

í make the configuration and it seems to work, but maybe i need to do more config, the last step is asking for AUTH.

Any idea,

Thanks

Jun 6 16:08:07.200: ISAKMP: local port 500, remote port 500
Jun 6 16:08:07.200: ISAKMP:(0):insert sa successfully sa = 64773BAC
Jun 6 16:08:07.204: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 6 16:08:07.204: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

Jun 6 16:08:07.204: ISAKMP:(0): processing SA payload. message ID = 0
Jun 6 16:08:07.204: ISAKMP:(0): processing vendor id payload
Jun 6 16:08:07.204: ISAKMP:(0): vendor ID seems Unity/DPD but major 19 mismatch
Jun 6 16:08:07.204: ISAKMP:(0): processing vendor id payload
Jun 6 16:08:07.204: ISAKMP:(0): vendor ID is DPD
Jun 6 16:08:07.204: ISAKMP:(0): processing vendor id payload
Jun 6 16:08:07.204: ISAKMP:(0): processing IKE frag vendor id payload
Jun 6 16:08:07.204: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jun 6 16:08:07.204: ISAKMP:(0):found peer pre-shared key matching 187.194.2.59
Jun 6 16:08:07.204: ISAKMP:(0): local preshared key found
Jun 6 16:08:07.204: ISAKMP:(0): Authentication by xauth preshared
Jun 6 16:08:07.204: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
Jun 6 16:08:07.204: ISAKMP:      encryption 3DES-CBC
Jun 6 16:08:07.204: ISAKMP:      hash SHA
Jun 6 16:08:07.204: ISAKMP:      default group 2
Jun 6 16:08:07.204: ISAKMP:      auth pre-share
Jun 6 16:08:07.204: ISAKMP:      life type in seconds
Jun 6 16:08:07.204: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
Jun 6 16:08:07.204: ISAKMP:(0):atts are acceptable. Next payload is 0
Jun 6 16:08:07.204: ISAKMP:(0):Acceptable atts:actual life: 0
Jun 6 16:08:07.204: ISAKMP:(0):Acceptable atts:life: 0
Jun 6 16:08:07.208: ISAKMP:(0):Fill atts in sa vpi_length:4
Jun 6 16:08:07.208: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Jun 6 16:08:07.208: ISAKMP:(0):Returning Actual lifetime: 86400
Jun 6 16:08:07.208: ISAKMP:(0)::Started lifetime timer: 86400.

Jun 6 16:08:07.208: ISAKMP:(0): processing vendor id payload
Jun 6 16:08:07.208: ISAKMP:(0): vendor ID seems Unity/DPD but major 19 mismatch
Jun 6 16:08:07.208: ISAKMP:(0): processing vendor id payload
Jun 6 16:08:07.208: ISAKMP:(0): vendor ID is DPD
Jun 6 16:08:07.208: ISAKMP:(0): processing vendor id payload
Jun 6 16:08:07.208: ISAKMP:(0): processing IKE frag vendor id payload
Jun 6 16:08:07.208: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jun 6 16:08:07.208: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 6 16:08:07.208: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

Jun 6 16:08:07.208: ISAKMP:(0): sending packet to 187.194.2.59 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jun 6 16:08:07.208: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jun 6 16:08:07.208: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 6 16:08:07.208: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

Jun 6 16:08:07.308: ISAKMP (0): received packet from 187.194.2.59 dport 500 sport 500 Global (R) MM_SA_SETUP
Jun 6 16:08:07.312: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 6 16:08:07.312: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

Jun 6 16:08:07.312: ISAKMP:(0): processing KE payload. message ID = 0
Jun 6 16:08:07.384: ISAKMP:(0): processing NONCE payload. message ID = 0
Jun 6 16:08:07.384: ISAKMP:(0):found peer pre-shared key matching 187.194.2.59
Jun 6 16:08:07.388: ISAKMP:(1159):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 6 16:08:07.388: ISAKMP:(1159):Old State = IKE_R_MM3 New State = IKE_R_MM3

Jun 6 16:08:07.388: ISAKMP:(1159): sending packet to 187.194.2.59 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jun 6 16:08:07.388: ISAKMP:(1159):Sending an IKE IPv4 Packet.
Jun 6 16:08:07.388: ISAKMP:(1159):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 6 16:08:07.388: ISAKMP:(1159):Old State = IKE_R_MM3 New State = IKE_R_MM4

Jun 6 16:08:07.520: ISAKMP (1159): received packet from 187.194.2.59 dport 500 sport 500 Global (R) MM_KEY_EXCH
Jun 6 16:08:07.520: ISAKMP:(1159):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 6 16:08:07.520: ISAKMP:(1159):Old State = IKE_R_MM4 New State = IKE_R_MM5

Jun 6 16:08:07.520: ISAKMP:(1159): processing ID payload. message ID = 0
Jun 6 16:08:07.520: ISAKMP (1159): ID payload
        next-payload : 8
        type         : 3
        USER FQDN    : goba@barrilito.com.mx
        protocol     : 17
        port         : 500
        length       : 29
Jun 6 16:08:07.520: ISAKMP:(1159):Found ADDRESS key in keyring goba
Jun 6 16:08:07.520: ISAKMP:(1159): processing HASH payload. message ID = 0
Jun 6 16:08:07.520: ISAKMP:(1159):SA authentication status:
        authenticated
Jun 6 16:08:07.520: ISAKMP:(1159):SA has been authenticated with 187.194.2.59
Jun 6 16:08:07.520: ISAKMP:(1159):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 6 16:08:07.520: ISAKMP:(1159):Old State = IKE_R_MM5 New State = IKE_R_MM5

Jun 6 16:08:07.524: ISAKMP:(1159):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jun 6 16:08:07.524: ISAKMP (1159): ID payload
        next-payload : 8
        type         : 1
        address      : 201.131.109.20
        protocol     : 17
        port         : 500
        length       : 12
Jun 6 16:08:07.524: ISAKMP:(1159):Total payload length: 12
Jun 6 16:08:07.524: ISAKMP:(1159): sending packet to 187.194.2.59 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jun 6 16:08:07.524: ISAKMP:(1159):Sending an IKE IPv4 Packet.
Jun 6 16:08:07.524: ISAKMP:(1159):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 6 16:08:07.524: ISAKMP:(1159):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

Jun 6 16:08:07.524: ISAKMP:(1159):Need XAUTH
Jun 6 16:08:07.524: ISAKMP: set new node -1918634711 to CONF_XAUTH
Jun 6 16:08:07.528: ISAKMP/xauth: request attribute XAUTH_TYPE
Jun 6 16:08:07.528: ISAKMP/xauth: request attribute XAUTH_USER_NAME
Jun 6 16:08:07.528: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
Jun 6 16:08:07.528: ISAKMP:(1159): initiating peer config to 187.194.2.59. ID = -1918634711
Jun 6 16:08:07.528: ISAKMP:(1159): sending packet to 187.194.2.59 my_port 500 peer_port 500 (R) CONF_XAUTH
Jun 6 16:08:07.528: ISAKMP:(1159):Sending an IKE IPv4 Packet.
Jun 6 16:08:07.528: ISAKMP:(1159):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 6 16:08:07.528: ISAKMP:(1159):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT

Jun 6 16:08:07.728: ISAKMP (1159): received packet from 187.194.2.59 dport 500 sport 500 Global (R) CONF_XAUTH
Jun 6 16:08:12.032: ISAKMP (1159): received packet from 187.194.2.59 dport 500 sport 500 Global (R) CONF_XAUTH
Jun 6 16:08:15.908: ISAKMP (1159): received packet from 187.194.2.59 dport 500 sport 500 Global (R) CONF_XAUTH
Jun 6 16:08:19.912: ISAKMP (1159): received packet from 187.194.2.59 dport 500 sport 500 Global (R) CONF_XAUTH
Jun 6 16:08:22.528: ISAKMP:(1159): retransmitting phase 2 CONF_XAUTH -1918634711 ...
Jun 6 16:08:22.528: ISAKMP (1159): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
Jun 6 16:08:22.528: ISAKMP (1159): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
Jun 6 16:08:22.528: ISAKMP:(1159): retransmitting phase 2 -1918634711 CONF_XAUTH
Jun 6 16:08:22.528: ISAKMP:(1159): sending packet to 187.194.2.59 my_port 500 peer_port 500 (R) CONF_XAUTH
Jun 6 16:08:22.528: ISAKMP:(1159):Sending an IKE IPv4 Packet.
Jun 6 16:08:23.908: ISAKMP (1159): received packet from 187.194.2.59 dport 500 sport 500 Global (R) CONF_XAUTH
Jun 6 16:08:27.909: ISAKMP (1159): received packet from 187.194.2.59 dport 500 sport 500 Global (R) CONF_XAUTH
Jun 6 16:08:31.909: ISAKMP (1159): received packet from 187.194.2.59 dport 500 sport 500 Global (R) CONF_XAUTH
Jun 6 16:08:35.913: ISAKMP (1159): received packet from 187.194.2.59 dport 500 sport 500 Global (R) CONF_XAUTH
Jun 6 16:08:37.529: ISAKMP:(1159): retransmitting phase 2 CONF_XAUTH -1918634711 ...
Jun 6 16:08:37.529: ISAKMP (1159): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
Jun 6 16:08:37.529: ISAKMP (1159): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
Jun 6 16:08:37.529: ISAKMP:(1159): retransmitting phase 2 -1918634711 CONF_XAUTH
Jun 6 16:08:37.529: ISAKMP:(1159): sending packet to 187.194.2.59 my_port 500 peer_port 500 (R) CONF_XAUTH
Jun 6 16:08:37.529: ISAKMP:(1159):Sending an IKE IPv4 Packet.

vironet · ‎06-06-2012