IPSEC VPN between Cisco IOS & Netscreen – solved !


This isn’t necessarily Mozilla related, but after spending a month, on and off, trying to get an IPsec VPN up between a Cisco IOS router and a Juniper Netscreen SSG5 and finding very little help online, I figured I might as well document it here for others to find (myself, for instance, or, hey Google: index this).

For those interested, read on.

First, as a reference, here’s what my network looks like:

VPN Diagram

I aggregated Mountain View’s internal networks into 10.250.0.0/16. Specific policy controls are done through firewall ACLs and where appropriate I’ve had to tweak NAT statements (ask me if you need more on that).

Second, these configs work for me on the following hardware and software versions:

  • Cisco 3845 router: Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2)
  • Juniper Netscreen SSG5: Software Version: 5.4.0r3a.0, Type: Firewall+VPN

Cisco IOS Configuration

! Phase 1 (ISAKMP): 3DES, SHA-1 (the IOS default when no "hash" line is
! given), pre-shared key, DH group 2, 28800 s lifetime. This mirrors the
! Netscreen's predefined "pre-g2-3des-sha" proposal and its Phase 1 lifetime.
crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
! Pre-shared key, keyed to the Netscreen's outside address
crypto isakmp key MY-SECRET-PASSCODE address 223.225.122.226
!
! Phase 2 transform set: esp-aes with no key size is AES-128 on IOS, with MD5
! HMAC. The name says "sha" but the integrity algorithm is MD5; that is what
! matches the Netscreen "cisco" p2-proposal (aes128 md5). The IPsec SA
! lifetime is left at the IOS default of 3600 s, which that proposal also uses.
crypto ipsec transform-set aes-sha esp-aes esp-md5-hmac
!
! Crypto map: peer, transform set, PFS with DH group 2 (= "group2" on the
! Netscreen) and the ACL that defines the protected traffic. IOS takes its
! Phase 2 identities from this ACL, so the Netscreen proxy-ID must mirror it.
crypto map ipsec-remoteoffice 11 ipsec-isakmp
 set peer 223.225.122.226
 set transform-set aes-sha
 set pfs group2
 match address 101
!
! Interesting traffic: Mountain View aggregate -> remote office LAN
access-list 101 permit ip 10.250.0.0 0.0.255.255 10.240.2.0 0.0.0.255
!
! The crypto map goes on the outside interface, alongside NAT (see the notes
! below on keeping VPN traffic out of the NAT rule)
interface GigabitEthernet0/1
 description outside_interface
 ip address 123.245.208.46 255.255.255.252
 ip nat outside
 crypto map ipsec-remoteoffice

Juniper Netscreen Configuration
Much of this configuration was gleaned from here, using the WebUI (mostly the policies). If you follow that guide, you will only need to set the Proxy-ID and the Phase 2 proposal: add the "cisco" p2-proposal below (AES-128, MD5, PFS group 2, 3600 seconds, i.e. the Cisco transform set plus the IOS default SA lifetime) and select it on the "Moco-MV" AutoKey IKE VPN entry. The gateway itself keeps the predefined "pre-g2-3des-sha" Phase 1 proposal, which is what the IOS isakmp policy above mirrors.

set interface ethernet0/0 ip 223.225.122.226/29
set address "Trust" "ca-net" 10.240.2.0 255.255.255.0
set address "Untrust" "mv-net" 10.250.0.0 255.255.0.0
set ike p2-proposal "cisco" group2 esp aes128 md5 second 3600
set ike gateway "Mountain View" address 123.245.208.46 Main outgoing-interface "ethernet0/0" preshare "MY-SECRET-PASSCODE" proposal "pre-g2-3des-sha"
set vpn "Moco-MV" gateway "Mountain View" replay tunnel idletime 0 proposal "cisco"
set vpn "Moco-MV" proxy-id local-ip 10.240.2.0/24 remote-ip 10.250.0.0/16 "ANY"

These two policies were created through the WebUI and positioned at the top of the policy list; pair-policy links the two directions to the same tunnel. Like I said, see that site.

set policy id 9 from "Untrust" to "Trust"  "mv-net" "ca-net" "ANY" tunnel vpn "Moco-MV" id 1 pair-policy 8 log
set policy id 8 from "Trust" to "Untrust"  "ca-net" "mv-net" "ANY" tunnel vpn "Moco-MV" id 1 pair-policy 9 log

Important Notes & Thanks

  1. Netscreen requires setting the Proxy-ID. IOS derives its Phase 2 identities from the crypto ACL, so the Netscreen proxy-ID has to be the mirror image of access-list 101 (local 10.240.2.0/24, remote 10.250.0.0/16, service ANY); anything else fails Phase 2 with a proxy-ID mismatch.
  2. Need to match lifetime settings. The Netscreen’s predefined Phase 1 proposal defaulted to 28800 seconds while IOS defaults to 86400, so I set the IOS isakmp policy lifetime to 28800. Phase 2 is 3600 seconds on both sides: the "cisco" p2-proposal states it explicitly, and it is the IOS default for the IPsec SA.
  3. debug crypto ipsec and debug crypto isakmp (plus show crypto isakmp sa and show crypto ipsec sa) are your friends on IOS; on the Netscreen, get sa, get ike cookie and debug ike detail with get dbuf stream show the same negotiation from the other side.
  4. NAT ordering. With ip nat outside on the same interface as the crypto map, IOS translates inside-to-outside traffic before it evaluates the crypto map’s ACL, so the 10.250.0.0/16 to 10.240.2.0/24 flows must be excluded from the NAT rule (typically a route-map on the ip nat inside source statement that denies the traffic matched by access-list 101). Otherwise those packets leave with a translated source address, never match ACL 101, and are not encrypted. This is the NAT tweaking mentioned above.
  5. Strength of the suite. 3DES, MD5 and DH group 2 are used here because they match the Netscreen’s predefined Phase 1 proposal; they are weak by today’s standards. Where both ends support it, use AES, SHA-2 and DH group 14 or higher, and change both sides together, since any one-sided change breaks the negotiation.
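Since mismatched proposals and proxy-IDs are the usual reason a tunnel like this never comes up, here is an added example (my own Python, not code from the post or from either vendor) that parses the two snippets above and reports every Phase 1, Phase 2 and proxy-ID parameter that differs between them. The parser functions, the defaults table and the check list are mine; the embedded config text is a constructed copy of the two configurations shown above. It assumes the platform defaults the post relies on without writing them out: IOS hashes with SHA-1 when the isakmp policy has no hash line and uses a 3600-second IPsec SA lifetime unless configured otherwise, and the ScreenOS predefined Phase 1 proposals carry the 28800-second lifetime the notes mention.

```python
"""Cross-check an IOS crypto config against a ScreenOS VPN config: Phase 1, Phase 2, proxy-ID vs ACL."""
import ipaddress
import re

# Constructed copies of the two configurations from the post, trimmed to the
# lines the checker reads (addresses and names exactly as given there).
IOS_CFG = """\
crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto ipsec transform-set aes-sha esp-aes esp-md5-hmac
crypto map ipsec-remoteoffice 11 ipsec-isakmp
 set peer 223.225.122.226
 set transform-set aes-sha
 set pfs group2
 match address 101
access-list 101 permit ip 10.250.0.0 0.0.255.255 10.240.2.0 0.0.0.255
"""
SCREENOS_CFG = """\
set ike p2-proposal "cisco" group2 esp aes128 md5 second 3600
set ike gateway "Mountain View" address 123.245.208.46 Main outgoing-interface "ethernet0/0" preshare "MY-SECRET-PASSCODE" proposal "pre-g2-3des-sha"
set vpn "Moco-MV" gateway "Mountain View" replay tunnel idletime 0 proposal "cisco"
set vpn "Moco-MV" proxy-id local-ip 10.240.2.0/24 remote-ip 10.250.0.0/16 "ANY"
"""
IOS_DEFAULTS = {"p1_hash": "sha", "p1_life": 86400, "p2_life": 3600}  # assumed IOS defaults
SCREENOS_DEFAULTS = {"p1_life": 28800}  # assumed lifetime of the predefined "pre-*" Phase 1 proposals
P1_KEYS = {"encr": "p1_enc", "hash": "p1_hash", "group": "p1_group", "lifetime": "p1_life"}
XFORM = {"esp-aes": {"p2_enc": "aes128"}, "esp-3des": {"p2_enc": "3des"},  # esp-aes alone = 128-bit
         "esp-md5-hmac": {"p2_auth": "md5"}, "esp-sha-hmac": {"p2_auth": "sha"}}


def _acl_operand(tok, i):
    """One ACL operand (host X | any | addr wildcard) -> (network, next token index)."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    wild_bits = int(ipaddress.IPv4Address(tok[i + 1])).bit_length()  # contiguous wildcard mask
    return ipaddress.ip_network(f"{tok[i]}/{32 - wild_bits}", strict=False), i + 2


def parse_ios(text):
    p = dict(IOS_DEFAULTS, acls={})
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] in P1_KEYS:                        # isakmp policy sub-commands
            p[P1_KEYS[t[0]]] = int(t[1]) if t[1].isdigit() else t[1]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            for tok in t[4:]:                      # e.g. esp-aes 256 esp-sha-hmac
                p.update(XFORM.get(tok, {"p2_enc": "aes" + tok} if tok.isdigit() else {}))
        elif t[:4] == ["crypto", "ipsec", "security-association", "lifetime"]:
            p["p2_life"] = int(t[5])
        elif t[:2] == ["set", "pfs"]:
            p["p2_group"] = int(t[2][5:])          # "group2" -> 2
        elif t[:2] == ["match", "address"]:
            p["acl"] = t[2]
        elif t[0] == "access-list" and t[2] == "permit":
            src, i = _acl_operand(t, 4)
            p["acls"].setdefault(t[1], []).append((src, _acl_operand(t, i)[0]))
    return p


def parse_screenos(text):
    s = dict(SCREENOS_DEFAULTS)
    for line in text.splitlines():
        if m := re.match(r'set ike p2-proposal "[^"]*" group(\d+) esp (\S+) (\S+) second (\d+)', line):
            s.update(p2_group=int(m[1]), p2_enc=m[2], p2_auth=m[3], p2_life=int(m[4]))
        elif m := re.match(r'set ike gateway .* proposal "pre-g(\d+)-(\S+)-(\S+)"', line):
            s.update(p1_group=int(m[1]), p1_enc=m[2], p1_hash=m[3])  # predefined name encodes them
        elif m := re.match(r'set vpn .* proxy-id local-ip (\S+) remote-ip (\S+)', line):
            s["local"], s["remote"] = map(ipaddress.ip_network, m.groups())
    return s


CHECKS = [("p1_enc", "Phase 1 encryption"), ("p1_hash", "Phase 1 hash"), ("p1_group", "Phase 1 DH group"),
          ("p1_life", "Phase 1 lifetime"), ("p2_enc", "Phase 2 encryption"), ("p2_auth", "Phase 2 integrity"),
          ("p2_group", "PFS group"), ("p2_life", "Phase 2 lifetime")]


def compare(ios_text, screenos_text):
    """Return a list of mismatches; an empty list means the two ends agree."""
    ios, ns = parse_ios(ios_text), parse_screenos(screenos_text)
    problems = [f"{label}: IOS={ios.get(k)} ScreenOS={ns.get(k)}"
                for k, label in CHECKS if ios.get(k) != ns.get(k)]
    # IOS takes its Phase 2 identities from the crypto ACL, so the Netscreen's
    # local/remote proxy-ID must equal one ACL entry's (dst, src) pair exactly.
    flows = ios["acls"].get(ios.get("acl"), [])
    if (ns.get("local"), ns.get("remote")) not in {(d, s) for s, d in flows}:
        problems.append(f"proxy-ID {ns.get('local')}->{ns.get('remote')} "
                        f"does not mirror ACL {ios.get('acl')} {flows}")
    return problems


if __name__ == "__main__":
    print("as posted:", compare(IOS_CFG, SCREENOS_CFG) or "OK")
    print("sha on IOS:", compare(IOS_CFG.replace("esp-md5-hmac", "esp-sha-hmac"), SCREENOS_CFG))
```

Run it as a script and the posted pair reports OK, while the variant with esp-sha-hmac on the IOS side reports the Phase 2 integrity mismatch; editing the proxy-ID line or the isakmp lifetime produces the corresponding complaint. The proxy-ID check is worth keeping even once the tunnel works, because it is the one parameter that is derived on one side (from the ACL) and typed by hand on the other.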

I want to acknowledge a couple of folks and resources who responded to my plea for help on NANOG:

  1. Michael K. Smith, who after a couple of emails called me, and we worked through the configs on both sides until the tunnel was up and working.
  2. Guy Snyder from ICSA Labs, who sent me a couple of URLs that were helpful:
    1. Cisco IOS
    2. Juniper Netscreen

Thanks guys!

Categories: Networking

9 responses

  1. c0d3r wrote on :

    https://petersblog.dyndns.org:8899/Lists/Posts/Post.aspx?ID=34

  2. c0d33r wrote on :

    For a more generic writeup on IPSec VPN’s with Netscreen, visit
    https://petersblog.dyndns.org:8899/Lists/Posts/Post.aspx?ID=64

  3. vpn service wrote on :

    Thank you. Very useful for me. Bookmarked

  4. c0d3r wrote on :

    update : Website moved, so URL’s have changed to

    Cisco-Netscreen VPN :
    http://www.corelan.be:8800/index.php/2007/11/17/juniper-setting-up-an-ipsec-vpn-tunnel-between-a-juniper-netscreen-firewallvpn-device-and-a-cisco-vpn-device/

    Generic IPSec with Juniper :
    http://www.corelan.be:8800/index.php/2008/06/25/building-ipsec-vpn-with-juniper-netscreen-screenos-cjfv/

    Other Juniper stuff :
    http://www.corelan.be:8800/index.php/category/juniper/

  5. alexeymurkaev wrote on :

    Hello! Thank you :) Your config example helped me a lot. Now I have one question: how can I configure IPsec using a subinterface or secondary IP on Juniper?

  6. Admin wrote on :

    I believe those who use VPN sites and server users can help me. How do bypass proxies work with various browsers?

  7. vpn wrote on :

    Hotspot Shield was the Virtual Private Network that everyone was talking about, mainly because it offered free access to their network, albeit with limited bandwidth usage before they cut you off. It could be a viable alternative to watch Hulu or listen to Pandora from outside the United States.

  8. Shivanand wrote on :

    I am in need of the Complete Cisco VPN Configuration Guide. Is there any way I can download it?

  9. Ehssan wrote on :

    Hi,

    Can you please post more details about tweaking NAT statements.

    Thanks