This isn’t necessarily Mozilla related but after spending a month on and off trying to get an IPSEC VPN up between a Cisco IOS router and a Juniper Netscreen SSG5 and finding very little help online, I figured I might as well document it here for others to find (myself, for instance, or, hey Google – index this).
For those interested, read on.
First, as a reference, here’s what my network looks like:
I aggregated Mountain View’s internal networks into 10.250.0.0/16. Specific policy controls are done through firewall ACLs and where appropriate I’ve had to tweak NAT statements (ask me if you need more on that).
Second, these configs work for me and work on the following:
- Cisco 3845 router: Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2)
- Juniper Netscreen SSG5: Software Version: 5.4.0r3a.0, Type: Firewall+VPN
Cisco IOS Configuration
crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key MY-SECRET-PASSCODE address 220.127.116.11
!
!
crypto ipsec transform-set aes-sha esp-aes esp-md5-hmac
!
crypto map ipsec-remoteoffice 11 ipsec-isakmp
 set peer 18.104.22.168
 set transform-set aes-sha
 set pfs group2
 match address 101
access-list 101 permit ip 10.250.0.0 0.0.255.255 10.240.2.0 0.0.0.255
interface GigabitEthernet0/1
 description outside_interface
 ip address 22.214.171.124 255.255.255.252
 ip nat outside
 crypto map ipsec-remoteoffice
Juniper Netscreen Configuration
Much of this configuration was gleaned from here, using the WebUI (mostly the policies). If you follow that guide, you’ll only need to set the Proxy ID and change the p2-proposal (well, add the cisco one and change the Gateway proposal to it).
set interface ethernet0/0 ip 126.96.36.199/29
set address "Trust" "ca-net" 10.240.2.0 255.255.255.0
set address "Untrust" "mv-net" 10.250.0.0 255.255.0.0
set ike p2-proposal "cisco" group2 esp aes128 md5 second 3600
set ike gateway "Mountain View" address 188.8.131.52 Main outgoing-interface "ethernet0/0" preshare "MY-SECRET-PASSCODE" proposal "pre-g2-3des-sha"
set vpn "Moco-MV" gateway "Mountain View" replay tunnel idletime 0 proposal "cisco"
set vpn "Moco-MV" proxy-id local-ip 10.240.2.0/24 remote-ip 10.250.0.0/16 "ANY"
These two policies were done through the WebUI and positioned at the top. Like I said, see this site.
set policy id 9 from "Untrust" to "Trust" "mv-net" "ca-net" "ANY" tunnel vpn "Moco-MV" id 1 pair-policy 8 log
set policy id 8 from "Trust" to "Untrust" "ca-net" "mv-net" "ANY" tunnel vpn "Moco-MV" id 1 pair-policy 9 log
Important Notes & Thanks
- Netscreen requires setting Proxy-Id
- Need to match lifetime settings – Netscreen defaulted to 28800 seconds and I made IOS match that.
- debug crypto ipsec & debug crypto isakmp are your friends.
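Most of the month I lost came down to the two ends disagreeing on a proposal parameter or on the traffic selectors, so here is a small checker that does that comparison for you. It is an added example, not code from the post or from Cisco or Juniper: it parses the IOS crypto config (ISAKMP policy, transform-set, PFS, crypto ACL) and the ScreenOS config (p2-proposal, gateway proposal name, proxy-id), normalises the vendor spellings, and reports every phase 1 / phase 2 mismatch plus any case where the Netscreen proxy-id is not the mirror image of the IOS crypto ACL. The embedded configs are constructed copies of the snippets above with a placeholder peer address; the assumed ScreenOS phase 1 lifetime of 28800 seconds is the default the post mentions, and the IOS defaults (hash sha, ISAKMP lifetime 86400 s, IPsec SA lifetime 3600 s) are filled in when the config does not override them.

```python
"""Cross-check IKE phase 1 / phase 2 parameters and traffic selectors between
a Cisco IOS crypto config and a Netscreen (ScreenOS) config.
Added example; the embedded config text is a constructed copy of the post's
snippets with a placeholder peer address."""
import ipaddress
import re

IOS_CONFIG = """\
crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto ipsec transform-set aes-sha esp-aes esp-md5-hmac
crypto map ipsec-remoteoffice 11 ipsec-isakmp
 set transform-set aes-sha
 set pfs group2
 match address 101
access-list 101 permit ip 10.250.0.0 0.0.255.255 10.240.2.0 0.0.0.255
"""

SCREENOS_CONFIG = """\
set ike p2-proposal "cisco" group2 esp aes128 md5 second 3600
set ike gateway "Mountain View" address 192.0.2.1 Main outgoing-interface "ethernet0/0" preshare "X" proposal "pre-g2-3des-sha"
set vpn "Moco-MV" gateway "Mountain View" replay tunnel idletime 0 proposal "cisco"
set vpn "Moco-MV" proxy-id local-ip 10.240.2.0/24 remote-ip 10.250.0.0/16 "ANY"
"""

ISAKMP_KEYS = {"encr": "encr", "hash": "hash", "authentication": "auth",
               "group": "group", "lifetime": "lifetime"}
ESP_CIPHER = {"esp-aes": "aes128", "esp-3des": "3des", "esp-des": "des"}
ESP_AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha"}
AUTH_ALIASES = {"pre-share": "psk", "pre": "psk", "rsa-sig": "rsa", "rsa": "rsa"}


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair (contiguous mask) into an ip_network."""
    prefix = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_ios(cfg):
    # IOS defaults, overridden by whatever the config sets explicitly.
    ph1 = {"auth": "rsa-sig", "encr": "des", "hash": "sha", "group": "1", "lifetime": "86400"}
    ph2 = {"encr": None, "hash": None, "pfs": None, "lifetime": "3600"}
    selectors, section = None, ""
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            section = line                      # remember the enclosing top-level command
        elif section.startswith("crypto isakmp policy"):
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] in ISAKMP_KEYS:
                ph1[ISAKMP_KEYS[parts[0]]] = parts[1]
        elif section.startswith("crypto map"):
            m = re.match(r"set pfs group(\d+)", line)
            if m:
                ph2["pfs"] = m.group(1)
            m = re.match(r"set security-association lifetime seconds (\d+)", line)
            if m:
                ph2["lifetime"] = m.group(1)
        if line.startswith("crypto ipsec transform-set"):
            tokens = line.split()[3:]           # e.g. ['esp-aes', 'esp-md5-hmac'] or ['esp-aes', '256', ...]
            for i, tok in enumerate(tokens):
                if tok in ESP_CIPHER:
                    ph2["encr"] = ESP_CIPHER[tok]
                    if tok == "esp-aes" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
                        ph2["encr"] = "aes" + tokens[i + 1]
                elif tok in ESP_AUTH:
                    ph2["hash"] = ESP_AUTH[tok]
        m = re.match(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            selectors = (wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4]))
    return {"ph1": ph1, "ph2": ph2, "local": selectors[0], "remote": selectors[1]}


def parse_screenos(cfg):
    p2_proposals, vpn_proposal, ph1, proxy = {}, {}, None, None
    for line in cfg.splitlines():
        m = re.match(r'set ike p2-proposal "([^"]+)" (?:group(\d+)|no-pfs) esp (\S+) (\S+) second (\d+)', line)
        if m:
            p2_proposals[m[1]] = {"encr": m[3], "hash": m[4], "pfs": m[2], "lifetime": m[5]}
            continue
        m = re.match(r'set ike gateway "[^"]+" .* proposal "([^"]+)"', line)
        if m:  # proposal names are auth-group-cipher-hash, e.g. pre-g2-3des-sha
            auth, group, encr, hsh = m[1].split("-")
            # Assumed phase 1 lifetime: the ScreenOS default of 28800 s noted in the post.
            ph1 = {"auth": auth, "encr": encr, "hash": hsh, "group": group.lstrip("g"), "lifetime": "28800"}
            continue
        m = re.match(r'set vpn "([^"]+)" gateway .* proposal "([^"]+)"', line)
        if m:
            vpn_proposal[m[1]] = m[2]
            continue
        m = re.match(r'set vpn "([^"]+)" proxy-id local-ip (\S+) remote-ip (\S+)', line)
        if m:
            proxy = (ipaddress.ip_network(m[2]), ipaddress.ip_network(m[3]))
    vpn = next(iter(vpn_proposal))
    return {"ph1": ph1, "ph2": p2_proposals[vpn_proposal[vpn]], "local": proxy[0], "remote": proxy[1]}


def check_tunnel(ios_cfg, ns_cfg):
    """Return a list of mismatch descriptions; an empty list means both ends agree."""
    ios, ns = parse_ios(ios_cfg), parse_screenos(ns_cfg)
    problems = []
    for phase in ("ph1", "ph2"):
        for key, a in ios[phase].items():
            b = ns[phase].get(key)
            if key == "auth":
                a, b = AUTH_ALIASES.get(a, a), AUTH_ALIASES.get(b, b)
            if a != b:
                problems.append(f"{phase} {key}: IOS={a} ScreenOS={b}")
    # The crypto ACL is written from the IOS side, so it must mirror the Netscreen proxy-id.
    if ios["local"] != ns["remote"] or ios["remote"] != ns["local"]:
        problems.append(f"selectors: IOS {ios['local']}->{ios['remote']} vs proxy-id {ns['local']}->{ns['remote']}")
    return problems


if __name__ == "__main__":
    for p in check_tunnel(IOS_CONFIG, SCREENOS_CONFIG) or ["phase 1, phase 2 and selectors all match"]:
        print(p)
```

Run it against the two running configs before turning on `debug crypto isakmp`: a non-empty result usually explains the "no proposal chosen" or "proxy identities not supported" messages you would otherwise be reading out of the debug output.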
I want to acknowledge a couple folks & resources who responded to my plea of help on NANOG:
- Michael K. Smith – after a couple emails he called me and we worked through the configs on both sides until it was up and working.
- Guy Snyder from ICSA Labs who sent me a couple URLs that were helpful.