Let’s say that you got a request to create site-to-site IPSec VPN between Juniper SRX and Cisco ASA firewalls. You would automatically assume that you have to use policy based VPN on SRX as Cisco ASA supports only policy based VPNs. Well, you can, but there is another option. You can use route based VPN.
Before we continue, I would like to stress out, that it is really important, that you have VPN settings identical on both sides or VPN tunnel will not come up or it will be unstable.
VPN Settings on Cisco ASA and Juniper SRX
|Parameters\Device||Cisco ASA||Juniper SRX|
I would like to point out two things on which you have to pay attention, when you will be configuring route based IPSec VPN between SRX and ASA:
- on SRX when you are creating virtual st0 interface, it has to be unnumbered
example: edit interfaces st0 set unit 0 family inet
- on SRX under section security -> ipsec -> vpn -> VPNName -> ike you have to configure proxy-identity. This will essentially tell SRX which networks it has to use for creating IPSec SA.
example: edit security ipsec vpn VPN1-Cisco set ike proxy-identity local 172.30.1.0/24 set ike proxy-identity remote 192.168.1.0/24
Juniper SRX configuration
edit interfaces st0 set unit 0 family inet edit security ike proposal Proposal-Cisco set authentication-method pre-shared-keys set dh-group group2 set authentication-algorithm sha1 set encryption-algorithm aes-128-cbc set lifetime-seconds 86400 edit security ike policy IKE-Policy-Cisco set mode main set proposals Proposal-Cisco set pre-shared-key ascii-text "Bingo1" edit security ike gateway IKE-GW1-Cisco set ike-policy IKE-Policy-Cisco set address 188.8.131.52 set external-interface ge-0/0/0 edit security ipsec proposal Cisco-Proposal-IPSec set protocol esp set authentication-algorithm hmac-sha1-96 set encryption-algorithm aes-128-cbc set lifetime-seconds 3600 set lifetime-kilobytes 46000 edit security ipsec policy Cisco-Policy-IPSec set proposals Cisco-Proposal-IPSec edit security ipsec vpn VPN1-Cisco set bind-interface st0.0 set ike gateway IKE-GW1-Cisco set ike proxy-identity local 172.30.1.0/24 set ike proxy-identity remote 192.168.1.0/24 set ike ipsec-policy Cisco-Policy-IPSec edit routing-options set static route 192.168.1.0/24 next-hop st0.0 edit security zones security-zone VPN set host-inbound-traffic system-services all set host-inbound-traffic protocols all set interfaces st0.0 edit security zones security-zone LOCAL set host-inbound-traffic system-services all set host-inbound-traffic protocols all set interfaces ge-0/0/1.0 edit security policies from-zone LOCAL to-zone VPN set policy LOCAL-to-VPN match source-address any set policy LOCAL-to-VPN match destination-address any set policy LOCAL-to-VPN match application any set policy LOCAL-to-VPN then permit edit security policies from-zone VPN to-zone LOCAL set policy VPN-to-LOCAL match source-address any set policy VPN-to-LOCAL match destination-address any set policy VPN-to-LOCAL match application any set policy VPN-to-LOCAL then permit
Cisco ASA Configuration
object network Nat_Site-A subnet 192.168.1.0 255.255.255.0 object-group network SiteB-Juniper network-object 172.30.1.0 255.255.255.0 object-group network Site-A network-object 192.168.1.0 255.255.255.0 object-group network Nat0 group-object SiteB-Juniper access-list VPN-SiteB-Juniper-10000 extended permit ip object-group Site-A object-group SiteB-Juniper nat (inside,outside) source static Site-A Site-A destination static Nat0 Nat0 no-proxy-arp route-lookup object network Nat_Site-A nat (inside,outside) dynamic interface crypto ipsec ikev1 transform-set ASET-SHA esp-aes esp-sha-hmac crypto map VPNMap 10000 match address VPN-SiteB-Juniper-10000 crypto map VPNMap 10000 set peer 184.108.40.206 crypto map VPNMap 10000 set ikev1 transform-set ASET-SHA crypto map VPNMap 10000 set security-association lifetime seconds 3600 crypto map VPNMap 10000 set security-association lifetime kilobytes 46000 crypto map VPNMap interface outside crypto isakmp identity address crypto ikev1 enable outside crypto ikev1 policy 1 authentication pre-share encryption aes hash sha group 2 lifetime 86400 tunnel-group 220.127.116.11 type ipsec-l2l tunnel-group 18.104.22.168 ipsec-attributes ikev1 pre-shared-key Bingo1