Multiple Proxy-IDs on a route-based VPN

Juniper has released Junos version 12.1X46, which finally supports multiple Proxy-IDs on a route-based VPN. A Proxy-ID is used in phase 2 of the IKE VPN negotiation: the firewall agrees with its peer which traffic is permitted through the tunnel, based on a specified pair of local and remote networks.

This functionality is called a traffic selector and is configured under: security -> ipsec -> vpn -> VPNName -> traffic-selector

I will use the example from the previous post, a route-based site-to-site VPN between a Juniper SRX and a Cisco ASA, and extend it to show how to configure traffic selectors.

NETWORK DIAGRAM

[Network diagram: IPSecVPN-TS]

VPN Settings on Cisco ASA and Juniper SRX

Phase            Parameter            Cisco ASA   Juniper SRX
Phase 1 (IKE)    authentication       sha1        sha1
                 encryption           aes128      aes128
                 dh-group             group2      group2
                 lifetime (seconds)   86400       86400
                 mode                 main        main
                 pre-shared-key       Bingo1      Bingo1
Phase 2 (IPSec)  protocol             esp         esp
                 authentication       sha1        sha1
                 encryption           aes128      aes128
                 lifetime-seconds     3600        3600
                 lifetime-kilobytes   46000       46000

JUNIPER SRX CONFIGURATION
edit interfaces st0 
set unit 0 family inet

edit security ike proposal Proposal-Cisco
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc
set lifetime-seconds 86400

edit security ike policy IKE-Policy-Cisco 
set mode main
set proposals Proposal-Cisco
set pre-shared-key ascii-text "Bingo1"

edit security ike gateway IKE-GW1-Cisco
set ike-policy IKE-Policy-Cisco
set address 1.1.1.1
set external-interface ge-0/0/0

edit security ipsec proposal Cisco-Proposal-IPSec
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-128-cbc
set lifetime-seconds 3600
set lifetime-kilobytes 46000

edit security ipsec policy Cisco-Policy-IPSec 
set proposals Cisco-Proposal-IPSec

edit security ipsec vpn VPN1-Cisco
set bind-interface st0.0
set ike gateway IKE-GW1-Cisco
set ike ipsec-policy Cisco-Policy-IPSec
set traffic-selector TS1 local-ip 172.30.1.0/24
set traffic-selector TS1 remote-ip 192.168.1.0/24
set traffic-selector TS2 local-ip 172.50.1.0/24
set traffic-selector TS2 remote-ip 192.168.1.0/24

edit routing-options
set static route 192.168.1.0/24 next-hop st0.0

edit security zones security-zone VPN
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces st0.0

edit security zones security-zone LOCAL
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces ge-0/0/1.0

edit security policies from-zone LOCAL to-zone VPN
set policy LOCAL-to-VPN match source-address any
set policy LOCAL-to-VPN match destination-address any
set policy LOCAL-to-VPN match application any
set policy LOCAL-to-VPN then permit

edit security policies from-zone VPN to-zone LOCAL
set policy VPN-to-LOCAL match source-address any
set policy VPN-to-LOCAL match destination-address any
set policy VPN-to-LOCAL match application any
set policy VPN-to-LOCAL then permit

CISCO ASA CONFIGURATION
object network Nat_Site-A
 subnet 192.168.1.0 255.255.255.0

object-group network SiteB-Juniper
 network-object 172.30.1.0 255.255.255.0
 network-object 172.50.1.0 255.255.255.0

object-group network Site-A
 network-object 192.168.1.0 255.255.255.0

object-group network Nat0
 group-object SiteB-Juniper

access-list VPN-SiteB-Juniper-10000 extended permit ip object-group Site-A object-group SiteB-Juniper
nat (inside,outside) source static Site-A Site-A destination static Nat0 Nat0 no-proxy-arp route-lookup

object network Nat_Site-A
 nat (inside,outside) dynamic interface

crypto ipsec ikev1 transform-set ASET-SHA esp-aes esp-sha-hmac

crypto map VPNMap 10000 match address VPN-SiteB-Juniper-10000
crypto map VPNMap 10000 set peer 2.2.2.2
crypto map VPNMap 10000 set ikev1 transform-set ASET-SHA
crypto map VPNMap 10000 set security-association lifetime seconds 3600
crypto map VPNMap 10000 set security-association lifetime kilobytes 46000

crypto map VPNMap interface outside

crypto isakmp identity address
crypto ikev1 enable outside

crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key Bingo1
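The selector pairs on the two peers have to mirror each other (the SRX local-ip/remote-ip pair equals the ASA destination/source pair), otherwise phase 2 fails for that selector. As an added check that is not part of the original post, the following Python script parses the traffic-selector lines and the ASA object-groups/crypto ACL shown above (embedded here as constructed sample input) and reports pairs that exist on only one side:

```python
import ipaddress
import re

# Relevant lines from the SRX and ASA configurations above, embedded as
# constructed sample input so the check runs offline.
SRX_CONFIG = """
set traffic-selector TS1 local-ip 172.30.1.0/24
set traffic-selector TS1 remote-ip 192.168.1.0/24
set traffic-selector TS2 local-ip 172.50.1.0/24
set traffic-selector TS2 remote-ip 192.168.1.0/24
"""

ASA_CONFIG = """
object-group network SiteB-Juniper
 network-object 172.30.1.0 255.255.255.0
 network-object 172.50.1.0 255.255.255.0
object-group network Site-A
 network-object 192.168.1.0 255.255.255.0
access-list VPN-SiteB-Juniper-10000 extended permit ip object-group Site-A object-group SiteB-Juniper
"""

def srx_selectors(cfg):
    """Collect (local, remote) prefix pairs from 'set traffic-selector' lines."""
    ts = {}
    pattern = r"set traffic-selector (\S+) (local-ip|remote-ip) (\S+)"
    for name, side, prefix in re.findall(pattern, cfg):
        ts.setdefault(name, {})[side] = ipaddress.ip_network(prefix)
    return {(v["local-ip"], v["remote-ip"]) for v in ts.values() if len(v) == 2}

def asa_selectors(cfg):
    """Expand object-groups and return (source, destination) pairs from the crypto ACL."""
    groups, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object-group network (\S+)", line):
            current = groups.setdefault(m.group(1), set())
        elif m := re.match(r"\s+network-object (\S+) (\S+)", line):
            current.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    pairs = set()
    for src, dst in re.findall(r"permit ip object-group (\S+) object-group (\S+)", cfg):
        pairs |= {(s, d) for s in groups[src] for d in groups[dst]}
    return pairs

def compare_proxy_ids(srx_cfg, asa_cfg):
    """SRX (local, remote) must equal ASA (destination, source) for each selector."""
    srx = srx_selectors(srx_cfg)
    asa = {(d, s) for s, d in asa_selectors(asa_cfg)}  # flip to the SRX's point of view
    return {"matched": srx & asa, "srx_only": srx - asa, "asa_only": asa - srx}

if __name__ == "__main__":
    for key, pairs in compare_proxy_ids(SRX_CONFIG, ASA_CONFIG).items():
        print(key, sorted((str(a), str(b)) for a, b in pairs))
```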