Cisco - Juniper VPN problem



  • Hi all,

    Can anyone please help me correct the site-to-site VPN configuration between a Juniper ISG 1000 and a Cisco PIX 506E:

    My Juniper:
    set vrouter trust-vr sharable
    set vrouter "trust-vr"

    set interface "tunnel.1" zone "Untrust"

    set interface ethernet1/1 ip 10.1.100.1/24
    set interface ethernet1/3.102 ip 1.1.1.1/27
    set interface ethernet1/3.102 nat
    set interface tunnel.1 ip unnumbered interface ethernet1/3.102
    set interface "ethernet1/1" pmtu ipv4
    set interface "ethernet1/2" pmtu ipv4
    set interface "ethernet1/3" pmtu ipv4
    set interface ethernet1/3.102 proxy dns
    set interface ethernet1/3.102 monitor threshold 5
    set interface ethernet1/3.101 monitor interface ethernet1/3.102 weight 10
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set pki authority default cert-status revocation-check crl best-effort
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set ike gateway "To-Cisco" address 2.2.2.2 Main outgoing-interface "ethernet1/3.102" preshare "tRMHPMwJN1WIHlsJB8CmJqNJIBn/417hyA==" proposal "pre-g2-des-sha"
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vpn "To-Cisco-VPN" gateway "To-Cisco" replay tunnel idletime 0 proposal "g2-esp-des-sha"
    set vpn "To-Cisco-VPN" monitor
    set vpn "To-Cisco-VPN" id 0x7 bind interface tunnel.1
    set vrouter "untrust-vr"
    set protocol nhrp
    set protocol nhrp retry-interval 30
    set protocol nhrp max-query 12
    exit
    set vrouter "trust-vr"
    set protocol nhrp
    set protocol nhrp retry-interval 30
    set protocol nhrp max-query 12
    exit
    set vpn "To-Cisco-VPN" proxy-id local-ip 10.1.10.0/24 remote-ip 10.100.1.0/24 "ANY"
    set policy id 144 name "test" from "Untrust" to "Trust"  "10.100.1.0/24" "10.1.10.0/24" "ANY" permit log
    set policy id 144
    set log session-init
    exit
    set policy id 142 name "Test-VPN" from "Trust" to "Untrust"  "10.1.10.0/24" "10.100.1.0/24" "ANY" permit log
    set policy id 142
    set log session-init
    exit
    set route 10.100.1.0/24 interface tunnel.1 permanent
    set route 10.100.1.0/24 interface tunnel.1 gateway 10.100.1.1 preference 3
    set interface ethernet1/1 protocol ospf area 0.0.0.0
    set interface ethernet1/1 protocol ospf enable
    set interface ethernet1/1 protocol ospf priority 0
    set interface ethernet1/2.7 protocol ospf area 0.0.0.0
    set interface ethernet1/2.7 protocol ospf enable
    set interface ethernet1/2.7 protocol ospf priority 0
    set interface ethernet1/2.7 protocol ospf cost 1
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

    #####################################################################################3

    get ike cookies

    IKEv1 SA - Active: 1, Dead: 0, Total 1

    80182f/0003, 1.1.1.1:500->2.2.2.2:500, PRESHR/grp2/DES/SHA, xchg(5) (To-Cisco/grp-1/usr-1)
    resent-tmr 0 lifetime 28800 lt-recv 28800 nxt_rekey 27658 cert-expire 0
    initiator, err cnt 0, send dir 0, cond 0x90
    nat-traversal map not available
    ike heartbeat              : disabled
    ike heartbeat last rcv time: 0
    ike heartbeat last snd time: 0
    XAUTH status: 0
    DPD seq local 0, peer 0

    IKEv2 SA - Active: 0, Dead: 0, Total 0

    ########################################################################################

    get sa
    total configured sa: 1
    HEX ID    Gateway        Port Algorithm    SPI      Life:sec kb Sta  PID vsys
    00000007<    2.2.2.2  500 esp: des/sha1 493891b2  2394 4095M A/D    -1 0
    00000007>    2.2.2.2  500 esp: des/sha1 270794ee  2394 4095M A/D    -1 0

    ########################################################################################

    get db stream

    2010-02-18 21:46:21 : NHTB entry search not found: vpn none tif tunnel.1 nexthop 10.100.1.0

    2010-02-18 21:46:21 : NHTB entry search not found: vpn none tif tunnel.1 nexthop 10.100.1.0

    2010-02-18 21:46:22 : IKE<2.2.2.2> re-trans timer expired, msg retry (3) (80180f/2)

    2010-02-18 21:46:22 : IKE<2.2.2.2> Initiator sending IPv4 IP 2.2.2.2/port 500

    2010-02-18 21:46:22 : IKE<2.2.2.2> Send Phase 1 packet (len=68)

    2010-02-18 21:46:22 : ms 1811514005 rt-timer callback

    2010-02-18 21:46:22 : IKE<2.2.2.2> nhtb_list_update_status: vpn OLD-site

    2010-02-18 21:46:22 : IKE<2.2.2.2>  ** link ready return 8

    2010-02-18 21:46:22 : IKE<2.2.2.2> sa_link_status_for_tunl_ifp: saidx 0, preliminary status 8

    2010-02-18 21:46:22 : ms 1811514013 rt-timer callback

    2010-02-18 21:46:23 : ms 1811515013 rt-timer callback

    2010-02-18 21:46:23 : ms 1811515018 rt-timer callback

    2010-02-18 21:46:24 : ms 1811516004 rt-timer callback

    2010-02-18 21:46:24 : ms 1811516015 rt-timer callback

    2010-02-18 21:46:25 : ms 1811517014 rt-timer callback

    2010-02-18 21:46:25 : ms 1811517020 rt-timer callback

    2010-02-18 21:46:26 : IKE<2.2.2.2> re-trans timer expired, msg retry (4) (80180f/2)

    2010-02-18 21:46:26 : IKE<2.2.2.2> Initiator sending IPv4 IP 2.2.2.2/port 500

    2010-02-18 21:46:26 : IKE<2.2.2.2> Send Phase 1 packet (len=68)

    2010-02-18 21:46:26 : ms 1811518005 rt-timer callback

    2010-02-18 21:46:26 : ms 1811518014 rt-timer callback

    2010-02-18 21:46:26 : NHTB entry search not found: vpn none tif tunnel.1 nexthop 10.100.1.0

    2010-02-18 21:46:26 : NHTB entry search not found: vpn none tif tunnel.1 nexthop 10.100.1.0

    2010-02-18 21:46:27 : ms 1811519012 rt-timer callback

    2010-02-18 21:46:27 : ms 1811519017 rt-timer callback

    2010-02-18 21:46:28 : ms 1811520005 rt-timer callback

    2010-02-18 21:46:28 : ms 1811520017 rt-timer callback

    2010-02-18 21:46:29 : ms 1811521016 rt-timer callback

    2010-02-18 21:46:29 : ms 1811521021 rt-timer callback

    2010-02-18 21:46:30 : IKE<2.2.2.2> re-trans timer expired, msg retry (5) (80180f/2)

    2010-02-18 21:46:30 : IKE<2.2.2.2> Initiator sending IPv4 IP 2.2.2.2/port 500

    2010-02-18 21:46:30 : IKE<2.2.2.2> Send Phase 1 packet (len=68)

    2010-02-18 21:46:30 : ms 1811522005 rt-timer callback

    ################################################################################
    CISCO PIX 506E

    ################################################################################

    (config)# show run

    : Saved

    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password RLPMUQ26KL4blgFN encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname Fort-Old-Site
    domain-name ABC
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 5 permit ip any any
    access-list 101 permit ip 10.100.1.0 255.255.255.0 10.1.10.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 2.2.2.2 255.255.255.224
    ip address inside 10.100.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list 101
    nat (inside) 10 10.100.1.0 255.255.255.0 0 0
    access-group 5 in interface outside
    route outside 0.0.0.0 0.0.0.0 2.2.2.5 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    crypto ipsec transform-set nsset esp-des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto map nsmap 10 ipsec-isakmp
    crypto map nsmap 10 match address 101
    crypto map nsmap 10 set pfs group2
    crypto map nsmap 10 set peer 1.1.1.1
    crypto map nsmap 10 set transform-set nsset
    crypto map nsmap interface outside
    isakmp enable outside
    isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:a39ad07c1easgr6cb5d223f6f06cc488
    : end

    Regards,

    Wish Bird
    :?



  • I have some queries; can you answer them?

    set interface "tunnel.1" zone "Untrust"
    set interface ethernet1/3.102 ip 1.1.1.1/27
    set interface ethernet1/3.102 nat
    set interface tunnel.1 ip unnumbered interface ethernet1/3.102

    What is the ethernet1/3.102 interface? Is it your external interface, and to which zone have you bound it? If it is the external interface, why have you put it in NAT mode?

    Also if we check your routing.

    set route 10.100.1.0/24 interface tunnel.1 permanent
    set route 10.100.1.0/24 interface tunnel.1 gateway 10.100.1.1 preference 3

    The first route is fine. Why have you added an NHTB (next-hop tunnel binding) route when you are configuring only one VPN on one tunnel interface?

    set route 10.100.1.0/24 interface tunnel.1 gateway 10.100.1.1 preference 3

