Channel: Juniper ScreenOS – Blog Webernetz.net

IPsec Site-to-Site VPN Juniper ScreenOS Cisco ASA

This post describes the steps to configure a Site-to-Site VPN between a Juniper ScreenOS firewall and the Cisco ASA firewall. With the correct IKE and IPsec parameters as well as the correct Proxy IDs on both sides, the VPN establishment works without any problems. And since the Juniper firewall can ping an IPv4 address on the remote side through the tunnel (VPN Monitor), the VPN tunnel is established by the firewalls themselves without the need for initial traffic.

Laboratory

The following figure shows my test laboratory:

[Figure: S2S VPN Juniper ScreenOS - Cisco ASA Laboratory]

The Juniper SSG 5 firewall had version 6.3.0r16.0 installed, while the Cisco ASA 5505 ran on version 9.1(4).

Note that I am not showing the creation of the IKE and IPsec parameter sets since their reference names are self-explanatory, such as “pre-g5-aes256-sha1” and “g5-esp-aes256-sha1-3600”.

Concerning the automatic tunnel establishment: The Juniper VPN Monitor, which pings the inside interface of the ASA, only works if the “Management Access Interface” on the ASA is set to this specific inside network. Otherwise, the ASA will not reply to these ping requests and will generate log messages such as “Failed to locate egress interface for ICMP from outside: …”. Really bad! Especially if you have more than one inside network.

Juniper ScreenOS SSG

The creation of the VPN on the ScreenOS device requires the following steps: tunnel interface, gateway, AutoKey IKE with Proxy IDs, and static IPv4 route through the tunnel. The following screenshots document these steps:

New unnumbered tunnel interface within a security zone. The "Interface" from the drop-down menu list should be the local tunneled network interface.
IKEv1 gateway with the peer IPv4 address.
Gateway advanced options with the PSK and the custom phase 1 profile.
The AutoKey IKE uses the already configured gateway.
On the advanced tab, the customized phase 2 proposals are chosen, the configured tunnel interface is specified, the checkbox "Proxy-ID Check" is enabled and the VPN Monitor for pinging the remote side is set up.
Under AutoKey IKE -> Proxy ID, the local and the remote network must be specified. It is a best practice to set the service to "Any".
Finally, the remote network is routed through the tunnel interface. Note that the gateway IP address is left at 0.0.0.0.

Cisco ASA

On the Cisco ASA, a Group Policy and a Connection Profile must be created. On the following screenshots, I am also showing the created Crypto Map:

Group Policy with IKEv1.
Connection Profile with a static peer IPv4 address, the protected networks (= Proxy IDs), Group Policy, PSK, and phase 1 & 2 settings.
Under the Crypto Map Entry, a PFS policy of Diffie-Hellman Group 5 must be specified.
Just for reference: The Crypto Map.
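The CLI equivalent of the screenshots in the Juniper and the Cisco sections, as an added example that is not part of the original post. The ASA peer address 172.16.1.3 and the proposal names are taken from the post; the SSG outside address 172.16.1.2, the inside networks 192.168.1.0/24 (SSG side) and 192.168.2.0/24 (ASA side, inside interface 192.168.2.1), the interface names and the object names are assumptions, and the PSK is a placeholder. Lines starting with "#" are annotations, not device syntax.

```text
# ---- Juniper ScreenOS SSG (assumed: outside ethernet0/0 = 172.16.1.2,
# ---- inside ethernet0/1 = 192.168.1.0/24; ASA peer 172.16.1.3 is from the post)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set ike gateway "gw-asa" address 172.16.1.3 Main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-PSK" proposal "pre-g5-aes256-sha1"
set vpn "vpn-asa" gateway "gw-asa" no-replay tunnel idletime 0 proposal "g5-esp-aes256-sha1-3600"
set vpn "vpn-asa" bind interface tunnel.1
# Proxy-ID check on; the Proxy IDs (service ANY) must be the mirror image of the ASA crypto ACL
set vpn "vpn-asa" proxy-id check
set vpn "vpn-asa" proxy-id local-ip 192.168.1.0/24 remote-ip 192.168.2.0/24 "ANY"
# VPN Monitor: ping the ASA inside interface through the tunnel so the tunnel comes up by itself
set vpn "vpn-asa" monitor source-interface ethernet0/1 destination-ip 192.168.2.1 rekey
# Route the remote network via the tunnel interface; the gateway stays 0.0.0.0
set route 192.168.2.0/24 interface tunnel.1

# ---- Cisco ASA (assumed: outside = 172.16.1.3, inside = 192.168.2.1/24)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
# Crypto ACL = the ASA's Proxy IDs: local network first, remote network second
access-list VPN-SSG extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-SSG
crypto map OUTSIDE-MAP 10 set peer 172.16.1.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
# PFS group 5 and the 3600 s lifetime must match the ScreenOS phase 2 proposal
crypto map OUTSIDE-MAP 10 set pfs group5
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP interface outside
group-policy GP-SSG internal
group-policy GP-SSG attributes
 vpn-tunnel-protocol ikev1
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 general-attributes
 default-group-policy GP-SSG
tunnel-group 172.16.1.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-PSK
# Without this the ASA does not answer the VPN Monitor pings on its inside interface (see the note above)
management-access inside
```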

Monitoring the VPN Sessions

Due to the VPN Monitor on the Juniper firewall, the tunnel should be established right after all configuration settings are done. The Juniper monitor status will indicate an “Up” link and the logs filtered to the peer IPv4 address will show several success messages:

[Figure: S2S SSG-ASA - SSG 07 VPN Monitor Status]
[Figure: S2S SSG-ASA - SSG 08 Events searched 172.16.1.3]

The same is true for the Cisco ASA, which will reveal the successful VPN tunnel with the chosen security parameters:

[Figure: S2S SSG-ASA - ASA 07 VPN Session Details]
