
SUMMARY:

Step-by-step instructions to set up a policy-based VPN between a Juniper firewall and a Cisco PIX
Step-by-step instructions to set up a route-based VPN between a Juniper firewall and a Cisco PIX

PROBLEM OR GOAL:

How to set up a VPN between a PIX and a Juniper NetScreen firewall with a single access list
A policy-based VPN is suited to multiple access lists
How to verify the VPN connection

Juniper firewall/NetScreen configuration:
  Untrust zone eth1 IP 1.1.1.1/24
  Trust zone eth2 IP 10.1.1.1/24
  Phase 1 Proposal pre-g2-des-sha
  Phase 2 Proposal nopfs-esp-des-sha

Cisco PIX configuration:
  Outside eth1 IP 2.2.2.1/24
  Inside eth2 IP 172.16.10.1/24
  Phase 1 Proposal pre-g2-des-sha
  Phase 2 Proposal nopfs-esp-des-sha

SOLUTION:
Scenario 1 -- Juniper NetScreen Firewall using Policy-based VPN to Cisco PIX

In this scenario, the Juniper firewall is set up with a policy-based VPN, and the policy matches the access-list configured on the PIX.

Juniper Firewall Configuration

1. VPN Phase 1 Configuration

set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
2. VPN Phase 2 Configuration

set vpn "To-Cisco-VPN" gateway "To-Cisco" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
3. Policy setup

set policy id 2 from "Trust" to "Untrust" "10.1.1.0/24" "172.16.10.0/24" "ANY" tunnel vpn "To-Cisco-VPN" id 2 pair-policy 3
set policy id 3 from "Untrust" to "Trust" "172.16.10.0/24" "10.1.1.0/24" "ANY" tunnel vpn "To-Cisco-VPN" id 2 pair-policy 2

PIX Firewall Configuration

1. VPN Phase 1 Configuration

isakmp enable outside
isakmp key netscreen address 1.1.1.1 netmask 255.255.255.255 no-xauth
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

2. VPN Phase 2 Configuration

access-list 101 permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set nsset esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map nsmap 10 ipsec-isakmp
crypto map nsmap 10 match address 101
crypto map nsmap 10 set peer 1.1.1.1
crypto map nsmap 10 set transform-set nsset
crypto map nsmap interface outside

Scenario 2 -- Juniper NetScreen Firewall set up with a Route-based VPN to Cisco PIX

In this scenario, there is no change to the PIX configuration between a Juniper firewall policy-based and route-based configuration. These steps document a route-based VPN on the Juniper firewall.

Juniper Firewall Configuration

1. VPN Phase 1

set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
2. VPN Phase 2

set vpn "To-Cisco-VPN" gateway "To-Cisco" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
3. Create a tunnel interface and bind it to the VPN "To-Cisco-VPN"

set interface "tunnel.1" zone "Trust"
set interface tunnel.1 ip unnumbered interface ethernet1
set vpn "To-Cisco-VPN" bind interface tunnel.1
4. Proxy ID setup. The proxy ID has to match the access-list on the PIX. This is a limitation of a route-based VPN on a Juniper firewall when multiple access-lists are configured on the PIX; in a multiple access-list scenario, a policy-based VPN should be considered.

set vpn "To-Cisco-VPN" proxy-id local-ip 10.1.1.0/24 remote-ip 172.16.10.0/24 "ANY"
5. Set up a static route so that traffic destined for the remote inside network is sent via the tunnel interface created in step 3.

set route 172.16.10.0/24 interface tunnel.1

PIX Firewall Configuration

1. VPN Phase 1 Configuration

isakmp enable outside
isakmp key netscreen address 1.1.1.1 netmask 255.255.255.255 no-xauth
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

2. VPN Phase 2 Configuration

access-list 101 permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set nsset esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map nsmap 10 ipsec-isakmp
crypto map nsmap 10 match address 101
crypto map nsmap 10 set peer 1.1.1.1
crypto map nsmap 10 set transform-set nsset
crypto map nsmap interface outside
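Step 4 of the route-based scenario (and the pair of policies in scenario 1) hinges on one thing: the NetScreen proxy-id, the phase 1 proposal and the phase 2 proposal must be the mirror image of what the PIX crypto ACL, isakmp policy and transform-set say, or phase 2 never comes up. The following script is an added example, not part of the KB and not Juniper or Cisco code; it parses the relevant ScreenOS `set` lines and PIX lines from the article (embedded here as constructed sample input) and reports every mismatch it finds. The proposal-name layout it assumes (`<auth>-g<group>-<enc>-<hash>` for phase 1, `<pfs>-esp-<enc>-<hash>` for phase 2) is the ScreenOS predefined naming used on this page; the function names are the author's own.

```python
import ipaddress
import re

# Constructed sample input: the ScreenOS lines from the KB's route-based scenario.
NETSCREEN_CONFIG = """
set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
set vpn "To-Cisco-VPN" gateway "To-Cisco" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
set vpn "To-Cisco-VPN" proxy-id local-ip 10.1.1.0/24 remote-ip 172.16.10.0/24 "ANY"
"""

# Constructed sample input: the PIX lines from the KB that the NetScreen side must mirror.
PIX_CONFIG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
access-list 101 permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set nsset esp-des esp-sha-hmac
crypto map nsmap 10 match address 101
crypto map nsmap 10 set transform-set nsset
"""


def parse_screenos(text):
    """Extract phase 1 proposal, phase 2 proposal and proxy-id from ScreenOS 'set' lines."""
    cfg = {"p1": {}, "p2": {}}
    m = re.search(r'set ike gateway .* proposal "([^"]+)"', text)
    if m:
        # ScreenOS phase 1 proposal names read <auth>-g<group>-<enc>-<hash>, e.g. pre-g2-des-sha
        auth, group, enc, hsh = m.group(1).split("-")
        cfg["p1"] = {"auth": "pre-share" if auth == "pre" else auth,
                     "group": group[1:], "enc": enc, "hash": hsh}
    m = re.search(r'set vpn .* proposal "([^"]+)"', text)
    if m:
        # Phase 2 proposal names read <pfs>-esp-<enc>-<hash>, e.g. nopfs-esp-des-sha
        pfs, _, enc, hsh = m.group(1).split("-")
        cfg["p2"] = {"pfs": pfs != "nopfs", "enc": enc, "hash": hsh}
    m = re.search(r"proxy-id local-ip (\S+) remote-ip (\S+)", text)
    if m:
        cfg["local"] = ipaddress.ip_network(m.group(1))
        cfg["remote"] = ipaddress.ip_network(m.group(2))
    return cfg


def parse_pix(text):
    """Extract the isakmp policy, transform-set, PFS setting and crypto ACL from PIX lines."""
    cfg = {"p1": {}, "p2": {}}
    for keyword, attr in (("authentication", "auth"), ("encryption", "enc"),
                          ("hash", "hash"), ("group", "group")):
        m = re.search(rf"isakmp policy \d+ {keyword} (\S+)", text)
        if m:
            cfg["p1"][attr] = m.group(1)
    m = re.search(r"crypto ipsec transform-set \S+ esp-(\S+) esp-(\S+)-hmac", text)
    if m:
        # PFS on the PIX is a separate 'set pfs' crypto map line; its absence means no PFS
        cfg["p2"] = {"pfs": bool(re.search(r"crypto map \S+ \d+ set pfs", text)),
                     "enc": m.group(1), "hash": m.group(2)}
    acl = re.search(r"crypto map \S+ \d+ match address (\S+)", text)
    if acl:
        m = re.search(rf"access-list {acl.group(1)} permit ip (\S+) (\S+) (\S+) (\S+)", text)
        if m:
            # ipaddress accepts dotted netmasks, so 172.16.10.0/255.255.255.0 parses directly
            cfg["local"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            cfg["remote"] = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")
    return cfg


def check_vpn_consistency(ns_text, pix_text):
    """Return a list of mismatches between the two ends; empty means they should negotiate."""
    ns, pix = parse_screenos(ns_text), parse_pix(pix_text)
    problems = []
    for k in ("auth", "group", "enc", "hash"):
        if ns["p1"].get(k) != pix["p1"].get(k):
            problems.append(f"phase 1 {k}: netscreen={ns['p1'].get(k)} pix={pix['p1'].get(k)}")
    for k in ("pfs", "enc", "hash"):
        if ns["p2"].get(k) != pix["p2"].get(k):
            problems.append(f"phase 2 {k}: netscreen={ns['p2'].get(k)} pix={pix['p2'].get(k)}")
    # The proxy-id must be the mirror image of the PIX crypto ACL:
    # NetScreen local-ip == PIX destination and NetScreen remote-ip == PIX source.
    if ns.get("local") != pix.get("remote") or ns.get("remote") != pix.get("local"):
        problems.append(f"proxy-id/ACL mismatch: netscreen {ns.get('local')}->{ns.get('remote')} "
                        f"vs pix {pix.get('local')}->{pix.get('remote')}")
    return problems


if __name__ == "__main__":
    for line in check_vpn_consistency(NETSCREEN_CONFIG, PIX_CONFIG) or ["both ends agree"]:
        print(line)
```

The checker only verifies that the two ends agree, not that the agreed algorithms are strong: the single-DES, SHA-1, group 2 proposals in this KB reflect what the PIX of that era supported, and single DES is not considered secure today, so expect a proposal name such as an AES-based one on current deployments and extend the same comparison to it.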

Useful commands to verify the VPN connection on the Juniper firewall:

ns-> ping 172.16.10.2 from eth2
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 1 seconds from ethernet2
.!!!!
Success Rate is 80 percent (4/5), round-trip time min/avg/max=3/7/20 ms

ns-> get ike cookie
Active: 1, Dead: 0, Total 1
80182f/0003, 1.1.1.1:500->2.2.2.1:500, PRESHR/grp2/DES/SHA, xchg(5) (ToCisco/grp-1/usr-1)
resent-tmr 14306744 lifetime 28800 lt-recv 28800 nxt_rekey 19542 cert-expire 0
initiator, err cnt 0, send dir 0, cond 0x10
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0

ns-> get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000002< 2.2.2.1         500  esp: des/sha1 fdc08459  3589 403M A/-     3 0
00000002> 2.2.2.1         500  esp: des/sha1 82752ea1  3589 403M A/-     2 0

Useful commands to verify the VPN connection on the PIX firewall:

pixfirewall# show crypto ipsec sa
interface: outside
    Crypto map tag: nsmap, local addr. 2.2.2.1

   local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 37, #pkts encrypt: 37, #pkts digest 37
    #pkts decaps: 37, #pkts decrypt: 37, #pkts verify 37
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0

     local crypto endpt.: 2.2.2.1, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 0
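The two verification outputs above answer different questions: `get sa` on the NetScreen shows whether an inbound and an outbound SA are both active and which policy (PID) each belongs to, while `show crypto ipsec sa` on the PIX shows whether packets are actually being encapsulated and decapsulated and whether errors are accumulating. The script below is an added example, not part of the KB and not vendor code; it parses both outputs (embedded as constructed samples copied from the article) and turns them into a short list of findings a practitioner would look at first. The column layout it expects for `get sa` is the one printed on this page; the function names are the author's own.

```python
import re

# Constructed sample: the 'get sa' table from the KB, laid out as the NetScreen prints it.
GET_SA = """total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000002< 2.2.2.1         500  esp: des/sha1 fdc08459  3589 403M A/-     3 0
00000002> 2.2.2.1         500  esp: des/sha1 82752ea1  3589 403M A/-     2 0
"""

# Constructed sample: the counter lines from 'show crypto ipsec sa' on the PIX.
SHOW_IPSEC_SA = """current_peer: 1.1.1.1:500
  PERMIT, flags={origin_is_acl,}
  #pkts encaps: 37, #pkts encrypt: 37, #pkts digest 37
  #pkts decaps: 37, #pkts decrypt: 37, #pkts verify 37
  #send errors 12, #recv errors 0
"""

# One 'get sa' row: hex id plus direction marker (< inbound, > outbound), gateway, port,
# "esp: enc/auth", SPI, remaining lifetime in seconds and kilobytes, status (A/- = active),
# the policy id the SA serves, and the vsys.
SA_ROW = re.compile(
    r"^(?P<hexid>[0-9a-f]{8})(?P<dir>[<>])\s+(?P<gw>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<proto>\w+):\s+(?P<enc>\w+)/(?P<auth>\w+)\s+(?P<spi>[0-9a-f]{8})\s+"
    r"(?P<life_sec>\d+)\s+(?P<kb>\S+)\s+(?P<sta>\S+)\s+(?P<pid>\d+)\s+(?P<vsys>\d+)",
    re.MULTILINE,
)


def parse_get_sa(text):
    """Turn the 'get sa' table into a list of dicts, one per SA direction."""
    rows = []
    for m in SA_ROW.finditer(text):
        row = m.groupdict()
        row["direction"] = "inbound" if row.pop("dir") == "<" else "outbound"
        row["life_sec"] = int(row["life_sec"])
        row["pid"] = int(row["pid"])
        rows.append(row)
    return rows


def parse_pix_counters(text):
    """Pull the encap/decap and error counters out of 'show crypto ipsec sa'."""
    counters = {}
    pattern = r"#(pkts encaps|pkts decaps|send errors|recv errors):?\s+(\d+)"
    for name, value in re.findall(pattern, text):
        counters[name.replace(" ", "_")] = int(value)
    return counters


def tunnel_findings(get_sa_text, pix_sa_text, peer):
    """Cross-check both views of the tunnel; an empty list means nothing stands out."""
    findings = []
    rows = [r for r in parse_get_sa(get_sa_text) if r["gw"] == peer]
    active = {r["direction"] for r in rows if r["sta"].startswith("A")}
    # A healthy tunnel has one active SA in each direction to the peer.
    for direction in ("inbound", "outbound"):
        if direction not in active:
            findings.append(f"no active {direction} SA to {peer}")
    if any(r["enc"] == "des" for r in rows):
        findings.append("SA negotiated single DES, which is no longer considered secure")
    c = parse_pix_counters(pix_sa_text)
    # Encapsulating without ever decapsulating means the return path is broken,
    # typically a proxy-id/ACL or routing problem on the far side.
    if c.get("pkts_encaps", 0) and not c.get("pkts_decaps", 0):
        findings.append("PIX encrypts traffic but decrypts none: check the remote proxy-id/route")
    if c.get("send_errors", 0):
        findings.append(f"PIX reports {c['send_errors']} send errors")
    return findings


if __name__ == "__main__":
    for finding in tunnel_findings(GET_SA, SHOW_IPSEC_SA, "2.2.2.1") or ["tunnel looks healthy"]:
        print(finding)
```

Run against the article's own output the script confirms both SA directions are active, ties the inbound SA to policy 3 and the outbound SA to policy 2 (the Untrust-to-Trust and Trust-to-Untrust policies from scenario 1), and flags the 12 send errors the PIX reports so they can be correlated with the 80 percent ping success rate rather than ignored.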
