Wednesday, August 23, 2017

Route based IPSEC Multiple site to site VPN Configuration with two Junipers SRX340 & CISCO 2900 Routers


-----------------------------------------------------------------------------------------------------------
IPSEC Multiple site to site VPN Configuration with two Junipers & CISCO Routers:
-----------------------------------------------------------------------------------------------------------

SRX340-HQ   : Untrust IP- 1.1.1.1/30, Trust IP-10.1.1.1/24, st0.0 IP: 172.16.0.1/30
                          Untrust IP- 2.2.2.1/30,                                    st0.1 IP: 172.16.1.1/30

SRX340-West : Untrust IP- 2.2.2.2/30, Trust IP-10.3.3.1/24, st0.0 IP: 172.16.1.2/30
CISCO-East    : Untrust IP- 1.1.1.2/30, Trust IP-10.2.2.1/24, tunnel 0 IP:172.16.0.2/30

----------------------
##Juniper HQ:
----------------------
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/30
set interfaces ge-0/0/1 unit 0 family inet address 2.2.2.1/30
set interfaces ge-0/0/3 unit 0 family inet address 10.1.1.1/24
set interfaces st0 unit 0 family inet address 172.16.0.1/30
set interfaces st0 unit 0 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.1/30
set interfaces st0 unit 1 family inet mtu 1400

set security zones security-zone trust interfaces st0.0
set security zones security-zone trust interfaces st0.1
set security zones security-zone trust interfaces ge-0/0/3.0

set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0

Phase 01 for Site "A":
----------------------
## IKE proposal
set security ike proposal IKE-Proposal lifetime-seconds 28800
set security ike proposal IKE-Proposal authentication-method pre-shared-keys
set security ike proposal IKE-Proposal authentication-algorithm sha1
set security ike proposal IKE-Proposal encryption-algorithm aes-128-cbc
set security ike proposal IKE-Proposal dh-group group2

## IKE policy
set security ike policy IKE-Poly mode main
set security ike policy IKE-Poly proposals IKE-Proposal
set security ike policy IKE-Poly pre-shared-key ascii-text tawfique

##(For cisco-East)IKE gateway with peer IP address, IKE policy and outgoing interfac
set security ike gateway IKE-GW ike-policy IKE-Poly
set security ike gateway IKE-GW address 1.1.1.2
set security ike gateway IKE-GW external-interface ge-0/0/0.0

##(For SRX340-west)IKE gateway with peer IP address, IKE policy and outgoing interfac
set security ike gateway IKE-GW2 ike-policy IKE-Poly
set security ike gateway IKE-GW2 address 2.2.2.2
set security ike gateway IKE-GW2 external-interface ge-0/0/1.0


## Security zones, assign interfaces to the zones & host-inbound services for each zone
set security zones security-zone Untrust host-inbound-traffic system-services ike


Phase 02 for Site "A":
----------------------
## IPSec proposal
set security ipsec proposal IPSEC-Proposal lifetime-seconds 3600
set security ipsec proposal IPSEC-Proposal protocol esp
set security ipsec proposal IPSEC-Proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-Proposal encryption-algorithm aes-128-cbc

## IPSec Policy
set security ipsec policy IPSEC-Poly proposals IPSEC-Proposal

##(For cisco-East) IPSec VPN
set security ipsec vpn IPSEC-VPN bind-interface st0.0
set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-Poly
set security ipsec vpn IPSEC-VPN ike gateway IKE-GW
set security ipsec vpn IPSEC-VPN establish-tunnels immediately

##(For SRX340-west) IPSec VPN
set security ipsec vpn IPSEC-VPN2 bind-interface st0.1
set security ipsec vpn IPSEC-VPN2 ike ipsec-policy IPSEC-Poly
set security ipsec vpn IPSEC-VPN2 ike gateway IKE-GW2
set security ipsec vpn IPSEC-VPN2 establish-tunnels immediately


#Routing Option(For cisco-East)
set routing-options static route 10.2.2.0/24 next-hop st0.0

#Routing Option(For SRX340-west)
set routing-options static route 10.3.3.0/24 next-hop st0.1

-------------------------
####CISCO East:
-------------------------

Router(config)#interface GigabitEthernet0/0
Router(config-if)#ip add 1.1.1.2 255.255.255.252
Router(config-if)#no sh

Router(config)#interface GigabitEthernet0/1
Router(config-if)#ip add 10.2.2.1 255.255.255.0
Router(config-if)#no sh

Phase 01(IKE isakmp configuration)
----------------------------------
Router(config)#crypto isakmp policy 1
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption aes 128
Router(config-isakmp)#hash sha
Router(config-isakmp)#lifetime 28800
Router(config-isakmp)#group 2
Router(config-isakmp)#exit
Router(config)#crypto isakmp key tawfique address 1.1.1.1


Phase 02(IPsec VPN configuration)
----------------------------------
Router(config)#crypto ipsec transform-set MY-VPN esp-aes 128 esp-sha-hmac
Router(cfg-crypto-trans)# mode transport

#create IPsec profile
Router(config)#crypto ipsec profile VPNPROFILE
Router(ipsec-profile)# set transform-set MY-VPN

#create tunnel interface with IP and give IPsec protection
Router(config)#interface tunnel 0
Router(config-if)#ip add 172.16.0.2 255.255.255.252
Router(config-if)#tunnel source 1.1.1.2
Router(config-if)#tunnel destinations 1.1.1.1
Router(config-if)#tunnel mode ipsec ipv4
Router(config-if)#tunnel protection ipsec profile VPNPROFILE
Router(config-if)#ip mtu 1400

#create static route
Router(config)#ip route 10.1.1.0 255.255.255.0 tunnel 0

----------------------
##Juniper West:
----------------------

set interfaces ge-0/0/0 unit 0 family inet address 2.2.2.2/30
set interfaces ge-0/0/3 unit 0 family inet address 10.3.3.1/24
set interfaces st0 unit 0 family inet address 172.16.1.2/30
set interfaces st0 unit 0 family inet mtu 1400


set security zones security-zone trust interfaces st0.0
set security zones security-zone trust interfaces ge-0/0/3.0

set security zones security-zone untrust interfaces ge-0/0/0.0


Phase 01 for Site "A":
----------------------
## IKE proposal
set security ike proposal IKE-Proposal lifetime-seconds 28800
set security ike proposal IKE-Proposal authentication-method pre-shared-keys
set security ike proposal IKE-Proposal authentication-algorithm sha1
set security ike proposal IKE-Proposal encryption-algorithm aes-128-cbc
set security ike proposal IKE-Proposal dh-group group2

## IKE policy
set security ike policy IKE-Poly mode main
set security ike policy IKE-Poly proposals IKE-Proposal
set security ike policy IKE-Poly pre-shared-key ascii-text tawfique

##(For SRX340-HQ)IKE gateway with peer IP address, IKE policy and outgoing interfac
set security ike gateway IKE-GW ike-policy IKE-Poly
set security ike gateway IKE-GW address 2.2.2.1
set security ike gateway IKE-GW external-interface ge-0/0/0.0




## Security zones, assign interfaces to the zones & host-inbound services for each zone
set security zones security-zone Untrust host-inbound-traffic system-services ike


Phase 02 for Site "A":
----------------------
## IPSec proposal
set security ipsec proposal IPSEC-Proposal lifetime-seconds 3600
set security ipsec proposal IPSEC-Proposal protocol esp
set security ipsec proposal IPSEC-Proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-Proposal encryption-algorithm aes-128-cbc

## IPSec Policy
set security ipsec policy IPSEC-Poly proposals IPSEC-Proposal

##(For SRX340-HQ) IPSec VPN
set security ipsec vpn IPSEC-VPN bind-interface st0.0
set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-Poly
set security ipsec vpn IPSEC-VPN ike gateway IKE-GW
set security ipsec vpn IPSEC-VPN establish-tunnels immediately


#Routing Option(For SRX340-HQ)
set routing-options static route 10.1.1.0/24 next-hop st0.0


 ------------------------------------------
#Verifying the VPN for Juniper:
------------------------------------------
1) show security ike security-associations
2) show security ipsec security-associations
3) show security ipsec statistics
4) show route

------------------------------------------
#Verifying the VPN for Cisco:
------------------------------------------
1) show crypto isakmp sa
2) show crypto ipsec sa
3) show crypto ipsec statistics
4) show route
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)