#1 - 11-17-2012, 09:18 PM
Diamond Member | Join Date: Mar 2001 | Posts: 4,484
Anyone ever create a VPN between Juniper and Cisco?
Just looking to ping you guys to see what you think.
We're in the process of having our old Cisco 6509 replaced, which was doing everything... routing, switching, encryption, vpn, etc. On the recommendation of the vendor we chose, we're moving forward with Juniper 550's for our main VPN at the core of our 'hub and spoke' network.
We're on a MetroE connection and our HQ branches out to sites that have a Cisco 2821 router on the other side. Before, the 6509 and the 2821's would create an encrypted connection, but now we have to do that with these Junipers.
They did come with installation, but the vendor is having a ton of issues trying to replicate our setup and get the connection to stay up and be stable. The latest thing is the most encrypted bandwidth they can get out of the boxes is 135Mb/s when it's rated at 1Gb/s at 3DES.
Thoughts?

#2 - 11-17-2012, 11:29 PM
Diamond Member | Join Date: Feb 2006 | Posts: 5,538
If you're using an SSG550, I'm not sure. If you're using an SRX550, then I know that you can do IPSec (or GRE) to a Cisco IOS router. I've done it several times and it works well.
Before you might have been using DMVPN, which you can't use now, as it's Cisco proprietary. You might be stuck with static tunnels between each site.
I'm not sure I would have recommended multivendor in an environment like that. I probably would have recommended a Cisco 3900 router or something, depending on how many sites you have.
__________________
"All men are not created equal, and if you believe they are, there's something seriously wrong with you. Some men are destined for greatness. Most aren't. End of story." - Jose Canseco
Last edited by drebo; 11-17-2012 at 11:34 PM.

#3 - 11-18-2012, 10:55 AM
Diamond Member | Join Date: Mar 2001 | Posts: 4,484
They're SRX550 firewalls. Cisco did bid on the project and recommended two Cisco ASR devices but we ended up not going with Cisco.
I'm not familiar with exactly how we are currently doing it. I know the 6509 has the VPN module in it and I have to create a high and low VLAN and I then put a /30 IP on one of them. They are connected with some crypto map commands. It's similar on the other end where the 2821 routers are. They have crypto map commands and that's where the 3DES info is too. I haven't noticed a username and password setup like when I think of a typical site VPN setup.
We are looking at encrypting all traffic. Three main sites are at 1Gb and the other 15 or so are 20 Mb. HQ is 1Gb so we would never need more than that on the firewall unless we increased our MetroE connection.

#4 - 11-18-2012, 11:11 AM
Diamond Member | Join Date: Feb 2006 | Posts: 5,538
Any chance you could paste some of your old configs (with PSKs, certs, usernames, and IPs obfuscated) so that we can see how you were working? The important bits are all the crypto commands (except certs) and any Tunnel interface settings you have.
Do you need mesh connectivity between sites or just hub-and-spoke?

#5 - 11-18-2012, 11:55 AM
Diamond Member | Join Date: Mar 2001 | Posts: 4,484
Definitely can do it tomorrow. Right now we use EIGRP for our three main sites and those will be converted to OSPF. For DR purposes, having them connect to the backup site automatically would be beneficial.

#6 - 11-18-2012, 12:12 PM
Diamond Member | Join Date: Feb 2006 | Posts: 5,538
So dual-hub-and-spoke. Not a problem to do that with static tunnels.
I'd recommend using BGP for the actual route distribution, with OSPF maintaining connectivity between loopbacks. It's a lot more straightforward as far as influencing paths and such. And since you're migrating to a new protocol already, you might as well do it right (or, rather, expandable).
Try not to obfuscate private IPs, if possible.

#7 - 11-18-2012, 07:14 PM
Diamond Member | Join Date: Mar 2001 | Posts: 4,484
Was able to get our configs. From what I can tell, these are all the parts that make the encryption work in our setup. Let me know if there is something I missed.
6509 Code:
crypto isakmp policy 100
 hash md5
 authentication pre-share
 group 2
crypto isakmp key SITENAME address 192.168.1.14
crypto ipsec transform-set SITENAME esp-3des esp-md5-hmac
crypto map SITENAME 100 ipsec-isakmp
 set peer 192.168.1.14
 set transform-set SITENAME
 match address 112
vlan 61
 name LOW_VLAN_SITE1
vlan 112
 name HIGH_VLAN_SITE2
interface Vlan61
 no ip address
 ip nat inside
 crypto connect vlan 112
interface Vlan112
 ip address 192.168.1.13 255.255.255.252
 ip nat inside
 no mop enabled
 crypto map SITENAME
 crypto engine slot 6
2821 Example:
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key SITENAME address 192.168.1.13
crypto ipsec transform-set SITENAME esp-3des esp-md5-hmac
crypto map SITENAME 112 ipsec-isakmp
 set peer 192.168.1.13
 set transform-set SITENAME
 match address 112
interface GigabitEthernet0/1.61
 encapsulation dot1Q 61
 ip address 192.168.1.14 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 crypto map SITENAME

#8 - 11-19-2012, 12:09 AM
Diamond Member | Join Date: Feb 2006 | Posts: 5,538
In your example, would you mind outputting the ACL 112 on each router?

#9 - 11-19-2012, 04:11 AM
Diamond Member | Join Date: Mar 2001 | Posts: 4,484
I forgot to mention that I believe we are currently only encrypting traffic to one location. A subnet that the state uses. In order to be more secure and also since we don't provide our own MetroE the thought was to make the entire link encrypted. Hence the higher encryption requirements (1Gb/s).
Access List 112:
access-list 112 permit ip STATEIP 0.0.255.255 SITEIP 0.0.0.255
For every site setup/configuration there is one access list number that is a one-liner and associated with the site's individual crypto map.
Last edited by cpals; 11-19-2012 at 07:11 AM.
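As an added example (not code from the thread or from either vendor), the following Python script reads the kind of IOS snippets posted above and reports what the two peers can actually agree on: it fills in the IOS defaults for any ISAKMP parameter a policy leaves unset, checks that the transform sets overlap and that the two crypto ACLs mirror each other (the proxy identities), and flags legacy algorithm choices. The sample configs are the 6509 and 2821 snippets from post #7, trimmed to the negotiated parameters and with constructed subnets in place of STATEIP/SITEIP; `parse_ios`, `audit` and the `("SITENAME", "100")` crypto-map keys are the script's own names. One thing it surfaces: the posted 6509 policy has no `encr` line, and IOS defaults that to DES, so if the listing is complete the phase-1 proposals would not match the 2821's `encr 3des`. Whichever tuples survive the check are exactly what the SRX's IKE and IPsec proposals have to reproduce.

```python
"""Cross-check two Cisco IOS IPsec configs before re-creating the tunnel on another vendor.
Added example, not code from the thread: it reads un-indented snippets like those posted above,
fills in the IOS defaults for anything a 'crypto isakmp policy' leaves unset, derives proxy IDs
from the crypto ACLs and reports phase-1/phase-2 mismatches plus weak algorithm choices."""
import re
from ipaddress import IPv4Address, IPv4Network

# IOS applies these when a 'crypto isakmp policy' leaves the parameter unset.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
WEAK = {("encr", "des"): "single DES is broken",
        ("encr", "3des"): "3DES is legacy (64-bit block) and slow on most crypto engines",
        ("hash", "md5"): "HMAC-MD5 is deprecated for IKE/IPsec integrity",
        ("group", "2"): "1024-bit Diffie-Hellman is below current guidance"}

def _wildcard_net(addr, wildcard):
    """IOS 'address wildcard' pair -> IPv4Network (contiguous wildcards only)."""
    return IPv4Network((addr, 32 - bin(int(IPv4Address(wildcard))).count("1")), strict=False)

def parse_ios(text):
    """Collect ISAKMP policies, transform sets, crypto-map entries and crypto ACLs. Indentation
    is ignored: a line counts as a subcommand of the last block-opening command seen."""
    cfg = {"isakmp": {}, "transform": {}, "cmap": {}, "acl": {}}
    ctx = None  # dict of the block whose subcommands follow
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"crypto isakmp policy (\d+)", line):
            ctx = cfg["isakmp"][m[1]] = dict(ISAKMP_DEFAULTS)
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["transform"][m[1]] = tuple(m[2].split())
        elif m := re.fullmatch(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            ctx = cfg["cmap"][(m[1], m[2])] = {"peer": None, "sets": [], "acl": None}
        elif m := re.fullmatch(r"access-list (\d+) permit (\S+) (\S+) (\S+) (\S+) (\S+)", line):
            cfg["acl"].setdefault(m[1], []).append((m[2], _wildcard_net(m[3], m[4]), _wildcard_net(m[5], m[6])))
        elif ctx is not None and "peer" in ctx:  # inside a crypto-map entry
            if m := re.fullmatch(r"(set peer|set transform-set|match address) (.+)", line):
                field = {"set peer": "peer", "set transform-set": "sets", "match address": "acl"}[m[1]]
                ctx[field] = m[2].split() if field == "sets" else m[2]
        elif ctx is not None:  # inside an ISAKMP policy; interface and VLAN lines fall through harmlessly
            key, _, value = line.partition(" ")
            if key in ISAKMP_DEFAULTS:
                ctx[key] = value
    return cfg

def phase1(cfg):
    """(encryption, hash, authentication, DH group) tuples this side is willing to negotiate."""
    return {(p["encr"], p["hash"], p["authentication"], p["group"]) for p in cfg["isakmp"].values()}

def audit(local_text, local_key, remote_text, remote_key):
    """Findings for one crypto-map entry per side that are meant to peer with each other."""
    local, remote = parse_ios(local_text), parse_ios(remote_text)
    lent, rent = local["cmap"][local_key], remote["cmap"][remote_key]
    out = []
    if not phase1(local) & phase1(remote):
        out.append(f"MISMATCH phase 1: no common ISAKMP policy {sorted(phase1(local))} vs {sorted(phase1(remote))}")
    lsets = {local["transform"][s] for s in lent["sets"]}
    rsets = {remote["transform"][s] for s in rent["sets"]}
    if not lsets & rsets:
        out.append(f"MISMATCH phase 2: no common transform set {sorted(lsets)} vs {sorted(rsets)}")
    mirrored = {(proto, dst, src) for proto, src, dst in remote["acl"].get(rent["acl"], [])}
    if set(local["acl"].get(lent["acl"], [])) != mirrored:
        out.append("MISMATCH proxy identities: the crypto ACLs are not mirror images")
    # Weak-algorithm audit over both sides' ISAKMP policies and the transform sets that can be negotiated.
    used = [(f, p[f]) for c in (local, remote) for p in c["isakmp"].values() for f in ("encr", "hash", "group")]
    used += [(f, a.replace("esp-", "").replace("-hmac", "")) for ts in lsets & rsets for a in ts for f in ("encr", "hash")]
    out += sorted({f"WEAK {f} {v}: {WEAK[f, v]}" for f, v in used if (f, v) in WEAK})
    return out

# Constructed samples: the thread's 6509 and 2821 snippets, trimmed to the negotiated parameters,
# with made-up subnets in place of STATEIP/SITEIP. Note the hub policy has no 'encr' line.
HUB_6509 = """\
crypto isakmp policy 100
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set SITENAME esp-3des esp-md5-hmac
crypto map SITENAME 100 ipsec-isakmp
 set peer 192.168.1.14
 set transform-set SITENAME
 match address 112
access-list 112 permit ip 10.50.0.0 0.0.255.255 10.61.0.0 0.0.0.255
"""
SPOKE_2821 = """\
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set SITENAME esp-3des esp-md5-hmac
crypto map SITENAME 112 ipsec-isakmp
 set peer 192.168.1.13
 set transform-set SITENAME
 match address 112
access-list 112 permit ip 10.61.0.0 0.0.0.255 10.50.0.0 0.0.255.255
"""

if __name__ == "__main__":
    for finding in audit(HUB_6509, ("SITENAME", "100"), SPOKE_2821, ("SITENAME", "112")):
        print(finding)
```

Run as a script it prints the findings for the as-posted pair: one phase-1 mismatch (DES vs 3DES) plus the weak-algorithm notes. Adding `encr 3des` to the hub policy clears the mismatch and leaves only the algorithm notes, which are also the parameters to revisit when the 3DES throughput question comes up.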

#10 - 11-19-2012, 11:00 AM
Diamond Member | Join Date: Feb 2006 | Posts: 5,538
So from every site (all ~18) to only one other site, you need to encrypt the traffic?
Or does ALL site-to-site traffic need to be encrypted?

#11 - 11-19-2012, 11:17 AM
Diamond Member | Join Date: Feb 2006 | Posts: 5,538
Regarding the VPNs in general, from the SRX to a Cisco IOS router, you'll need to use policy-based IPSec. It's a little wonky, but it makes sense: http://www.juniper.net/us/en/local/p...3500175-en.pdf
Here's a slightly more straight-forward example: http://forums.juniper.net/jnet/attac...5/1/policy.txt
My recommendation would be to encrypt traffic between /32 loopbacks on each router and then use a GRE tunnel, but you don't necessarily have to. Using the above configs would replicate what you have almost identically.

#12 - 11-19-2012, 12:09 PM
Diamond Member | Join Date: Mar 2001 | Posts: 4,484
Quote:
Originally Posted by drebo
So from every site (all ~18) to only one other site, you need to encrypt the traffic?
Or does ALL site-to-site traffic need to be encrypted?
We want all traffic going over the MetroE encrypted. 99% of the time, outside sites will only be talking to servers/equipment at headquarters and almost never to each other.
I think I found what we're doing since almost every command matches up ( http://www.cisco.com/en/US/tech/tk58...80194650.shtml ). Can this easily be converted to a Cisco-Juniper setup or is it truly a Cisco-Cisco setup? Hoping not to have to touch each site physically.

#13 - 11-19-2012, 12:42 PM
Diamond Member | Join Date: Feb 2006 | Posts: 5,538
Look at the PDF I linked above...that's how you accomplish the matching config on Junos. It's called transport mode IPSec, as opposed to tunnel mode IPSec.
For ease of use, though, like I said, I'd encapsulate a GRE tunnel over the IPSec. Makes for simpler/easier routing.