AnandTech Forums > Hardware and Technology > Networking
11-17-2012, 09:18 PM   #1
cpals (Diamond Member; Join Date: Mar 2001; Posts: 4,494)

Anyone ever create a VPN between Juniper and Cisco?

Just looking to ping you guys to see what you think.

We're in the process of having our old Cisco 6509 replaced, which was doing everything... routing, switching, encryption, vpn, etc. On the recommendation of the vendor we chose, we're moving forward with Juniper 550's for our main VPN at the core of our 'hub and spoke' network.

We're on a MetroE connection and our HQ branches out to sites that have a Cisco 2821 router on the other side. Before, the 6509 and the 2821's would create an encrypted connection, but now we have to do that with these Junipers.

They did come with installation, but the vendor is having a ton of issues trying to replicate our setup and get the connection to stay up and be stable. The latest thing is the most encrypted bandwidth they can get out of the boxes is 135Mb/s when it's rated at 1Gb/s at 3DES.

Thoughts?
11-17-2012, 11:29 PM   #2
drebo (Diamond Member; Join Date: Feb 2006; Posts: 6,500)

If you're using an SSG550, I'm not sure. If you're using an SRX550, then I know that you can do IPSec (or GRE) to a Cisco IOS router. I've done it several times and it works well.

Before you might have been using DMVPN, which you can't use now, as it's Cisco proprietary. You might be stuck with static tunnels between each site.

I'm not sure I would have recommended multivendor in an environment like that. I probably would have recommended a Cisco 3900 router or something, depending on how many sites you have.
__________________
"All men are not created equal, and if you believe they are, there's something seriously wrong with you. Some men are destined for greatness. Most aren't. End of story." - Jose Canseco

Last edited by drebo; 11-17-2012 at 11:34 PM.
11-18-2012, 10:55 AM   #3
cpals (Diamond Member; Join Date: Mar 2001; Posts: 4,494)

They're SRX550 firewalls. Cisco did bid on the project and recommended two Cisco ASR devices but we ended up not going with Cisco.

I'm not familiar with exactly how we are currently doing it. I know the 6509 has the VPN module in it and I have to create a high and low vlan and I then put a /30 ip on one of them. They are connected with some crypto map commands. The same is similar on the other end where the 2821 routers are. They have crypto map commands and that's where the 3Des info is too. I haven't noticed a username and password setup like when I think of a typical site VPN setup.


We are looking at encrypting all traffic. Three main sites are at 1Gb and the other 15 or so are 20 Mb. HQ is 1Gb so we would never need more than that on the firewall unless we increased our MetroE connection.
11-18-2012, 11:11 AM   #4
drebo (Diamond Member; Join Date: Feb 2006; Posts: 6,500)

Any chance you could paste some of your old configs (with PSKs, certs, usernames, and IPs obfuscated) so that we can see how you were working? The important bits are all the crypto commands (except certs) and any Tunnel interface settings you have.

Do you need mesh connectivity between sites or just hub-and-spoke?
11-18-2012, 11:55 AM   #5
cpals (Diamond Member; Join Date: Mar 2001; Posts: 4,494)

Definitely can do it tomorrow. Right now we use eigrp for our three main sites and those will be converted to ospf. For DR purposes, having them connect to the backup site automatically would be beneficial.
11-18-2012, 12:12 PM   #6
drebo (Diamond Member; Join Date: Feb 2006; Posts: 6,500)

So dual-hub-and-spoke. Not a problem to do that with static tunnels.

I'd recommend using BGP for the actual route distribution, with OSPF maintaining connectivity between loopbacks. It's a lot more straightforward as far as influencing paths and such. And since you're migrating to a new protocol already, might as well do it right (or, rather, expandable).

Try not to obfuscate private IPs, if possible.
11-18-2012, 07:14 PM   #7
cpals (Diamond Member; Join Date: Mar 2001; Posts: 4,494)

Was able to get our configs. From what I can tell, these are all the parts that make the encryption work in our setup. Let me know if there is something I missed.

6509:
Code:
! IKE phase 1 policy (there is no 'encr' line; an IOS ISAKMP policy
! without one defaults to DES)
crypto isakmp policy 100
 hash md5
 authentication pre-share
 group 2
!
! pre-shared key for the spoke peer (192.168.1.14 is the 2821's side of the /30)
crypto isakmp key SITENAME address 192.168.1.14
!
! IKE phase 2: ESP with 3DES encryption and HMAC-MD5 integrity
crypto ipsec transform-set SITENAME esp-3des esp-md5-hmac
!
! crypto map entry: peer, transform set and the "interesting traffic" ACL 112
crypto map SITENAME 100 ipsec-isakmp
 set peer 192.168.1.14
 set transform-set SITENAME
 match address 112
!
! VPN module VLAN pair: the inside (cleartext) VLAN 61 is handed to the
! crypto engine with "crypto connect vlan"; the port VLAN 112 carries the
! /30 toward the spoke and is where the crypto map is applied
vlan 61
 name LOW_VLAN_SITE1
!
vlan 112
 name HIGH_VLAN_SITE2
!
interface Vlan61
 no ip address
 ip nat inside
 crypto connect vlan 112
!
interface Vlan112
 ip address 192.168.1.13 255.255.255.252
 ip nat inside
 no mop enabled
 crypto map SITENAME
 crypto engine slot 6
2821 Example:
Code:
! IKE phase 1 policy; mirrors the 6509 side but states 3DES explicitly
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! pre-shared key for the hub peer (192.168.1.13 is the 6509's side of the /30)
crypto isakmp key SITENAME address 192.168.1.13
!
crypto ipsec transform-set SITENAME esp-3des esp-md5-hmac
!
crypto map SITENAME 112 ipsec-isakmp
 set peer 192.168.1.13
 set transform-set SITENAME
 match address 112
!
! dot1Q sub-interface on VLAN 61 facing the hub; the crypto map is applied here
interface GigabitEthernet0/1.61
 encapsulation dot1Q 61
 ip address 192.168.1.14 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 crypto map SITENAME
11-19-2012, 12:09 AM   #8
drebo (Diamond Member; Join Date: Feb 2006; Posts: 6,500)

In your example, would you mind outputting the ACL 112 on each router?
11-19-2012, 04:11 AM   #9
cpals (Diamond Member; Join Date: Mar 2001; Posts: 4,494)

I forgot to mention that I believe we are currently only encrypting traffic to one location. A subnet that the state uses. In order to be more secure and also since we don't provide our own MetroE the thought was to make the entire link encrypted. Hence the higher encryption requirements (1Gb/s).

Access List 112:

access-list 112 permit ip STATEIP 0.0.255.255 SITEIP 0.0.0.255

For every site setup/configuration there is one access list number that is a one liner and associated to the site's individual crypto maps.

Last edited by cpals; 11-19-2012 at 07:11 AM.
11-19-2012, 11:00 AM   #10
drebo (Diamond Member; Join Date: Feb 2006; Posts: 6,500)

So from every site (all ~18) to only one other site, you need to encrypt the traffic?

Or does ALL site-to-site traffic need to be encrypted?
11-19-2012, 11:17 AM   #11
drebo (Diamond Member; Join Date: Feb 2006; Posts: 6,500)

Regarding the VPNs in general, from the SRX to a Cisco IOS router, you'll need to use policy-based IPSec. It's a little wonky, but it makes sense: http://www.juniper.net/us/en/local/p...3500175-en.pdf

Here's a slightly more straight-forward example: http://forums.juniper.net/jnet/attac...5/1/policy.txt

My recommendation would be to encrypt traffic between /32 loopbacks on each router and then use a GRE tunnel, but you don't necessarily have to. Using the above configs would replicate what you have almost identically.
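The policy-based SRX configuration drebo describes, written out as an added example that is not from the thread or from the Juniper documents he links: Junos set commands for the SRX550 hub side of one spoke, mirroring the 6509/2821 crypto-map parameters posted above (IKEv1 main mode, pre-shared key, 3DES, MD5, DH group 2, ESP 3DES/HMAC-MD5, tunnel mode, no PFS). Assumed, not from the thread: the SRX takes over the 6509's 192.168.1.13/30 on a tagged sub-interface ge-0/0/1.112 in zone untrust (so the 2821 spokes keep their existing peer address and need no change), the HQ-side STATEIP network is 10.10.0.0/16 in zone trust, the spoke's SITEIP network is 10.50.1.0/24, and the pre-shared key is the thread's placeholder SITENAME. The object names are mine.

```junos
# Added example (not from the thread): SRX550 policy-based IKEv1/IPsec VPN
# mirroring the 6509 "crypto map SITENAME" entry for one spoke (the 2821 at
# 192.168.1.14).  Assumed: ge-0/0/1.112 = 192.168.1.13/30 in zone untrust,
# STATEIP = 10.10.0.0/16 in zone trust, SITEIP = 10.50.1.0/24, PSK "SITENAME".

# Hub-side interface on the /30 the spokes already peer with.
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 112 vlan-id 112
set interfaces ge-0/0/1 unit 112 family inet address 192.168.1.13/30
set security zones security-zone untrust interfaces ge-0/0/1.112 host-inbound-traffic system-services ike

# Phase 1 = "crypto isakmp policy 100" on the 2821: 3DES / MD5 / pre-share /
# group 2, with the IOS default ISAKMP lifetime of 86400 s.
set security ike proposal IKE-PROP-3DES-MD5 authentication-method pre-shared-keys
set security ike proposal IKE-PROP-3DES-MD5 dh-group group2
set security ike proposal IKE-PROP-3DES-MD5 authentication-algorithm md5
set security ike proposal IKE-PROP-3DES-MD5 encryption-algorithm 3des-cbc
set security ike proposal IKE-PROP-3DES-MD5 lifetime-seconds 86400

# IOS uses main mode for pre-shared keys with a static peer address.
set security ike policy IKE-POL-SITENAME mode main
set security ike policy IKE-POL-SITENAME proposals IKE-PROP-3DES-MD5
set security ike policy IKE-POL-SITENAME pre-shared-key ascii-text "SITENAME"

# Gateway = "crypto isakmp key SITENAME address 192.168.1.14" + "set peer".
set security ike gateway GW-SITENAME ike-policy IKE-POL-SITENAME
set security ike gateway GW-SITENAME address 192.168.1.14
set security ike gateway GW-SITENAME external-interface ge-0/0/1.112

# Phase 2 = "transform-set SITENAME esp-3des esp-md5-hmac": tunnel mode,
# no PFS (IOS crypto map default), IOS default SA lifetime 3600 s.
set security ipsec proposal IPSEC-PROP-3DES-MD5 protocol esp
set security ipsec proposal IPSEC-PROP-3DES-MD5 encryption-algorithm 3des-cbc
set security ipsec proposal IPSEC-PROP-3DES-MD5 authentication-algorithm hmac-md5-96
set security ipsec proposal IPSEC-PROP-3DES-MD5 lifetime-seconds 3600
set security ipsec policy IPSEC-POL-SITENAME proposals IPSEC-PROP-3DES-MD5
set security ipsec vpn VPN-SITENAME ike gateway GW-SITENAME
set security ipsec vpn VPN-SITENAME ike ipsec-policy IPSEC-POL-SITENAME

# Interesting traffic = "match address 112".  A policy-based VPN derives its
# phase-2 proxy ID from these address-book entries, so they must be exactly
# the prefixes the ACL wildcard masks describe (0.0.255.255 = /16,
# 0.0.0.255 = /24) or phase 2 fails with a proxy-ID mismatch.
set security zones security-zone trust address-book address STATE-NET 10.10.0.0/16
set security zones security-zone untrust address-book address SITE-NET 10.50.1.0/24

# Outbound policy encrypts, inbound policy decrypts; pair-policy ties them.
set security policies from-zone trust to-zone untrust policy ENCRYPT-SITENAME match source-address STATE-NET
set security policies from-zone trust to-zone untrust policy ENCRYPT-SITENAME match destination-address SITE-NET
set security policies from-zone trust to-zone untrust policy ENCRYPT-SITENAME match application any
set security policies from-zone trust to-zone untrust policy ENCRYPT-SITENAME then permit tunnel ipsec-vpn VPN-SITENAME
set security policies from-zone trust to-zone untrust policy ENCRYPT-SITENAME then permit tunnel pair-policy DECRYPT-SITENAME

set security policies from-zone untrust to-zone trust policy DECRYPT-SITENAME match source-address SITE-NET
set security policies from-zone untrust to-zone trust policy DECRYPT-SITENAME match destination-address STATE-NET
set security policies from-zone untrust to-zone trust policy DECRYPT-SITENAME match application any
set security policies from-zone untrust to-zone trust policy DECRYPT-SITENAME then permit tunnel ipsec-vpn VPN-SITENAME
set security policies from-zone untrust to-zone trust policy DECRYPT-SITENAME then permit tunnel pair-policy ENCRYPT-SITENAME
```

Commit, then send traffic from the STATE-NET side: a policy-based tunnel on the SRX is negotiated on demand, not at commit. `show security ike security-associations` and `show security ipsec security-associations` show phase 1 and phase 2 state; `show log kmd` has the negotiation errors. Two things to check against the Cisco side before blaming the boxes: the address-book prefixes must match the ACL 112 wildcards exactly, because IOS as responder rejects a phase-2 proxy ID that does not match one of its crypto ACL lines; and the IOS defaults this relies on (main mode, ISAKMP lifetime 86400 s, IPsec SA lifetime 3600 s, no PFS) only hold if the spokes' crypto map entries do not override them. The example keeps the thread's 3DES/MD5/group 2 so nothing changes on the 2821s; both platforms also do AES and SHA, which are stronger and markedly faster on hardware crypto engines than 3DES, so if the spokes are going to be reconfigured anyway for the full-link encryption, that is the moment to move off 3DES/MD5/group 2 and to give every spoke its own pre-shared key.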
11-19-2012, 12:09 PM   #12
cpals (Diamond Member; Join Date: Mar 2001; Posts: 4,494)

Quote (Originally Posted by drebo):
So from every site (all ~18) to only one other site, you need to encrypt the traffic?

Or does ALL site-to-site traffic need to be encrypted?
We want all traffic going over the MetroE encrypted. 99% of the time, outside sites will only be talking to servers/equipment at headquarters and almost never to each other.

I think I found what we're doing since almost every command matches up ( http://www.cisco.com/en/US/tech/tk58...80194650.shtml ). Can this easily be converted to a Cisco-Juniper setup or is it truly a Cisco-Cisco setup? Hoping not to have to touch each site physically.
11-19-2012, 12:42 PM   #13
drebo (Diamond Member; Join Date: Feb 2006; Posts: 6,500)

Look at the PDF I linked above...that's how you accomplish the matching config on Junos. It's called transport mode IPSec, as opposed to tunnel mode IPSec.

For ease of use, though, like I said, I'd encapsulate a GRE tunnel over the IPSec. Makes for simpler/easier routing.
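drebo's routed-tunnel design (encrypt between the routers, run a tunnel interface and a routing protocol over it), as an added example that is not from the thread. On the SRX the idiomatic way to get a routable tunnel interface is a route-based VPN bound to an st0 unit, so this uses st0 with OSPF across it instead of GRE, and assumes the spoke terminates it on an IOS IPsec VTI (`interface Tunnel0` with `tunnel mode ipsec ipv4` and `tunnel protection ipsec profile`) rather than a GRE tunnel; that is a substitution for the GRE-over-IPsec he describes, chosen because a VTI proposes the 0.0.0.0/0 proxy IDs that an st0 VPN expects and needs no crypto ACL. It also moves to AES-256/SHA-1/DH group 14, which both platforms support, since the spokes are being reconfigured anyway. Assumed, not from the thread: the SRX sits at the 6509's 192.168.1.13/30 on ge-0/0/1.112 in zone untrust, the HQ LAN is ge-0/0/0.0 in zone trust, the tunnel /30 is 10.254.0.0/30, the st0 units live in a zone named vpn, and the key is the placeholder REPLACE-ME.

```junos
# Added example (not from the thread): route-based hub-side VPN on the SRX550
# for one spoke, OSPF over the tunnel.  Assumed: ge-0/0/1.112 = 192.168.1.13/30
# in zone untrust, ge-0/0/0.0 = HQ LAN in zone trust, st0.1 = 10.254.0.1/30 in
# zone vpn, spoke peer 192.168.1.14 (the 2821), pre-shared key REPLACE-ME.

# Tunnel interface.  Keep the MTU equal to the IOS Tunnel interface's "ip mtu"
# (or set "ip ospf mtu-ignore" on the IOS side): OSPF neighbours with
# different MTUs stay stuck in ExStart.
set interfaces st0 unit 1 family inet address 10.254.0.1/30
set interfaces st0 unit 1 family inet mtu 1400

# Phase 1: IKEv1 main mode, AES-256 / SHA-1 / DH group 14, pre-shared key.
set security ike proposal IKE-PROP-AES256 authentication-method pre-shared-keys
set security ike proposal IKE-PROP-AES256 dh-group group14
set security ike proposal IKE-PROP-AES256 authentication-algorithm sha1
set security ike proposal IKE-PROP-AES256 encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROP-AES256 lifetime-seconds 86400
set security ike policy IKE-POL-SITE1 mode main
set security ike policy IKE-POL-SITE1 proposals IKE-PROP-AES256
set security ike policy IKE-POL-SITE1 pre-shared-key ascii-text "REPLACE-ME"
set security ike gateway GW-SITE1 ike-policy IKE-POL-SITE1
set security ike gateway GW-SITE1 address 192.168.1.14
set security ike gateway GW-SITE1 external-interface ge-0/0/1.112
# Dead peer detection: a dead spoke tears the SA down so OSPF reconverges
# (for example toward the backup hub) instead of blackholing until rekey.
set security ike gateway GW-SITE1 dead-peer-detection interval 10
set security ike gateway GW-SITE1 dead-peer-detection threshold 3

# Phase 2: ESP AES-256 / HMAC-SHA-1 with PFS group 14.
set security ipsec proposal IPSEC-PROP-AES256 protocol esp
set security ipsec proposal IPSEC-PROP-AES256 encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-PROP-AES256 authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROP-AES256 lifetime-seconds 3600
set security ipsec policy IPSEC-POL-SITE1 perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POL-SITE1 proposals IPSEC-PROP-AES256

# Bound to st0.1: whatever the routing table sends into st0.1 is encrypted,
# so there is no per-subnet crypto ACL to keep in sync with the spokes.
# The 0/0 proxy IDs are what an IOS VTI proposes.
set security ipsec vpn VPN-SITE1 bind-interface st0.1
set security ipsec vpn VPN-SITE1 ike gateway GW-SITE1
set security ipsec vpn VPN-SITE1 ike ipsec-policy IPSEC-POL-SITE1
set security ipsec vpn VPN-SITE1 ike proxy-identity local 0.0.0.0/0
set security ipsec vpn VPN-SITE1 ike proxy-identity remote 0.0.0.0/0
set security ipsec vpn VPN-SITE1 ike proxy-identity service any
set security ipsec vpn VPN-SITE1 establish-tunnels immediately

# Zones: IKE in on the untrust interface, OSPF (and ping for testing) on st0.
set security zones security-zone untrust interfaces ge-0/0/1.112 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.1 host-inbound-traffic protocols ospf
set security zones security-zone vpn interfaces st0.1 host-inbound-traffic system-services ping

# Plain (non-tunnel) policies between the HQ LAN and the spokes; tighten to
# real address books once traffic flows.
set security policies from-zone trust to-zone vpn policy HQ-TO-SPOKES match source-address any
set security policies from-zone trust to-zone vpn policy HQ-TO-SPOKES match destination-address any
set security policies from-zone trust to-zone vpn policy HQ-TO-SPOKES match application any
set security policies from-zone trust to-zone vpn policy HQ-TO-SPOKES then permit
set security policies from-zone vpn to-zone trust policy SPOKES-TO-HQ match source-address any
set security policies from-zone vpn to-zone trust policy SPOKES-TO-HQ match destination-address any
set security policies from-zone vpn to-zone trust policy SPOKES-TO-HQ match application any
set security policies from-zone vpn to-zone trust policy SPOKES-TO-HQ then permit

# OSPF: point-to-point over the tunnel, passive on the HQ LAN.
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2p
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 passive
```

Repeat per spoke with the next st0 unit, its own gateway and its own pre-shared key. For the dual-hub DR requirement from post #5, each spoke carries a second tunnel of the same shape to the backup hub, and the OSPF metric on the tunnel interfaces (`set protocols ospf area 0.0.0.0 interface st0.1 metric 10` on the preferred hub, a higher value on the backup) picks the primary path, with DPD plus OSPF dead timers bounding the failover time. Check with `show security ipsec security-associations`, `show ospf neighbor` and `show route protocol ospf`. If a spoke's IOS release predates DH group 14, drop both ends to group 5 rather than back to group 2.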
All times are GMT -5.