Anyone ever create a VPN between Juniper and Cisco?

Discussion in 'Networking' started by cpals, Nov 17, 2012.

  1. cpals

    Just looking to ping you guys to see what you think.

    We're in the process of having our old Cisco 6509 replaced, which was doing everything... routing, switching, encryption, vpn, etc. On the recommendation of the vendor we chose, we're moving forward with Juniper 550's for our main VPN at the core of our 'hub and spoke' network.

    We're on a MetroE connection and our HQ branches out to sites that have a Cisco 2821 router on the other side. Before, the 6509 and the 2821's would create an encrypted connection, but now we have to do that with these Junipers.

    They did come with installation, but the vendor is having a ton of issues trying to replicate our setup and get the connection to stay up and be stable. The latest thing is the most encrypted bandwidth they can get out of the boxes is 135Mb/s when it's rated at 1Gb/s at 3DES.

    Thoughts?
     
  2. drebo

    If you're using an SSG550, I'm not sure. If you're using an SRX550, then I know that you can do IPSec (or GRE) to a Cisco IOS router. I've done it several times and it works well.

    Before you might have been using DMVPN, which you can't use now, as it's Cisco proprietary. You might be stuck with static tunnels between each site.

    I'm not sure I would have recommended multivendor in an environment like that. I probably would have recommended a Cisco 3900 router or something, depending on how many sites you have.
     
    #2 drebo, Nov 18, 2012
    Last edited: Nov 18, 2012
  3. cpals

    They're SRX550 firewalls. Cisco did bid on the project and recommended two Cisco ASR devices but we ended up not going with Cisco.

    I'm not familiar with exactly how we are currently doing it. I know the 6509 has the VPN module in it and I have to create a high and low VLAN and I then put a /30 IP on one of them. They are connected with some crypto map commands. The same is similar on the other end where the 2821 routers are. They have crypto map commands and that's where the 3DES info is too. I haven't noticed a username and password setup like when I think of a typical site VPN setup.

    We are looking at encrypting all traffic. Three main sites are at 1Gb and the other 15 or so are 20 Mb. HQ is 1Gb so we would never need more than that on the firewall unless we increased our MetroE connection.
     
  4. drebo

    Any chance you could paste some of your old configs (with PSKs, certs, usernames, and IPs obfuscated) so that we can see how you were working? The important bits are all the crypto commands (except certs) and any Tunnel interface settings you have.

    Do you need mesh connectivity between sites or just hub-and-spoke?
     
  5. cpals

    Definitely can do it tomorrow. Right now we use EIGRP for our three main sites and those will be converted to OSPF. For DR purposes, having them connect to the backup site automatically would be beneficial.
     
  6. drebo

    So dual-hub-and-spoke. Not a problem to do that with static tunnels.

    I'd recommend using BGP for the actual route distribution, with OSPF maintaining connectivity between loopbacks. It's a lot more straightforward as far as influencing paths and such. And since you're migrating to a new protocol already, might as well do it right (or, rather, expandable.)

    Try not to obfuscate private IPs, if possible.
     
  7. cpals

    Was able to get our configs. From what I can tell, these are all the parts that make the encryption work in our setup. Let me know if there is something I missed.

    6509 Code:
    ! Phase 1 (ISAKMP) policy. No "encr" line appears here; the IOS default
    ! is DES, so this only matches the 2821's 3DES policy if "encr 3des" is set.
    crypto isakmp policy 100
     hash md5
     authentication pre-share
     group 2
    
    ! Pre-shared key for the peer at the 2821's tunnel endpoint address
    crypto isakmp key SITENAME address 192.168.1.14
    
    ! Phase 2 (IPsec) proposal: ESP with 3DES encryption and MD5 integrity
    crypto ipsec transform-set SITENAME esp-3des esp-md5-hmac
    
    ! Crypto map: peer, proposal, and ACL 112 selecting the traffic to encrypt
    crypto map SITENAME 100 ipsec-isakmp
     set peer 192.168.1.14
     set transform-set SITENAME
     match address 112
    
    ! VPN module "crypto connect" pair: the low (inside) VLAN hands cleartext to
    ! the module; the high (outside) VLAN holds the /30 endpoint and the crypto map
    vlan 61
     name LOW_VLAN_SITE1
    
    vlan 112
     name HIGH_VLAN_SITE2
    
    interface Vlan61
     no ip address
     ip nat inside
     crypto connect vlan 112
    
    interface Vlan112
     ip address 192.168.1.13 255.255.255.252
     ip nat inside
     no mop enabled
     crypto map SITENAME
     crypto engine slot 6
    2821 Example:
    ! Phase 1 (ISAKMP) policy: 3DES, MD5, pre-shared key, DH group 2
    crypto isakmp policy 100
     encr 3des
     hash md5
     authentication pre-share
     group 2
    
    ! Pre-shared key for the peer at the 6509's Vlan112 address
    crypto isakmp key SITENAME address 192.168.1.13
    
    ! Phase 2 (IPsec) proposal, identical to the 6509 side
    crypto ipsec transform-set SITENAME esp-3des esp-md5-hmac
    
    ! Crypto map pointing back at the 6509, with the same ACL 112 selector
    crypto map SITENAME 112 ipsec-isakmp
     set peer 192.168.1.13
     set transform-set SITENAME
     match address 112
    
    ! Dot1Q subinterface on VLAN 61 carrying the other end of the /30
    interface GigabitEthernet0/1.61
     encapsulation dot1Q 61
     ip address 192.168.1.14 255.255.255.252
     ip nat inside
     ip virtual-reassembly
     no snmp trap link-status
     crypto map SITENAME
     
     
  8. drebo

    In your example, would you mind outputting the ACL 112 on each router?
     
  9. cpals

    I forgot to mention that I believe we are currently only encrypting traffic to one location, a subnet that the state uses. In order to be more secure, and also since we don't provide our own MetroE, the thought was to make the entire link encrypted. Hence the higher encryption requirements (1Gb/s).

    Access List 112:

    access-list 112 permit ip STATEIP 0.0.255.255 SITEIP 0.0.0.255

    For every site setup/configuration there is one access list number that is a one liner and associated to the site's individual crypto maps.
     
    #9 cpals, Nov 19, 2012
    Last edited: Nov 19, 2012
  10. drebo

    So from every site (all ~18) to only one other site, you need to encrypt the traffic?

    Or does ALL site-to-site traffic need to be encrypted?
     
  11. drebo

    Regarding the VPNs in general, from the SRX to a Cisco IOS router, you'll need to use policy-based IPSec. It's a little wonky, but it makes sense: http://www.juniper.net/us/en/local/pdf/app-notes/3500175-en.pdf

    Here's a slightly more straightforward example: http://forums.juniper.net/jnet/attachments/jnet/srx/8185/1/policy.txt

    My recommendation would be to encrypt traffic between /32 loopbacks on each router and then use a GRE tunnel, but you don't necessarily have to. Using the above configs would replicate what you have almost identically.
     
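Added example (not from this thread, Juniper's app note, or any of the posters): a Junos policy-based IPsec configuration for the SRX550 that mirrors the Cisco crypto-map stanzas cpals posted (pre-shared key, DH group 2, 3DES, MD5, ACL 112 as the selector). The interface ge-0/0/0.112 (assumed to carry 192.168.1.13/30 in place of the old Vlan112), the trust/untrust zone names, the address-book names and the 10.x prefixes standing in for STATEIP/SITEIP are all assumptions; the key is a placeholder.

```junos
# Added example: SRX550 policy-based VPN mirroring the posted Cisco crypto map.
# Assumptions: ge-0/0/0.112 holds 192.168.1.13/30 (the old Vlan112 address),
# zones "trust"/"untrust", and 10.1.0.0/16 / 10.2.1.0/24 stand in for STATEIP/SITEIP.

# Phase 1: equivalent of "crypto isakmp policy 100" on the 2821 (3DES/MD5/group 2/PSK)
set security ike proposal ike-3des-md5 authentication-method pre-shared-keys
set security ike proposal ike-3des-md5 dh-group group2
set security ike proposal ike-3des-md5 authentication-algorithm md5
set security ike proposal ike-3des-md5 encryption-algorithm 3des-cbc
set security ike proposal ike-3des-md5 lifetime-seconds 86400
set security ike policy ike-site1 mode main
set security ike policy ike-site1 proposals ike-3des-md5
set security ike policy ike-site1 pre-shared-key ascii-text "REPLACE-WITH-SITE-PSK"
set security ike gateway gw-site1 ike-policy ike-site1
set security ike gateway gw-site1 address 192.168.1.14
set security ike gateway gw-site1 external-interface ge-0/0/0.112

# Phase 2: equivalent of "transform-set SITENAME esp-3des esp-md5-hmac"
set security ipsec proposal esp-3des-md5 protocol esp
set security ipsec proposal esp-3des-md5 encryption-algorithm 3des-cbc
set security ipsec proposal esp-3des-md5 authentication-algorithm hmac-md5-96
set security ipsec proposal esp-3des-md5 lifetime-seconds 3600
set security ipsec policy ipsec-site1 proposals esp-3des-md5
set security ipsec vpn vpn-site1 ike gateway gw-site1
set security ipsec vpn vpn-site1 ike ipsec-policy ipsec-site1

# Interesting traffic: this policy pair replaces "match address 112". The SRX
# derives its proxy-IDs from these addresses, so they must mirror ACL 112
# exactly (STATEIP /16 <-> SITEIP /24) or Phase 2 will not come up.
set security zones security-zone trust address-book address STATE-NET 10.1.0.0/16
set security zones security-zone untrust address-book address SITE1-NET 10.2.1.0/24
set security policies from-zone trust to-zone untrust policy to-site1 match source-address STATE-NET
set security policies from-zone trust to-zone untrust policy to-site1 match destination-address SITE1-NET
set security policies from-zone trust to-zone untrust policy to-site1 match application any
set security policies from-zone trust to-zone untrust policy to-site1 then permit tunnel ipsec-vpn vpn-site1
set security policies from-zone trust to-zone untrust policy to-site1 then permit tunnel pair-policy from-site1
set security policies from-zone untrust to-zone trust policy from-site1 match source-address SITE1-NET
set security policies from-zone untrust to-zone trust policy from-site1 match destination-address STATE-NET
set security policies from-zone untrust to-zone trust policy from-site1 match application any
set security policies from-zone untrust to-zone trust policy from-site1 then permit tunnel ipsec-vpn vpn-site1
set security policies from-zone untrust to-zone trust policy from-site1 then permit tunnel pair-policy to-site1
```

3DES/MD5 is used here only because it has to match the 2821s as they stand; once both ends are under your control, move the proposals to AES and SHA-based algorithms. Check the result with `show security ike security-associations` and `show security ipsec security-associations` on the SRX.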
  12. cpals

    We want all traffic going over the MetroE encrypted. 99% of the time, outside sites will only be talking to servers/equipment at headquarters and almost never to each other.

    I think I found what we're doing since almost every command matches up ( http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml ). Can this easily be converted to a Cisco-Juniper setup or is it truly a Cisco-Cisco setup? Hoping not to have to touch each site physically.
     
  13. drebo

    Look at the PDF I linked above...that's how you accomplish the matching config on Junos. It's called transport mode IPSec, as opposed to tunnel mode IPSec.

    For ease of use, though, like I said, I'd encapsulate a GRE tunnel over the IPSec. Makes for simpler/easier routing.
     