IPsec Site-to-Site VPN Juniper ScreenOS <-> Cisco ASA

This post describes the steps to configure a Site-to-Site VPN between a Juniper ScreenOS firewall and the Cisco ASA firewall. With the correct IKE and IPsec parameters as well as the correct Proxy IDs on both sides, the VPN establishment works without any problems. And since the Juniper firewall can ping an IPv4 address on the remote side through the tunnel (VPN Monitor), the VPN tunnel is established by the firewalls themselves without the need for initial traffic.

[This is one of many VPN tutorials on my blog. Please look here find the appropriate one.]

Laboratory

The following figure shows my test laboratory:

S2S VPN Juniper ScreenOS - Cisco ASA Laboratory

The Juniper SSG 5 firewall had version 6.3.0r16.0 installed, while the Cisco ASA 5505 ran on version 9.1(4).

Note that I am not showing the creation of the IKE and IPsec parameter sets since their reference names are self-explanatory, such as “pre-g5-aes256-sha1” and “g5-esp-aes256-sha1-3600”.

Concerning the automatic tunnel establishment: The Juniper VPN Monitor, which pings the inside interface of the ASA, only works if the “Management Access Interface” on the ASA is set to this specific inside network. Otherwise, the ASA will not reply to these ping requests and will generate log messages such as “Failed to locate egress interface for ICMP from outside: …”. Really bad! Especially if you have more than one inside network.

Juniper ScreenOS SSG

The creation of the VPN on the ScreenOS device requires the following steps: tunnel interface, gateway, AutoKey IKE with Proxy IDs, and static IPv4 route through the tunnel. The following screenshots document these steps:

Cisco ASA

On the Cisco ASA, a Group Policy and a Connection Profile must be created. On the following screenshots, I am also showing the created Crypto Map:

Monitoring the VPN Sessions

Due to the VPN Monitor on the Juniper firewall, the tunnel should be established right after all configuration settings are done. The Juniper monitor status will indicate an “Up” link and the logs filtered to the peer IPv4 address will show several success messages:

S2S SSG-ASA - SSG 07 VPN Monitor StatusS2S SSG-ASA - SSG 08 Events searched 172.16.1.3

The same is true for the Cisco ASA, which will reveal the successful VPN tunnel with the chosen security parameters:

S2S SSG-ASA - ASA 07 VPN Session Details

Leave a Reply

Your email address will not be published. Required fields are marked *