IPsec Site-to-Site VPN Juniper ScreenOS <-> Cisco Router

Similar to all my other site-to-site VPN articles, here are the configurations for a VPN tunnel between a Juniper ScreenOS SSG firewall and a Cisco IOS router. Thanks to the VPN Monitor of the SSG firewall, the tunnel is established directly after the configuration and stays up all the time without the need for “real” traffic.

I am using the policy-based VPN solution on the Cisco router and not the virtual tunnel interface (VTI) approach. That is, no route is needed on the router, while the Proxy IDs must be set on the Juniper firewall. (However, I also documented the route-based VPN solution between a ScreenOS firewall and a Cisco router here.)

This is one of many VPN tutorials on my blog. –> Have a look at this full list. <–

Laboratory

This figure shows my lab:

S2S VPN Juniper ScreenOS - Cisco Router Laboratory

My Juniper SSG 5 firewall ran at version 6.3.0r17.0. The (old) Cisco router 2621 had IOS 12.3(26) installed (c2600-ik9o3s3-mz.123-26.bin).

Juniper ScreenOS SSG

The configuration steps on the SSG are the following:

  1. P1 and P2 Proposals, e.g., PFS group 5, AES256, SHA1, 28800/3600 sec.
  2. Gateway with Preshared Key and P1 Proposal.
  3. Unnumbered Tunnel Interface.
  4. AutoKey IKE profile which points to the just created gateway, P2 proposal and tunnel interface. The checkmark “Proxy-ID Check” is mandatory here. Furthermore, the VPN Monitor can be set to automatically build the tunnel.
  5. Proxy ID(s) corresponding to the tunneled networks.
  6. Specific route through the tunnel interface.

Here are my configuration screenshots:

Cisco Router

The listing below shows all relevant commands for the VPN tunnel. Of course, the isakmp policy and the ipsec transform-set are identical to the ones I configured on the Juniper firewall. Note that I also configured the “hash sha” command inside the “crypto isakmp policy 10” submenu. However, this is not shown since it is the default value. The same applies to the “set security-association lifetime seconds 3600” command inside the “crypto map map01 2 ipsec-isakmp” submenu.
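As an added example (my own reconstruction, not the author's listing), here is a Cisco IOS policy-based configuration that matches the parameters stated above: AES-256, SHA-1, DH/PFS group 5, 28800 s / 3600 s lifetimes and crypto map "map01" entry 2. All IP addresses, the ACL and transform-set names, the interface name and the pre-shared key are placeholders.

```cisco
! Added example, not the article's own listing. Addresses, names and the key are placeholders.
!
! --- Phase 1 (ISAKMP) policy. "hash sha" is the IOS default and is not shown in running-config.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
!
! --- Pre-shared key bound to the SSG's public address (placeholder address and key)
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.1
!
! --- Phase 2 transform set (tunnel mode is the default)
crypto ipsec transform-set ts01 esp-aes 256 esp-sha-hmac
!
! --- Crypto ACL: must mirror the Proxy-ID on the SSG, i.e. local and remote networks swapped
!     (placeholder networks: 192.168.2.0/24 behind the router, 192.168.1.0/24 behind the SSG)
ip access-list extended vpn-ssg
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! --- Crypto map entry 2. "set security-association lifetime seconds 3600" is the IOS default
!     and is therefore also not displayed in running-config.
crypto map map01 2 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ts01
 set pfs group5
 set security-association lifetime seconds 3600
 match address vpn-ssg
!
! --- Apply the crypto map to the Internet-facing interface (placeholder interface and address)
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 crypto map map01
!
! --- Verification from exec mode:
!   show crypto isakmp sa   -> the Phase 1 SA to 203.0.113.1 should be in state QM_IDLE
!   show crypto ipsec sa    -> #pkts encaps/decaps counters and remaining SA lifetime
!   show crypto map         -> confirms peer, transform set, PFS group and ACL for map01 entry 2
```

If the SSG shows the tunnel up but traffic fails, the usual culprit is a mismatch between this crypto ACL and the Proxy-ID on the SSG; compare both line by line before touching the proposals.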

It’s running :)

As the Monitor Status of the Juniper reveals:

S2S SSG-IOS - SSG 10 Monitor Status

The Cisco router can be queried with the following commands:
