08-24-2016 07:39 AM - edited 03-05-2019 04:33 AM
Hi all,
I have an interesting routing issue. I have a VPN connection between a Juniper and Cisco firewall. I have two networks (10.1.x.x and 10.5.x.x) configured for traffic over the VPN. Users coming across the VPN from Cisco to Juniper state that when they are able to access resources on network 10.1.x.x, they aren't able to access resources on 10.5.x.x--and vice-versa. I've checked security parameters (hash, authentication, group, lifetime, and encryption) and they appear to be identical on both sides. Has anyone experienced this issue before?
08-24-2016 09:55 AM
Can you provide some clarification about networks 10.1.x.x and 10.5.x.x? Are they both on one side? If so which side? Or is one on one side and the other on the other side?
It might also be helpful if you would post some details of how you have the VPN configured on the Cisco.
HTH
Rick
08-24-2016 12:54 PM
Hi Richard,
First, I didn't expect to see you respond. I've noticed you've been giving fantastic advice for years over these forums--thanks for replying.
Locally (my site):
I have network 10.1.x.x directly connected to my Juniper FW and 10.5.x.x is one hop away via another Juniper switch. The remote site is connecting to my Juniper FW from their Cisco FW via VPN to reach resources on networks 10.1.x.x and 10.5.x.x.
Remote site:
They have static routes configured on their Cisco FW pointed to both 10.1.x.x and 10.5.x.x, which are reachable via my local Juniper FW.
The following is what they have configured on their Cisco FW:
Phase-1:-
IKE Peer: Our Public IP
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : SHA
Auth : preshared Lifetime: 86400
Phase-2:-
transform-set esp-3des esp-sha-hmac
Below is what I have configured on my Juniper:
Phase 1
set security ike proposal <phase 1 name> authentication-method pre-shared-keys
set security ike proposal <phase 1 name> dh-group group2
set security ike proposal <phase 1 name> authentication-algorithm sha1
set security ike proposal <phase 1 name> encryption-algorithm 3des-cbc
set security ike policy <phase 1 name> mode main
Phase 2
set security ipsec proposal <phase 2 name> protocol esp
set security ipsec proposal <phase 2 name> authentication-algorithm hmac-sha1-96
set security ipsec proposal <phase 2 name> encryption-algorithm 3des-cbc
set security ipsec policy <phase 2 name> perfect-forward-secrecy keys group2
08-24-2016 11:38 PM
Hi,
Couldn't that be a routing issue?
As you say: "I have network 10.1.x.x directly connected to my Juniper FW and 10.5.x.x is one hop away via another Juniper switch. The remote site is connecting to my Juniper FW from their Cisco FW via VPN..."
Do the devices in 10.5.x.x subnet know how to route back to the remote site? I.e., does the "another Juniper switch" know which remote sites are just connected via VPN and routable via the Juniper FW?
Best regards,
Milan
08-25-2016 12:28 PM
Thanks for the clarifications. Am I understanding correctly that users on the Cisco side are successful in accessing 10.1.x.x and not successful in accessing 10.5.x.x? And that users in your 10.1.x.x are successful in accessing the Cisco networks but users in 10.5.x.x are not able to access Cisco networks?
If that is the case then the suggestion from Milan is certainly one possible source of the problem. I would also suggest that you and your Cisco colleague check the access lists that identify traffic to be encrypted for the VPN. If one or both sides fail to specify 10.5.x.x in that access list then you would get the kind of symptoms that you are describing.
HTH
Rick
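An added example, not from this thread: a small Python check of the point Rick raises, comparing the encryption domain each side has configured so a subnet present on only one side (the 10.5.x.x symptom) is reported. It assumes the Cisco is an ASA with a crypto access list and the Juniper uses route-based traffic selectors; the ACL name, VPN name and the 192.168.50.0/24 remote subnet are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample configs (placeholders, not the thread's real addresses).
# The Cisco ACL only lists 10.1.0.0/16, while the Junos side lists both subnets.
CISCO_ACL = """
access-list VPN-TO-JUNIPER extended permit ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0
"""
JUNOS_TS = """
set security ipsec vpn TO-CISCO traffic-selector ts1 local-ip 10.1.0.0/16 remote-ip 192.168.50.0/24
set security ipsec vpn TO-CISCO traffic-selector ts2 local-ip 10.5.0.0/16 remote-ip 192.168.50.0/24
"""

ASA_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")   # src mask dst mask
TS_RE = re.compile(r"local-ip (\S+) remote-ip (\S+)")


def cisco_pairs(acl):
    """Return {(cisco_side_net, juniper_side_net)} from ASA permit entries."""
    pairs = set()
    for m in ASA_RE.finditer(acl):
        # ipaddress accepts "address/netmask" strings directly.
        src = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        dst = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
        pairs.add((src, dst))
    return pairs


def junos_pairs(cfg):
    """Return {(cisco_side_net, juniper_side_net)} from Junos traffic selectors.
    Junos 'local-ip' is the Juniper side, so the tuple is swapped to match
    the Cisco's point of view."""
    pairs = set()
    for m in TS_RE.finditer(cfg):
        local, remote = ipaddress.ip_network(m[1]), ipaddress.ip_network(m[2])
        pairs.add((remote, local))
    return pairs


def compare(cisco, junos):
    """Return (only_on_cisco, only_on_juniper) as sorted 'src->dst' strings."""
    c, j = cisco_pairs(cisco), junos_pairs(junos)
    fmt = lambda p: f"{p[0]}->{p[1]}"
    return sorted(map(fmt, c - j)), sorted(map(fmt, j - c))


if __name__ == "__main__":
    only_c, only_j = compare(CISCO_ACL, JUNOS_TS)
    print("proxy-IDs missing on the Juniper:", only_c)
    print("proxy-IDs missing on the Cisco:  ", only_j)
```

Any pair listed as missing is a subnet whose traffic one side will not select for the tunnel, which matches the one-network-works, one-does-not symptom.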
08-25-2016 01:03 AM
Forward path routing: Site C subnet -- IPsec VPN --> Site A -- GRE tunnel --> Site B
Return path routing: Site B IP subnet -- GRE tunnel --> Site A -- IPsec tunnel --> Site C
So in a nutshell, the Site B subnet should be in the encryption domain of the VPN between A and C.