VPN Routing issue

LarryT2012
Level 1

Hi all,

I have an interesting routing issue.  I have a VPN connection between a Juniper and Cisco firewall.  I have two networks (10.1.x.x and 10.5.x.x) configured for traffic over the VPN.  Users coming across the VPN from Cisco to Juniper state that when they are able to access resources on network 10.1.x.x, they aren't able to access resources on 10.5.x.x--and vice-versa.  I've checked security parameters (hash, authentication, group, lifetime, and encryption) and they appear to be identical on both sides.  Has anyone experienced this issue before?

5 Replies

Richard Burts
Hall of Fame

Can you provide some clarification about networks 10.1.x.x and 10.5.x.x? Are they both on one side? If so which side? Or is one on one side and the other on the other side?

It might also be helpful if you would post some details of how you have the VPN configured on the Cisco.

HTH

Rick

Hi Richard,

First, I didn't expect to see you respond.  I've noticed you've been giving fantastic advice for years over these forums--thanks for replying.

Locally (my site):

I have network 10.1.x.x directly connected to my Juniper FW and 10.5.x.x is one hop away via another Juniper switch.  The remote site is connecting to my Juniper FW from their Cisco FW via VPN to reach resources on networks 10.1.x.x and 10.5.x.x.

Remote site:

They have static routes configured on their Cisco FW pointed to both 10.1.x.x and 10.5.x.x, which are reachable via my local Juniper FW.

The following is what they have configured on their Cisco FW:

Phase-1:

    IKE Peer: Our Public IP
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 86400

Phase-2:

    transform-set esp-3des esp-sha-hmac

Below is what I have configured on my Juniper:

Phase 1

    set security ike proposal <phase 1 name> authentication-method pre-shared-keys
    set security ike proposal <phase 1 name> dh-group group2
    set security ike proposal <phase 1 name> authentication-algorithm sha1
    set security ike proposal <phase 1 name> encryption-algorithm 3des-cbc
    set security ike policy <phase 1 name> mode main

Phase 2

    set security ipsec proposal <phase 2 name> protocol esp
    set security ipsec proposal <phase 2 name> authentication-algorithm hmac-sha1-96
    set security ipsec proposal <phase 2 name> encryption-algorithm 3des-cbc
    set security ipsec policy <phase 2 name> perfect-forward-secrecy keys group2

Hi,

Couldn't that be a routing issue?

As you say: "I have network 10.1.x.x directly connected to my Juniper FW and 10.5.x.x is one hop away via another Juniper switch.  The remote site is connecting to my Juniper FW from their Cisco FW via VPN..."

Do the devices in 10.5.x.x subnet know how to route back to the remote site? I.e., does the "another Juniper switch" know which remote sites are just connected via VPN and routable via the Juniper FW?

Best regards,

Milan

Thanks for the clarifications. Am I understanding correctly that users on the Cisco side are successful in access to 10.1.x.x and not successful in access to 10.5.x.x? And that users in your 10.1.x.x are successful in accessing the Cisco networks but users in 10.5.x.x are not able to access Cisco networks?

If that is the case then the suggestion from Milan is certainly one possible source of the problem. I would also suggest that you and your Cisco colleague check the access lists that identify traffic to be encrypted for the VPN. If one or both sides fail to specify 10.5.x.x in that access list then you would get the kind of symptoms that you are describing.

HTH

Rick
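
A small check of the two things raised in this thread, Milan's return-route question and Rick's crypto ACL point, as an added example that is not part of the original posts. All subnets, the remote site prefix 192.168.50.0/24, the inner switch's routing table and the encryption domains below are constructed for illustration; the Cisco side here deliberately omits 10.5.x.x so the asymmetry shows up.

```python
import ipaddress

# Constructed example values (not from the thread): each peer's encryption
# domain as (local_network, remote_network) pairs. On the Cisco this is the
# crypto ACL ("permit ip <local> <remote>"); on the Juniper SRX it is the
# tunnel's proxy-identity / policy pairs. The Cisco side here omits 10.5/16.
CISCO_DOMAIN = [("192.168.50.0/24", "10.1.0.0/16")]
JUNIPER_DOMAIN = [("10.1.0.0/16", "192.168.50.0/24"),
                  ("10.5.0.0/16", "192.168.50.0/24")]
# Constructed: the inner Juniper switch that owns 10.5.x.x and its routes.
INNER_SWITCH_SUBNET = "10.5.0.0/16"
SWITCH_ROUTES = {"10.5.0.0/16": "connected", "10.1.0.0/16": "via 10.5.0.1"}

def _net(s):
    return ipaddress.ip_network(s, strict=False)

def covered(domain, local, remote):
    """True if some (local, remote) pair in the domain matches both hosts."""
    l, r = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    return any(l in _net(a) and r in _net(b) for a, b in domain)

def has_route(routes, dst):
    """True if the routing table has any prefix covering dst."""
    d = ipaddress.ip_address(dst)
    return any(d in _net(prefix) for prefix in routes)

def asymmetric_pairs(cisco, juniper):
    """Subnet pairs selected by only one peer, compared as mirror images."""
    c = {(_net(a), _net(b)) for a, b in cisco}
    j = {(_net(b), _net(a)) for a, b in juniper}      # mirror to Cisco view
    return sorted(f"{a} <-> {b}" for a, b in c ^ j)

def diagnose(cisco_host, juniper_host):
    """Findings for a flow Cisco-side host -> Juniper-side host; [] is healthy."""
    findings = []
    if not covered(CISCO_DOMAIN, cisco_host, juniper_host):
        findings.append("Cisco crypto ACL does not select this flow")
    if not covered(JUNIPER_DOMAIN, juniper_host, cisco_host):
        findings.append("Juniper proxy-id does not select the mirrored flow")
    if (ipaddress.ip_address(juniper_host) in _net(INNER_SWITCH_SUBNET)
            and not has_route(SWITCH_ROUTES, cisco_host)):
        findings.append("inner switch has no return route to the remote site")
    return findings

if __name__ == "__main__":
    print(asymmetric_pairs(CISCO_DOMAIN, JUNIPER_DOMAIN))
    print(diagnose("192.168.50.10", "10.1.4.4"))    # []
    print(diagnose("192.168.50.10", "10.5.20.7"))   # two findings
```

Feed it the real crypto ACL entries from the Cisco and the proxy-id pairs from the Juniper, plus the inner switch's route table, and an empty finding list for a failing flow means the problem lies elsewhere than these two checks.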

Pawan Raut
Level 4

Forward path routing: Site C subnet -- IPsec VPN --> Site A -- GRE tunnel --> Site B

Return path routing: Site B IP subnet --- GRE tunnel --> Site A -- IPsec tunnel --> Site C

So in a nutshell, the Site B subnet should be in the encryption domain of the VPN between A and C.
