Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

SRX Using DHCP on UNTRUST (BRANCH)-- Connected to Static VTI Cisco Router (HQ)

Good morning Gentlemen, I need some advice.  I am primarily a cisco IOS chap, but have recently been delving into some JUNOS action.

 

I cannot find an example on the Juniper Forums/Documentation or the Cisco Forums/Documentation to my specific Issue.

Firstly, I am not interested in Policy Based VPNs.   I do not know if it is possible to use a DHCP assigned public address on remote device with a "static VTI" - when using IKE identities. However as Phase one is up, I think the issue is more to do with Phase2 proposals when not explicitly defining a Tunnel destination.

 

In the scenario I am trying to sort now, I have an SRX-100 device, that gets its public address from a DHCP server.

I have back at the HQ, a cisco router.  

 

The Cisco router has various VTI tunnels out to other branch devices, that are smaller Cisco routers. These VTI tunnels are working fine - note all using static Public IP's 

 

I have my phase1 up fine, (from both sides' perspective) and am sending a local-identity hostname instead of a defining a destination address on the Tunnel on the cisco side.

 

JUNIPER

Index State Initiator cookie Responder cookie Mode Remote Address
5048723 UP 41ee08a4a0fde661 517176fea0f23989 Aggressive 4.4.4.4

 

CISCO

IPv4 Crypto ISAKMP SA
dst src state conn-id status

4.4.4.4 1.1.1.1 QM_IDLE 1110 ACTIVE NICK-SRX-ISAKMP-PROFILE

 

A working VTI tunnel has an SA of : (cisco perspecive)

 

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

 

I have tried sending this as the proxy-id on the Juniper to no avail.

The error is still :

*Jun 6 10:20:07.244: ISAKMP:smileysad:1110):atts are acceptable.

IPSec policy invalidated proposal with error 64
*Jun 6 10:20:07.244: ISAKMP:smileysad:1110): phase 2 SA policy not acceptable!

 

The IPSEC transform-Set attributes are accepted though,

 

transform 0, ESP_3DES
*Jun 6 10:20:07.244: ISAKMP: attributes in transform:
*Jun 6 10:20:07.244: ISAKMP: authenticator is HMAC-SHA
*Jun 6 10:20:07.244: ISAKMP: SA life type in seconds
*Jun 6 10:20:07.244: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10 
*Jun 6 10:20:07.244: ISAKMP: SA life type in kilobytes
*Jun 6 10:20:07.244: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 
*Jun 6 10:20:07.244: ISAKMP: encaps is 1 (Tunnel)
*Jun 6 10:20:07.244: ISAKMP:smileysad:1110):atts are acceptable.

 

So it is something to do with the SA/Proxy ID's being sent.

 

here is the Juniper Config:

 


proposal IKE-SHA-AES128-DH2 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 86400;
}
policy IKE-POLICY-HQ {
mode aggressive;
proposals IKE-SHA-AES128-DH2;
pre-shared-key ascii-text "secretkey";
}
gateway IKE-GATEWAY {
ike-policy IKE-POLICY-HQ;
address 4.4.4.4;
local-identity hostname knuckles.net;
external-interface fe-0/0/0.0;
}

proposal HQ-IPSEC-PROPOSAL {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3600;
lifetime-kilobytes 4608000;
}
policy HQ-IPSEC-POLICY {
proposals HQ-IPSEC-PROPOSAL;
}
vpn ROUTE-BASED-VPN-TO-HQ {
bind-interface st0.0;
ike {
gateway IKE-GATEWAY;
ipsec-policy HQ-IPSEC-POLICY;
}
establish-tunnels immediately;
}

 

st0 {
unit 0 {
family inet {
address 10.1.1.2/30;
}
}

 

CISCO SIDE:

 

crypto isakmp policy 2
encr aes
authentication pre-share
group 2

crypto keyring NICK-SRX 
pre-shared-key hostname knuckles.net key secretkey

crypto isakmp profile NICK-SRX-ISAKMP-PROFILE
keyring default
keyring NICK-SRX
match identity host knuckles.net
initiate mode aggressive

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
mode tunnel

crypto ipsec profile NICK-SRX-IPSEC-PROFILE
set transform-set ESP-3DES-SHA 
set isakmp-profile NICK-SRX-ISAKMP-PROFILE

interface Tunnel1
description HQ to NC-SRX
ip address 10.1.1.1 255.255.255.252
tunnel source 4.4.4.4
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile NICK-SRX-IPSEC-PROFILE

 

 

FYI - If I use the Provider given DHCP address on the Cisco Tunnel config, as a destination - the tunnel comes up immediately....So ' thinking this may be a limitation of static VTI. I have not tested the IKE identity on a remote cisco router also using VTI yet. 

 

e.g.

 

interface Tunnel1
description HQ to NC-SRX
ip address 10.1.1.1 255.255.255.252
tunnel source 4.4.4.4
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile NICK-SRX-IPSEC-PROFILE

 

So I guess my question is Is this possible using a static VTI?

What does this comand do - does it turn on dynamic VTI (all that virtual-template business)- or just tell the tunnel to expect and IKE identity?

 

tunnel destination dynamic

 

Does Dynamic VTI work with Different Vendors, and if so how can you control what VRF is assigned to the tunnels - I will need in the future multiple VRF's for each branch device, some using DHCP public addresses.

The VTI design guide does not mention Identity IKE for branch sites without using dynamic VTI.  

 

I would like to avoid using the whole easyVPN / dynamic VTI, as I need to use multiple VRF;s on the endpoints.

 

 

 

 

 

 

Everyone's tags (1)
2 REPLIES
New Member

Perhaps this fellow has

Perhaps this fellow has cracked it - is this the only way ???

https://supportforums.cisco.com/document/58076/dynamic-ip-dynamic-ip-ipsec-vpn-tunnel

 

New Member

Went with EEM as suggested by

Went with EEM as suggested by the chap + IKE Identity, works fine.

291
Views
0
Helpful
2
Replies
CreatePlease to create content