=======Configuration VPN GRE over IPSEC between Juniper SRX and Cisco 1841 =======
 ==== Introduction. ====

We have two networks. Each network has own routing device. The first network has Juniper SRX and second network has Cisco 1841.\\ 
**Task**:\\ configure GRE over VPN for providing availability of OSPF routing.\\

{{:ru:jobs:vpn_juniper_cisco.jpg?500|500}}

 ==== Detail information. ====
 
Juniper SRX cann't to terminate GRE and IPSEC with one interface. We will use lo interface for GRE termination.

**Addressing**\\
Juniper SRX:\\
GLOBAL IP: 217.9.80.22\\
Lo IP: 172.31.254.1\\
Gre IP: 192.168.254.0\\

Cisco 1841:\\
GLOBAL IP:  91.208.39.30\\  
Lo IP: 172.31.254.2\\
Gre IP: 192.168.254.1\\


**IKE policy:**\\
encryption: aes128\\
hash: sha1\\
Diffie-Hellman group: 5
pre shared key: test\\

**IPSEC policy:**\\
encryption: aes128\\
hash: hmac_sha1\\
Diffie-Hellman group: 5

**VPN** - tunnel mode esp

 ==== Configure Juniper. ====

1. Apply lo ip address:\\
  
  {primary:node1}[edit]
  set interfaces lo0 unit 0 family inet address 172.31.254.1/32

2. Create GRE interface:\\
  
  {primary:node1}[edit]
  set interfaces gr-0/0/0 unit 0 description Cisco_link
  set interfaces gr-0/0/0 unit 0 tunnel source 172.31.254.1
  set interfaces gr-0/0/0 unit 0 tunnel destination 172.31.254.2
  set interfaces gr-0/0/0 unit 0 family inet mtu 1476
  set interfaces gr-0/0/0 unit 0 family inet address 192.168.254.0/31

3. Create ST interface:\\
  
  {primary:node1}[edit]
  set interfaces st0 unit 0 description VPN_Cisco_link
  set interfaces st0 unit 0 family inet


4. Configure three security zones on the Juniper:\\
  
  {primary:node1}[edit]
  set security zones security-zone ISPs interfaces reth0.0
  set security zones security-zone Internal interfaces reth1.0
  set security zones security-zone Tunnels gr-0/0/0.0
  set security zones security-zone Tunnels st0.0
  set security zones security-zone Tunnels lo0.0
  
  
5. Configure security policies (for this example I will not configure detail policy.)\\ 
  
  {primary:node1}[edit]
  set security policies default-policy permit-all


6. Configure IKE
  
  {primary:node1}[edit]
  set security ike proposal IKE_PRO_MY_NET description MY_NETWORK_IKE_PROPOSAL
  set security ike proposal IKE_PRO_MY_NET authentication-method pre-shared-keys
  set security ike proposal IKE_PRO_MY_NET dh-group group5
  set security ike proposal IKE_PRO_MY_NET authentication-algorithm sha1
  set security ike proposal IKE_PRO_MY_NET encryption-algorithm aes-128-cbc
  set security ike proposal IKE_PRO_MY_NET lifetime-seconds 28800

  set security ike policy IKE_POL_MY_NET mode aggressive
  set security ike policy IKE_POL_MY_NET proposals IKE_PRO_MY_NET
  set security ike policy IKE_POL_MY_NET pre-shared-key ascii-text test
  
  set security ike gateway IKE_CISCO_1841 ike-policy IKE_POL_MY_NET
  set security ike gateway IKE_CISCO_1841 address 91.208.39.30
  set security ike gateway IKE_CISCO_1841 local-identity inet 217.9.80.22
  set security ike gateway IKE_CISCO_1841 external-interface reth0.0

  
7. Configure IPSEC

  {primary:node1}[edit]
  set security ipsec proposal IPSEC_PRO_MY_NET protocol esp
  set security ipsec proposal IPSEC_PRO_MY_NET authentication-algorithm hmac-sha1-96
  set security ipsec proposal IPSEC_PRO_MY_NET encryption-algorithm aes-128-cbc
  set security ipsec proposal IPSEC_PRO_MY_NET lifetime-seconds 28800
  set security ipsec proposal IPSEC_PRO_MY_NET lifetime-kilobytes 4608000
  
  set security ipsec policy IPSEC_POL_MY_NET perfect-forward-secrecy keys group5
  set security ipsec policy IPSEC_POL_MY_NET proposals IPSEC_PRO_MY_NET

  set security ipsec vpn VPN_CISCO_1841 bind-interface st0.0
  set security ipsec vpn VPN_CISCO_1841 df-bit clear
  set security ipsec vpn VPN_CISCO_1841 ike gateway IKE_CISCO_1841
  set security ipsec vpn VPN_CISCO_1841 ike no-anti-replay
  set security ipsec vpn VPN_CISCO_1841 ike proxy-identity local 172.31.254.1/32
  set security ipsec vpn VPN_CISCO_1841 ike proxy-identity remote 172.31.254.2/32
  set security ipsec vpn VPN_CISCO_1841 ike proxy-identity service junos-gre
  set security ipsec vpn VPN_CISCO_1841 ike ipsec-policy IPSEC_POL_MY_NET
  set security ipsec vpn VPN_CISCO_1841 establish-tunnels immediately

8. Configure routing

  {primary:node1}[edit]
  set routing-options static route 172.31.254.2/32 next-hop st0.0



9. Commit

  {primary:node1}[edit]
  commit
  
 ==== Configure Cisco. ====

1. Apply lo ip address:\\
  
  conf t
  interface Loopback0
  ip address 172.31.254.2 255.255.255.255
  end

2. Create GRE interface:\\
  
  conf t
  interface Tunnel0
  description link1 Cisco_1841 -> Juniper SRX
  ip address 192.168.254.1 255.255.255.254
  ip mtu 1476
  ip ospf network point-to-point
  no clns route-cache
  tunnel source Loopback0
  tunnel destination 172.31.254.2
  end
  

3. Configure IKE
  
  conf t
  crypto isakmp policy 10
  encr aes
  authentication pre-share
  group 5
  lifetime 28800
  exit
  
  crypto isakmp key test address 217.9.80.22
  end

4. Configure access list

  conf t
  ip access-list extended ipsec_Juniper_SRX
  permit ip host 172.31.254.2 host 172.31.254.1
  end 
   
5. Configure IPSEC

  conf t
  crypto ipsec transform-set MY_NET esp-aes esp-sha-hmac
  exit
  
  crypto map my-cmap 10 ipsec-isakmp
  set peer 217.9.80.22
  set security-association lifetime seconds 28800
  set transform-set MY_NET
  set pfs group5
  match address ipsec_Juniper_SRX


6. Apply crypto-map

  conf t
  int fa 0/0
  crypto map my-cmap
  end

 

7. Save configuration

  wr


 ==== About author  ====
[[https://www.linkedin.com/pub/alexey-vyrodov/59/976/16b|Profile]] of the author