ASA to SRX Route-based IPSec VPN (part 2)

ASA to SRX Topology

If you’ve been following from Page 1 we’re now ready to set up the VPN between the two sites.

ASA IKE, IPSEC, and VTI

First we create our IKEv1 policy, then the IPSec transform set and profile, and finally the VTI (Tunnel100) that the profile protects.

crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

crypto ipsec ikev1 transform-set PHASE-TWO-PROPOSAL esp-aes-256 esp-sha-hmac

crypto ipsec profile TO-SRX
 set ikev1 transform-set PHASE-TWO-PROPOSAL
 set pfs group1
 set security-association lifetime seconds 86399

interface Tunnel100
 nameif ASA-SRX-TUNNEL
 ip address 10.255.255.1 255.255.255.252
 tunnel source interface OUTSIDE
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TO-SRX

Finally, on the ASA we create a tunnel-group keyed on the SRX's WAN address; it specifies the tunnel type (ipsec-l2l) and the pre-shared key used to authenticate both peers.

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key TheCatInFranceSlept

With that, we are done with the configuration on the ASA. Now we can move on to the SRX.

SRX IKE, IPSEC, and st0.0

Same as above: the IKE proposal and policy, followed by the IPSec proposal and policy.

set security ike proposal ASA-PHASE-ONE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal ASA-PHASE-ONE-PROPOSAL dh-group group5
set security ike proposal ASA-PHASE-ONE-PROPOSAL authentication-algorithm sha1
set security ike proposal ASA-PHASE-ONE-PROPOSAL encryption-algorithm aes-256-cbc

set security ike policy ASA-IKE-POLICY mode main
set security ike policy ASA-IKE-POLICY proposals ASA-PHASE-ONE-PROPOSAL
set security ike policy ASA-IKE-POLICY pre-shared-key ascii-text TheCatInFranceSlept

set security ipsec proposal ASA-IPSEC-PROPOSAL protocol esp
set security ipsec proposal ASA-IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal ASA-IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec proposal ASA-IPSEC-PROPOSAL lifetime-seconds 86399

set security ipsec policy ASA-IPSEC-POLICY perfect-forward-secrecy keys group1
set security ipsec policy ASA-IPSEC-POLICY proposals ASA-IPSEC-PROPOSAL

In addition, on the SRX we'll need to create an IKE gateway, a VPN and an st0 interface (st0 is the SRX equivalent of the ASA's VTI), and place st0.0 in its own security zone.

set security ike gateway ASA-GATEWAY ike-policy ASA-IKE-POLICY
set security ike gateway ASA-GATEWAY address 198.51.100.1
set security ike gateway ASA-GATEWAY external-interface ge-0/0/0
set security ike gateway ASA-GATEWAY version v1-only

set security ipsec vpn ASA-VPN bind-interface st0.0
set security ipsec vpn ASA-VPN ike gateway ASA-GATEWAY
set security ipsec vpn ASA-VPN ike ipsec-policy ASA-IPSEC-POLICY

set interfaces st0 unit 0 family inet address 10.255.255.2/30
set security zones security-zone SRX-TO-ASA interfaces st0.0

Adding the final Security Policies

The last piece on the SRX is two security policies that allow traffic between the TRUST zone and the SRX-TO-ASA zone, i.e. to and from the tunnel.

set security policies from-zone TRUST to-zone SRX-TO-ASA policy ALLOW-EGRESS match source-address any
set security policies from-zone TRUST to-zone SRX-TO-ASA policy ALLOW-EGRESS match destination-address any
set security policies from-zone TRUST to-zone SRX-TO-ASA policy ALLOW-EGRESS match application any
set security policies from-zone TRUST to-zone SRX-TO-ASA policy ALLOW-EGRESS then permit

set security policies from-zone SRX-TO-ASA to-zone TRUST policy ALLOW-INGRESS match source-address any
set security policies from-zone SRX-TO-ASA to-zone TRUST policy ALLOW-INGRESS match destination-address any
set security policies from-zone SRX-TO-ASA to-zone TRUST policy ALLOW-INGRESS match application any
set security policies from-zone SRX-TO-ASA to-zone TRUST policy ALLOW-INGRESS then permit

Last part of the configuration: the routes

ASA

route ASA-SRX-TUNNEL 192.168.50.0 255.255.255.0 10.255.255.2 1

SRX

set routing-options static route 172.16.100.0/24 next-hop 10.255.255.1
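Proposal mismatches between the two sides are the usual reason phase 1 or phase 2 fails to negotiate, and the devices give little more than a failed-negotiation message. As an added example (not part of the original post or either vendor's tooling), this script pulls the parameters out of the ASA and SRX snippets above with regexes, maps the Cisco and Junos spellings onto one vocabulary, and reports mismatches, a peer-address cross-check, and any use of DH groups 1 or 2 (768- and 1024-bit MODP), which is what the post's PFS setting uses.

```python
import re
NORMALISE = {"sha": "sha1", "esp-sha-hmac": "sha1", "hmac-sha1-96": "sha1",
             "aes-256": "aes256", "esp-aes-256": "aes256", "aes-256-cbc": "aes256",
             "group1": "dh1", "group2": "dh2", "group5": "dh5", "group14": "dh14"}
WEAK_DH = {"dh1", "dh2"}  # 768- and 1024-bit MODP groups; the post uses group1 for PFS
def norm(v): return NORMALISE.get(v.replace(" ", ""), v)
FIELDS = [  # (key, ASA pattern, Junos pattern); group(1) is the value
    ("ike_enc",    r"^\s*encryption (\S+)",        r"ike proposal \S+ encryption-algorithm (\S+)"),
    ("ike_hash",   r"^\s*hash (\S+)",              r"ike proposal \S+ authentication-algorithm (\S+)"),
    ("ike_dh",     r"^\s*(group \S+)",             r"dh-group (\S+)"),
    ("ipsec_enc",  r"transform-set \S+ (\S+) \S+", r"ipsec proposal \S+ encryption-algorithm (\S+)"),
    ("ipsec_auth", r"transform-set \S+ \S+ (\S+)", r"ipsec proposal \S+ authentication-algorithm (\S+)"),
    ("ipsec_life", r"lifetime seconds (\d+)",      r"lifetime-seconds (\d+)"),
    ("pfs",        r"set pfs (\S+)",               r"perfect-forward-secrecy keys (\S+)"),
    ("psk",        r"pre-shared-key (\S+)",        r"pre-shared-key ascii-text (\S+)"),
    ("peer",       r"tunnel-group (\S+) type",     r"ike gateway \S+ address (\S+)"),
]

def extract(cfg, col):
    """col=1 parses ASA syntax, col=2 parses Junos 'set' syntax; values come back normalised."""
    return {f[0]: norm(re.search(f[col], cfg, re.M).group(1)) for f in FIELDS}

def check(asa, srx, asa_wan, srx_wan):
    """List of findings: parameter mismatches, peer cross-check, weak DH groups. Empty means clean."""
    out = [f"{k}: ASA={asa[k]} SRX={srx[k]}" for k in asa if k != "peer" and asa[k] != srx[k]]
    if (asa["peer"], srx["peer"]) != (srx_wan, asa_wan): out.append("peer addresses do not cross-match the WAN addresses")
    out += [f"{s} {k}={p[k]} is a weak DH group" for s, p in (("ASA", asa), ("SRX", srx))
            for k in ("ike_dh", "pfs") if p[k] in WEAK_DH]
    return out

# Excerpts of the two configs from the post, used here as constructed input.
ASA_CFG = """ encryption aes-256
 hash sha
 group 5
crypto ipsec ikev1 transform-set PHASE-TWO-PROPOSAL esp-aes-256 esp-sha-hmac
 set pfs group1
 set security-association lifetime seconds 86399
tunnel-group 203.0.113.1 type ipsec-l2l
 ikev1 pre-shared-key TheCatInFranceSlept"""
SRX_CFG = """set security ike proposal ASA-PHASE-ONE-PROPOSAL dh-group group5
set security ike proposal ASA-PHASE-ONE-PROPOSAL authentication-algorithm sha1
set security ike proposal ASA-PHASE-ONE-PROPOSAL encryption-algorithm aes-256-cbc
set security ike policy ASA-IKE-POLICY pre-shared-key ascii-text TheCatInFranceSlept
set security ipsec proposal ASA-IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal ASA-IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec proposal ASA-IPSEC-PROPOSAL lifetime-seconds 86399
set security ipsec policy ASA-IPSEC-POLICY perfect-forward-secrecy keys group1
set security ike gateway ASA-GATEWAY address 198.51.100.1"""
FINDINGS = check(extract(ASA_CFG, 1), extract(SRX_CFG, 2), "198.51.100.1", "203.0.113.1")
```

On the post's configs the only findings are the two weak-PFS warnings; change any single parameter on one side and the mismatch is named.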

Verifying and Testing

ASA

First we verify phase one, then phase two.

ASAv# show crypto isakmp sa detail

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: ASA-TO-SRX
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 86362

ASAv# show crypto ipsec sa detail
interface: ASA-SRX-TUNNEL
    Crypto map tag: __vti-crypto-map-4-0-100, seq num: 65280, local addr: 198.51.100.1

      access-list __vti-def-acl-0 extended permit ip any any
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: ASA-TO-SRX


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 198.51.100.1/0, remote crypto endpt.: ASA-TO-SRX/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: F4423134
      current inbound spi : CAD09FA2

    inbound esp sas:
      spi: 0xCAD09FA2 (3402669986)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, IKEv1, VTI, }
         slot: 0, conn_id: 1228800, crypto-map: __vti-crypto-map-4-0-100
         sa timing: remaining key lifetime (kB/sec): (3915000/86285)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xF4423134 (4097978676)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, IKEv1, VTI, }
         slot: 0, conn_id: 1228800, crypto-map: __vti-crypto-map-4-0-100
         sa timing: remaining key lifetime (kB/sec): (3915000/86284)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ASAv#

Look at all those 0's. As we can see, both phase one and phase two are up; however, we haven't sent any data through the tunnel. Let's do that now!

WestPC> ping 192.168.50.2

84 bytes from 192.168.50.2 icmp_seq=1 ttl=63 time=9.671 ms
84 bytes from 192.168.50.2 icmp_seq=2 ttl=63 time=2.579 ms
84 bytes from 192.168.50.2 icmp_seq=3 ttl=63 time=3.505 ms
84 bytes from 192.168.50.2 icmp_seq=4 ttl=63 time=2.653 ms
84 bytes from 192.168.50.2 icmp_seq=5 ttl=63 time=2.493 ms

ASAv# show crypto ipsec sa detail | i encaps:|decaps:
      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

ASAv# show route 192.168.50.0

Routing entry for 192.168.50.0 255.255.255.0
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 10.255.255.2, via ASA-SRX-TUNNEL
      Route metric is 0, traffic share count is 1

SRX

root@vSRX-1> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-256/sha1 f4423134 86394/ 4608000 - root 500 198.51.100.1
  >131073 ESP:aes-cbc-256/sha1 cad09fa2 86394/ 4608000 - root 500 198.51.100.1

root@vSRX-1> show security ike security-associations detail
IKE peer 198.51.100.1, Index 6355135, Gateway Name: ASA-GATEWAY
  Role: Responder, State: UP
  Initiator cookie: d3571252c13d577f, Responder cookie: 6fad532d597e1cf7
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 203.0.113.1:500, Remote: 198.51.100.1:500
  Lifetime: Expires in 86068 seconds
  Reauth Lifetime: Disabled
  Peer ike-id: 198.51.100.1
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                 3876
   Output bytes  :                 3676
   Input  packets:                   36
   Output packets:                   35
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 203.0.113.1:500, Remote: 198.51.100.1:500
    Local identity: 203.0.113.1
    Remote identity: 198.51.100.1
    Flags: IKE SA is created

root@vSRX-1> show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: ASA-VPN
  Local Gateway: 203.0.113.1, Remote Gateway: 198.51.100.1
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
    DF-bit: clear
           , Copy-Outer-DSCP Disabled
    Bind-interface: st0.0

  Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  Tunnel events:
    Sat Feb 23 2019
    : IPSec SA negotiation successfully completed          (1 times)
    Sat Feb 23 2019
    : IKE SA negotiation successfully completed            (1 times)
    Direction: inbound, SPI: f4423134, AUX-SPI: 0
    Hard lifetime: Expires in 85986 seconds
    Lifesize Remaining:  4607998 kilobytes
    Soft lifetime: Expires in 85396 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled

                          , Replay window size: 64
    Direction: outbound, SPI: cad09fa2, AUX-SPI: 0
    Hard lifetime: Expires in 85986 seconds
    Lifesize Remaining:  4607998 kilobytes
    Soft lifetime: Expires in 85396 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled

                          , Replay window size: 64

root@vSRX-1> show interfaces st0.0 | match put
    Input packets : 5
    Output packets: 5

root@vSRX-1> show route 172.16.100.0

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.100.0/24    *[Static/5] 13:42:01
                    > to 10.255.255.1 via st0.0

We’re good! Thanks for reading.
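To make this verification repeatable, here is an added example (not from the original post) that parses the outputs above and checks what we eyeballed: the ASA's outbound SPI must equal the SRX's inbound (`<`) SPI and vice versa, and the ASA's encaps/decaps counters and the SRX's st0.0 counters must all be non-zero.

```python
import re

# Excerpts of the verification output shown above (constructed input for this check).
ASA_IPSEC_SA = """      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      current outbound spi: F4423134
      current inbound spi : CAD09FA2"""
SRX_IPSEC_SA = """  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-256/sha1 f4423134 86394/ 4608000 - root 500 198.51.100.1
  >131073 ESP:aes-cbc-256/sha1 cad09fa2 86394/ 4608000 - root 500 198.51.100.1"""
SRX_ST0 = """    Input packets : 5
    Output packets: 5"""

def asa_spis(text):
    """The ASA prints SPIs in upper-case hex; return (outbound, inbound) lower-cased."""
    out = re.search(r"current outbound spi: ([0-9A-Fa-f]+)", text).group(1)
    inb = re.search(r"current inbound spi\s*: ([0-9A-Fa-f]+)", text).group(1)
    return out.lower(), inb.lower()

def srx_spis(text):
    """Junos marks the inbound SA with '<' and the outbound SA with '>'; return (outbound, inbound)."""
    inb = re.search(r"^\s*<\d+ \S+ ([0-9a-f]+)", text, re.M).group(1)
    out = re.search(r"^\s*>\d+ \S+ ([0-9a-f]+)", text, re.M).group(1)
    return out, inb

def counters(asa_text, st0_text):
    """Packets the ASA encapsulated/decapsulated and packets the SRX counted on st0.0."""
    grab = lambda pat, txt: int(re.search(pat, txt).group(1))
    return {"asa_encaps": grab(r"#pkts encaps: (\d+)", asa_text),
            "asa_decaps": grab(r"#pkts decaps: (\d+)", asa_text),
            "st0_in": grab(r"Input packets\s*: (\d+)", st0_text),
            "st0_out": grab(r"Output packets\s*: (\d+)", st0_text)}

def verify(asa_text, srx_text, st0_text):
    """(spi_ok, flow_ok): SPIs must cross-match between the peers, and every counter must be non-zero."""
    asa_out, asa_in = asa_spis(asa_text)
    srx_out, srx_in = srx_spis(srx_text)
    c = counters(asa_text, st0_text)
    spi_ok = asa_out == srx_in and asa_in == srx_out
    flow_ok = min(c.values()) > 0
    return spi_ok, flow_ok

RESULT = verify(ASA_IPSEC_SA, SRX_IPSEC_SA, SRX_ST0)
```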

ASA to SRX Route-based IPSec VPN (part 1)

ASA to SRX Topology

Yes, you can have an IPSec tunnel between a Cisco and Juniper firewall!

It’s actually pretty easy to set up a tunnel between an ASA and an SRX. The above topology is set up as a traditional branch with an inside subnet being NAT’ted to the internet with a WAN address.

This is a two page post with this page going over the initial setup of the above topology covering addressing, NAT’ing, security policies and so on. If you’re just looking for the VPN config, skip to page 2!

ASA Initial Configuration

To get started on the ASA we'll give the interfaces IP addresses and names (nameif, which also sets their security level), then configure NAT and a default route like so:

ciscoasa(config-if)# int gi0/0
ciscoasa(config-if)# nameif OUTSIDE
INFO: Security level for "OUTSIDE" set to 0 by default.
ciscoasa(config-if)# ip add 198.51.100.1 255.255.255.252
ciscoasa(config-if)# no shut

ciscoasa(config)# int gi0/1
ciscoasa(config-if)# nameif INSIDE
INFO: Security level for "INSIDE" set to 100 by default.
ciscoasa(config-if)# ip add 172.16.100.1 255.255.255.0
ciscoasa(config-if)# no shut

ciscoasa(config)# nat (INSIDE,OUTSIDE) after-auto source dynamic any interface description "PAT out the OUTSIDE interface from the INSIDE interface"

ciscoasa(config)# route OUTSIDE 0.0.0.0 0.0.0.0 198.51.100.2

One additional note for the ASA: by default the ASA does not inspect ICMP, so ping replies passing back through the firewall will be dropped. To get around this, enable ICMP inspection like so:

ciscoasa# conf t
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)#  class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# end

SRX Initial Configuration

Here we set the interfaces' IP addresses, assign them to zones and set a default route.

set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.1/30
set interfaces ge-0/0/1 unit 0 family inet address 192.168.50.1/24

set security zones security-zone UNTRUST interfaces ge-0/0/0.0
set security zones security-zone TRUST interfaces ge-0/0/1.0

set routing-options static route 0.0.0.0/0 next-hop 203.0.113.2

In addition, on the SRX we need to allow host-inbound traffic for ping and IKE on the UNTRUST zone (otherwise the SRX itself will not answer pings or IKE negotiations on its WAN interface), plus a security policy allowing TRUST zone traffic to the UNTRUST zone.

set security zones security-zone UNTRUST host-inbound-traffic system-services ping
set security zones security-zone UNTRUST host-inbound-traffic system-services ike

set security policies from-zone TRUST to-zone UNTRUST policy PERMIT-ALL match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT-ALL match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT-ALL match application any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT-ALL then permit

set security zones security-zone TRUST host-inbound-traffic system-services any-service
set security zones security-zone TRUST host-inbound-traffic protocols all

NAT takes a few more lines on the SRX but performs exactly the same function as the ASA's interface PAT above:

set security nat source rule-set UNTRUST-TO-TRUST from zone TRUST
set security nat source rule-set UNTRUST-TO-TRUST to zone UNTRUST
set security nat source rule-set UNTRUST-TO-TRUST rule RULE-1 match source-address 192.168.50.0/24
set security nat source rule-set UNTRUST-TO-TRUST rule RULE-1 then source-nat interface

Quick Sanity Checks

A ping from the East host behind the SRX to the ASA's WAN interface, and one from the West host to the SRX's WAN interface, both succeed.

EastPC> ping 198.51.100.1
84 bytes from 198.51.100.1 icmp_seq=1 ttl=253 time=3.665 ms
84 bytes from 198.51.100.1 icmp_seq=2 ttl=253 time=3.844 ms

WestPC> ping 203.0.113.1
84 bytes from 203.0.113.1 icmp_seq=1 ttl=63 time=4.912 ms
84 bytes from 203.0.113.1 icmp_seq=2 ttl=63 time=2.034 ms

Alright, after all that, we’re now ready to move on to the actual VPN set up on Page 2!