CISCO | Mike’s Blog

Yeeeep! Cisco Cyber Ops Scholarship

by Mike | Dec 12, 2017 | CISCO | 0 comments

I have really exciting news:

Site-to-site IPSec between Juniper and Cisco through Mikrotik’s NAT

by Mike | Dec 6, 2017 | CISCO, Juniper | 0 comments

Since my company has been using Cisco and Juniper network equipment we have a lot of IPSec tunnels to remote branches. To achieve some sort of high-availability we have decided to implement one of the IPSec tunnels over an LTE network.

To do so we bought Mikrotik wAP LTE kit to get connected to an LTE network and obtained a public IP address from a mobile data operator.

So.. we have:

Cisco ISR in the DC with public IP address 1.1.1.1
Mikrotik wAP LTE with public IP address 2.2.2.2
Juniper SRX100 in the branch with private address 172.16.1.2/30 connected to Mikrotik

Cisco ISR config

Tunnel interface:

interface Tunnel10
 description TO REMOTE BRANCH
 bandwidth 15000
 ip address 172.20.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile VTI

interface Tunnel10

description TO REMOTE BRANCH

bandwidth 15000

ip address 172.20.1.1 255.255.255.252

ip mtu 1400

ip tcp adjust-mss 1360

tunnel source GigabitEthernet0/0/0

tunnel mode ipsec ipv4

tunnel destination 2.2.2.2

tunnel protection ipsec profile VTI

ip route 2.2.2.2 255.255.255.255 1.1.1.2

1	ip route 2.2.2.2 255.255.255.255 1.1.1.2

IPSec config:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key SHAREDKEY address 10.0.0.2 
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI
 set transform-set TSET
!
!
!
!
!
!
!
interface Tunnel10
 bandwidth 15000
 ip address 172.20.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile VTI
!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key SHAREDKEY address 10.0.0.2

crypto isakmp invalid-spi-recovery

crypto isakmp keepalive 10

crypto ipsec transform-set TSET esp-3des esp-sha-hmac

mode tunnel

crypto ipsec profile VTI

set transform-set TSET

interface Tunnel10

bandwidth 15000

ip address 172.20.1.1 255.255.255.252

ip mtu 1400

ip tcp adjust-mss 1360

tunnel source Ethernet0/0

tunnel mode ipsec ipv4

tunnel destination 2.2.2.2

tunnel protection ipsec profile VTI

Juniper SRX config

security {
    ike {
        policy IKE_DC {
            mode main;
            proposal-set compatible;
            pre-shared-key ascii-text "SHAREDPASS"; ## SECRET-DATA
        }
        gateway GW_DC {
            ike-policy IKE_DC;
            address 1.1.1.1;
            external-interface fe-0/0/6.0;
        }
    }
    ipsec {
        policy Juniper {
            proposal-set compatible;
        }
        vpn VPN_DC {
            bind-interface st0.10;
            ike {
                gateway GW_DC;
                ipsec-policy Juniper;
            }
            establish-tunnels immediately;
        }
    }
    alg {
        dns disable;
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1360;
            }
        }
    }

security {

ike {

policy IKE_DC {

mode main;

proposal-set compatible;

pre-shared-key ascii-text "SHAREDPASS"; ## SECRET-DATA

}

gateway GW_DC {

ike-policy IKE_DC;

address 1.1.1.1;

external-interface fe-0/0/6.0;

}

ipsec {

policy Juniper {

proposal-set compatible;

}

vpn VPN_DC {

bind-interface st0.10;

ike {

gateway GW_DC;

ipsec-policy Juniper;

}

establish-tunnels immediately;

}

alg {

dns disable;

}

flow {

tcp-mss {

ipsec-vpn {

mss 1360;

}

Adding to zone and allowing IKE on the interface:

set security zones security-zone untrust interfaces fe-0/0/6.0
set security zones security-zone untrust host-inbound-traffic system-services ike

1 2	set security zones security-zone untrust interfaces fe-0/0/6.0 set security zones security-zone untrust host-inbound-traffic system-services ike

Mikrotik config

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=2.2.2.2 dst-port=4500 \
    in-interface=lte1 protocol=udp to-addresses=172.16.1.2 to-ports=4500
add action=dst-nat chain=dstnat dst-address=2.2.2.2 dst-port=500 \
    in-interface=lte1 protocol=udp to-addresses=172.16.1.2 to-ports=500
add action=src-nat chain=srcnat out-interface=lte1 src-address=172.16.1.2 \
    to-addresses=2.2.2.2

/ip firewall nat

add action=dst-nat chain=dstnat dst-address=2.2.2.2 dst-port=4500 \

in-interface=lte1 protocol=udp to-addresses=172.16.1.2 to-ports=4500

add action=dst-nat chain=dstnat dst-address=2.2.2.2 dst-port=500 \

in-interface=lte1 protocol=udp to-addresses=172.16.1.2 to-ports=500

add action=src-nat chain=srcnat out-interface=lte1 src-address=172.16.1.2 \

to-addresses=2.2.2.2

IPsec debug on SRX

To debug IPSec on Juniper you can use this commands:

Phase 1

show security ike security-associations
node0:
--------------------------------------------------------------------------
Index State Initiator cookie Responder cookie Mode Remote Address
1990848 UP 0a8d1bb614de2965 47ade7df5b93f10f Main 1.1.1.1

show security ike security-association index <#> detail
show security ike security-association <peer-ip>


show security ike stats sa

show security ike security-associations

node0:

--------------------------------------------------------------------------

Index State Initiator cookie Responder cookie Mode Remote Address

1990848 UP 0a8d1bb614de2965 47ade7df5b93f10f Main 1.1.1.1

show security ike security-association index <#> detail

show security ike security-association <peer-ip>

show security ike stats sa

Phase 2

show security ipsec security-associations | no-more
node0:
--------------------------------------------------------------------------
 Total active tunnels: 3
 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway 
 <131073 ESP:3des/sha1 828f5d73 1299/ 4426652 - root 500 1.1.1.1 
 >131073 ESP:3des/sha1 3c0637c3 1299/ 4426652 - root 500 1.1.1.1 

show security ipsec inactive-tunnels
node0:
--------------------------------------------------------------------------
 Total inactive tunnels: 0
 Total inactive tunnels with establish immediately: 0

show security ipsec security-associations | no-more

node0:

--------------------------------------------------------------------------

Total active tunnels: 3

ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway

<131073 ESP:3des/sha1 828f5d73 1299/ 4426652 - root 500 1.1.1.1

>131073 ESP:3des/sha1 3c0637c3 1299/ 4426652 - root 500 1.1.1.1

show security ipsec inactive-tunnels

node0:

--------------------------------------------------------------------------

Total inactive tunnels: 0

Total inactive tunnels with establish immediately: 0

Passed CCNA R&S certification

by Mike | Aug 19, 2017 | CCNA | 0 comments

Yesterday I finally passed CCNA R&S 200-125 exam. Next goal – CCNP.

Cisco Certification

by Mike | Jun 13, 2017 | CCNA | 0 comments

I have been around networks for over 8 years and I always have had a dream to become a CCIE. Now It is time to set the GOAL and to start my journey.

So that I’ve started studying for the CCNA R&S exam and thought I would put my notes on this blog. It might be useful for me and hopefully, my notes can be helpful to someone else. These notes are based on CCNAR&S 200-125 Official Cert Guide and CBT Nuggets.