Site-to-site IPSec between Juniper and Cisco through Mikrotik’s NAT
Since my company has been using Cisco and Juniper network equipment we have a lot of IPSec tunnels to remote branches. To achieve some sort of high-availability we have decided to implement one of the IPSec tunnels over an LTE network.
To do so we bought Mikrotik wAP LTE kit to get connected to an LTE network and obtained a public IP address from a mobile data operator.
So.. we have:
- Cisco ISR in the DC with public IP address 1.1.1.1
- Mikrotik wAP LTE with public IP address 2.2.2.2
- Juniper SRX100 in the branch with private address 172.16.1.2/30 connected to Mikrotik
Cisco ISR config
Tunnel interface:
|
1 2 3 4 5 6 7 8 9 10 |
interface Tunnel10 description TO REMOTE BRANCH bandwidth 15000 ip address 172.20.1.1 255.255.255.252 ip mtu 1400 ip tcp adjust-mss 1360 tunnel source GigabitEthernet0/0/0 tunnel mode ipsec ipv4 tunnel destination 2.2.2.2 tunnel protection ipsec profile VTI |
|
1 |
ip route 2.2.2.2 255.255.255.255 1.1.1.2 |
IPSec config:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key SHAREDKEY address 10.0.0.2 crypto isakmp invalid-spi-recovery crypto isakmp keepalive 10 ! ! crypto ipsec transform-set TSET esp-3des esp-sha-hmac mode tunnel ! crypto ipsec profile VTI set transform-set TSET ! ! ! ! ! ! ! interface Tunnel10 bandwidth 15000 ip address 172.20.1.1 255.255.255.252 ip mtu 1400 ip tcp adjust-mss 1360 tunnel source Ethernet0/0 tunnel mode ipsec ipv4 tunnel destination 2.2.2.2 tunnel protection ipsec profile VTI ! |
Juniper SRX config
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 |
security { ike { policy IKE_DC { mode main; proposal-set compatible; pre-shared-key ascii-text "SHAREDPASS"; ## SECRET-DATA } gateway GW_DC { ike-policy IKE_DC; address 1.1.1.1; external-interface fe-0/0/6.0; } } ipsec { policy Juniper { proposal-set compatible; } vpn VPN_DC { bind-interface st0.10; ike { gateway GW_DC; ipsec-policy Juniper; } establish-tunnels immediately; } } alg { dns disable; } flow { tcp-mss { ipsec-vpn { mss 1360; } } } |
Adding to zone and allowing IKE on the interface:
|
1 2 |
set security zones security-zone untrust interfaces fe-0/0/6.0 set security zones security-zone untrust host-inbound-traffic system-services ike |
Mikrotik config
|
1 2 3 4 5 6 7 |
/ip firewall nat add action=dst-nat chain=dstnat dst-address=2.2.2.2 dst-port=4500 \ in-interface=lte1 protocol=udp to-addresses=172.16.1.2 to-ports=4500 add action=dst-nat chain=dstnat dst-address=2.2.2.2 dst-port=500 \ in-interface=lte1 protocol=udp to-addresses=172.16.1.2 to-ports=500 add action=src-nat chain=srcnat out-interface=lte1 src-address=172.16.1.2 \ to-addresses=2.2.2.2 |
IPsec debug on SRX
To debug IPSec on Juniper you can use this commands:
Phase 1
|
1 2 3 4 5 6 7 8 9 10 11 |
show security ike security-associations node0: -------------------------------------------------------------------------- Index State Initiator cookie Responder cookie Mode Remote Address 1990848 UP 0a8d1bb614de2965 47ade7df5b93f10f Main 1.1.1.1 show security ike security-association index <#> detail show security ike security-association <peer-ip> show security ike stats sa |
Phase 2
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
show security ipsec security-associations | no-more node0: -------------------------------------------------------------------------- Total active tunnels: 3 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131073 ESP:3des/sha1 828f5d73 1299/ 4426652 - root 500 1.1.1.1 >131073 ESP:3des/sha1 3c0637c3 1299/ 4426652 - root 500 1.1.1.1 show security ipsec inactive-tunnels node0: -------------------------------------------------------------------------- Total inactive tunnels: 0 Total inactive tunnels with establish immediately: 0 |
