HOWTO Configure an IPSec VPN between a Juniper Netscreen firewall and a Cisco ASA device

Luca Maranzano — Fri, 27 Aug 2010 14:10:00 +0000

Last week I got some fun configuring an IPSec VPN Lan-to-Lan between a Juniper Netscreen firewall and a Cisco ASA of a customer; in my past experience I’ve configured almost any kind of VPN, but this combination was still missing .

The process has been quite straightforward on the (our) Juniper side, the device is a SSG-320M with ScreenOS 6.2. Unlike other devices (Nortel, Cisco) the ScreenOS supports 2 kinds of VPN: Policy based and route based.

I was able to use the Policy based mode and the device on the other side is a Cisco ASA5540 managed by a smart network guy.

The steps have been basically the following:

An accurate plan of the network addresses involved by the two encryption domains; as an additional difficulty in my setup the encryption domains have overlapping address space so I configured a virtual Linux “Nat Box” to manage the NAT on my side with the excellent Shorewall package
The definition of the Address Lists on the ScreenOS, binded to the right zones (Trust/Untrust/other)
The definition of the Gateway with a static IP and the pre-shared key. Be careful in the definition the Phase1 parameters, they have to match precisely on both sides
The definition of a VPN AutoKey IKE: again, be careful in the definition of the Phase2 parameters and enable the Reply Protection.
The definition of the Policies between the Network objects involved in the VPN; it was mandatory to flag the “Position at top” and “Modify matching bidirectional VPN policy”

The most important thing in these situations is to have some handful commands to efficiently debug the VPN during the phase 1 and 2. Here I’ll summarize some of them, at the CLI level on the ScreenOS:

fw> debug ike detail                   #enable debug ike
fw> get dbuf stream                    #show the debug messages in the buffer
fw> undebug all                        #disable all debug
fw> clear dbuf                         #clear the buffer
fw> get config | include ike           #show the ike relevant config statements
fw> set ike accept-all-proposal        #try this to check the other side proposals
fw> clear ike-cookie all               #clear IKE cookie for all VPN
fw> get sa active                      #show the active SAs
fw> get sa id                      #show the SA details with network details
fw> get sa stat                        #show traffic with pkt IN/OUT counters

Some useful links for this kind of tasks:
Configuring or Troubleshooting a Juniper Firewall VPN (Juniper KB)
Building IPSEC VPN with Juniper Netscreen ScreenOS
Setting up an IPSEC VPN Tunnel betweek a Juniper Netscreen and a Cisco VPN device

((enjoy))

IEEE 802.21: Media-Independent Handover Services

Luca Maranzano — Sun, 26 Jul 2009 20:57:35 +0000

The IEEE 802.21 working group (see www.ieee802.org/21) recently finalized the first standard for dealing with handovers in heterogeneous networks, also called Media-Independent Handovers (MIH). The standard is expected to allow mobile users (and operators) to take full advantage of overlapping and diverse access networks. It provides a framework for efficiently discovering networks in range and executing intelligent heterogeneous handovers, based on their respective capabilities and current link conditions.

An interesting primer about this can be found on the last issue of “The Internet Protocol Journal”.

((enjoy))

Guru dell'Eccelso Picco » Networking

HOWTO Configure an IPSec VPN between a Juniper Netscreen firewall and a Cisco ASA device

IEEE 802.21: Media-Independent Handover Services