VPN Tunnel Setup Cisco 1841 to Juniper SSG-320

Hi there experts,

We need to setup a VPN tunnel between Cisco Router 1841 and Juniper SSG-320.
Juniper SSG-320 is managed by Verizon (ISP) and will be configured by them, so no problems there; we need to configure our end, the Cisco 1841, for one of the sites.

Cisco 1841 runs IPSecBundle - (C1841-ADVIPSERVICESK9-M), Version 12.4(9)T5
FE0/0 is local LAN interface
FE0/1 is an interface connected to an ADSL PPPoA modem via a static private IP address via one of the four switch ports; the ADSL modem gets its public WAN IP address dynamically, so it might change.
Based on the info from the Cisco web site I prepared the config, see below. Can you double-check and tell me if something is missing or wrong, as I'm not a network expert:
Let's assume that the remote Juniper IP address is 99.99.99.1, FE0/1 is assigned 10.2.2.1, FE0/0 is assigned 10.1.1.1, and that no NAT statements are required as all traffic should be tunnelled, including internet traffic:

! Phase 1 (IKE) policy; the pre-shared key is tied to the remote peer
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key xxxxxx address 99.99.99.1
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set specialset esp-des esp-md5-hmac
!
! Crypto map: peer, transform set and the ACL that selects interesting traffic
crypto map remoteVPN 1 ipsec-isakmp
 set peer 99.99.99.1
 set transform-set specialset
 match address 115
!
! Crypto map applied on the interface facing the ADSL modem (FE0/1 on the 1841)
interface FastEthernet0/1
 ip address 10.2.2.1 255.255.255.0
 crypto map remoteVPN
!
! Interesting traffic: everything from the local LAN, so all traffic is tunnelled
access-list 115 permit ip 10.1.1.0 0.0.0.255 any


Thanks and regards ,

MENA ITServices asked:

mikecr commented:
Won't work, you need to have a public IP address on FE0/1 for it to work. Both your end points need to be public IPs, or you need to do a port forward of a public IP address to the E0/1 interface via NAT.

Also, you should NEVER, EVER, use the any command in an IPSEC statement because if your internal network is 10.1.1.0, it will match the access list and not matter where you're going, you'll get encrypted, so that won't work either.

Your crypto ISAKMP policy 1 should also specify the encryption level, either DES, 3-DES, or AES.
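To make the review points in this comment checkable rather than a matter of reading the config by eye, here is a small added lint script (my own example, not code from the thread or from Cisco). It parses an IOS-style config into top-level commands and their indented sub-commands, then flags the three issues raised above: an ISAKMP policy with no explicit encryption line (IOS then defaults to DES), a crypto map applied on an interface carrying an RFC 1918 address, and a crypto ACL whose destination is `any`. It also flags MD5 and single DES. The two embedded configs are constructed samples: the first is the posted config as corrected in the question, the second is a hardened variant I wrote to show a clean run; its WAN address 203.0.113.5 and remote subnet 192.168.50.0/24 are placeholders, not values from this thread.

```python
import ipaddress

# Constructed sample 1: the configuration posted in the question (interface
# named as the 1841 reports it).
POSTED_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key xxxxxx address 99.99.99.1
crypto ipsec transform-set specialset esp-des esp-md5-hmac
crypto map remoteVPN 1 ipsec-isakmp
 set peer 99.99.99.1
 set transform-set specialset
 match address 115
interface FastEthernet0/1
 ip address 10.2.2.1 255.255.255.0
 crypto map remoteVPN
access-list 115 permit ip 10.1.1.0 0.0.0.255 any
"""

# Constructed sample 2: the same config with the reviewer's points applied
# (explicit AES/SHA, a public WAN address, a specific remote subnet).
# 203.0.113.5 and 192.168.50.0/24 are placeholder values, not from the thread.
HARDENED_CONFIG = """\
crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 99.99.99.1
crypto ipsec transform-set specialset esp-aes esp-sha-hmac
crypto map remoteVPN 1 ipsec-isakmp
 set peer 99.99.99.1
 set transform-set specialset
 match address 115
interface FastEthernet0/1
 ip address 203.0.113.5 255.255.255.0
 crypto map remoteVPN
access-list 115 permit ip 10.1.1.0 0.0.0.255 192.168.50.0 0.0.0.255
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_sections(config):
    """Split IOS-style text into (top-level command, [indented sub-commands]) pairs."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def _addr_spec(tokens):
    """Consume one ACL address spec ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD')."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def check_vpn_config(config):
    """Return the review findings for a crypto-map style IPsec config, in config order."""
    findings = []
    sections = parse_sections(config)
    crypto_acls = set()  # ACL numbers referenced by 'match address' in a crypto map

    for header, children in sections:
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            # With no 'encryption' line IOS silently uses its default, DES.
            if not any(c.split()[0] in ("encryption", "encr") for c in children):
                findings.append(f"{header}: no explicit encryption (IOS defaults to DES)")
            if "hash md5" in children:
                findings.append(f"{header}: uses MD5 hash")
        elif header.startswith("crypto ipsec transform-set") and "esp-des" in words:
            findings.append(f"{words[3]}: transform set uses single DES")
        elif header.startswith("crypto map") and "ipsec-isakmp" in words:
            crypto_acls.update(c.split()[2] for c in children if c.startswith("match address"))
        elif header.startswith("interface"):
            # The remote peer must reach this address; RFC 1918 space is not routable.
            maps = [c.split()[2] for c in children if c.startswith("crypto map")]
            for c in children:
                if c.startswith("ip address") and maps:
                    addr = ipaddress.ip_address(c.split()[2])
                    if any(addr in net for net in RFC1918):
                        findings.append(f"{header}: crypto map {maps[0]} applied on RFC 1918 address {addr}")

    # Crypto ACLs are checked last because 'match address' may appear before the ACL itself.
    for header, _ in sections:
        words = header.split()
        if words[:1] == ["access-list"] and words[1] in crypto_acls and words[2:4] == ["permit", "ip"]:
            _src, rest = _addr_spec(words[4:])
            dst, _ = _addr_spec(rest)
            if dst == "any":
                findings.append(f"access-list {words[1]}: destination 'any' in crypto ACL")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_vpn_config(cfg) or ["no findings"])
```

Run as-is, the posted config produces five findings and the hardened variant none. The RFC 1918 check is deliberately narrow (the three private ranges only) so that documentation addresses used in examples are not flagged; a production version would also want to reject APIPA and other special-purpose ranges.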
MENA ITServices (author) commented:
Mikecr,
We have three sites that are set up this way; the only difference is that the terminating device for those three is a Cisco 2800 series router. This service is managed by the ISP (Verizon). The reason we can't have this office set up and managed by them is because the managed service is not available in that location. That's all I can say; basically a local politics issue.
Are you saying that this won't work because the terminating device is a Juniper firewall and doesn't have similar functionality? Verizon confirmed this can work but won't help us with the configuration, or it would cost probably around $1000 to get this done and would take weeks to implement. It would be cheaper to engage one of the in-country network vendors to get this done.
Please clarify what you meant there.
Regards,
mikecr commented:
If you have an ADSL modem connected to an interface on the router and the modem gets a public IP address, then I'm assuming that you're getting a private IP address on FE0/1, correct? Are you using NAT on the ADSL modem to port forward all the traffic to the FE0/1 interface?

The FE0/1 interface on the router needs to have a public IP address so that it becomes the termination point for the VPN. Keep in mind that the private IP 10.2.2.1 is not routable on the internet so it would need to be a live IP like 67.9.184.5. This means the peer address you specified would not be able to contact the FE0/1 interface IP because it's not valid.

Otherwise, your config may work. Now that you specified you wanted all traffic to go across the tunnel, now I understand why you used the "any" keyword in your access-list command.

MENA ITServices (author) commented:
Ok, I think I understand where you're coming from. You're talking about site-to-site VPN (static-to-static); I'm referring to static-to-dynamic unidirectional site-to-site VPN. Please see the article below; I assume this is how Verizon have done this for us in the past:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
Comments to your questions are below:
'If you have an ADSL modem connected to an interface on the router and the modem gets a public IP address, then I'm assuming that you're getting a private IP address on FE0/1, correct?' - Correct.
'Are you using NAT on the ADSL modem to port forward all the traffic to the FE0/1 interface?' - No, because the public IP on the ADSL port could change any time anyway.
I cannot stress enough that the ADSL public dynamic IP can change any second; it has happened a few times over the past few weeks. So even if I port forwarded all the incoming traffic and that ADSL public IP changed, the remote end would not know where to connect to to establish the VPN tunnel. A public static IP is not an option; it is simply not available with the ADSL service, otherwise we would have purchased a Cisco ADSL WIC card and a static public IP.
Any further comments are appreciated .
Thanks,
mikecr commented:
You want to use the Easy VPN setup in this document. Your configuration would be incorrect on the router due to the fact that you're not specifying a VPN end device to connect to, and also, it is being set up as a host and not a client. Using this client that is built into the IOS, you should be able to set it up without a problem. You will probably need login information, however, for the Juniper.

http://www.cisco.com/en/US/products/hw/routers/ps221/prod_configuration_guide09186a008007cfa7.html
MENA ITServices (author) commented:
Although a solution was provided, we asked for step-by-step instructions.
MENA ITServices (author) commented:
Thanks Mikecr