In all the vendor documentation I find, examples for setting up IPSec tunnels use some of the worst encryption possible.
This is documenting better alternatives between vendors (not necessarily ideal, but the idea is to provide the best solution given the options).
This is an example of a tunnel between a Juniper SRX and Cisco ASA using
- AES256 CBC (Debatable whether AES-CBC is better than AES-GCM, but GCM is easier on your CPU)
- SHA1 (SHA256 would be better)
- PFS Group 5 (Group 19 would be better)
Juniper SRX IPSec
1set version 15.1X49-D75.5
2set system root-authentication encrypted-password "password"
3set system login user louisk uid 2000
4set system login user louisk class super-user
5set system login user louisk authentication encrypted-password "password"
6set system services ssh
7set security ike traceoptions file ike-debug
8set security ike traceoptions file size 10m
9set security ike traceoptions file files 2
10set security ike traceoptions flag general
11set security ike traceoptions level 3
12set security ike proposal ike-proposal-ite-1 authentication-method pre-shared-keys
13set security ike proposal ike-proposal-site-1 dh-group group5
14set security ike proposal ike-proposal-site-1 authentication-algorithm sha1
15set security ike proposal ike-proposal-site-1 encryption-algorithm aes-256-cbc
16set security ike proposal ike-proposal-site-1 lifetime-seconds 86400
17set security ike policy ike-policy-site-1 mode main
18set security ike policy ike-policy-site-1 proposals ike-proposal-site-1
19set security ike policy ike-policy-site-1 pre-shared-key ascii-text "password"
20set security ike gateway ike-gate-site-1 ike-policy ike-policy-site-1
21set security ike gateway ike-gate-site-1 address 192.0.0.2
22set security ike gateway ike-gate-site-1 dead-peer-detection optimized
23set security ike gateway ike-gate-site-1 dead-peer-detection interval 10
24set security ike gateway ike-gate-site-1 dead-peer-detection threshold 5
25set security ike gateway ike-gate-site-1 external-interface ge-0/0/0
26set security ike gateway ike-gate-site-1 version v1-only
27set security ipsec traceoptions flag security-associations
28set security ipsec proposal ipsec-proposal-site-1 protocol esp
29set security ipsec proposal ipsec-proposal-site-1 authentication-algorithm hmac-sha1-96
30set security ipsec proposal ipsec-proposal-site-1 encryption-algorithm aes-256-cbc
31set security ipsec proposal ipsec-proposal-site-1 lifetime-seconds 28800
32set security ipsec policy ipsec-policy-site-1 perfect-forward-secrecy keys group5
33set security ipsec policy ipsec-policy-site-1 proposals ipsec-proposal-site-1
34set security ipsec vpn ipsec-vpn-site-1 bind-interface st0.0
35set security ipsec vpn ipsec-vpn-site-1 ike gateway ike-gate-site-1
36set security ipsec vpn ipsec-vpn-site-1 ike ipsec-policy ipsec-policy-site-1
37set security ipsec vpn ipsec-vpn-site-1 traffic-selector ts1-trust-site-1 local-ip 192.168.250.224/29
38set security ipsec vpn ipsec-vpn-site-1 traffic-selector ts1-trust-site-1 remote-ip 10.10.64.32/27
39set security ipsec vpn ipsec-vpn-site-1 establish-tunnels immediately
40set security policies from-zone trust to-zone site-1 policy trust-site-1-site-1 match source-address net-site-1_192.168_250_224_m29
41set security policies from-zone trust to-zone site-1 policy trust-site-1-site-1 match destination-address net-site-1_10.10_64_32_m27
42set security policies from-zone trust to-zone site-1 policy trust-site-1-site-1 match application any
43set security policies from-zone trust to-zone site-1 policy trust-site-1-site-1 then permit
44set security policies from-zone site-1 to-zone trust policy site-1-trust-site-1 match source-address net-site-1_10.10_64_32_m27
45set security policies from-zone site-1 to-zone trust policy site-1-trust-site-1 match destination-address net-site-1_192.168_250_224_m29
46set security policies from-zone site-1 to-zone trust policy site-1-trust-site-1 match application any
47set security policies from-zone site-1 to-zone trust policy site-1-trust-site-1 then permit
48set security zones security-zone trust address-book address net-site-1_192.168_250_224_m29 192.168.250.224/29
49set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
50set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols all
51set security zones security-zone site-1 address-book address net-site-1_10.10_64_32_m27 10.10.64.32/27
52set security zones security-zone site-1 interfaces st0.0
53set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
54set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
55set interfaces ge-0/0/0 unit 0 family inet address 192.0.0.1/24
56set interfaces ge-0/0/1 unit 0 family inet address 192.168.250.225/29
57set interfaces fxp0 unit 0 family inet dhcp-client
58set interfaces st0 unit 0 description "Cisco ASA IPSec"
59set interfaces st0 unit 0 family inet
60set routing-options static route 10.10.64.32/27 next-hop st0.0
Cisco ASA IPSec
1ASA Version 9.2(4)
2!
3hostname ciscoasa
4names
5!
6interface Ethernet0/0
7!
8interface Ethernet0/1
9 switchport access vlan 2
10!
11interface Ethernet0/2
12!
13interface Ethernet0/3
14!
15interface Ethernet0/4
16!
17interface Ethernet0/5
18!
19interface Ethernet0/6
20!
21interface Ethernet0/7
22!
23interface Vlan1
24 nameif inside
25 security-level 100
26 ip address 10.10.64.33 255.255.255.224
27!
28interface Vlan2
29 nameif outside
30 security-level 0
31 ip address 192.0.0.2 255.255.255.0
32!
33ftp mode passive
34object network obj_any
35 subnet 0.0.0.0 0.0.0.0
36access-list s2s extended permit ip 10.10.64.32 255.255.255.224 192.168.250.224 255.255.255.248
37access-list from_outside extended permit icmp any any echo
38pager lines 24
39logging asdm informational
40mtu inside 1500
41mtu outside 1500
42icmp unreachable rate-limit 1 burst-size 1
43no asdm history enable
44arp timeout 14400
45no arp permit-nonconnected
46!
47object network obj_any
48 nat (inside,outside) dynamic interface
49timeout xlate 3:00:00
50timeout pat-xlate 0:00:30
51timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
52timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
53timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
54timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
55timeout tcp-proxy-reassembly 0:01:00
56timeout floating-conn 0:00:00
57dynamic-access-policy-record DfltAccessPolicy
58user-identity default-domain LOCAL
59http server enable
60http 10.10.64.32 255.255.255.224 inside
61no snmp-server location
62no snmp-server contact
63crypto ipsec ikev1 transform-set CISCO esp-aes-256 esp-sha-hmac
64crypto ipsec security-association pmtu-aging infinite
65crypto map outside_map 20 match address s2s
66crypto map outside_map 20 set pfs group5
67crypto map outside_map 20 set peer 192.0.0.1
68crypto map outside_map 20 set ikev1 transform-set CISCO
69crypto map outside_map 20 set security-association lifetime seconds 28800
70crypto map outside_map interface outside
71crypto ca trustpool policy
72crypto isakmp identity address
73no crypto isakmp nat-traversal
74crypto ikev1 enable outside
75crypto ikev1 am-disable
76crypto ikev1 policy 20
77 authentication pre-share
78 encryption aes-256
79 hash sha
80 group 5
81 lifetime 86400
82telnet timeout 5
83no ssh stricthostkeycheck
84ssh timeout 5
85ssh key-exchange group dh-group1-sha1
86console timeout 0
87
88threat-detection basic-threat
89threat-detection statistics access-list
90no threat-detection statistics tcp-intercept
91tunnel-group 192.0.0.1 type ipsec-l2l
92tunnel-group 192.0.0.1 ipsec-attributes
93 ikev1 pre-shared-key *****
94!
95class-map inspection_default
96 match default-inspection-traffic
97!
98!
99policy-map type inspect dns preset_dns_map
100 parameters
101 message-length maximum client auto
102 message-length maximum 512
103policy-map global_policy
104 class inspection_default
105 inspect dns preset_dns_map
106 inspect ftp
107 inspect h323 h225
108 inspect h323 ras
109 inspect rsh
110 inspect rtsp
111 inspect esmtp
112 inspect sqlnet
113 inspect skinny
114 inspect sunrpc
115 inspect xdmcp
116 inspect sip
117 inspect netbios
118 inspect tftp
119 inspect ip-options
120 inspect icmp
121!
122service-policy global_policy global
123prompt hostname context
124no call-home reporting anonymous
Functional tunnel status
SRX
1louisk> show security ike sa
2Index State Initiator cookie Responder cookie Mode Remote Address
337052 UP f68955764fc31224 9dc48b4d2398a8c5 Main 192.0.0.2
4
5louisk> show security ipsec sa detail index 67108867
6
7ID: 67108867 Virtual-system: root, VPN Name: ipsec-vpn-site-1
8 Local Gateway: 192.0.0.1, Remote Gateway: 192.0.0.2
9 Traffic Selector Name: ts1-trust-site-1
10 Local Identity: ipv4(10.10.250.224-10.10.250.231)
11 Remote Identity: ipv4(192.168.64.32-192.168.64.63)
12 Version: IKEv1
13 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0
14 Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29
15 Tunnel events:
16 Tue Feb 19 2019 21:32:05: IPSec SA negotiation successfully completed (1 times)
17 Tue Feb 19 2019 21:32:04: IKE SA negotiation successfully completed (27 times)
18 Tue Feb 19 2019 21:31:27: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
19 Tue Feb 19 2019 21:01:05: IPSec SA negotiation successfully completed (1 times)
20 Tue Feb 19 2019 21:00:27: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
21 Tue Feb 19 2019 20:30:05: IPSec SA negotiation successfully completed (1 times)
22 Direction: inbound, SPI: 4724138f, AUX-SPI: 0
23 , VPN Monitoring: -
24 Hard lifetime: Expires in 27411 seconds
25 Lifesize Remaining: 4608000 kilobytes
26 Soft lifetime: Expires in 26792 seconds
27 Mode: Tunnel(0 0), Type: dynamic, State: installed
28 Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
29 Anti-replay service: counter-based enabled, Replay window size: 64
30 Direction: outbound, SPI: fc21b380, AUX-SPI: 0
31 , VPN Monitoring: -
32 Hard lifetime: Expires in 27411 seconds
33 Lifesize Remaining: 4608000 kilobytes
34 Soft lifetime: Expires in 26792 seconds
35 Mode: Tunnel(0 0), Type: dynamic, State: installed
36 Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
37 Anti-replay service: counter-based enabled, Replay window size: 64
38
39louisk>
ASA
1iscoasa# sh crypto isakmp sa
2
3IKEv1 SAs:
4
5 Active SA: 1
6 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
7Total IKE SA: 1
8
91 IKE Peer: 192.0.0.1
10 Type : L2L Role : responder
11 Rekey : no State : MM_ACTIVE
12
13There are no IKEv2 SAs
14ciscoasa# show crypto ipsec sa
15interface: outside
16 Crypto map tag: outside_map, seq num: 20, local addr: 192.0.0.2
17
18 access-list s2s extended permit ip 192.168.64.32 255.255.255.224 10.10.250.224 255.255.255.248
19 local ident (addr/mask/prot/port): (192.168.64.32/255.255.255.224/0/0)
20 remote ident (addr/mask/prot/port): (10.10.250.224/255.255.255.248/0/0)
21 current_peer: 192.0.0.1
22
23
24 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
25 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
26 #pkts compressed: 0, #pkts decompressed: 0
27 #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
28 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
29 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
30 #TFC rcvd: 0, #TFC sent: 0
31 #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
32 #send errors: 0, #recv errors: 0
33
34 local crypto endpt.: 192.0.0.2/0, remote crypto endpt.: 192.0.0.1/0
35 path mtu 1500, ipsec overhead 74(44), media mtu 1500
36 PMTU time remaining (sec): 0, DF policy: copy-df
37 ICMP error validation: disabled, TFC packets: disabled
38 current outbound spi: 9E267F5A
39 current inbound spi : 6D64FD16
40
41 inbound esp sas:
42 spi: 0x6D64FD16 (1835334934)
43 transform: esp-aes-256 esp-sha-hmac no compression
44 in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
45 slot: 0, conn_id: 512000, crypto-map: outside_map
46 sa timing: remaining key lifetime (kB/sec): (4374000/27884)
47 IV size: 16 bytes
48 replay detection support: Y
49 Anti replay bitmap:
50 0x00000000 0x00000001
51 outbound esp sas:
52 spi: 0x9E267F5A (2653323098)
53 transform: esp-aes-256 esp-sha-hmac no compression
54 in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
55 slot: 0, conn_id: 512000, crypto-map: outside_map
56 sa timing: remaining key lifetime (kB/sec): (4374000/27884)
57 IV size: 16 bytes
58 replay detection support: Y
59 Anti replay bitmap:
60 0x00000000 0x00000001
61
62ciscoasa# show crypto ipsec sa detail
63interface: outside
64 Crypto map tag: outside_map, seq num: 20, local addr: 192.0.0.2
65
66 access-list s2s extended permit ip 192.168.64.32 255.255.255.224 10.10.250.224 255.255.255.248
67 local ident (addr/mask/prot/port): (192.168.64.32/255.255.255.224/0/0)
68 remote ident (addr/mask/prot/port): (10.10.250.224/255.255.255.248/0/0)
69 current_peer: 192.0.0.1
70
71
72 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
73 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
74 #pkts compressed: 0, #pkts decompressed: 0
75 #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
76 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
77 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
78 #TFC rcvd: 0, #TFC sent: 0
79 #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
80 #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
81 #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
82 #pkts invalid prot (rcv): 0, #pkts verify failed: 0
83 #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
84 #pkts invalid pad (rcv): 0,
85 #pkts invalid ip version (rcv): 0,
86 #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
87 #pkts replay failed (rcv): 0
88 #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
89 #pkts internal err (send): 0, #pkts internal err (rcv): 0
90
91 local crypto endpt.: 192.0.0.2/0, remote crypto endpt.: 192.0.0.1/0
92 path mtu 1500, ipsec overhead 74(44), media mtu 1500
93 PMTU time remaining (sec): 0, DF policy: copy-df
94 ICMP error validation: disabled, TFC packets: disabled
95 current outbound spi: 9E267F5A
96 current inbound spi : 6D64FD16
97
98 inbound esp sas:
99 spi: 0x6D64FD16 (1835334934)
100 transform: esp-aes-256 esp-sha-hmac no compression
101 in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
102 slot: 0, conn_id: 512000, crypto-map: outside_map
103 sa timing: remaining key lifetime (kB/sec): (4374000/27861)
104 IV size: 16 bytes
105 replay detection support: Y
106 Anti replay bitmap:
107 0x00000000 0x00000001
108 outbound esp sas:
109 spi: 0x9E267F5A (2653323098)
110 transform: esp-aes-256 esp-sha-hmac no compression
111 in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
112 slot: 0, conn_id: 512000, crypto-map: outside_map
113 sa timing: remaining key lifetime (kB/sec): (4374000/27859)
114 IV size: 16 bytes
115 replay detection support: Y
116 Anti replay bitmap:
117 0x00000000 0x00000001
118
119ciscoasa#
Comments