Juniper SSG to Cisco RVS4000 VPN using IPSec
Firstly we shall configure the Cisco RVS4000 which, in this case, will be for a satellite office or home user.
The Cisco RVS4000 VPN SoHO Router
After a full reset the Cisco will have the LAN address 192.168.1.1 on the 192.168.1.0/24 range. Since that is also the most common home subnet, a home worker's own router will very likely clash with it, so it is best to choose something else. In the example here I am sticking with 192.168.1.0/24 because the network I am plugging into uses a different range, but you get the idea.
To start with We are going to configure the Cisco before it is taken off-site to become the opposite end of the VPN tunnel.
We begin with a fully reset Cisco RVS4000. You will obviously want to change the default password and set up any remote administration features beforehand, in case the VPN does not come up straight away. I would recommend enabling HTTPS remote management on a non-standard port rather than 443, restricted to the office's public IP if the firmware allows it; the non-standard port cuts down scanner noise but is no substitute for a strong password.
Now, move on to configure the VPN.
Go to the VPN Ipsec page of the router and enter the relevant details:
In the above the local and remote gateway type is set to IP Only, which lets the tunnel come up from a home connection without depending on FQDN or e-mail identities.
The tunnel is enabled and named after the destination office.
Local security type is Subnet, and the IP address is the LAN address of the Cisco router.
In this case the internal network behind the Cisco RVS4000 is 192.168.1.0/24, but in your case it may well be best to choose an alternative, as mentioned earlier.
The subnet mask is 255.255.255.0 (a /24, class C), as is usual on a home or SoHo network.
Next configure the main office network (the one behind the Juniper SSG)
The gateway is the external WAN IP address associated with the VPN you are connecting to (the Juniper WAN port)
The IP address and subnet mask are the internal network behind the Juniper SSG (the remote security group from the Cisco's point of view), in this case another /24.
We move down the page...
We are choosing IKE with a pre-shared key.
Phase 1 encryption is set to 3DES, the strongest this Cisco firmware offers. 3DES and SHA1 are legacy choices, so on a later model or firmware that offers AES, select AES-256 at both ends instead.
Phase 1 authentication (the integrity hash) is set to SHA1.
Phase 1 DH group is Group 5 (1536-bit MODP) and the key lifetime is left at 28800 seconds, which is also the Juniper's Phase 1 default.
Phase 2 is set to 3DES and SHA1 with PFS enabled, and the pre-shared key is entered. In the screenshot the PFS group was left at Group 1 (768-bit), but it must match the PFS group of the Phase 2 proposal selected on the Juniper, so if you choose a Group 5 proposal there, set Group 5 here as well. A mismatch lets Phase 1 complete while Phase 2 never establishes, and Group 1 is too weak to use in any case.
We move down to the 'advanced' settings:
We are turning NetBIOS broadcast on so that Windows name browsing keeps working across the two networks. Be aware that this forwards every NetBIOS broadcast over the tunnel; leave it off if you resolve names through DNS or WINS and do not need browse lists.
This concludes config for the Cisco.
The Juniper needs to be told to allow traffic through a VPN and also needs a tunnel and an endpoint configured and so let us deal with that first.
We are assuming that you already have access to the Juniper via the web browser and can reach the configuration screens.
Go to the Network menu and select Interfaces and List.
Now with the drop down top right, choose Tunnel IF and then click New.
Set the Zone to be Untrust (trust-vr)
Check the Unnumbered radio button, as this is a route-based VPN and the tunnel interface does not need an address of its own.
Choose the WAN interface to be the internet facing interface with the IP address that you will be pointing the Cisco RVS4000 VPN at.
Now click the Tunnel link at the right of the links at the top of your configuration panel.
Once again the destination will be left as 0.0.0.0 as this is a route-based VPN and the Gateway we define in a minute will determine the endpoint for the VPN.
Now we have the tunnel configured we move on to configure the VPN:
Click Autokey IKE and then New:
Rather than configuring a gateway in advance we will simply create one on this page. Select Create a Simple Gateway and enter a name for the remote gateway. Leave IKE at ver. 1, choose Static IP and enter the Cisco's WAN IP address or hostname.
Now enter the pre-shared key. Use a long random string, enter the same value on the Cisco, and if the Cisco is administered by someone else, pass it to them by a secure channel rather than in the same message as the rest of the settings. The Outgoing Interface is the Juniper physical interface holding the WAN IP address at which the Cisco RVS4000 VPN will be pointed.
Now click Advanced:
Here we choose the Phase 2 proposal, which is simply the set of algorithms: 3DES (168-bit key) with SHA1, DH Group 5 PFS (Perfect Forward Secrecy) and a 28800 second lifetime in this case. Feel free to select one of the standard proposals instead, but make a note of exactly what you chose. Is it AES, 3DES or DES? What is the lifetime, and is it in seconds, minutes or hours? What is the PFS DH group? All of these must be entered identically on the Cisco, or Phase 2 will fail to negotiate.
Now enter the local and remote IP / Netmask where the local is the LAN address and the subnet and the remote is the LAN which resides behind the Cisco which we are going to have remote access to once the VPN is established. In this case both subnets are set at /24 meaning 255.255.255.0 Class-C subnets but you must obviously enter your own details for each network.
Set service to Any which will allow all traffic to pass between the sites via our VPN.
Tick VPN Monitor, Optimized and Rekey, leave the destination at the default, and choose the external interface at which the Cisco will be pointed as the Source Interface.
Now click Return and OK, then move on to configure the policies. The Gateway settings below are just for reference.
These two Gateway pages (the basic page and its Advanced page) were populated automatically when we created the simple gateway above; they are included so that you can check them if you need to troubleshoot your Gateway settings.
Now we must configure the policies to allow traffic between the sites. Go to Policy then Policies, select From Trust To Untrust at the top and click New.
Give the policy a name and enter the local subnet in the source and the remote subnet in the destination address boxes.
Choose the service type as Any and click OK. There is no need to configure advanced options in this instance.
Now at the top of the policy screen select From Untrust To Trust, click New and configure the settings as above but with the Cisco's remote LAN subnet as the source and the local Juniper subnet as the destination, with the service set to Any.
This completes the Juniper set-up, with one check worth making: a route-based VPN needs a route, so confirm that a static route exists in the trust-vr for the Cisco LAN subnet (192.168.1.0/24 here) via the tunnel interface created above (Network > Routing). Without it the policies permit the traffic but nothing steers it into the tunnel. Once both ends are configured, ping a machine on the far LAN from each side and confirm the tunnel shows as up on both routers.
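For reference, here is the Juniper side of the walkthrough above expressed as ScreenOS CLI commands. This is an added example, not configuration from the original article. The interface name ethernet0/0, the office LAN 192.168.10.0/24, the Cisco WAN address 203.0.113.10 and the object names are assumptions you must replace with your own, and the pre-shared key is a placeholder. Proposal and option names vary slightly between ScreenOS releases, so check them against `get ike p1-proposal` and `get ike p2-proposal` before pasting.

```text
# Added example (not from the original article). Assumptions: ethernet0/0 is the
# Untrust/WAN interface, the office LAN behind the Juniper is 192.168.10.0/24,
# the Cisco RVS4000 has WAN address 203.0.113.10 and LAN 192.168.1.0/24.

# Address-book entries for the two LANs
set address trust "office-lan" 192.168.10.0 255.255.255.0
set address untrust "cisco-lan" 192.168.1.0 255.255.255.0

# Unnumbered tunnel interface in the Untrust zone, borrowing the WAN interface's address
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

# Phase 1 and Phase 2 proposals defined explicitly so every parameter is visible.
# The Cisco must be set to exactly these: 3DES, SHA1, DH group 5, PFS group 5,
# 28800 second lifetimes.
set ike p1-proposal "p1-pre-g5-3des-sha" preshare group5 esp 3des sha-1 second 28800
set ike p2-proposal "p2-g5-esp-3des-sha" group5 esp 3des sha-1 second 28800

# IKEv1 gateway to the Cisco's static WAN address; replace the key with a long random value
set ike gateway "cisco-gw" address 203.0.113.10 Main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-LONG-RANDOM-KEY" proposal "p1-pre-g5-3des-sha"

# Route-based VPN bound to tunnel.1; replay protection on, proxy-IDs matching the
# Cisco's local and remote security groups, service ANY
set vpn "cisco-vpn" gateway "cisco-gw" replay tunnel idletime 0 proposal "p2-g5-esp-3des-sha"
set vpn "cisco-vpn" bind interface tunnel.1
set vpn "cisco-vpn" monitor optimized rekey
set vpn "cisco-vpn" proxy-id local-ip 192.168.10.0/24 remote-ip 192.168.1.0/24 "ANY"

# The route is what actually steers traffic for the Cisco LAN into the tunnel
set route 192.168.1.0/24 interface tunnel.1

# Permit policies in both directions
set policy from trust to untrust "office-lan" "cisco-lan" "ANY" permit
set policy from untrust to trust "cisco-lan" "office-lan" "ANY" permit
save
```

After saving, generate some traffic towards the far LAN and check `get sa` to see whether the Phase 1 and Phase 2 security associations for cisco-gw are active; `get event` shows the IKE negotiation messages if they are not, and a proposal or proxy-ID mismatch with the Cisco is the usual cause.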