[j-nsp] IPSec + GRE on same box, config example
telecom at servidor.unam.mx
Mon Jul 11 17:19:17 EDT 2005
On Mon, 11 Jul 2005, Mario Puras wrote:
OK, thanks. My case is with an AS PIC for both IPSec and GRE, not an ES PIC, but
I'll give this a try... So I guess that Juniper doesn't officially
support this, right?
> I have been working on a config for one of my customers to do just what
> you are wanting to do but I have not heard back from them whether it has
> worked or not. Perhaps you can try it and let me know?
>
>
> interfaces {
>     gr-0/1/0 {
>         unit 0 {
>             tunnel {
>                 source 192.168.12.1;
>                 destination 192.168.12.2;
>             }
>             family inet {
>                 address 1.1.1.6/30;
>             }
>         }
>     }
>     es-0/2/0 {
>         unit 0 {
>             tunnel {
>                 source 10.0.0.3;
>                 destination 10.0.0.1;
>             }
>             family inet {
>                 ipsec-sa testing_Proposal_IPSec;
>                 address 1.1.1.2/30;
>             }
>         }
>     }
>     t1-4/0/0 {
>         unit 0 {
>             family inet {
>                 address 192.168.12.1/30;
>             }
>         }
>     }
>     lo0 {
>         unit 0 {
>             family inet {
>                 address 10.0.0.3/32;
>             }
>         }
>     }
> }
> security {
>     traceoptions {
>         file files 10;
>         flag all;
>     }
>     ipsec {
>         proposal testing_Proposal_IPSec {
>             protocol esp;
>             authentication-algorithm hmac-md5-96;
>             encryption-algorithm des-cbc;
>             lifetime-seconds 86400;
>         }
>         policy testing_Policy_IPSec {
>             perfect-forward-secrecy {
>                 keys group1;
>             }
>             proposals testing_Proposal_IPSec;
>         }
>         security-association testing_SA_IPSec {
>             description "...IPSec SA testing";
>             mode tunnel;
>             dynamic {
>                 ipsec-policy testing_Policy_IPSec;
>             }
>         }
>     }
>     ike {
>         proposal testing {
>             authentication-method pre-shared-keys;
>             authentication-algorithm md5;
>             encryption-algorithm des-cbc;
>         }
>         policy 10.0.0.1 {
>             proposals testing;
>             pre-shared-key ascii-text "$9$ef0vX7dbs4JGVbfTFnCAX7N-24";
>         }
>     }
> }
>
>
> It may be possible that you use the same lo0 interface on your GRE but I
> have not tried this.
>
> 1. Have a local static route pointing to the remote GRE tunnel
> destination with a next-hop of the IPSec tunnel (like es-0/2/0.0).
> 2. Point your multicast traffic at the GRE interface: gr-0/1/0.0.
>
> Let me know how it turns out.
>
>
>
> Thanks,
>
> Mario Puras
> SoluNet/SoluServe TAC Manager
> Web Address: www.solunet.com
> Mailto: mpuras at solunet.com
> Direct: (321) 309-1410
> Fax: (321) 676-1287
> TAC: 888.449.5766 (USA) / 888.SOLUNET (Canada)
>
>
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> telecom at servidor.unam.mx
> Sent: Monday, July 11, 2005 4:15 PM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] IPSec + GRE on same box, config example
>
>
> Hi everybody, I've done both tests separately with an AS PIC and so far
> the results have been great. Recently, I've been asked if it's possible
> to transport multicast over GRE over IPSec on an AS PIC. So before I
> jump into the lab, I'd like to know if this is even supported today.
> Juniper is great at documenting their supported features and since I
> haven't seen anything in their documentation, I'm wondering if anybody
> has tried this before. Thanks
>
> --
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>
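As an added example (not part of the original thread and not Juniper tooling), here is a small Python check that walks a brace-style Junos configuration like the one quoted above and reports statements that select DES, MD5, Diffie-Hellman group1, or a `$9$`-encoded pre-shared key. The sample configuration is constructed to mirror the quoted security stanza with a placeholder key, and the list of patterns treated as weak is this example's own assumption.

```python
import re

# Constructed sample mirroring the security stanza quoted in the thread;
# the pre-shared key is a placeholder, not a real value.
SAMPLE = """security {
    ipsec {
        proposal testing_Proposal_IPSec {
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
        }
        policy testing_Policy_IPSec {
            perfect-forward-secrecy {
                keys group1;
            }
        }
    }
    ike {
        proposal testing {
            authentication-algorithm md5;
            encryption-algorithm des-cbc;
        }
        policy 10.0.0.1 {
            pre-shared-key ascii-text "$9$PLACEHOLDER";
        }
    }
}"""

# Statements this example treats as weak (an assumption of the check, not a Junos list).
WEAK = [
    (r"encryption-algorithm des-cbc$", "single DES, 56-bit key"),
    (r"authentication-algorithm (hmac-md5-96|md5)$", "MD5-based authentication"),
    (r"keys group1$", "768-bit Diffie-Hellman group"),
    (r'pre-shared-key ascii-text "\$9\$', "$9$ is reversible obfuscation, treat key as exposed"),
]

def audit(config):
    """Return (hierarchy path, statement, reason) for every weak statement found."""
    path, findings = [], []
    for raw in config.splitlines():
        line = raw.strip().lstrip("> ").strip()  # tolerate mail-quoted config lines
        if line.endswith("{"):
            path.append(line[:-1].strip())       # descend into a hierarchy level
        elif line == "}" and path:
            path.pop()                           # leave the current level
        elif line.endswith(";"):
            stmt = line[:-1]
            findings += [(" ".join(path), stmt, why)
                         for pat, why in WEAK if re.search(pat, stmt)]
    return findings
```

Calling `audit()` on text pasted from a mail archive works because leading `>` quote markers are stripped before parsing.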