[j-nsp] GRE over IPSEC on M Series

Sean Capshaw capshaw at juniper.net
Mon Feb 13 11:48:37 EST 2006


Nitin,

It is really IPsec over GRE.  When a router lacks an IP-addressable
IPsec stack, it is not possible to run a routing protocol over IPsec.
The workaround is to run the protocol over GRE and encrypt all the
GRE packets.  BTW, Juniper doesn't have this problem, but here is an
interop example for when the neighboring router needs GRE.

Config:

lab at M10i-R108> show configuration interfaces t1-0/2/0:1
dce;
mtu 5000;
encapsulation frame-relay;
unit 0 {
     dlci 50;
     family inet {
         address 10.0.1.1/32 {
             destination 10.0.1.2;
         }
     }
}

lab at M10i-R108> show configuration interfaces gr-1/2/0.0
tunnel {
     source 10.0.1.1;
     destination 10.0.1.2;
}
family inet {
     address 40.0.1.1/32 {
         destination 40.0.1.2;
     }
}

lab at M10i-R108> show configuration interfaces es-0/0/0 unit 0
tunnel {
     source 40.0.1.1;
     destination 40.0.1.2;
}
family inet {
     ipsec-sa sa-esp-0;
     address 50.0.1.1/32 {
         destination 50.0.1.2;
     }
}

lab at M10i-R108> show configuration interfaces ge-1/3/0
unit 0 {
     family inet {
         filter {
             input encrypt;
         }
         address 100.0.0.2/24;
     }
}

lab at M10i-R108> show configuration security
traceoptions {
     flag all;
}
ipsec {
     proposal pro-esp-0 {
         protocol esp;
         authentication-algorithm hmac-sha1-96;
         encryption-algorithm 3des-cbc;
         lifetime-seconds 86400;
     }
     policy po-esp-0 {
         perfect-forward-secrecy {
             keys group2;
         }
         proposals pro-esp-0;
     }
     security-association sa-esp-0 {
         mode tunnel;
         dynamic {
             ipsec-policy po-esp-0;
         }
     }
     security-association sa-esp-1 {

lab at M10i-R108> show configuration security ike
max-negotiations-count 25;
proposal ike-esp-0 {
     authentication-method pre-shared-keys;
     dh-group group2;
     authentication-algorithm sha1;
     encryption-algorithm 3des-cbc;
     lifetime-seconds 86400;
}
proposal ike-esp-1 {
     authentication-method rsa-signatures;
     dh-group group2;
     authentication-algorithm sha1;
     encryption-algorithm 3des-cbc;
     lifetime-seconds 86400;
}
policy 40.0.1.2 {
     mode aggressive;
     proposals ike-esp-1;
     local-certificate 0.crt;
     local-key-pair 0.prv;
}
lab at M10i-R108> show configuration firewall filter encrypt
term sample {
     then {
         sample;
         next term;
     }
}
term 0 {
     from {
         destination-address {
             9.0.0.2/32;
         }
     }
     then ipsec-sa sa-esp-0;
}
term 1 {
     from {
         destination-address {
             9.0.0.3/32;
         }
     }
     then ipsec-sa sa-esp-1;
}
term 2 {

lab at M10i-R108> show configuration protocols ospf area 1
interface es-0/0/0.0 {
     metric 100;
}
Show Commands:

lab at M10i-R108> show ospf neighbor
   Address         Interface             State      ID              Pri  Dead
100.0.0.1        ge-1/3/0.0             Full      10.10.10.110     128    36
50.0.1.2         es-0/0/0.0             Full      10.10.10.24      128    33

lab at M10i-R108> show ipsec security-associations
Security association: sa-esp-0, Interface family: Up
     Direction SPI         AUX-SPI     Mode       Type     Protocol
     inbound   3252448684  0           tunnel     dynamic  ESP
     outbound  34080526    0           tunnel     dynamic  ESP

Thanks
Sean

On Mon, 13 Feb 2006 Nitin.Vazirani at Hutch.in wrote:

>
> Hello!
>
> We have an M20 with a Tunnel PIC and an Encryption Services PIC for
> IPsec. We are trying to make the Cisco GRE over IPsec tunnel
> interwork with the M20.
>
> At the Cisco end of the configuration, we are using the "tunnel protection
> ipsec profile xyz" command. Is it possible to configure a GRE over
> IPsec tunnel on the M20? If yes, please send back a sample
> configuration.
>
> Warm Regards,
> Nitin Vazirani
>
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>


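Sean's point that his configuration is "really IPsec over GRE" (the es- tunnel's 40.0.1.x packets ride inside the gr- tunnel's 10.0.1.x GRE packets) is the opposite layering from what Cisco's "tunnel protection ipsec profile" builds (GRE inside ESP). The difference matters for what an on-path observer sees in the clear. The script below, an added example that is not part of the original thread or of any Juniper or Cisco code, builds one constructed packet of each shape with the addresses and SPIs taken from Sean's config and show output (the payloads and the reuse of 40.0.1.x/50.0.1.x on the Cisco-style packet are assumptions), then walks the cleartext headers and stops where ESP makes the rest opaque.

```python
"""
Constructed packets for the two layerings discussed in the thread.
Added example; addresses/SPIs come from the posted config, payloads are made up.

  IPsec over GRE (Sean's es-0/0/0 over gr-1/2/0 stack):
      IPv4(10.0.1.1->10.0.1.2) / GRE / IPv4(40.0.1.1->40.0.1.2) / ESP / <opaque>
  GRE over IPsec (Cisco "tunnel protection" shape):
      IPv4(40.0.1.1->40.0.1.2) / ESP / <opaque: GRE / IPv4(50.0.1.x) / OSPF>
"""
import socket
import struct

IPPROTO_GRE = 47
IPPROTO_ESP = 50
IPPROTO_OSPF = 89
ETHERTYPE_IPV4 = 0x0800

OSPF_HELLO_STUB = b"\x02\x01" + b"\x00" * 42  # constructed placeholder, not a real OSPF PDU
CIPHERTEXT_STUB = b"\xa5" * 64                # stand-in for an encrypted ESP payload


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_gre(payload: bytes, proto_type: int = ETHERTYPE_IPV4) -> bytes:
    """RFC 2784 GRE header with no optional fields (flags and version all zero)."""
    return struct.pack("!HH", 0, proto_type) + payload


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """RFC 4303 ESP: SPI and sequence number in the clear, then the opaque payload.
    No cipher is run here; the blob just stands in for E(inner packet)."""
    return struct.pack("!II", spi, seq) + ciphertext


def ipsec_over_gre_packet() -> bytes:
    """Sean's stack: ESP (40.0.1.x endpoints) is carried inside GRE (10.0.1.x endpoints)."""
    esp = build_esp(spi=3252448684, seq=1, ciphertext=CIPHERTEXT_STUB)  # inbound SPI from the show output
    inner = build_ipv4("40.0.1.1", "40.0.1.2", IPPROTO_ESP, esp)
    return build_ipv4("10.0.1.1", "10.0.1.2", IPPROTO_GRE, build_gre(inner))


def gre_over_ipsec_packet() -> bytes:
    """Cisco-style stack: GRE and everything inside it is what ESP protects.
    Endpoint addresses are reused from the thread purely as labels (assumption)."""
    protected = build_gre(build_ipv4("50.0.1.1", "50.0.1.2", IPPROTO_OSPF, OSPF_HELLO_STUB))
    esp = build_esp(spi=34080526, seq=1, ciphertext=b"\xa5" * len(protected))  # outbound SPI from the show output
    return build_ipv4("40.0.1.1", "40.0.1.2", IPPROTO_ESP, esp)


def visible_layers(pkt: bytes):
    """Walk the cleartext headers and return (layer_names, details).
    Stops at ESP: past the SPI/sequence number nothing is readable without the SA keys.
    Raises ValueError on truncated or malformed input."""
    layers, details, proto, pos = [], {}, "IPv4", 0
    while True:
        if proto == "IPv4":
            if len(pkt) - pos < 20:
                raise ValueError("truncated IPv4 header")
            ver_ihl, _, total_len, _, _, _, nxt, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[pos:pos + 20])
            ihl = (ver_ihl & 0x0F) * 4
            if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt) - pos:
                raise ValueError("malformed IPv4 header")
            if ipv4_checksum(pkt[pos:pos + ihl]) != 0:
                raise ValueError("bad IPv4 checksum")
            layers.append("IPv4")
            details.setdefault("ip", []).append((socket.inet_ntoa(src), socket.inet_ntoa(dst)))
            pos += ihl
            if nxt == IPPROTO_GRE:
                proto = "GRE"
            elif nxt == IPPROTO_ESP:
                proto = "ESP"
            else:
                layers.append("proto-%d" % nxt)
                return layers, details
        elif proto == "GRE":
            if len(pkt) - pos < 4:
                raise ValueError("truncated GRE header")
            flags, ptype = struct.unpack("!HH", pkt[pos:pos + 4])
            if flags & 0xF000:  # C/R/K/S bits: optional fields this minimal walker does not handle
                raise ValueError("GRE optional fields not supported")
            layers.append("GRE")
            pos += 4
            if ptype != ETHERTYPE_IPV4:
                layers.append("ethertype-0x%04x" % ptype)
                return layers, details
            proto = "IPv4"
        else:  # ESP
            if len(pkt) - pos < 8:
                raise ValueError("truncated ESP header")
            spi, seq = struct.unpack("!II", pkt[pos:pos + 8])
            layers.append("ESP")
            details["esp"] = {"spi": spi, "seq": seq, "opaque_bytes": len(pkt) - pos - 8}
            return layers, details


if __name__ == "__main__":
    for name, pkt in (("IPsec over GRE", ipsec_over_gre_packet()), ("GRE over IPsec", gre_over_ipsec_packet())):
        print(name, visible_layers(pkt))
```

On Sean's layering the observer reads two IP headers, the GRE header and the tunnel endpoints 40.0.1.x before hitting ESP, and because ESP's integrity check starts at the inner ESP header, the outer IP and GRE headers are neither encrypted nor authenticated. On the Cisco layering only the outer IP header and the SPI/sequence number are exposed. Either way the OSPF payload itself is protected, which is what the neighbor adjacency on es-0/0/0.0 in the show output relies on.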