[j-nsp] ES PIC required for BGP-over-IPSEC?
harry
harry at juniper.net
Fri Apr 16 14:34:03 EDT 2004
The ES PIC is not needed to secure RE based BGP sessions. This is done at
the protocols bgp hierarchy:
[edit protocols bgp]
lab at Sydney# set ipsec-sa ?
Possible completions:
<ipsec-sa> IPSec SA name
[edit protocols bgp]
HTHs
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> Daniel Roesen
> Sent: Friday, April 16, 2004 11:22 AM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] ES PIC required for BGP-over-IPSEC?
>
>
> Hi,
>
> being motivated by some current discussions about securing
> BGP, I decided to play around with BGP-over-IPSEC. :->
>
> can someone confirm whether an ES PIC is required to secure
> BGP sessions with IPSEC? My memories say "no", but when
> trying to actually do this, I'm getting errors:
>
> security {
>     ipsec {
>         security-association ibgp {
>             manual {
>                 direction bidirectional {
>                     protocol bundle;
>                     spi 1234;
>                     auxiliary-spi 1234;
>                     authentication {
>                         algorithm hmac-sha1-96;
>                         key ascii-text ...;
>                     }
>                     encryption {
>                         algorithm 3des-cbc;
>                         key ascii-text ...;
>                     }
>                 }
>             }
>         }
>     }
> }
>
> /kernel: ipsec_find_sa_in_so(1632): Couldn't dereference the sa name = ibgp
> rpd[4427]: task_connect: task BGP_1234.192.168.0.5+179 addr 192.168.0.5+179: Connection refused
> rpd[4427]: bgp_connect_start: connect 192.168.0.5 (Internal AS 1234): Connection refused
>
> Any clues? Docs are a little terse and don't give a practical
> example of what a typical manual SA looks like to secure BGP.
>
>
> Best regards,
> Daniel
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>
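The reply above binds BGP to an SA purely by name (`ipsec-sa <name>` under `protocols bgp`), so a name that matches no `security-association` is easy to miss before commit. The following is an added example, not code from the thread or from Juniper: a small offline check over a curly-brace config, where the sample config, the group name and the per-neighbor reference are constructed for illustration.

```python
# Constructed sample in Junos curly-brace syntax; names are made up for this example.
SAMPLE_CONFIG = """
security {
    ipsec {
        security-association ibgp {
            manual {
                direction bidirectional {
                    protocol bundle;
                }
            }
        }
    }
}
protocols {
    bgp {
        ipsec-sa ibgp;
        group internal {
            neighbor 192.168.0.5 {
                ipsec-sa ibgp-peer5;
            }
        }
    }
}
"""

def audit_bgp_ipsec_sa(config):
    """Return (defined SA names, [(config path, SA name)] with no definition)."""
    defined, refs, path = set(), [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            path.append(line[:-1].strip())
            # An SA is defined by a block at security/ipsec/security-association <name>.
            if len(path) == 3 and path[:2] == ["security", "ipsec"]:
                words = path[2].split()
                if len(words) == 2 and words[0] == "security-association":
                    defined.add(words[1])
        elif line == "}" and path:
            path.pop()
        elif line.endswith(";") and path[:2] == ["protocols", "bgp"]:
            # A reference is an "ipsec-sa <name>;" statement anywhere under protocols bgp.
            words = line[:-1].split()
            if len(words) == 2 and words[0] == "ipsec-sa":
                refs.append(("/".join(path), words[1]))
    return defined, [(where, name) for where, name in refs if name not in defined]

if __name__ == "__main__":
    for where, name in audit_bgp_ipsec_sa(SAMPLE_CONFIG)[1]:
        print(f"{where}: ipsec-sa {name} has no matching security-association")
```

This checks only the name binding; it does not validate the SA's own parameters.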