[j-nsp] ES PIC required for BGP-over-IPSEC?

David Xu dxu at nortelnetworks.com
Fri Apr 16 14:37:17 EDT 2004


Daniel,

Try the following configs (worked in my lab, no ES PIC required):

protocols {
    bgp {
        group pe-pe {
            type internal;
            local-address 192.168.0.29;
            family inet-vpn {
                unicast;
            }
            ipsec-sa bgp-protect;
            neighbor 192.168.0.31 {
                outbound-route-filter {
                    extended-community {
                        accept;
                        vrf-filter;
                    }
                }
            }
        }
    }
}
security {
    ipsec {
        security-association bgp-protect {
            mode transport;
            manual {
                direction bidirectional {
                    protocol esp;
                    spi 800;
                    authentication {
                        algorithm hmac-md5-96;
                        key ascii-text "$9$R6WhlKWLxdwY8LjH.PQzlKvMNdaZUDHqY25Qn6At8XxNs2GDi";
                    }
                    encryption {
                        algorithm des-cbc;
                        key ascii-text "$9$mfFn9ApBRhCA8XNdsYFn6/0B";
                    }
                }
            }
        }
    }
}

Regards,
David
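As an added example (not code from David's post or from Juniper), the following Python script generates the same two halves of the configuration shown above, the manual SA and the BGP group that binds to it with `ipsec-sa`, with fresh CSPRNG keys of exactly the length each algorithm needs, and refuses the two weak algorithms in the lab config (des-cbc and hmac-md5-96). The per-algorithm key lengths come from the algorithm RFCs; that Junos enforces the same lengths on `key ascii-text`, and the 256-16639 manual SPI range, are assumptions from memory that should be checked against the release in use.

```python
"""Generate a Junos manual IPsec SA for BGP protection with correctly sized keys.

Added example; not code from the original post or from Juniper. Assumptions
are marked in the comments below.
"""
import secrets
import string

# Key lengths (bytes) the algorithms themselves require: DES-CBC 8 (RFC 2405),
# 3DES-CBC 24 (RFC 2451), HMAC-MD5-96 16 (RFC 2403), HMAC-SHA1-96 20 (RFC 2404).
# Assumption: Junos enforces exactly these lengths on 'key ascii-text'.
ENC_KEY_BYTES = {"des-cbc": 8, "3des-cbc": 24}
AUTH_KEY_BYTES = {"hmac-md5-96": 16, "hmac-sha1-96": 20}

# Algorithms to refuse. The lab config in the reply above uses both of these.
WEAK = {
    "des-cbc": "56-bit effective key, brute-forceable; use 3des-cbc",
    "hmac-md5-96": "MD5-based HMAC; use hmac-sha1-96",
}

# SPI values 1-255 are reserved by IANA (RFC 2406). 16639 is the Junos upper
# bound for manual SAs as I recall it (assumption; check your release's docs).
SPI_MIN, SPI_MAX = 256, 16639

KEY_ALPHABET = string.ascii_letters + string.digits


def check_sa(spi, auth_alg, enc_alg, auth_key=None, enc_key=None):
    """Return a list of problems with a proposed manual SA; empty means OK.

    Keys are optional so an algorithm/SPI choice can be vetted before any
    key material exists.
    """
    problems = []
    if not SPI_MIN <= spi <= SPI_MAX:
        problems.append(f"spi {spi} outside {SPI_MIN}-{SPI_MAX}")
    if auth_alg not in AUTH_KEY_BYTES:
        problems.append(f"unsupported authentication algorithm {auth_alg}")
    if enc_alg not in ENC_KEY_BYTES:
        problems.append(f"unsupported encryption algorithm {enc_alg}")
    for alg in (auth_alg, enc_alg):
        if alg in WEAK:
            problems.append(f"{alg}: {WEAK[alg]}")
    for label, key, need in (("authentication", auth_key, AUTH_KEY_BYTES.get(auth_alg)),
                             ("encryption", enc_key, ENC_KEY_BYTES.get(enc_alg))):
        if key is not None and need is not None and len(key) != need:
            problems.append(f"{label} key is {len(key)} chars, needs exactly {need}")
    return problems


def gen_keys(auth_alg, enc_alg):
    """Fresh CSPRNG ascii-text keys of exactly the length each algorithm needs."""
    def key(n):
        return "".join(secrets.choice(KEY_ALPHABET) for _ in range(n))
    return key(AUTH_KEY_BYTES[auth_alg]), key(ENC_KEY_BYTES[enc_alg])


def render_config(sa_name, spi, auth_alg, enc_alg, auth_key, enc_key,
                  group, local_addr, neighbor):
    """Render the manual SA and the BGP group that references it with
    'ipsec-sa' (the binding the question's snippet did not show).
    Raises ValueError instead of rendering a weak or malformed SA."""
    problems = check_sa(spi, auth_alg, enc_alg, auth_key, enc_key)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "protocols {",
        "    bgp {",
        f"        group {group} {{",
        "            type internal;",
        f"            local-address {local_addr};",
        f"            ipsec-sa {sa_name};",
        f"            neighbor {neighbor};",
        "        }",
        "    }",
        "}",
        "security {",
        "    ipsec {",
        f"        security-association {sa_name} {{",
        "            mode transport;",
        "            manual {",
        "                direction bidirectional {",
        "                    protocol esp;",
        f"                    spi {spi};",
        "                    authentication {",
        f"                        algorithm {auth_alg};",
        f'                        key ascii-text "{auth_key}";',
        "                    }",
        "                    encryption {",
        f"                        algorithm {enc_alg};",
        f'                        key ascii-text "{enc_key}";',
        "                    }",
        "                }",
        "            }",
        "        }",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Demo with the addresses from the reply above (constructed usage, not real keys).
    auth_key, enc_key = gen_keys("hmac-sha1-96", "3des-cbc")
    print(render_config("bgp-protect", 1234, "hmac-sha1-96", "3des-cbc",
                        auth_key, enc_key, "pe-pe", "192.168.0.29", "192.168.0.31"))
```

Paste the rendered output into `configure` on both routers; the same SPI and keys must be configured on each end because the SA is manual and bidirectional. Junos stores the key in `$9$` obfuscated form once committed, as in the reply above, but that encoding is reversible, so treat the configuration file as key material.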

-----Original Message-----
From: Daniel Roesen [mailto:dr at cluenet.de] 
Sent: April 16, 2004 2:22 PM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] ES PIC required for BGP-over-IPSEC?


Hi,

being motivated by some current discussions about securing BGP, I decided to
play around with BGP-over-IPSEC. :->

Can someone confirm whether an ES PIC is required to secure BGP sessions with
IPSEC? My memory says "no", but when trying to actually do this, I'm
getting errors:

security {
    ipsec {
        security-association ibgp {
            manual {
                direction bidirectional {
                    protocol bundle;
                    spi 1234;
                    auxiliary-spi 1234;
                    authentication {
                        algorithm hmac-sha1-96;
                        key ascii-text ...;
                    }
                    encryption {
                        algorithm 3des-cbc;
                        key ascii-text ...;
                    }
                }
            }
        }
    }
}

/kernel: ipsec_find_sa_in_so(1632): Couldn't dereference the sa name = ibgp
rpd[4427]: task_connect: task BGP_1234.192.168.0.5+179 addr 192.168.0.5+179: Connection refused
rpd[4427]: bgp_connect_start: connect 192.168.0.5 (Internal AS 1234): Connection refused

Any clues? The docs are a little terse and don't give a practical example of
what a typical manual SA for securing BGP looks like.


Best regards,
Daniel
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp