[j-nsp] ES PIC required for BGP-over-IPSEC?
harry
harry at juniper.net
Fri Apr 16 15:04:14 EDT 2004
Sorry I did not catch the obvious. ;)
The following config commits for me; I suggest you add a mode transport, as
the docs indicate tunnel mode is the default, and tunnel mode requires ES
PIC. BGP from the RE should be in transport mode.
I noticed that when I pasted in your security config, I got a commit error
before I even applied it to BGP. Something about the key not being the right
size.
[edit]
lab at Sydney# show protocols
bgp {
    group int {
        type internal;
        local-address 192.168.8.1;
        ipsec-sa ibgp;
        neighbor 192.168.12.1;
    }
}
ospf {
    area 0.0.0.0 {
        interface all;
        interface fxp0.0 {
            disable;
        }
    }
}
[edit]
lab at Sydney# show security
ipsec {
    security-association ibgp {
        manual {
            direction bidirectional {
                protocol bundle;
                spi 1234;
                auxiliary-spi 1234;
                authentication {
                    algorithm hmac-sha1-96;
                    key ascii-text "$9$M-m8LNdVYg4ZEcyKMW-dbs24oGDjqmPQxNds2gUDik.Pfz3nCtpBJGDk.mF3";
                }
                encryption {
                    algorithm 3des-cbc;
                    key ascii-text "$9$/K0hCA0B1hSyKP5Qn/9OBIEcyrvW87-dsp0BEcSMWLxNdVYg4ZUDkevWxN-2goJGDjqmPQF39";
                }
            }
        }
    }
}
[edit]
lab at Sydney# commit
commit complete
I would add the transport mode, however:
[edit]
lab at Sydney# show security
ipsec {
    security-association ibgp {
        mode transport; <<<<<<<<<<<<<
        manual {
            direction bidirectional {
                protocol bundle;
                spi 1234;
                auxiliary-spi 1234;
                authentication {
                    algorithm hmac-sha1-96;
                    key ascii-text "$9$M-m8LNdVYg4ZEcyKMW-dbs24oGDjqmPQxNds2gUDik.Pfz3nCtpBJGDk.mF3";
                }
                encryption {
                    algorithm 3des-cbc;
                    key ascii-text "$9$/K0hCA0B1hSyKP5Qn/9OBIEcyrvW87-dsp0BEcSMWLxNdVYg4ZUDkevWxN-2goJGDjqmPQF39";
                }
            }
        }
    }
}
[edit]
lab at Sydney# run show version
Hostname: Sydney
Model: m5
JUNOS Base OS boot [6.2R1.5]
JUNOS Base OS Software Suite [6.2R1.5]
JUNOS Kernel Software Suite [6.2R1.5]
JUNOS Packet Forwarding Engine Support (M5/M10) [6.2R1.5]
JUNOS Routing Software Suite [6.2R1.5]
JUNOS Online Documentation [6.2R1.5]
JUNOS Crypto Software Suite [6.2R1.5]
[edit]
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> Daniel Roesen
> Sent: Friday, April 16, 2004 11:41 AM
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] ES PIC required for BGP-over-IPSEC?
>
>
> On Fri, Apr 16, 2004 at 11:34:03AM -0700, harry wrote:
> > The ES PIC is not needed to secure RE based BGP sessions.
>
> OK, fine.
>
> > This is done at the protocols bgp hierarchy:
> >
> >
> > [edit protocols bgp]
> > lab at Sydney# set ipsec-sa ?
> > Possible completions:
> > <ipsec-sa> IPSec SA name
>
> Sure, this is set for the peer. I didn't quote it as I
> thought this would be obvious. :-)
>
> dr at A> show configuration protocols bgp group ibgp-mesh neighbor 192.168.0.5 ipsec-sa ibgp;
> dr at E> show configuration protocols bgp group ibgp-mesh neighbor 192.168.0.1 ipsec-sa ibgp;
>
> Any clues on why I'm getting the same error on both
> neighbors? I don't see a typo. Am I missing any additional
> configuration necessary?
>
>
> Best regards,
> Daniel
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>
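As an added example (not from this thread or from Juniper), a small Python checker for the two points harry's reply raises: that an SA used for RE-based BGP is in transport mode, and that ascii-text manual keys have the length JunOS requires for the chosen algorithm (16 bytes for hmac-md5-96, 20 for hmac-sha1-96, 8 for des-cbc, 24 for 3des-cbc). The sample configuration is constructed, uses plaintext ascii-text keys instead of the $9$ form shown above, and the parser handles only the brace syntax seen in this thread.

```python
import re

# Key size in bytes JunOS requires for each manual-SA algorithm; an ascii-text key of
# any other length is rejected at commit time (the "key not the right size" error).
KEY_BYTES = {"hmac-md5-96": 16, "hmac-sha1-96": 20, "des-cbc": 8, "3des-cbc": 24}

def parse_junos(text):
    """Parse brace-style JunOS config into nested dicts; 'name value;' becomes {name: value}."""
    root = cur = {}
    stack, words = [], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text):
        if tok == "{":                      # open a hierarchy level named by the pending words
            stack.append(cur)
            cur = cur.setdefault(" ".join(words), {})
            words = []
        elif tok == "}":
            cur = stack.pop()
        elif tok == ";":                    # leaf statement
            cur[words[0]] = " ".join(words[1:]) or None
            words = []
        else:
            words.append(tok)
    return root

def check_sa(config, sa_name):
    """Return findings for a manual SA that is meant to protect RE-based BGP."""
    findings = []
    sa = config["security"]["ipsec"][f"security-association {sa_name}"]
    if sa.get("mode") != "transport":
        findings.append("mode defaults to tunnel, which needs an ES PIC; set 'mode transport'")
    for direction, body in (sa.get("manual") or {}).items():
        for section in ("authentication", "encryption"):
            blk = body.get(section) or {}
            algo, key = blk.get("algorithm"), blk.get("key") or ""
            match = re.fullmatch(r'ascii-text "([^"]*)"', key)
            if algo not in KEY_BYTES or not match:   # hex or $9$-obfuscated keys are not sized here
                findings.append(f"{direction} {section}: cannot size key for {algo!r}")
            elif len(match.group(1)) != KEY_BYTES[algo]:
                findings.append(f"{direction} {section}: {algo} needs "
                                f"{KEY_BYTES[algo]}-byte key, got {len(match.group(1))}")
    return findings

# Constructed sample: no 'mode transport' and a 3des-cbc key that is too short.
BAD_CONFIG = """security { ipsec { security-association ibgp { manual { direction bidirectional {
    protocol bundle; spi 1234; auxiliary-spi 1234;
    authentication { algorithm hmac-sha1-96; key ascii-text "twenty-byte-auth-key"; }
    encryption { algorithm 3des-cbc; key ascii-text "tooshort"; } } } } } }"""
# The same SA with the fixes the thread points at: transport mode and a 24-byte 3des key.
GOOD_CONFIG = BAD_CONFIG.replace("ibgp {", "ibgp { mode transport;").replace(
    '"tooshort"', '"24-byte-3des-cbc-key-abc"')
```

Running `check_sa(parse_junos(BAD_CONFIG), "ibgp")` reports both the missing transport mode and the short 3des-cbc key, while the corrected configuration produces no findings.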