[j-nsp] ES PIC required for BGP-over-IPSEC?

harry harry at juniper.net
Fri Apr 16 15:04:14 EDT 2004


Sorry I did not catch the obvious. ;)

The following config commits for me; I suggest you add a mode transport, as
the docs indicate tunnel mode is the default, and tunnel mode requires ES
PIC. BGP from the RE should be in transport mode.


I noticed that when I pasted in your security config, I got a commit error
before I even applied it to BGP. Something about the key not being the right
size.

[edit]
lab at Sydney# show protocols    
bgp {
    group int {
        type internal;
        local-address 192.168.8.1;
        ipsec-sa ibgp;
        neighbor 192.168.12.1;
    }
}
ospf {
    area 0.0.0.0 {
        interface all;
        interface fxp0.0 {
            disable;
        }
    }
}

[edit]
lab at Sydney# show security     
ipsec {
    security-association ibgp {
        manual {
            direction bidirectional {
                protocol bundle;
                spi 1234;
                auxiliary-spi 1234;
                authentication {
                    algorithm hmac-sha1-96;
                    key ascii-text
"$9$M-m8LNdVYg4ZEcyKMW-dbs24oGDjqmPQxNds2gUDik.Pfz3nCtpBJGDk.mF3";
                }
                encryption {
                    algorithm 3des-cbc;
                    key ascii-text
"$9$/K0hCA0B1hSyKP5Qn/9OBIEcyrvW87-dsp0BEcSMWLxNdVYg4ZUDkevWxN-2goJGDjqmPQF3
9";
                }
            }
        }
    }
}

[edit]
lab at Sydney# commit 
commit complete

I would add the transport mode, however:

[edit]
lab at Sydney# show security 
ipsec {
    security-association ibgp {
        mode transport; <<<<<<<<<<<<<
        manual {
            direction bidirectional {
                protocol bundle;
                spi 1234;
                auxiliary-spi 1234;
                authentication {
                    algorithm hmac-sha1-96;
                    key ascii-text
"$9$M-m8LNdVYg4ZEcyKMW-dbs24oGDjqmPQxNds2gUDik.Pfz3nCtpBJGDk.mF3";
                }
                encryption {
                    algorithm 3des-cbc;
                    key ascii-text
"$9$/K0hCA0B1hSyKP5Qn/9OBIEcyrvW87-dsp0BEcSMWLxNdVYg4ZUDkevWxN-2goJGDjqmPQF3
9";
                }
            }
        }
    }
}



[edit]
lab at Sydney# run show version 
Hostname: Sydney
Model: m5
JUNOS Base OS boot [6.2R1.5]
JUNOS Base OS Software Suite [6.2R1.5]
JUNOS Kernel Software Suite [6.2R1.5]
JUNOS Packet Forwarding Engine Support (M5/M10) [6.2R1.5]
JUNOS Routing Software Suite [6.2R1.5]
JUNOS Online Documentation [6.2R1.5]
JUNOS Crypto Software Suite [6.2R1.5]

[edit]



> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net 
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of 
> Daniel Roesen
> Sent: Friday, April 16, 2004 11:41 AM
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] ES PIC required for BGP-over-IPSEC?
> 
> 
> On Fri, Apr 16, 2004 at 11:34:03AM -0700, harry wrote:
> > The ES PIC is not needed to secure RE based BGP sessions.
> 
> OK, fine.
> 
> > This is done at the protocols bgp hierarchy:
> > 
> > 
> > [edit protocols bgp]
> > lab at Sydney# set ipsec-sa ?
> > Possible completions:
> >   <ipsec-sa>           IPSec SA name
> 
> Sure, this is set for the peer. I didn't quote it as I 
> thought this would be obvious. :-)
> 
> dr at A> show configuration protocols bgp group ibgp-mesh neighbor 192.168.0.5
> ipsec-sa ibgp;
> dr at E> show configuration protocols bgp group ibgp-mesh neighbor 192.168.0.1
> ipsec-sa ibgp;
> 
> Any clues on why I'm getting the same error on both 
> neighbors? I don't see a typo. Am I missing any additional 
> configuration necessary?
> 
> 
> Best regards,
> Daniel
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net 
> http://puck.nether.net/mailman/listinfo/juniper-nsp
> 
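The two things the exchange above turns on are easy to get wrong when hand-typing a manual SA: the commit error about the key size, and the default tunnel mode that needs an ES PIC while RE-originated BGP wants transport mode. The following checker is an added example (not from the thread or from Juniper) that walks a `security ipsec` stanza and flags both. It assumes the usual ASCII key lengths Junos documents for these manual-SA algorithms (hmac-md5-96 16, hmac-sha1-96 20, des-cbc 8, 3des-cbc 24) and skips keys already stored as `$9$` ciphertext, whose plaintext length cannot be recovered.

```python
import re

# Expected plaintext key length in ASCII characters per algorithm.
# Assumption: taken from the Junos manual-SA documentation; verify on your release.
KEY_ASCII_LEN = {
    "hmac-md5-96": 16,
    "hmac-sha1-96": 20,
    "des-cbc": 8,
    "3des-cbc": 24,
}

# Pairs each 'algorithm X;' with the 'key ascii-text "..."' that follows it.
ALG_KEY = re.compile(r'algorithm\s+([\w-]+)\s*;\s*key\s+ascii-text\s+"([^"]*)"')


def check_manual_sa(config_text):
    """Return a list of problems found in a manual security-association stanza."""
    problems = []
    # Tunnel mode is the default and needs an ES PIC; RE-based BGP needs transport.
    if not re.search(r"^\s*mode\s+transport\s*;", config_text, re.M):
        problems.append("no 'mode transport': default tunnel mode requires an ES PIC")
    for alg, key in ALG_KEY.findall(config_text):
        if key.startswith("$9$"):
            continue  # already obfuscated by the router; length unknown
        want = KEY_ASCII_LEN.get(alg)
        if want is None:
            problems.append(f"{alg}: unknown algorithm")
        elif len(key) != want:
            problems.append(f"{alg}: key is {len(key)} chars, needs {want}")
    return problems


# Constructed sample stanzas (not the thread's own config): one that reproduces
# both mistakes, and the corrected form.
BAD_SA = """security-association ibgp {
    manual {
        direction bidirectional {
            protocol bundle;
            spi 1234;
            authentication { algorithm hmac-sha1-96; key ascii-text "tooshort"; }
            encryption { algorithm 3des-cbc; key ascii-text "abcdefghijklmnopqrstuvwx"; }
        }
    }
}"""
GOOD_SA = BAD_SA.replace('"tooshort"', '"12345678901234567890"').replace(
    "    manual {", "    mode transport;\n    manual {")

if __name__ == "__main__":
    print(check_manual_sa(BAD_SA))   # two problems
    print(check_manual_sa(GOOD_SA))  # []
```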