[j-nsp] IPSec + GRE on same box, config example
Raymond Cheh
rcheh at juniper.net
Mon Jul 11 17:56:30 EDT 2005
Mario,
This is one with IPSec + GRE but you'll need to add multicast to it. I
don't have one as detailed as the ones they put in the configuration guides, but
I hope this helps.
interfaces {
    so-0/1/0 {
        unit 0 {
            family inet {
                service {
                    input {
                        service-set ss-1;
                    }
                    output {
                        service-set ss-1;
                    }
                }
                address 10.10.10.1/30;
            }
            family iso;
        }
    }
    gr-2/2/0 {
        unit 1 {
            tunnel {
                source 10.0.0.1;
                destination 10.0.0.2;
            }
            family inet {
                address 11.1.1.1/30;
            }
        }
    }
    sp-2/2/0 {
        unit 0 {
            family inet;
        }
    }
}
services {
    service-set ss-1 {
        interface-service {
            service-interface sp-2/2/0;
        }
        ipsec-vpn-options {
            local-gateway 10.10.10.1;
        }
        ipsec-vpn-rules espdes;
    }
    ipsec-vpn {
        rule espdes {
            term term-dynamic-SA {
                from {
                    source-address {
                        10.0.0.1/32;
                    }
                    destination-address {
                        10.10.10.2/32;
                    }
                }
                then {
                    remote-gateway 10.30.1.2;
                    dynamic {
                        ike-policy hello;
                        ipsec-policy policy1;
                    }
                }
            }
            match-direction output;
        }
        ipsec {
            proposal ipsec1 {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm des-cbc;
            }
            policy policy1 {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals ipsec1;
            }
        }
        ike {
            proposal ike1 {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm des-cbc;
            }
            policy hello {
                mode main;
                proposals ike1;
                pre-shared-key ascii-text "$9$6fQDAtOrlMXNbp0MX7Nbwmf5F9A";
            }
        }
    }
}
Raymond
rcheh at juniper.net
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of telecom at servidor.unam.mx
> Sent: Monday, July 11, 2005 2:19 PM
> To: Mario Puras
> Cc: juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] IPSec + GRE on same box, config example
>
> On Mon, 11 Jul 2005, Mario Puras wrote:
>
> Ok thanks, my case is with an AS PIC for both IPSec and GRE, not an ES PIC,
> but I'll try to give this a try... So I guess that Juniper doesn't officially
> support this, right?
>
>
> > I have been working on a config for one of my customers to do just what
> > you are wanting to do but I have not heard back from them whether it has
> > worked or not. Perhaps you can try it and let me know?
> >
> >
> > interfaces {
> >     gr-0/1/0 {
> >         unit 0 {
> >             tunnel {
> >                 source 192.168.12.1;
> >                 destination 192.168.12.2;
> >             }
> >             family inet {
> >                 address 1.1.1.6/30;
> >             }
> >         }
> >     }
> >     es-0/2/0 {
> >         unit 0 {
> >             tunnel {
> >                 source 10.0.0.3;
> >                 destination 10.0.0.1;
> >             }
> >             family inet {
> >                 ipsec-sa testing_Proposal_IPSec;
> >                 address 1.1.1.2/30;
> >             }
> >         }
> >     }
> >     t1-4/0/0 {
> >         unit 0 {
> >             family inet {
> >                 address 192.168.12.1/30;
> >             }
> >         }
> >     }
> >     lo0 {
> >         unit 0 {
> >             family inet {
> >                 address 10.0.0.3/32;
> >             }
> >         }
> >     }
> > }
> > security {
> >     traceoptions {
> >         file files 10;
> >         flag all;
> >     }
> >     ipsec {
> >         proposal testing_Proposal_IPSec {
> >             protocol esp;
> >             authentication-algorithm hmac-md5-96;
> >             encryption-algorithm des-cbc;
> >             lifetime-seconds 86400;
> >         }
> >         policy testing_Policy_IPSec {
> >             perfect-forward-secrecy {
> >                 keys group1;
> >             }
> >             proposals testing_Proposal_IPSec;
> >         }
> >         security-association testing_SA_IPSec {
> >             description "...IPSec SA testing";
> >             mode tunnel;
> >             dynamic {
> >                 ipsec-policy testing_Policy_IPSec;
> >             }
> >         }
> >     }
> >     ike {
> >         proposal testing {
> >             authentication-method pre-shared-keys;
> >             authentication-algorithm md5;
> >             encryption-algorithm des-cbc;
> >         }
> >         policy 10.0.0.1 {
> >             proposals testing;
> >             pre-shared-key ascii-text "$9$ef0vX7dbs4JGVbfTFnCAX7N-24";
> >         }
> >     }
> > }
> >
> >
> > It may be possible that you use the same lo0 interface on your GRE but I
> > have not tried this.
> >
> > 1. Have a local static route pointing to the remote GRE tunnel
> > destination with a next-hop of the IPSec tunnel (like es-0/2/0.0).
> > 2. Point your multicast traffic at the GRE interface: gr-0/1/0.0.
> >
> > Let me know how it turns out.
> >
> >
> >
> > Thanks,
> >
> > Mario Puras
> > SoluNet/SoluServe TAC Manager
> > Web Address: www.solunet.com
> > Mailto: mpuras at solunet.com
> > Direct: (321) 309-1410
> > Fax: (321) 676-1287
> > TAC: 888.449.5766 (USA) / 888.SOLUNET (Canada)
> >
> >
> > -----Original Message-----
> > From: juniper-nsp-bounces at puck.nether.net
> > [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> > telecom at servidor.unam.mx
> > Sent: Monday, July 11, 2005 4:15 PM
> > To: juniper-nsp at puck.nether.net
> > Subject: [j-nsp] IPSec + GRE on same box, config example
> >
> >
> > Hi everybody, I've done both tests separately with an AS PIC and so far
> > the results have been great. Recently, I've been asked if it's possible
> > to transport multicast over GRE over IPSec on an AS PIC. So before I
> > jumped into the lab, I'd like to know if this is even supported today.
> > Juniper is great at documenting their supported features and since I
> > haven't seen anything in their documentation, I'm wondering if anybody
> > has tried this before. Thanks
> >
> > --
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/juniper-nsp
> >
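Two things in the configurations quoted above deserve a note from a security standpoint, and the script below is an added example to make them concrete; it is not code from Raymond, Mario, or Juniper. First, des-cbc, md5 / hmac-md5-96 and DH group1/group2 were the defaults of the era but are well below today's minimums; the replacements used here (aes-256-cbc, sha-256 / hmac-sha-256-128, group14) are present-day Junos keywords, and their availability on a given platform and release is an assumption of this example, not something the thread states. Second, a Junos "$9$" pre-shared-key string is reversible obfuscation, not a hash: the router has to recover the plaintext to run IKE, the scheme is widely reimplemented (junosdecode, Crypt::Juniper, whose tables are reproduced below), and anyone who can read the config, including readers of a public list archive, can recover the key. The script parses a "services ipsec-vpn" stanza modelled on Raymond's (constructed here, with the algorithm names substituted in), flags weak and legacy algorithms, reports $9$ pre-shared keys as recoverable, and round-trips a constructed secret through the $9$ encoding to show the point. The hardened stanza's key is a made-up example.

```python
import re
import secrets

MAGIC = "$9$"
FAMILY = ["QzF3n6/9CAtpu0O", "B1IREhcSyrleKvMW8LXx",
          "7N-dVbwsY2g4oaJZGUDj", "iHkq.mPf5T"]
EXTRA = {c: 3 - i for i, fam in enumerate(FAMILY) for c in fam}  # padding length per salt char
NUM_ALPHA = "".join(FAMILY)                                        # the 65-character alphabet
ALPHA_NUM = {c: i for i, c in enumerate(NUM_ALPHA)}
ENCODING = [[1, 4, 32], [1, 16, 32], [1, 8, 32], [1, 64],
            [1, 32], [1, 4, 16, 128], [1, 32, 64]]

def junos_decode(crypt):
    """Plaintext byte = weighted sum of alphabet 'gaps' between successive characters."""
    assert crypt.startswith(MAGIC), "not a $9$ secret"
    body = crypt[len(MAGIC):]
    prev, body = body[0], body[1:]            # first char is the salt
    body = body[EXTRA[prev]:]                 # then EXTRA[salt] random padding chars
    plain = ""
    while body:
        enc = ENCODING[len(plain) % len(ENCODING)]
        nibble, body = body[:len(enc)], body[len(enc):]
        gaps = []
        for c in nibble:
            gaps.append((ALPHA_NUM[c] - ALPHA_NUM[prev]) % len(NUM_ALPHA) - 1)
            prev = c
        plain += chr(sum(g * w for g, w in zip(gaps, enc)) % 256)
    return plain

def junos_encode(plain, salt=None):
    # Inverse of junos_decode for ASCII text: what 'set ... ascii-text' does on the box.
    salt = salt or secrets.choice(NUM_ALPHA)
    out = MAGIC + salt + "".join(secrets.choice(NUM_ALPHA) for _ in range(EXTRA[salt]))
    prev = salt
    for pos, ch in enumerate(plain):
        enc, val, digits = ENCODING[pos % len(ENCODING)], ord(ch), []
        for w in reversed(enc):               # split the byte into one digit per weight
            digits.insert(0, val // w)
            val %= w
        for d in digits:                      # each digit becomes a gap from the previous char
            prev = NUM_ALPHA[(ALPHA_NUM[prev] + 1 + d) % len(NUM_ALPHA)]
            out += prev
    return out

def parse_junos(text):
    """Brace-style Junos config -> nested dicts; 'stmt;' leaves map to None."""
    root, stack, cur = {}, [], []
    node = root
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text):
        if tok == "{":
            node[" ".join(cur)] = child = {}
            stack.append(node)
            node, cur = child, []
        elif tok == "}":
            node = stack.pop()
        elif tok == ";":
            node[" ".join(cur)], cur = None, []
        else:
            cur.append(tok)
    return root

WEAK = {"encryption-algorithm": {"des-cbc", "3des-cbc"}, "authentication-algorithm": {"md5", "hmac-md5-96"},
        "dh-group": {"group1", "group2", "group5"}, "keys": {"group1", "group2", "group5"}}  # keys = PFS
LEGACY = {"authentication-algorithm": {"sha1", "hmac-sha1-96"}}   # HMAC-SHA1 still sound; prefer sha-256

def audit(tree, path=()):
    """Walk a parsed config and return (severity, where, statement) findings."""
    findings = []
    for stmt, child in tree.items():
        if child is not None:
            findings.extend(audit(child, path + (stmt,)))
            continue
        parts, where = stmt.split(), " > ".join(path)
        if len(parts) == 2 and parts[1] in WEAK.get(parts[0], ()):
            findings.append(("weak", where, stmt))
        elif len(parts) == 2 and parts[1] in LEGACY.get(parts[0], ()):
            findings.append(("legacy", where, stmt))
        elif parts[:1] == ["pre-shared-key"] and parts[-1].strip('"').startswith(MAGIC):
            findings.append(("info", where, "pre-shared-key is $9$ obfuscated, not hashed"))
    return findings

def vpn_config(enc, ike_auth, ipsec_auth, grp, psk):
    """Constructed 'services ipsec-vpn' stanza in the shape of the one posted above."""
    return """services { ipsec-vpn {
      ipsec { proposal ipsec1 { protocol esp; authentication-algorithm %(ipsec_auth)s; encryption-algorithm %(enc)s; }
              policy policy1 { perfect-forward-secrecy { keys %(grp)s; } proposals ipsec1; } }
      ike { proposal ike1 { authentication-method pre-shared-keys; dh-group %(grp)s;
                            authentication-algorithm %(ike_auth)s; encryption-algorithm %(enc)s; }
            policy hello { mode main; proposals ike1; pre-shared-key ascii-text "%(psk)s"; } } } }
    """ % locals()

# Algorithm set as posted, and a present-day set (keyword availability assumed; check your release).
POSTED = vpn_config("des-cbc", "sha1", "hmac-sha1-96", "group2", "$9$6fQDAtOrlMXNbp0MX7Nbwmf5F9A")
HARDENED = vpn_config("aes-256-cbc", "sha-256", "hmac-sha-256-128", "group14",
                      junos_encode("example-only-psk", salt="Q"))   # made-up key, encoded above
if __name__ == "__main__":
    for sev, where, stmt in audit(parse_junos(POSTED)) + audit(parse_junos(HARDENED)):
        print("[%-6s] %s: %s" % (sev, where, stmt))
```

Run as-is it lists four "weak" findings and two "legacy" ones for the posted algorithm set and only the $9$ "info" finding for the hardened one; junos_decode() applied to any $9$ string from a config returns the plaintext. Treat a pre-shared key that has appeared in a list post, ticket, or config backup as disclosed and rotate it, and prefer RSA or certificate authentication where the platform supports it.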