[j-nsp] IPSec + GRE on same box, config example

telecom at servidor.unam.mx
Mon Jul 11 19:47:59 EDT 2005


On Mon, 11 Jul 2005, Raymond Cheh wrote:


Thanks Raymond and Mario, I actually was able to test it before you sent
me this configuration and some traffic goes through the GRE/IPsec tunnel
(OSPF neighbors are up through the tunnel), but no unicast traffic seems
to pass across the router. I checked your config and it seems that we are
using a different IP scheme on the GRE and IPsec tunnels than yours, but
I'm not sure if that's the issue. Here is my config, but I'll try to
change it to what you have as soon as we have the router back. Do you see
anything wrong in my config? Is it the addresses? Thanks


interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.57.1.1/24;
            }
        }
    }
    ge-0/1/0 {
        disable;
    }
    ge-0/2/0 {
        vlan-tagging;
        unit 0 {
            vlan-id 241;
            family inet {
                service {
                    input {
                        service-set VPN_RULE_241;
                    }
                    output {
                        service-set VPN_RULE_241;
                    }
                }
                address 192.168.241.1/24;
            }
        }
    }
    fe-1/0/0 {
        disable;
    }
    gr-1/3/0 {
        unit 0 {
            description b0000;
            tunnel {
                source 192.168.241.1;
                destination 192.168.0.2;
            }
            family inet {
                address 10.60.0.193/30;
            }
        }
        unit 1 {
            description b0001;
            tunnel {
                source 192.168.241.1;
                destination 192.168.1.2;
            }
            family inet {
                address 10.60.1.193/30;
            }
        }
        unit 2 {
            description b0002;
            tunnel {
                source 192.168.241.1;
                destination 192.168.2.2;
            }
            family inet {
                address 10.60.2.193/30;
            }
        }
        unit 3 {
            description b0003;
            tunnel {
                source 192.168.241.1;
                destination 192.168.3.2;
            }
            family inet {
                address 10.60.3.193/30;
            }
        }
    }
    sp-1/3/0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 192.168.0.0/30 next-hop 192.168.241.2;
        route 192.168.1.0/30 next-hop 192.168.241.2;
        route 192.168.2.0/30 next-hop 192.168.241.2;
        route 192.168.3.0/30 next-hop 192.168.241.2;
    }
}
protocols {
    ospf {
        area 10.60.0.0 {
            area-range 10.60.0.0/18;
            interface gr-1/3/0.0;
            interface gr-1/3/0.1;
            interface gr-1/3/0.2;
            interface gr-1/3/0.3;
        }
        area 0.0.0.0 {
            area-range 10.56.0.0/14;
            interface ge-0/0/0.0;
        }
    }
}
services {
    service-set VPN_RULE_241 {
        interface-service {
            service-interface sp-1/3/0;
        }
        ipsec-vpn-options {
            local-gateway 192.168.241.1;
        }
        ipsec-vpn-rule-sets VPN_RULE_241;
    }
    ipsec-vpn {
        rule R241 {
            term b0000 {
                from {
                    source-address {
                        192.168.241.1/32;
                    }
                    destination-address {
                        192.168.0.2/32;
                    }
                }
                then {
                    remote-gateway 192.168.0.2;
                    dynamic {
                        ike-policy P1;
                        ipsec-policy P1;
                    }
                    clear-dont-fragment-bit;
                }
            }
            term b0001 {
                from {
                    source-address {
                        192.168.241.1/32;
                    }
                    destination-address {
                        192.168.1.2/32;
                    }
                }
                then {
                    remote-gateway 192.168.1.2;
                    dynamic {
                        ike-policy P1;
                        ipsec-policy P1;
                    }
                    clear-dont-fragment-bit;
                }
            }
            term b0002 {
                from {
                    source-address {
                        192.168.241.1/32;
                    }
                    destination-address {
                        192.168.2.2/32;
                    }
                }
                then {
                    remote-gateway 192.168.2.2;
                    dynamic {
                        ike-policy P1;
                        ipsec-policy P1;
                    }
                    clear-dont-fragment-bit;
                }
            }
            term b0003 {
                from {
                    source-address {
                        192.168.241.1/32;
                    }
                    destination-address {
                        192.168.3.2/32;
                    }
                }
                then {
                    remote-gateway 192.168.3.2;
                    dynamic {
                        ike-policy P1;
                        ipsec-policy P1;
                    }
                    clear-dont-fragment-bit;
                }
            }
            match-direction output;
        }
        rule-set VPN_RULE_241 {
            rule R241;
        }
        ipsec {
            proposal P1 {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
            }
            policy P1 {
                proposals P1;
            }
        }
        ike {
            proposal P1 {
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
            }
            policy P1 {
                proposals P1;
                pre-shared-key ascii-text ""; ## SECRET-DATA
            }
        }
        establish-tunnels immediately;
    }
}



> Mario,
> 
> This is one with IPSec + GRE but you'll need to add multicast on it. I
> don't have one as detailed as they put in the configuration guides but I
> hope this helps.
> 
> interfaces {
>     so-0/1/0 {
>         unit 0 {
>             family inet {
>                 service {
>                     input {
>                         service-set ss-1;
>                     }
>                     output {
>                         service-set ss-1;
>                     }
>                 }
>                 address 10.10.10.1/30;
>             }
>             family iso;
>         }
>     }
>     gr-2/2/0 {
>         unit 1 {
>             tunnel {
>                 source 10.0.0.1;
>                 destination 10.0.0.2;
>             }
>             family inet {
>                 address 11.1.1.1/30;
>             }
>         }
>     }
>     sp-2/2/0 {
>         unit 0 {
>             family inet;
>         }
>     }
> }
> services {
>     service-set ss-1 {
>         interface-service {
>             service-interface sp-2/2/0;
>         }
>         ipsec-vpn-options {
>             local-gateway 10.10.10.1;
>         }
>         ipsec-vpn-rules espdes;
>     }
>     ipsec-vpn {
>         rule espdes {
>             term term-dynamic-SA {
>                 from {
>                     source-address {
>                         10.0.0.1/32;
>                     }
>                     destination-address {
>                         10.10.10.2/32;
>                     }
>                 }
>                 then {
>                     remote-gateway 10.30.1.2;
>                     dynamic {
>                         ike-policy hello;
>                         ipsec-policy policy1;
>                     }
>                 }
>             }
>             match-direction output;
>         }
>         ipsec {
>             proposal ipsec1 {
>                 protocol esp;
>                 authentication-algorithm hmac-sha1-96;
>                 encryption-algorithm des-cbc;
>             }
>             policy policy1 {
>                 perfect-forward-secrecy {
>                     keys group2;
>                 }
>                 proposals ipsec1;
>             }
>         }
>         ike {
>             proposal ike1 {
>                 authentication-method pre-shared-keys;
>                 dh-group group2;
>                 authentication-algorithm sha1;
>                 encryption-algorithm des-cbc;
>             }
>             policy hello {
>                 mode main;
>                 proposals ike1;
>                 pre-shared-key ascii-text "$9$6fQDAtOrlMXNbp0MX7Nbwmf5F9A";
>             }
>         }
>     }
> }
> 
> Raymond
> rcheh at juniper.net
> 
> > -----Original Message-----
> > From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> > bounces at puck.nether.net] On Behalf Of telecom at servidor.unam.mx
> > Sent: Monday, July 11, 2005 2:19 PM
> > To: Mario Puras
> > Cc: juniper-nsp at puck.nether.net
> > Subject: RE: [j-nsp] IPSec + GRE on same box, config example
> > 
> > On Mon, 11 Jul 2005, Mario Puras wrote:
> > 
> > OK thanks, my case is with an AS PIC for both IPSec and GRE, not an ES
> > PIC, but I'll give this a try... So I guess that Juniper doesn't
> > officially support this, right?
> > 
> > 
> > > I have been working on a config for one of my customers to do just
> what
> > > you are wanting to do but I have not heard back from them whether it
> has
> > > worked or not.  Perhaps you can try it and let me know?
> > >
> > >
> > > interfaces {
> > >     gr-0/1/0 {
> > >         unit 0 {
> > >             tunnel {
> > >                 source 192.168.12.1;
> > >                 destination 192.168.12.2;
> > >             }
> > >             family inet {
> > >                 address 1.1.1.6/30;
> > >             }
> > >         }
> > >     }
> > >     es-0/2/0 {
> > >         unit 0 {
> > >             tunnel {
> > >                 source 10.0.0.3;
> > >                 destination 10.0.0.1;
> > >             }
> > >             family inet {
> > >                 ipsec-sa testing_SA_IPSec;
> > >                 address 1.1.1.2/30;
> > >             }
> > >         }
> > >     }
> > >     t1-4/0/0 {
> > >         unit 0 {
> > >             family inet {
> > >                 address 192.168.12.1/30;
> > >             }
> > >         }
> > >     }
> > >     lo0 {
> > >         unit 0 {
> > >             family inet {
> > >                 address 10.0.0.3/32;
> > >             }
> > >         }
> > >     }
> > > }
> > > security {
> > >     traceoptions {
> > >         file files 10;
> > >         flag all;
> > >     }
> > >     ipsec {
> > >         proposal testing_Proposal_IPSec {
> > >             protocol esp;
> > >             authentication-algorithm hmac-md5-96;
> > >             encryption-algorithm des-cbc;
> > >             lifetime-seconds 86400;
> > >         }
> > >         policy testing_Policy_IPSec {
> > >             perfect-forward-secrecy {
> > >                 keys group1;
> > >             }
> > >             proposals testing_Proposal_IPSec;
> > >         }
> > >         security-association testing_SA_IPSec {
> > >             description "...IPSec SA testing";
> > >             mode tunnel;
> > >             dynamic {
> > >                 ipsec-policy testing_Policy_IPSec;
> > >             }
> > >         }
> > >     }
> > >     ike {
> > >         proposal testing {
> > >             authentication-method pre-shared-keys;
> > >             authentication-algorithm md5;
> > >             encryption-algorithm des-cbc;
> > >         }
> > >         policy 10.0.0.1 {
> > >             proposals testing;
> > >             pre-shared-key ascii-text "$9$ef0vX7dbs4JGVbfTFnCAX7N-24";
> > >         }
> > >     }
> > > }
> > >
> > >
> > > It may be possible that you use the same lo0 interface on your GRE
> > > but I have not tried this.
> > >
> > > 1.  Have a local static route pointing to the remote GRE tunnel
> > > destination with a next-hop of the IPSec tunnel (like es-0/2/0.0).
> > > 2.  Point your multicast traffic at the GRE interface: gr-0/1/0.0.
> > >
> > > Let me know how it turns out.
> > >
> > >
> > >
> > > Thanks,
> > >
> > > Mario Puras
> > > SoluNet/SoluServe TAC Manager
> > > Web Address:  www.solunet.com
> > > Mailto: mpuras at solunet.com
> > > Direct: (321) 309-1410
> > > Fax: (321) 676-1287
> > > TAC: 888.449.5766 (USA) / 888.SOLUNET (Canada)
> > >
> > >
> > > -----Original Message-----
> > > From: juniper-nsp-bounces at puck.nether.net
> > > [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> > > telecom at servidor.unam.mx
> > > Sent: Monday, July 11, 2005 4:15 PM
> > > To: juniper-nsp at puck.nether.net
> > > Subject: [j-nsp] IPSec + GRE on same box, config example
> > >
> > >
> > > Hi everybody, I've done both tests separately with an AS PIC and so
> > > far the results have been great. Recently, I've been asked if it's
> > > possible to transport multicast over GRE over IPSec on an AS PIC. So
> > > before I jump into the lab, I'd like to know if this is even supported
> > > today. Juniper is great at documenting their supported features and
> > > since I haven't seen anything in their documentation, I'm wondering if
> > > anybody has tried this before. Thanks
> > >
> > > --
> > > _______________________________________________
> > > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > > http://puck.nether.net/mailman/listinfo/juniper-nsp
> > >
> > 
> 

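An added sanity check for the GRE-over-IPsec design discussed in this thread, written here as an example and not code from any of the posters or from Juniper. It parses a JunOS-style configuration (a constructed fragment that follows the poster's addressing scheme, assumed for illustration) and flags every gr- unit whose tunnel source/destination pair is not matched by an ipsec-vpn term, so its GRE packets would bypass IPsec, or whose GRE destination has no static route; the poster's full config would be checked the same way.

```python
import ipaddress
import re

# Constructed fragment in the poster's addressing scheme (not the thread's full config);
# unit 1 deliberately has neither an ipsec-vpn term nor a static route, so it must be flagged.
CONFIG = """
interfaces { gr-1/3/0 {
    unit 0 { tunnel { source 192.168.241.1; destination 192.168.0.2; } family inet { address 10.60.0.193/30; } }
    unit 1 { tunnel { source 192.168.241.1; destination 192.168.1.2; } family inet { address 10.60.1.193/30; } } } }
routing-options { static { route 192.168.0.0/30 next-hop 192.168.241.2; } }
services { ipsec-vpn { rule R241 { match-direction output;
    term b0000 { from { source-address { 192.168.241.1/32; } destination-address { 192.168.0.2/32; } }
                 then { remote-gateway 192.168.0.2; dynamic { ike-policy P1; ipsec-policy P1; } } } } } }
"""

def parse(text):
    """Parse JunOS brace syntax: blocks -> dicts keyed by header, leaves -> {first word: [rest, ...]}."""
    node, stack, words = {}, [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            stack.append(node)
            node, words = node.setdefault(" ".join(words), {}), []
        elif tok == "}":
            node = stack.pop()
        elif tok == ";":
            node.setdefault(words[0], []).append(words[1:])
            words = []
        else:
            words.append(tok)
    return node

def check_gre_over_ipsec(cfg):
    """One message per gr- unit whose outer GRE packets would miss the IPsec rule or have no route."""
    terms = []
    for rname, rule in cfg["services"]["ipsec-vpn"].items():
        for tname, term in (rule.items() if rname.startswith("rule ") else []):
            if tname.startswith("term "):
                src, dst = (next(iter(term["from"][k])) for k in ("source-address", "destination-address"))
                terms.append((ipaddress.ip_network(src), ipaddress.ip_network(dst)))
    routes = [ipaddress.ip_network(r[0]) for r in cfg["routing-options"]["static"]["route"]]
    problems = []
    for ifname, iface in cfg["interfaces"].items():
        for uname, unit in ((u, v) for u, v in iface.items() if ifname.startswith("gr-") and u.startswith("unit ")):
            src = ipaddress.ip_address(unit["tunnel"]["source"][0][0])
            dst = ipaddress.ip_address(unit["tunnel"]["destination"][0][0])
            if not any(src in s and dst in d for s, d in terms):
                problems.append(f"{ifname} {uname}: GRE {src}->{dst} matches no ipsec-vpn term (would bypass IPsec)")
            if not any(dst in n for n in routes):
                problems.append(f"{ifname} {uname}: no static route covers GRE destination {dst}")
    return problems
```

Running `check_gre_over_ipsec(parse(CONFIG))` on the fragment reports both gaps for unit 1 and nothing for unit 0.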