[j-nsp] Configuring ipsec with an Adaptive Services PIC

Alexander Arsenyev (GU/ETL) alexander.arsenyev at ericsson.com
Wed May 25 06:50:33 EDT 2005


Hello,

Could you show us the configuration for the filter "ipsec-tunnel" applied to sp-1/2/0.0?
AFAIK, it's this filter that matters in IKE phase 2 when ID payloads are exchanged.
Also, what is the remote IKE peer, is it a Juniper/Cisco router/Cisco PIX/something else?
If it is a Cisco router you could enable "debug crypto isa" and "debug crypto ipsec" to
see how the IKE phases negotiate.
HTH,
Cheers
Alex


-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of John Holmes
Sent: 25 May 2005 07:34
To: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Configuring ipsec with an Adaptive Services PIC


Aviva Garrett wrote:

>Hi John,
>
>For initial reading, I suggest
>http://www.juniper.net/techpubs/software/junos/junos72/feature-guide-72/html/fg-ipsec.html
>
>Thanks,
>..Aviva
>
>In message <4282D5E9.8040108 at earthlink.net>you write:
>
>>   I have read through the Juniper documentation for JunOS 6.4 and have 
>>no trouble defining ipsec/ike proposals and policies. What I am not 
>>following is how do I actually apply them. I'm getting lost in rules, 
>>rule-sets, services, service-sets, etc. Under Cisco I define my policy, 
>>define the traffic to be encrypted/decrypted using an 
>>access-control-list, combine the acl and policy in a crypto map which is 
>>then applied to an interface. What is the Juniper way of doing this? 
>>I've found one or two examples using an ES PIC but nothing using the AS 
>>PIC. Could someone point me to good documentation or perhaps provide an 
>>example config? Thank you.
>>_______________________________________________
>>juniper-nsp mailing list juniper-nsp at puck.nether.net
>>http://puck.nether.net/mailman/listinfo/juniper-nsp
>
  I have read the information and tried to configure using the AS PIC 
IKE Dynamic SA Configuration. What I ended up with worked but only for 
the specific networks in the source-address and destination-address 
list. For example, I have

10.10.10.0/26  ---\
                   Router A ------ 10.5.5.0/29 ------ Router B --------- 10.1.1.0/22
10.10.10.64/26 ---/

How do I get both networks behind Router A to use the tunnel?

Here is the relevant part of the config on Router A:

    fe-1/3/0 {
        vlan-tagging;
        unit 2 {
            vlan-id 2;
            family inet {
                address 10.10.10.1/26;
            }
        }
        unit 3 {
            vlan-id 3;
            family inet {
                address 10.10.10.65/26;
            }
        }
        unit 116 {
            vlan-id 116;
            family inet {
                service {
                    input {
                        service-set R1-R2;
                    }
                    output {
                        service-set R1-R2;
                    }
                }
                address 10.5.5.2/29;
            }
        }
    }
    sp-1/2/0 {
        services-options {
            syslog {
                host local {
                    services info;
                }
            }
        }
        unit 0 {
            family inet {
                filter {
                    input ipsec-tunnel;
                }
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.10.3.3/32;
            }
        }
    }

services {
    service-set R1-R2 {
        interface-service {
            service-interface sp-1/2/0;
        }
        ipsec-vpn-options {
            local-gateway 10.5.5.2;
        }
        ipsec-vpn-rules rule-ike;
    }
    ipsec-vpn {
        rule rule-ike {
            term term-ike {
                from {
                    source-address {
                        10.10.10.0/26;
                    }
                    destination-address {
                        10.1.1.0/22;
                    }
                }
                then {
                    remote-gateway 10.5.5.1;
                    dynamic {
                        ike-policy ike-policy-preshared;
                    }
                }
            }
        }
        ike {
            policy ike-policy-preshared {
                pre-shared-key ascii-text "$9$KtKWX-YgJHqfVwqfTzCAvWL";
            }
        }
    }
}


  This seems to allow encrypted traffic to/from the networks in the rule 
but not the other network or the router's loopback address (which I 
would like to include for snmp traps). I can ping from a source-address 
to a destination-address but nothing else.  This seems fairly logical so 
far.

   If I change the source-address to, say, 10.10.10/24 to include both 
networks neither subnet will work. Of course, I am changing the 
destination-address on the other router to mirror this.

   Is the problem because I do not have a summary route specifically 
matching the 10.10.10/24 network in my routing tables? Would generating 
one using a policy-statement solve this or is there another way to add 
networks?

    Basically I want all the traffic from router A to router B to go in 
the tunnel with the exception of their connecting interfaces which are 
running OSPF. Any pointers?


_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
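An added example of the pattern John is asking about; it is not taken from either poster's message. The dynamic-SA rule carries one term per prefix pair that should ride the tunnel (each term is its own IKE phase 2 selector), so both VLANs behind Router A and its loopback can be listed explicitly instead of relying on a summary route, and the 10.5.5.0/29 link traffic (OSPF) never matches and stays outside the tunnel. Interface, rule, policy and address names come from the posted config; the term names, the match-direction value, and the assumption that Router B runs the same Junos AS PIC configuration with the selectors swapped are mine.

```junos
/* Router A (local-gateway 10.5.5.2). Added example, not the posted config.
   The service-set R1-R2 and ike policy ike-policy-preshared are taken as
   already defined exactly as posted. */
services {
    ipsec-vpn {
        rule rule-ike {
            /* VLAN 2 behind Router A */
            term lan-vlan2 {
                from {
                    source-address {
                        10.10.10.0/26;
                    }
                    destination-address {
                        10.1.1.0/22;
                    }
                }
                then {
                    remote-gateway 10.5.5.1;
                    dynamic {
                        ike-policy ike-policy-preshared;
                    }
                }
            }
            /* VLAN 3 behind Router A */
            term lan-vlan3 {
                from {
                    source-address {
                        10.10.10.64/26;
                    }
                    destination-address {
                        10.1.1.0/22;
                    }
                }
                then {
                    remote-gateway 10.5.5.1;
                    dynamic {
                        ike-policy ike-policy-preshared;
                    }
                }
            }
            /* Router A's lo0, so SNMP traps sourced from it are encrypted too */
            term loopback {
                from {
                    source-address {
                        10.10.3.3/32;
                    }
                    destination-address {
                        10.1.1.0/22;
                    }
                }
                then {
                    remote-gateway 10.5.5.1;
                    dynamic {
                        ike-policy ike-policy-preshared;
                    }
                }
            }
            /* Mandatory on an ipsec-vpn rule; not visible in the posted snippet.
               "input" is the value used in Juniper's interface-style examples. */
            match-direction input;
        }
    }
}

/* Router B (local-gateway 10.5.5.1): the same three terms with source and
   destination swapped and remote-gateway pointing back at Router A. Only the
   first term is written out; lan-vlan3 and loopback mirror in the same way.
   Assumed to be a Junos AS PIC peer with an ike policy of the same name. */
services {
    ipsec-vpn {
        rule rule-ike {
            term lan-vlan2 {
                from {
                    source-address {
                        10.1.1.0/22;
                    }
                    destination-address {
                        10.10.10.0/26;
                    }
                }
                then {
                    remote-gateway 10.5.5.2;
                    dynamic {
                        ike-policy ike-policy-preshared;
                    }
                }
            }
            match-direction input;
        }
    }
}
```

After committing on both sides, `show services ipsec-vpn ike security-associations` should show one phase 1 SA with 10.5.5.1, and `show services ipsec-vpn ipsec security-associations detail` should list one inbound/outbound SA pair per term with local and remote identities equal to the term's prefixes; a term whose selectors are not mirrored exactly on the peer is the one that will be missing from that output. Note also that the `$9$` form of the pre-shared key is Junos's reversible obfuscation, not a hash, so a posted configuration containing it should be treated as disclosing the key.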
