[j-nsp] Configuring ipsec with an Adaptive Services PIC

Harshit Kumar harshit at juniper.net
Wed May 25 12:54:38 EDT 2005


You can define multiple terms under the 'rule-ike'

Term 1 -> from source N1 dest N2 then remote-gateway r1
Term 2 -> from source N3 dest N4 then remote-gateway r1

N* are the phase-2 identifiers here.

If you want to tunnel everything you can skip the from clause.

In the example config, filter ipsec-tunnel doesn't do anything; it's just
for counting ipsec traffic for debugging. You don't have to configure that.


HTHs
Harshit

> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net 
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of John Holmes
> Sent: Tuesday, May 24, 2005 11:34 PM
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Configuring ipsec with an Adaptive Services PIC
> 
> Aviva Garrett wrote:
> 
> >Hi John,
> >
> >For initial reading, I suggest
> >http://www.juniper.net/techpubs/software/junos/junos72/feature-guide-72/html/fg-ipsec.html
> >
> >Thanks,
> >..Aviva
> >
> >In message <4282D5E9.8040108 at earthlink.net> you write:
> >
> >>   I have read through the Juniper documentation for JunOS 6.4 and have
> >>no trouble defining ipsec/ike proposals and policies. What I am not
> >>following is how do I actually apply them. I'm getting lost in rules,
> >>rule-sets, services, service-sets, etc. Under Cisco I define my policy,
> >>define the traffic to be encrypted/decrypted using an
> >>access-control-list, combine the acl and policy in a crypto map which is
> >>then applied to an interface. What is the Juniper way of doing this?
> >>I've found one or two examples using an ES PIC but nothing using the AS
> >>PIC. Could someone point me to good documentation or perhaps provide an
> >>example config? Thank you.
> >>_______________________________________________
> >>juniper-nsp mailing list juniper-nsp at puck.nether.net
> >>http://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>   I have read the information and tried to configure using the AS PIC
> IKE Dynamic SA Configuration. What I ended up with worked but only for
> the specific networks in the source-address and destination-address
> list. For example, I have
> 
> 10.10.10.0/26
>              ---------------Router A------10.5.5.0/29--------Router B--------- 10.1.1.0/22
> 10.10.10.64/26
> 
> How do I get both networks behind Router A to use the tunnel?
> 
> Here is the relevant part of the config on Router A:
> 
>    fe-1/3/0 {
>        vlan-tagging;
>        unit 2 {
>            vlan-id 2;
>            family inet {
>                address 10.10.10.1/26;
>            }
>        }
>        unit 3 {
>            vlan-id 3;
>            family inet {
>                address 10.10.10.65/26;
>            }
>        }
>        unit 116 {
>            vlan-id 116;
>            family inet {
>                service {
>                    input {
>                        service-set R1-R2;
>                    }
>                    output {
>                        service-set R1-R2;
>                    }
>                }
>                address 10.5.5.2/29;
>            }
>        }
>    }
>    sp-1/2/0 {
>        services-options {
>            syslog {
>                host local {
>                    services info;
>                }
>            }
>        }
>        unit 0 {
>            family inet {
>                filter {
>                    input ipsec-tunnel;
>                }
>            }
>        }
>    }
>    lo0 {
>        unit 0 {
>            family inet {
>                address 10.10.3.3/32;
>            }
>        }
>    }
> services {
>     service-set R1-R2 {
>         interface-service {
>             service-interface sp-1/2/0;
>         }
>         ipsec-vpn-options {
>             local-gateway 10.5.5.2;
>         }
>         ipsec-vpn-rules rule-ike;
>     }
>     ipsec-vpn {
>         rule rule-ike {
>             term term-ike {
>                 from {
>                     source-address {
>                         10.10.10.0/26;
>                     }
>                     destination-address {
>                         10.1.1.0/22;
>                     }
>                 }
>                 then {
>                     remote-gateway 10.5.5.1;
>                     dynamic {
>                         ike-policy ike-policy-preshared;
>                     }
>                 }
>             }
>         }
>         ike {
>             policy ike-policy-preshared {
>                 pre-shared-key ascii-text "$9$KtKWX-YgJHqfVwqfTzCAvWL";
>             }
>         }
>     }
> }
> 
> 
>   This seems to allow encrypted traffic to/from the networks in the rule
> but not the other network or the router's loopback address (which I
> would like to include for snmp traps). I can ping from a source-address
> to a destination-address but nothing else. This seems fairly logical so
> far.
> 
>    If I change the source-address to, say, 10.10.10/24 to include both
> networks, neither subnet will work. Of course, I am changing the
> destination-address on the other router to mirror this.
> 
>    Is the problem because I do not have a summary route specifically
> matching the 10.10.10/24 network in my routing tables? Would generating
> one using a policy-statement solve this or is there another way to add
> networks?
> 
>     Basically I want all the traffic from router A to router B to go in
> the tunnel with the exception of their connecting interfaces which are
> running OSPF. Any pointers?
> 
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
> 
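As an added example (not from Harshit's reply or from the original poster's config), here is the Router A services stanza rewritten the way the reply describes: one term under rule-ike per phase-2 selector pair, with the same remote gateway in each. It goes one step beyond the reply by adding a third term for the loopback address the poster wants in the tunnel. The term names and the pre-shared-key placeholder are assumptions; addresses, gateway and policy name come from the thread. The match-direction statement is standard Junos syntax for an ipsec-vpn rule that the quoted config omits; the value (input or output) depends on which side of the interface the service set is applied, so treat it as an assumption to verify against the feature guide linked above.

```junos
/* Added example, not from the thread: Router A side only. Term names,
   match-direction and the key placeholder are assumed. */
services {
    service-set R1-R2 {
        interface-service {
            service-interface sp-1/2/0;
        }
        ipsec-vpn-options {
            local-gateway 10.5.5.2;
        }
        ipsec-vpn-rules rule-ike;
    }
    ipsec-vpn {
        rule rule-ike {
            /* required on an ipsec-vpn rule; verify the direction for
               your interface placement */
            match-direction input;
            /* Term 1: first /26 behind Router A to the network behind Router B */
            term vlan2-to-rb {
                from {
                    source-address {
                        10.10.10.0/26;
                    }
                    destination-address {
                        10.1.1.0/22;
                    }
                }
                then {
                    remote-gateway 10.5.5.1;
                    dynamic {
                        ike-policy ike-policy-preshared;
                    }
                }
            }
            /* Term 2: second /26, same remote gateway, its own phase-2 SA */
            term vlan3-to-rb {
                from {
                    source-address {
                        10.10.10.64/26;
                    }
                    destination-address {
                        10.1.1.0/22;
                    }
                }
                then {
                    remote-gateway 10.5.5.1;
                    dynamic {
                        ike-policy ike-policy-preshared;
                    }
                }
            }
            /* Term 3: Router A loopback, so traps sourced from lo0 are
               also carried in the tunnel */
            term lo0-to-rb {
                from {
                    source-address {
                        10.10.3.3/32;
                    }
                    destination-address {
                        10.1.1.0/22;
                    }
                }
                then {
                    remote-gateway 10.5.5.1;
                    dynamic {
                        ike-policy ike-policy-preshared;
                    }
                }
            }
        }
        ike {
            policy ike-policy-preshared {
                /* placeholder; the real secret is configured out of band */
                pre-shared-key ascii-text "REPLACE-WITH-SHARED-SECRET";
            }
        }
    }
}
```

Because the from-clause addresses are the phase-2 identifiers, Router B needs the mirror image of each term (source and destination swapped) or the SA negotiation for that pair fails, which is the same reason a single 10.10.10/24 term on one side did not match the /26 selectors on the other. A term with no from clause, as the reply notes, matches all traffic through the service set.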


