[j-nsp] GRE over IPSEC on M Series
Sean Capshaw
capshaw at juniper.net
Mon Feb 13 11:48:37 EST 2006
Nitin,
It is really IPSec over GRE. When a router lacks an IP addressable
IPSec stack it is not possible to run a routing protocol over IPSec.
The workaround is to run the protocol over GRE and encrypt all the
GRE packets. BTW Juniper doesn't have this problem but here is an
interop example when the neighboring router needs GRE.
Config:
lab at M10i-R108> show configuration interfaces t1-0/2/0:1
dce;
mtu 5000;
encapsulation frame-relay;
unit 0 {
dlci 50;
family inet {
address 10.0.1.1/32 {
destination 10.0.1.2;
}
}
}
lab at M10i-R108> show configuration interfaces gr-1/2/0.0
tunnel {
source 10.0.1.1;
destination 10.0.1.2;
}
family inet {
address 40.0.1.1/32 {
destination 40.0.1.2;
}
}
lab at M10i-R108> show configuration interfaces es-0/0/0 unit 0
tunnel {
source 40.0.1.1;
destination 40.0.1.2;
}
family inet {
ipsec-sa sa-esp-0;
address 50.0.1.1/32 {
destination 50.0.1.2;
}
}
lab at M10i-R108> show configuration interfaces ge-1/3/0
unit 0 {
family inet {
filter {
input encrypt;
}
address 100.0.0.2/24;
}
}
lab at M10i-R108> show configuration security
traceoptions {
flag all;
}
ipsec {
proposal pro-esp-0 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 86400;
}
policy po-esp-0 {
perfect-forward-secrecy {
keys group2;
}
proposals pro-esp-0;
}
security-association sa-esp-0 {
mode tunnel;
dynamic {
ipsec-policy po-esp-0;
}
}
security-association sa-esp-1 {
lab at M10i-R108> show configuration security ike
max-negotiations-count 25;
proposal ike-esp-0 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 86400;
}
proposal ike-esp-1 {
authentication-method rsa-signatures;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 86400;
}
policy 40.0.1.2 {
mode aggressive;
proposals ike-esp-1;
local-certificate 0.crt;
local-key-pair 0.prv;
}
lab at M10i-R108> show configuration firewall filter encrypt
term sample {
then {
sample;
next term;
}
}
term 0 {
from {
destination-address {
9.0.0.2/32;
}
}
then ipsec-sa sa-esp-0;
}
term 1 {
from {
destination-address {
9.0.0.3/32;
}
}
then ipsec-sa sa-esp-1;
}
term 2 {
lab at M10i-R108> show configuration protocols ospf area 1
interface es-0/0/0.0 {
metric 100;
}
Show Commands:
lab at M10i-R108> show ospf neighbor
Address          Interface    State  ID            Pri  Dead
100.0.0.1        ge-1/3/0.0   Full   10.10.10.110  128  36
50.0.1.2         es-0/0/0.0   Full   10.10.10.24   128  33
lab at M10i-R108> show ipsec security-associations
Security association: sa-esp-0, Interface family: Up
Direction SPI AUX-SPI Mode Type Protocol
inbound 3252448684 0 tunnel dynamic ESP
outbound 34080526 0 tunnel dynamic ESP
Thanks
Sean
On Mon, 13 Feb 2006 Nitin.Vazirani at Hutch.in wrote:
>
> Hello!
>
> We are having a M 20 with Tunnel PIC and Encryption Services PIC for
> IPSEC. We are trying to make the Cisco GRE over IPSEC tunnel to
> interwork with the M 20.
>
> At the Cisco end of the configuration, we are using " tunnel protection
> ipsec profile xyz " command. Is it possible to configure a GRE over
> IPSEC tunnel on the M 20? If yes, please send back a sample
> configuration.
>
> Warm Regards,
> Nitin Vazirani
>
>
>
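The layering Sean describes (routing protocol inside GRE, GRE packets selected by the `encrypt` filter and carried in ESP tunnel mode) adds two IP headers plus GRE and ESP framing to every packet, so the link MTU decides whether the encrypted GRE traffic leaves the box unfragmented. The following Python model is an added example, not code from Sean's post or from Juniper; it assumes standard ESP tunnel-mode framing (RFC 4303), a GRE header with no optional fields (RFC 2784), and that the CBC IV length equals the cipher block size. The algorithm names mirror the proposal syntax on the page; the AES entries go beyond the posted 3des-cbc proposal so the same check works for other proposals.

```python
# Added example (not from the original post): size a routed IP packet after
# GRE encapsulation and ESP tunnel-mode protection, then check it against a
# link MTU such as the "mtu 5000" on the frame-relay interface in the config.

IPV4_HDR = 20
GRE_HDR = 4            # assumed: GRE with no checksum/key/sequence options
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)

# CBC block size; assumed equal to the IV length carried in the ESP payload.
CIPHER_BLOCK = {
    "3des-cbc": 8,
    "aes-128-cbc": 16,
    "aes-192-cbc": 16,
    "aes-256-cbc": 16,
}
# Truncated ICV length appended by the authentication algorithm.
ICV_LEN = {
    "hmac-md5-96": 12,
    "hmac-sha1-96": 12,
}


def gre_size(inner_len: int) -> int:
    """Bytes of an inner IP packet after GRE encapsulation (new IPv4 + GRE)."""
    return IPV4_HDR + GRE_HDR + inner_len


def esp_tunnel_size(inner_len: int, cipher: str = "3des-cbc",
                    auth: str = "hmac-sha1-96") -> int:
    """Wire size of inner_len bytes of IP carried as GRE inside ESP tunnel mode.

    ESP pads (payload + trailer) to a multiple of the cipher block size,
    appends the trailer and the ICV, and prefixes a new IPv4 header, the ESP
    header and the IV.
    """
    block = CIPHER_BLOCK[cipher]
    iv = block
    plaintext = gre_size(inner_len) + ESP_TRAILER
    pad = (-plaintext) % block
    return IPV4_HDR + ESP_HDR + iv + plaintext + pad + ICV_LEN[auth]


def fits(inner_len: int, link_mtu: int, cipher: str = "3des-cbc",
         auth: str = "hmac-sha1-96") -> bool:
    """True if the protected GRE packet leaves the link without fragmentation."""
    return esp_tunnel_size(inner_len, cipher, auth) <= link_mtu


def largest_inner(link_mtu: int, cipher: str = "3des-cbc",
                  auth: str = "hmac-sha1-96") -> int:
    """Largest inner IP packet that fits link_mtu once wrapped in GRE and ESP."""
    size = link_mtu
    while size > 0 and esp_tunnel_size(size, cipher, auth) > link_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    # 1500 = largest packet arriving from the Ethernet side (ge-1/3/0);
    # 5000 = mtu configured on the frame-relay interface in the posted config.
    for mtu in (1500, 5000):
        print(f"link mtu {mtu}: 1500-byte inner packet fits = {fits(1500, mtu)}, "
              f"largest unfragmented inner packet = {largest_inner(mtu)}")
```

With the posted proposal (3des-cbc, hmac-sha1-96) a full 1500-byte packet becomes 1576 bytes on the wire, which fits the 5000-byte frame-relay MTU but not a 1500-byte link; on a 1500-byte link the inner packet must stay at or below 1422 bytes.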