[j-nsp] GRE over IPsec on J-series

Jonathan Looney jonlooney at gmail.com
Tue Oct 30 12:06:29 EDT 2007


Roman,

On newer versions of IOS (12.3(14)T or 12.4(2)T, for example), I
understand that IOS supports treating IPSec tunnels as interfaces.
That makes all of this a lot easier, since you can just configure
IPSec tunnels (without configuring an additional GRE interface).
However, I can not help you with the Cisco configuration syntax for
that feature, as I've never configured it.

To configure a GRE tunnel, which will be encapsulated within IPSec,
you configure an IPSec tunnel and then a GRE tunnel.  The exact
details depend on whether you will be using the same IP address for
both the GRE and IPSec tunnel endpoints.  It is slightly more
straightforward if you use different addresses, so I will use that as
an example.

In this case, we have two routers (aptly named juniper and cisco),
configured with the following addresses:

juniper
ISP interface: 172.17.37.4
lo0.0: 192.168.37.1

cisco
ISP interface: 172.17.38.4
loopback0: 192.168.38.1

We will use the ISP interfaces as the endpoints for the IPSec tunnel
and use the loopback interfaces as the endpoints for the GRE tunnel.

On the Juniper side, we'll start by configuring the IPSec tunnel, as follows:

[edit interfaces]
user@juniper# show sp-0/0/0
unit 0 {
    family inet;
}
unit 1 {
    family inet;
    service-domain outside;
}
unit 2 {
    family inet;
    service-domain inside;
}

[edit security]
user@juniper# show
service-set gre-vpn {
   next-hop-service {
      inside-service-interface sp-0/0/0.2;
      outside-service-interface sp-0/0/0.1;
   }
   ipsec-vpn-options {
      local-gateway 172.17.37.4;
   }
   ipsec-vpn-rules vpn-to-cisco;
}
ipsec-vpn {
   rule vpn-to-cisco {
      term gre-tunnel {
         from {
            source-address {
               192.168.37.1/32;
            }
            destination-address {
               192.168.38.1/32;
            }
         }
         then {
            remote-gateway 172.17.38.4;
            dynamic {
               ike-policy main_mode_ike_policy;
               ipsec-policy dynamic_ipsec_policy;
            }
         }
      }
      match-direction output;
   }
   ipsec {
      proposal cisco_compat {
         protocol esp;
         authentication-algorithm hmac-md5-96;
         encryption-algorithm des-cbc;
      }
      policy dynamic_ipsec_policy {
         perfect-forward-secrecy {
            keys group1;
         }
         proposals cisco_compat;
      }
   }
   ike {
      proposal cisco-compat {
         authentication-method pre-shared-keys;
         authentication-algorithm md5;
         dh-group group1;
         encryption-algorithm des-cbc;
      }
      policy main_mode_ike_policy {
         proposals cisco-compat;
         pre-shared-key ascii-text use-a-really-secure-key;
      }
   }
   establish-tunnels immediately;
}

You should customize the above to fit your environment.  In particular:
A) change the IKE/IPSec policies/proposals to use security parameters
acceptable to your situation.
B) change the local IKE/IPSec endpoint defined in the [edit security
service-set gre-vpn ipsec-vpn-options] section.
C) change the remote IKE/IPSec endpoint defined in the [edit security
rule vpn-to-gre term gre-tunnel then] section.
D) change the GRE endpoints defined in the [edit security rule
vpn-to-gre term gre-tunnel from] section.  Like the IOS configuration,
you only define the outbound matching parameters and the inbound
traffic will be automatically allowed.  The source/destination address
here must exactly match the source/destination allowed by the
access-list you use in your crypto-map on the IOS side.
E) change the services interface unit #s, if necessary.

Now, we can configure the GRE tunnel:


[edit]
user@juniper# show interfaces gr-0/0/0
unit 0 {
   tunnel {
      source 192.168.37.1;
      destination 192.168.38.1;
   }
   family inet {
      address 192.168.25.129/30;
   }
}

Again, you should customize this:
A) Use the correct tunnel endpoints.
B) Use an appropriate IP address. If you want to do the equivalent of
"ip unnumbered" from the Cisco router, simply configure "family inet"
with no address.
C) Change the GRE tunnel interface unit # if necessary.

Now, we configure a route to ensure the traffic to the remote GRE
endpoint will be encrypted:

[edit routing-options]
user@juniper# show static
route 192.168.38.1/32 next-hop sp-0/0/0.2;

Again, you should customize this:
 A) Use the correct tunnel endpoint.
 B) Use the 'inside' services interface used for the IPSec service set.

At this point, your GRE and IPSec tunnels should come up (assuming a
compatible configuration on the Cisco side).  Once you've confirmed IP
connectivity, you can configure OSPF to run over the GRE interface by
simply including the GRE interface in an OSPF area configuration.  For
example:

[edit]
user@juniper# show protocols ospf
area 0.0.0.0 {
    interface gr-0/0/0.0;
}



For reference, I believe a compatible Cisco configuration would be:

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key test address 172.17.37.4
crypto isakmp keepalive 10 2 periodic

!
!
crypto ipsec transform-set esp_des_set esp-des esp-md5-hmac
!
!
crypto map gre-to-juniper 1 ipsec-isakmp
 set peer 172.17.37.4
 set transform-set esp_des_set
 set pfs group1
 match address 110

access-list 110 permit ip host 192.168.38.1 host 192.168.37.1

interface tunnel1
 ip address 192.168.25.130 255.255.255.252
 tunnel mode gre ip
 tunnel destination 192.168.37.1
 tunnel source 192.168.38.1

interface <to provider>
 crypto map gre-to-juniper

router ospf 1
 network 192.168.25.128 0.0.0.3 area 0


Of course, I provide no guarantees for the Cisco side of the config. :-)

I hope this helps.

-Jon

On 10/30/07, Roman Shibrick <rshbrk at mail.ru> wrote:
> Ok. I understand.
> Then I shall formulate a question differently.
>
> Is there a way to build an IPsec tunnel between a Juniper J-series and a Cisco router with the possibility of routing over that tunnel, for example OSPF?
> If somebody has seen configuration examples, please give a reference.
>
> -----Original Message-----
> From: Sabri Berisha <sabri at cluecentral.net>
> To: Roman Shibrick <rshbrk at mail.ru>
> Date: Tue, 30 Oct 2007 10:13:53 +0100
> Subject: Re: [j-nsp] GRE over IPsec on J-series
>
> >
> > On Tue, Oct 30, 2007 at 11:36:35AM +0300, Roman Shibrick wrote:
> >
> > Hi,
> >
> > > Is this feature available on J-series routers? I have found the documentation only for the E-series:
> > >
> > > http://www.juniper.net/techpubs/software/erx/junose82/swconfig-ip-services/html/l2tp-over-ipsec-config6.html
> > >
> > > Does this mean that the J-series does not support this feature?
> >
> > The E-series and the J-series are completely different products. The
> > documentation for the J-series is at
> > http://www.juniper.net/techpubs/software/jseries/junos84/index.html
> >
> > Thanks,
> >
> > --
> > Sabri
> >
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
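
The parity that point D of the message requires (the Junos term's source/destination must be the exact mirror of the IOS access-list), checked mechanically together with peer, transform and PFS agreement; this is an added example, not part of the original message. The `audit` and `one` helpers, their regexes and the `WEAK` list are assumptions of this example, and the two embedded configs are condensed from the ones in the message.

```python
import re

# Junos proposal keywords and the IOS transform names for the same algorithm.
JUNOS_TO_IOS = {"des-cbc": "esp-des", "3des-cbc": "esp-3des",
                "hmac-md5-96": "esp-md5-hmac", "hmac-sha1-96": "esp-sha-hmac"}
WEAK = {"des-cbc", "hmac-md5-96", "group1"}  # assumption: this audit's own policy list

# Condensed excerpts of the two configurations in the message (values unchanged).
JUNOS = """
local-gateway 172.17.37.4;
source-address { 192.168.37.1/32; }
destination-address { 192.168.38.1/32; }
proposal cisco_compat { authentication-algorithm hmac-md5-96; encryption-algorithm des-cbc; }
perfect-forward-secrecy { keys group1; }
"""
IOS = """
crypto ipsec transform-set esp_des_set esp-des esp-md5-hmac
crypto map gre-to-juniper 1 ipsec-isakmp
 set peer 172.17.37.4
 set pfs group1
 match address 110
access-list 110 permit ip host 192.168.38.1 host 192.168.37.1
"""

def one(pattern, text):
    """First capture group of pattern in text, or None when the line is absent."""
    m = re.search(pattern, text)
    return m.group(1) if m else None

def audit(junos, ios):
    """Return (mismatches, weak): settings that differ between peers, weak algorithms."""
    j_sel = (one(r"source-address\s*\{\s*([\d.]+)/32", junos),
             one(r"destination-address\s*\{\s*([\d.]+)/32", junos))
    acl = re.search(r"access-list\s+%s\s+permit ip host ([\d.]+) host ([\d.]+)"
                    % one(r"match address (\d+)", ios), ios)
    j_algs = [one(r"encryption-algorithm\s+([\w-]+);", junos),
              one(r"authentication-algorithm\s+(hmac-[\w-]+);", junos)]
    j_pfs = one(r"keys\s+(group\d+);", junos)
    ios_ts = set((one(r"crypto ipsec transform-set\s+\S+\s+([^\n]+)", ios) or "").split())
    checks = {
        # The IOS access-list must be the exact mirror of the Junos term's "from".
        "selector": bool(acl) and acl.groups() == j_sel[::-1],
        "peer": one(r"set peer\s+([\d.]+)", ios) == one(r"local-gateway\s+([\d.]+);", junos),
        "transform": {JUNOS_TO_IOS.get(a) for a in j_algs} == ios_ts,
        "pfs": one(r"set pfs\s+(group\d+)", ios) == j_pfs,
    }
    mismatches = sorted(k for k, ok in checks.items() if not ok)
    weak = sorted(a for a in j_algs + [j_pfs] if a in WEAK)
    return mismatches, weak
```

For the configurations as posted, `audit(JUNOS, IOS)` reports no mismatches and lists DES, HMAC-MD5 and DH group 1 as the parameters to replace under point A.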

