[j-nsp] GRE over IPsec on J-series

Peter Nyamukusa petern at africaonline.co.sz
Wed Oct 31 04:42:01 EDT 2007


> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Jonathan Looney
> Sent: 30 October 2007 06:06 PM
> To: Roman Shibrick
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] GRE over IPsec on J-series
> 
> Roman,
> 
> On newer versions of IOS (12.3(14)T or 12.4(2)T, for example), I
> understand that IOS supports treating IPSec tunnels as interfaces.
> That makes all of this a lot easier, since you can just configure
> IPSec tunnels (without configuring an additional GRE interface).
> However, I can not help you with the Cisco configuration syntax for
> that feature, as I've never configured it.

Hi, a sample Cisco config:

RTRA(config)# crypto isakmp policy 10
RTRA(config-isakmp)# encryption aes 128
RTRA(config-isakmp)# hash sha
RTRA(config-isakmp)# authentication pre-share
RTRA(config-isakmp)# group 2
RTRA(config-isakmp)# exit
RTRA(config)# crypto isakmp key cisco123 address 192.168.37.1 255.255.255.255 no-xauth
RTRA(config)# crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
RTRA(cfg-crypto-trans)# exit
RTRA(config)# crypto ipsec profile VTI
RTRA(ipsec-profile)# set transform-set RTRtran
RTRA(ipsec-profile)# exit
RTRA(config)# interface tunnel 0
RTRA(config-if)# ip address 10.1.1.1 255.255.255.252
RTRA(config-if)# tunnel source 172.17.38.4
RTRA(config-if)# tunnel destination 192.168.37.1
RTRA(config-if)# tunnel mode ipsec ipv4
RTRA(config-if)# tunnel protection ipsec VTI
RTRA(config)# interface Fa0/0
RTRA(config-if)# ip address 172.17.38.4 255.255.255.0
RTRA(config-if)# description Connection to ISP
RTRA(config-if)# exit
RTRA(config)# ip route x.x.x.x x.x.x.x tunnel0

Cheers,
---------------------------------------------------------
Peter Nyamukusa
MCSE, MCSA:Messaging, CCIP, CCNA, A+, JNCIA-ER, JNCIS-ER
Technical Manager
Africa Online Swaziland

> 
> To configure a GRE tunnel, which will be encapsulated within IPSec,
> you configure an IPSec tunnel and then a GRE tunnel.  The exact
> details depend on whether you will be using the same IP address for
> both the GRE and IPSec tunnel endpoints.  It is slightly more
> straightforward if you use different addresses, so I will use that as
> an example.
> 
> In this case, we have two routers (aptly named juniper and cisco),
> configured with the following addresses:
> 
> juniper
> ISP interface: 172.17.37.4
> lo0.0: 192.168.37.1
> 
> cisco
> ISP interface: 172.17.38.4
> loopback0: 192.168.38.1
> 
> We will use the ISP interfaces as the endpoints for the IPSec tunnel
> and use the loopback interfaces as the endpoints for the GRE tunnel.
> 
> On the Juniper side, we'll start by configuring the IPSec tunnel, as
> follows:
> 
> [edit interfaces]
> user at juniper# show sp-0/0/0
> unit 0 {
>     family inet;
> }
> unit 1 {
>     family inet;
>     service-domain outside;
> }
> unit 2 {
>     family inet;
>     service-domain inside;
> }
> 
> [edit security]
> user at juniper# show
> service-set gre-vpn {
>    next-hop-service {
>       inside-service-interface sp-0/0/0.2;
>       outside-service-interface sp-0/0/0.1;
> 
>    }
>    ipsec-vpn-options {
>       local-gateway 172.17.37.4;
>    }
>    ipsec-vpn-rules vpn-to-cisco;
> }
> ipsec-vpn {
>    rule vpn-to-cisco {
>       term gre-tunnel {
>          from {
>             source-address {
>                192.168.37.1/32;
>             }
>             destination-address {
>                192.168.38.1/32;
>             }
>          }
>          then {
>             remote-gateway 172.17.38.4;
>             dynamic {
>                ike-policy main_mode_ike_policy;
>                ipsec-policy dynamic_ipsec_policy;
>             }
>          }
>       }
>       match-direction output;
>    }
>    ipsec {
>       proposal cisco_compat {
>          protocol esp;
>          authentication-algorithm hmac-md5-96;
>          encryption-algorithm des-cbc;
>       }
>       policy dynamic_ipsec_policy {
>          perfect-forward-secrecy {
>             keys group1;
>          }
>          proposals cisco_compat;
>       }
>    }
>   ike {
>     proposal cisco-compat {
>       authentication-method pre-shared-keys;
>       authentication-algorithm md5;
>       dh-group group1;
>       encryption-algorithm des-cbc;
>     }
>     policy main_mode_ike_policy {
>       proposals cisco-compat;
>       pre-shared-key ascii-text use-a-really-secure-key;
> 
>     }
>   }
>   establish-tunnels immediately;
> }
> 
> You should customize the above to fit your environment.  In particular:
> A) change the IKE/IPSec policies/proposals to use security parameters
> acceptable to your situation.
> B) change the local IKE/IPSec endpoint defined in the [edit security
> service-set gre-vpn ipsec-vpn-options] section.
> C) change the remote IKE/IPSec endpoint defined in the [edit security
> rule vpn-to-gre term gre-tunnel then] section.
> D) change the GRE endpoints defined in the [edit security rule
> vpn-to-gre term gre-tunnel from] section.  Like the IOS configuration,
> you only define the outbound matching parameters and the inbound
> traffic will be automatically allowed.  The source/destination address
> here must exactly match the source/destination allowed by the
> access-list you use in your crypto-map on the IOS side.
> E) change the services interface unit #s, if necessary.
> 
> Now, we can configure the GRE tunnel:
> 
> 
> [edit]
> user at juniper# show interfaces gr-0/0/0
> unit 0 {
>    tunnel {
>       source 192.168.37.1;
>       destination 192.168.38.1;
>    }
>    family inet {
>       address 192.168.25.129/30;
>    }
> }
> Again, you should customize this:
> A) Use the correct tunnel endpoints.
> B) Use an appropriate IP address. If you want to do the equivalent of
> "ip unnumbered" from the Cisco router, simply configure "family inet"
> with no address.
> C) Change the GRE tunnel interface unit # if necessary.
> 
> Now, we configure a route to ensure the traffic to the remote GRE
> endpoint will be encrypted:
> 
> [edit routing-options]
> user at juniper# show static
> route 192.168.38.1/32 next-hop sp-0/0/0.2;
> 
> Again, you should customize this:
>  A) Use the correct tunnel endpoint.
>  B) Use the 'inside' services interface used for the IPSec service set.
> 
> At this point, your GRE and IPSec tunnels should come up (assuming a
> compatible configuration on the Cisco side).  Once you've confirmed IP
> connectivity, you can configure OSPF to run over the GRE interface by
> simply including the GRE interface in an OSPF area configuration.  For
> example:
> 
> [edit]
> user at juniper# show protocols ospf
> area 0.0.0.0 {
>     interface gr-0/0/0.0;
> }
> 
> 
> 
> For reference, I believe a compatible Cisco configuration would be:
> 
> crypto isakmp policy 1
>  hash md5
>  authentication pre-share
> crypto isakmp key test address 172.17.37.4
> crypto isakmp keepalive 10 2 periodic
> 
> !
> !
> crypto ipsec transform-set esp_des_set esp-des esp-md5-hmac
> !
> !
> crypto map gre-to-juniper 1 ipsec-isakmp
>  set peer 172.17.37.4
>  set transform-set esp_des_set
>  set pfs group1
>  match address 110
> 
> access-list 110 permit ip host 192.168.38.1 host 192.168.37.1
> 
> interface tunnel1
>  ip address 192.168.25.130 255.255.255.252
>  tunnel mode gre ip
>  tunnel destination 192.168.37.1
>  tunnel source 192.168.38.1
> 
> interface <to provider>
>  crypto map gre-to-juniper
> 
> router ospf 1
>  network 192.168.25.128 0.0.0.3 area 0
> 
> 
> Of course, I provide no guarantees for the Cisco side of the config. :-)
> 
> I hope this helps.
> 
> -Jon
> 
> On 10/30/07, Roman Shibrick <rshbrk at mail.ru> wrote:
> > OK, I understand.
> > Then I shall formulate the question differently.
> >
> > Is there a way to make an IPsec tunnel between a Juniper J-series and a
> > Cisco router with the possibility of routing over the tunnel, for
> > example OSPF?
> > If somebody has seen configuration examples, please give a reference.
> >
> > -----Original Message-----
> > From: Sabri Berisha <sabri at cluecentral.net>
> > To: Roman Shibrick <rshbrk at mail.ru>
> > Date: Tue, 30 Oct 2007 10:13:53 +0100
> > Subject: Re: [j-nsp] GRE over IPsec on J-series
> >
> > >
> > > On Tue, Oct 30, 2007 at 11:36:35AM +0300, Roman Shibrick wrote:
> > >
> > > Hi,
> > >
> > > > Is this feature available on J-series routers? I have found the
> > > > documentation only for the E-series:
> > > >
> > > > http://www.juniper.net/techpubs/software/erx/junose82/swconfig-ip-services/html/l2tp-over-ipsec-config6.html
> > > >
> > > > Does that mean the J-series does not support this feature?
> > >
> > > The E-series and the J-series are completely different products. The
> > > documentation for the J-series is at
> > > http://www.juniper.net/techpubs/software/jseries/junos84/index.html
> > >
> > > Thanks,
> > >
> > > --
> > > Sabri
> > >
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
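An added example for this thread (not code from any of the posts above): a small Python checker that takes the Junos `ipsec-vpn` block and the IOS crypto-map configuration from Jon's quoted reply and confirms the things that have to line up before the GRE-over-IPsec tunnel can come up: the IKE proposal (encryption, hash, DH group, with the IOS defaults of DES, SHA and group 1 filled in where a `crypto isakmp policy` leaves them unstated), the ESP transform, the PFS group, and the proxy IDs, which must mirror each other because the Junos rule's `from` source/destination and the IOS crypto ACL are both written local-to-remote. It also flags DES, 3DES, MD5 and DH groups 1/2/5: the 2007-era values in the quoted configs are interoperable but no longer acceptable. The config fragments are constructed from the snippets in the thread; the regexes cover only the statements used there and are an assumption of this example, not a general Junos or IOS parser.

```python
"""Cross-check a Junos (J-series) IPsec VPN config against a Cisco IOS crypto-map config: do
the proposals, PFS group and proxy IDs (rule addresses vs crypto ACL) agree?  Flags weak algorithms."""
import ipaddress, re
# Sample input, constructed from the Junos and IOS snippets in Jon's reply (not the full configs).
JUNOS_CFG = """
ipsec-vpn {
  rule vpn-to-cisco {
    term gre-tunnel { from { source-address { 192.168.37.1/32; } destination-address { 192.168.38.1/32; } } }
    match-direction output;
  }
  ipsec {
    proposal cisco_compat { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm des-cbc; }
    policy dynamic_ipsec_policy { perfect-forward-secrecy { keys group1; } proposals cisco_compat; }
  }
  ike { proposal cisco-compat { authentication-method pre-shared-keys; authentication-algorithm md5;
                                dh-group group1; encryption-algorithm des-cbc; } }
}
"""
IOS_CFG = """
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto ipsec transform-set esp_des_set esp-des esp-md5-hmac
crypto map gre-to-juniper 1 ipsec-isakmp
 set transform-set esp_des_set
 set pfs group1
 match address 110
access-list 110 permit ip host 192.168.38.1 host 192.168.37.1
"""
# Vendor spellings (Junos, IOS isakmp policy, IOS transform-set) -> one common name.
ENC = {"des-cbc": "des", "3des-cbc": "3des", "aes-128-cbc": "aes-128", "aes-256-cbc": "aes-256",
       "des": "des", "3des": "3des", "aes": "aes-128", "aes 256": "aes-256",
       "esp-des": "des", "esp-3des": "3des", "esp-aes": "aes-128", "esp-aes-256": "aes-256"}
HASH = {"md5": "md5", "sha": "sha1", "sha1": "sha1", "sha256": "sha256", "sha-256": "sha256",
        "hmac-md5-96": "md5", "hmac-sha1-96": "sha1", "hmac-sha-256-128": "sha256",
        "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256"}
WEAK = {"enc": {"des", "3des"}, "hash": {"md5"}, "dh": {"1", "2", "5"}}  # DH groups under 2048 bits
def block(text, name):
    """Body of the first brace-balanced `name { ... }` block (Junos syntax), or ""."""
    m = re.search(r"\b" + name + r"\s*\{", text)
    if not m: return ""
    depth, i = 1, m.end()
    while depth and i < len(text):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]
def stmt(body, key):
    """Value of a Junos `key value;` statement, or None."""
    m = re.search(r"\b" + re.escape(key) + r"\s+([^\s;]+);", body)
    return m.group(1) if m else None

def parse_junos(text):
    vpn = block(text, "ipsec-vpn")
    ike, ipsec, rule = block(vpn, "ike"), block(vpn, "ipsec"), block(vpn, r"rule \S+")
    net = lambda key: ipaddress.ip_network(re.search(key + r"\s*\{\s*([^\s;]+);", rule).group(1))
    return {"ike.enc": ENC[stmt(ike, "encryption-algorithm")],
            "ike.hash": HASH[stmt(ike, "authentication-algorithm")],
            "ike.dh": stmt(ike, "dh-group").replace("group", ""),
            "ipsec.enc": ENC[stmt(ipsec, "encryption-algorithm")],
            "ipsec.hash": HASH[stmt(ipsec, "authentication-algorithm")],
            "pfs.dh": (stmt(block(ipsec, "perfect-forward-secrecy"), "keys") or "none").replace("group", ""),
            "local": net("source-address"), "remote": net("destination-address")}

def acl_net(spec):
    """One crypto-ACL endpoint, `host A` or `A WILDCARD` (ipaddress accepts a hostmask)."""
    a, b = spec.split()
    return ipaddress.ip_network(b + "/32" if a == "host" else f"{a}/{b}", strict=False)

def parse_ios(text):
    r = {"ike.enc": "des", "ike.hash": "sha1", "ike.dh": "1"}  # IOS isakmp policy defaults
    for line in re.search(r"crypto isakmp policy \d+\n((?: .*\n)*)", text).group(1).split("\n"):
        key, _, val = line.strip().partition(" ")
        if key == "encryption": r["ike.enc"] = ENC[val]
        elif key == "hash": r["ike.hash"] = HASH[val]
        elif key == "group": r["ike.dh"] = val
    xf = re.search(r"crypto ipsec transform-set \S+ (.+)", text).group(1)
    xf = re.sub(r"esp-aes (\d+)", r"esp-aes-\1", xf).split()  # `esp-aes 256` is one transform
    r["ipsec.enc"] = next(ENC[x] for x in xf if x in ENC)
    r["ipsec.hash"] = next(HASH[x] for x in xf if x in HASH)
    pfs = re.search(r"set pfs group(\d+)", text)
    r["pfs.dh"] = pfs.group(1) if pfs else "none"
    acl = re.search(r"match address (\S+)", text).group(1)
    src, dst = re.search(rf"access-list {acl} permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)", text).groups()
    r["local"], r["remote"] = acl_net(src), acl_net(dst)
    return r

def compare(j, c):
    """Findings as strings; an empty list means the two sides should negotiate cleanly."""
    out = []
    for k in ("ike.enc", "ike.hash", "ike.dh", "ipsec.enc", "ipsec.hash", "pfs.dh"):
        if j[k] != c[k]: out.append(f"{k} mismatch: junos={j[k]} ios={c[k]}")
        elif j[k] in WEAK[k.split(".")[1]]: out.append(f"{k} weak: {j[k]}")
    # Junos `from` (match-direction output) and the IOS crypto ACL are both local -> remote,
    # so each side's source must be the other side's destination.
    if (j["local"], j["remote"]) != (c["remote"], c["local"]):
        out.append(f"proxy-id mismatch: junos {j['local']}->{j['remote']}, ios {c['local']}->{c['remote']}")
    return out

if __name__ == "__main__":
    print("\n".join(compare(parse_junos(JUNOS_CFG), parse_ios(IOS_CFG)) or ["OK: proposals and proxy IDs agree"]))
```

Run as-is it reports six `weak` findings and no mismatches for the quoted configs, which is the expected result: DES/MD5/group 1 on both sides interoperate, they are just not safe. Change one side (say `set pfs group2` on the IOS side, or swap the two hosts in access-list 110) and the corresponding mismatch is reported before you go looking at `show crypto isakmp sa` or the services-PIC logs.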


