[j-nsp] GRE over IPsec on J-series
Peter Nyamukusa
petern at africaonline.co.sz
Wed Oct 31 04:42:01 EDT 2007
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Jonathan Looney
> Sent: 30 October 2007 06:06 PM
> To: Roman Shibrick
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] GRE over IPsec on J-series
>
> Roman,
>
> On newer versions of IOS (12.3(14)T or 12.4(2)T, for example), I
> understand that IOS supports treating IPSec tunnels as interfaces.
> That makes all of this a lot easier, since you can just configure
> IPSec tunnels (without configuring an additional GRE interface).
> However, I can not help you with the Cisco configuration syntax for
> that feature, as I've never configured it.
Hi sample Cisco config
RTRA(config)# crypto isakmp policy 10
RTRA(config-isakmp)# encryption aes 128
RTRA(config-isakmp)# hash sha
RTRA(config-isakmp)# authentication pre-share
RTRA(config-isakmp)# group 2
RTRA(config-isakmp)# exit
RTRA(config)# crypto isakmp key cisco123 address 192.168.37.1255.255.255.255
no-xauth
RTRA(config)# crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
RTRA(cfg-crypto-trans)# exit
RTRA(config)# crypto ipsec profile VTI
RTRA(ipsec-profile)# set transform-set RTRtran
RTRA(ipsec-profile)# exit
RTRA(config)# interface tunnel 0
RTRA(config-if)# ip address 10.1.1.1 255.255.255.252
RTRA(config-if)# tunnel source 172.17.38.4
RTRA(config-if)# tunnel destination 192.168.37.1
RTRA(config-if)# tunnel mode ipsec ipv4
RTRA(config-if)# tunnel protection ipsec VTI
RTRA(config)# interface Fa0/0
RTRA(config-if)# ip address 172.17.38.4 255.255.255.0
RTRA(config-if)# description Connection to ISP
RTRA(config-if)# exit
RTRA(config)# ip route x.x.x.x x.x.x.x tunnel0
Cheers,
---------------------------------------------------------
Peter Nyamukusa
MCSE, MCSA:Messaging, CCIP, CCNA, A+, JNCIA-ER, JNCIS-ER
Technical Manager
Africa Online Swaziland
>
> To configure a GRE tunnel, which will be encapsulated within IPSec,
> you configure an IPSec tunnel and then a GRE tunnel. The exact
> details depend on whether you will be using the same IP address for
> both the GRE and IPSec tunnel endpoints. It is slightly more
> straightforward if you use different addresses, so I will use that as
> an example.
>
> In this case, we have two routers (aptly named juniper and cisco),
> configured with the following addresses:
>
> juniper
> ISP interface: 172.17.37.4
> lo0.0: 192.168.37.1
>
> cisco
> ISP interface: 172.17.38.4
> loopback0: 192.168.38.1
>
> We will use the ISP interfaces as the endpoints for the IPSec tunnel
> and use the loopback interfaces as the endpoints for the GRE tunnel.
>
> On the Juniper side, we'll start by configuring the IPSec tunnel, as
> follows:
>
> [edit interfaces]
> user at juniper# show sp-0/0/0
> unit 0 {
> family inet;
> }
> unit 1 {
> family inet;
> service-domain outside;
> }
> unit 2 {
> family inet;
> service-domain inside;
> }
>
> [edit security]
> user at juniper# show
> service-set gre-vpn {
> next-hop-service {
> inside-service-interface sp-0/0/0.2;
> outside-service-interface sp-0/0/0.1;
>
> }
> ipsec-vpn-options {
> local-gateway 172.17.37.4;
> }
> ipsec-vpn-rules vpn-to-cisco;
> }
> ipsec-vpn {
> rule vpn-to-cisco {
> term gre-tunnel {
> from {
> source-address {
> 192.168.37.1/32;
> }
> destination-address {
> 192.168.38.1/32;
> }
> }
> then {
> remote-gateway 172.17.38.4;
> dynamic {
> ike-policy main_mode_ike_policy;
> ipsec-policy dynamic_ipsec_policy;
> }
> }
> }
> match-direction output;
> }
> ipsec {
> proposal cisco_compat {
> protocol esp;
> authentication-algorithm hmac-md5-96;
> encryption-algorithm des-cbc;
> }
> policy dynamic_ipsec_policy {
> perfect-forward-secrecy {
> keys group1;
> }
> proposals cisco_compat;
> }
> }
> ike {
> proposal cisco-compat {
> authentication-method pre-shared-keys;
> authentication-algorithm md5;
> dh-group group1;
> encryption-algorithm des-cbc;
> }
> policy main_mode_ike_policy {
> proposals cisco-compat;
> pre-shared-key ascii-text use-a-really-secure-key;
>
> }
> }
> establish-tunnels immediately;
> }
>
> You should customize the above to fit your environment. In particular:
> A) change the IKE/IPSec policies/proposals to use security parameters
> acceptable to your situation.
> B) change the local IKE/IPSec endpoint defined in the [edit security
> service-set gre-vpn ipsec-vpn-options] section.
> C) change the remote IKE/IPSec endpoint defined in the [edit security
> rule vpn-to-gre term gre-tunnel then] section.
> D) change the GRE endpoints defined in the [edit security rule
> vpn-to-gre term gre-tunnel from] section. Like the IOS configuration,
> you only define the outbound matching parameters and the inbound
> traffic will be automatically allowed. The source/destination address
> here must exactly match the source/destination allowed by the
> access-list you use in your crypto-map on the IOS side.
> E) change the services interface unit #s, if necessary.
>
> Now, we can configure the GRE tunnel:
>
>
> [edit]
> user at juniper# show interfaces gr-0/0/0
> unit 0 {
> tunnel {
> source 192.168.37.1;
> destination 192.168.38.1;
> }
> family inet {
> address 192.168.25.129/30;
> }
> }
> Again, you should customize this:
> A) Use the correct tunnel endpoints.
> B) Use an appropriate IP address. If you want to do the equivalent of
> "ip unnumbered" from the Cisco router, simply configure "family inet"
> with no address.
> C) Change the GRE tunnel interface unit # if necessary.
>
> Now, we configure a route to ensure the traffic to the remote GRE
> endpoint will be encrypted:
>
> [edit routing-options]
> user at juniper# show static
> route 192.168.38.1/32 next-hop sp-0/0/0.2;
>
> Again, you should customize this:
> A) Use the correct tunnel endpoint.
> B) Use the 'inside' services interface used for the IPSec service set.
>
> At this point, your GRE and IPSec tunnels should come up (assuming a
> compatible configuration on the Cisco side). Once you've confirmed IP
> connectivity, you can configure OSPF to run over the GRE interface by
> simply including the GRE interface in an OSPF area configuration. For
> example:
>
> [edit]
> user at juniper# show protocols ospf
> area 0.0.0.0 {
> interface gr-0/0/0.0;
> }
>
>
>
> For reference, I believe a compatible Cisco configuration would be:
>
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> crypto isakmp key test address 172.17.37.4
> crypto isakmp keepalive 10 2 periodic
>
> !
> !
> crypto ipsec transform-set esp_des_set esp-des esp-md5-hmac
> !
> !
> crypto map gre-to-juniper 1 ipsec-isakmp
> set peer 172.17.37.4
> set transform-set esp_des_set
> set pfs group1
> match address 110
>
> access-list 110 permit ip host 192.168.38.1 host 192.168.37.1
>
> interface tunnel1
> ip address 192.168.25.130 255.255.255.252
> tunnel mode gre ip
> tunnel destination 192.168.37.1
> tunnel source 192.168.38.1
>
> interface <to provider>
> crypto map gre-to-juniper
>
> router ospf 1
> network 192.168.25.128 0.0.0.3 area 0
>
>
> Of course, I provide no guarantees for the Cisco side of the config. :-
> )
>
> I hope this helps.
>
> -Jon
>
> On 10/30/07, Roman Shibrick <rshbrk at mail.ru> wrote:
> > Ok. I understand.
> > Then I shall formulate a question differently.
> >
> > There is a way to make IPsec the tunnel between Juniper J-series and
> Cisco's router with an opportunity of routing on the given tunnel, for
> example OSPF?
> > If somebody saw examples of a configuration give please the
> reference.
> >
> > -----Original Message-----
> > From: Sabri Berisha <sabri at cluecentral.net>
> > To: Roman Shibrick <rshbrk at mail.ru>
> > Date: Tue, 30 Oct 2007 10:13:53 +0100
> > Subject: Re: [j-nsp] GRE over IPsec on J-series
> >
> > >
> > > On Tue, Oct 30, 2007 at 11:36:35AM +0300, Roman Shibrick wrote:
> > >
> > > Hi,
> > >
> > > > Whether there is a given feature on routers of a J-series? I have
> found the documentation only for an E-series:
> > > >
> > > > http://www.juniper.net/techpubs/software/erx/junose82/swconfig-
> ip-services/html/l2tp-over-ipsec-config6.html
> > > >
> > > > It means, what J - a series does not support the given feature?
> > >
> > > The E-series and the J-series are completely different products.
> The
> > > documentation for the J-series is at
> > > http://www.juniper.net/techpubs/software/jseries/junos84/index.html
> > >
> > > Thanks,
> > >
> > > --
> > > Sabri
> > >
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
More information about the juniper-nsp
mailing list