[j-nsp] GRE over IPsec on J-series
Roman Shibrick
rshbrk at mail.ru
Wed Oct 31 06:00:04 EDT 2007
Many thanks to all for the examples.
-----Original Message-----
From: "Peter Nyamukusa" <petern at africaonline.co.sz>
To: "'Jonathan Looney'" <jonlooney at gmail.com>,"'Roman Shibrick'" <rshbrk at mail.ru>
Date: Wed, 31 Oct 2007 10:42:01 +0200
Subject: RE: [j-nsp] GRE over IPsec on J-series
>
> > -----Original Message-----
> > From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> > bounces at puck.nether.net] On Behalf Of Jonathan Looney
> > Sent: 30 October 2007 06:06 PM
> > To: Roman Shibrick
> > Cc: juniper-nsp at puck.nether.net
> > Subject: Re: [j-nsp] GRE over IPsec on J-series
> >
> > Roman,
> >
> > On newer versions of IOS (12.3(14)T or 12.4(2)T, for example), I
> > understand that IOS supports treating IPSec tunnels as interfaces.
> > That makes all of this a lot easier, since you can just configure
> > IPSec tunnels (without configuring an additional GRE interface).
> > However, I can not help you with the Cisco configuration syntax for
> > that feature, as I've never configured it.
>
> Hi, sample Cisco config:
>
> RTRA(config)# crypto isakmp policy 10
> RTRA(config-isakmp)# encryption aes 128
> RTRA(config-isakmp)# hash sha
> RTRA(config-isakmp)# authentication pre-share
> RTRA(config-isakmp)# group 2
> RTRA(config-isakmp)# exit
> RTRA(config)# crypto isakmp key cisco123 address 192.168.37.1 255.255.255.255 no-xauth
> RTRA(config)# crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
> RTRA(cfg-crypto-trans)# exit
> RTRA(config)# crypto ipsec profile VTI
> RTRA(ipsec-profile)# set transform-set RTRtran
> RTRA(ipsec-profile)# exit
> RTRA(config)# interface tunnel 0
> RTRA(config-if)# ip address 10.1.1.1 255.255.255.252
> RTRA(config-if)# tunnel source 172.17.38.4
> RTRA(config-if)# tunnel destination 192.168.37.1
> RTRA(config-if)# tunnel mode ipsec ipv4
> RTRA(config-if)# tunnel protection ipsec VTI
> RTRA(config)# interface Fa0/0
> RTRA(config-if)# ip address 172.17.38.4 255.255.255.0
> RTRA(config-if)# description Connection to ISP
> RTRA(config-if)# exit
> RTRA(config)# ip route x.x.x.x x.x.x.x tunnel0
>
> Cheers,
> ---------------------------------------------------------
> Peter Nyamukusa
> MCSE, MCSA:Messaging, CCIP, CCNA, A+, JNCIA-ER, JNCIS-ER
> Technical Manager
> Africa Online Swaziland
>
> >
> > To configure a GRE tunnel, which will be encapsulated within IPSec,
> > you configure an IPSec tunnel and then a GRE tunnel. The exact
> > details depend on whether you will be using the same IP address for
> > both the GRE and IPSec tunnel endpoints. It is slightly more
> > straightforward if you use different addresses, so I will use that as
> > an example.
> >
> > In this case, we have two routers (aptly named juniper and cisco),
> > configured with the following addresses:
> >
> > juniper
> > ISP interface: 172.17.37.4
> > lo0.0: 192.168.37.1
> >
> > cisco
> > ISP interface: 172.17.38.4
> > loopback0: 192.168.38.1
> >
> > We will use the ISP interfaces as the endpoints for the IPSec tunnel
> > and use the loopback interfaces as the endpoints for the GRE tunnel.
> >
> > On the Juniper side, we'll start by configuring the IPSec tunnel, as
> > follows:
> >
> > [edit interfaces]
> > user at juniper# show sp-0/0/0
> > unit 0 {
> >     family inet;
> > }
> > unit 1 {
> >     family inet;
> >     service-domain outside;
> > }
> > unit 2 {
> >     family inet;
> >     service-domain inside;
> > }
> >
> > [edit security]
> > user at juniper# show
> > service-set gre-vpn {
> >     next-hop-service {
> >         inside-service-interface sp-0/0/0.2;
> >         outside-service-interface sp-0/0/0.1;
> >     }
> >     ipsec-vpn-options {
> >         local-gateway 172.17.37.4;
> >     }
> >     ipsec-vpn-rules vpn-to-cisco;
> > }
> > ipsec-vpn {
> >     rule vpn-to-cisco {
> >         term gre-tunnel {
> >             from {
> >                 source-address {
> >                     192.168.37.1/32;
> >                 }
> >                 destination-address {
> >                     192.168.38.1/32;
> >                 }
> >             }
> >             then {
> >                 remote-gateway 172.17.38.4;
> >                 dynamic {
> >                     ike-policy main_mode_ike_policy;
> >                     ipsec-policy dynamic_ipsec_policy;
> >                 }
> >             }
> >         }
> >         match-direction output;
> >     }
> >     ipsec {
> >         proposal cisco_compat {
> >             protocol esp;
> >             authentication-algorithm hmac-md5-96;
> >             encryption-algorithm des-cbc;
> >         }
> >         policy dynamic_ipsec_policy {
> >             perfect-forward-secrecy {
> >                 keys group1;
> >             }
> >             proposals cisco_compat;
> >         }
> >     }
> >     ike {
> >         proposal cisco-compat {
> >             authentication-method pre-shared-keys;
> >             authentication-algorithm md5;
> >             dh-group group1;
> >             encryption-algorithm des-cbc;
> >         }
> >         policy main_mode_ike_policy {
> >             proposals cisco-compat;
> >             pre-shared-key ascii-text use-a-really-secure-key;
> >         }
> >     }
> >     establish-tunnels immediately;
> > }
> >
> > You should customize the above to fit your environment. In particular:
> > A) change the IKE/IPSec policies/proposals to use security parameters
> > acceptable to your situation.
> > B) change the local IKE/IPSec endpoint defined in the [edit security
> > service-set gre-vpn ipsec-vpn-options] section.
> > C) change the remote IKE/IPSec endpoint defined in the [edit security
> > rule vpn-to-gre term gre-tunnel then] section.
> > D) change the GRE endpoints defined in the [edit security rule
> > vpn-to-gre term gre-tunnel from] section. Like the IOS configuration,
> > you only define the outbound matching parameters and the inbound
> > traffic will be automatically allowed. The source/destination address
> > here must exactly match the source/destination allowed by the
> > access-list you use in your crypto-map on the IOS side.
> > E) change the services interface unit #s, if necessary.
> >
> > Now, we can configure the GRE tunnel:
> >
> > [edit]
> > user at juniper# show interfaces gr-0/0/0
> > unit 0 {
> >     tunnel {
> >         source 192.168.37.1;
> >         destination 192.168.38.1;
> >     }
> >     family inet {
> >         address 192.168.25.129/30;
> >     }
> > }
> >
> > Again, you should customize this:
> > A) Use the correct tunnel endpoints.
> > B) Use an appropriate IP address. If you want to do the equivalent of
> > "ip unnumbered" from the Cisco router, simply configure "family inet"
> > with no address.
> > C) Change the GRE tunnel interface unit # if necessary.
> >
> > Now, we configure a route to ensure the traffic to the remote GRE
> > endpoint will be encrypted:
> >
> > [edit routing-options]
> > user at juniper# show static
> > route 192.168.38.1/32 next-hop sp-0/0/0.2;
> >
> > Again, you should customize this:
> > A) Use the correct tunnel endpoint.
> > B) Use the 'inside' services interface used for the IPSec service set.
> >
> > At this point, your GRE and IPSec tunnels should come up (assuming a
> > compatible configuration on the Cisco side). Once you've confirmed IP
> > connectivity, you can configure OSPF to run over the GRE interface by
> > simply including the GRE interface in an OSPF area configuration. For
> > example:
> >
> > [edit]
> > user at juniper# show protocols ospf
> > area 0.0.0.0 {
> >     interface gr-0/0/0.0;
> > }
> >
> > For reference, I believe a compatible Cisco configuration would be:
> >
> > crypto isakmp policy 1
> >  hash md5
> >  authentication pre-share
> > crypto isakmp key test address 172.17.37.4
> > crypto isakmp keepalive 10 2 periodic
> > !
> > !
> > crypto ipsec transform-set esp_des_set esp-des esp-md5-hmac
> > !
> > !
> > crypto map gre-to-juniper 1 ipsec-isakmp
> >  set peer 172.17.37.4
> >  set transform-set esp_des_set
> >  set pfs group1
> >  match address 110
> >
> > access-list 110 permit ip host 192.168.38.1 host 192.168.37.1
> >
> > interface tunnel1
> >  ip address 192.168.25.130 255.255.255.252
> >  tunnel mode gre ip
> >  tunnel destination 192.168.37.1
> >  tunnel source 192.168.38.1
> >
> > interface <to provider>
> >  crypto map gre-to-juniper
> >
> > router ospf 1
> >  network 192.168.25.128 0.0.0.3 area 0
> >
> > Of course, I provide no guarantees for the Cisco side of the config. :-)
> >
> > I hope this helps.
> >
> > -Jon
> >
> > On 10/30/07, Roman Shibrick <rshbrk at mail.ru> wrote:
> > > Ok. I understand.
> > > Then I shall formulate the question differently.
> > >
> > > Is there a way to make an IPsec tunnel between a Juniper J-series and a
> > > Cisco router with the possibility of routing over the given tunnel, for
> > > example OSPF?
> > > If somebody has seen examples of a configuration, please give the
> > > reference.
> > >
> > > -----Original Message-----
> > > From: Sabri Berisha <sabri at cluecentral.net>
> > > To: Roman Shibrick <rshbrk at mail.ru>
> > > Date: Tue, 30 Oct 2007 10:13:53 +0100
> > > Subject: Re: [j-nsp] GRE over IPsec on J-series
> > >
> > > >
> > > > On Tue, Oct 30, 2007 at 11:36:35AM +0300, Roman Shibrick wrote:
> > > >
> > > > Hi,
> > > >
> > > > > Is there such a feature on J-series routers? I have found the
> > > > > documentation only for the E-series:
> > > > >
> > > > > http://www.juniper.net/techpubs/software/erx/junose82/swconfig-ip-services/html/l2tp-over-ipsec-config6.html
> > > > >
> > > > > Does it mean that the J-series does not support the given feature?
> > > >
> > > > The E-series and the J-series are completely different products. The
> > > > documentation for the J-series is at
> > > > http://www.juniper.net/techpubs/software/jseries/junos84/index.html
> > > >
> > > > Thanks,
> > > >
> > > > --
> > > > Sabri
> > > >
> > > _______________________________________________
> > > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/juniper-nsp
> > >
>
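Jon's interop notes above boil down to three checks a practitioner wants to run before blaming the peer: the IOS access-list must be the exact mirror of the Junos from-term, the transform-set and PFS group must agree with the Junos proposal, and (his item A) the parameters must be ones you actually accept. The script below is an added example, not code from the thread or from Juniper or Cisco; the IOS-to-Junos algorithm-name table and the two hand-transcribed dicts are assumptions built from the quoted configs, and the ACL parser also accepts the wildcard-mask and any forms, which the thread does not use.

```python
import ipaddress

# IOS transform names mapped onto the Junos names they interoperate with
# (assumed table, covering only the algorithms that appear in this thread).
IOS_TO_JUNOS = {"esp-des": "des-cbc", "esp-aes": "aes-128-cbc",
                "esp-md5-hmac": "hmac-md5-96", "esp-sha-hmac": "hmac-sha1-96"}
# Parameters Jon's example uses that no longer count as "acceptable" (his item A).
WEAK = {"des-cbc", "hmac-md5-96", "group1"}

# Hand transcriptions (constructed) of the two configs quoted in the thread.
JUNOS = {"local_gateway": "172.17.37.4", "remote_gateway": "172.17.38.4",
         "source": "192.168.37.1/32", "destination": "192.168.38.1/32",
         "encryption": "des-cbc", "authentication": "hmac-md5-96", "pfs": "group1"}
IOS = {"local_ip": "172.17.38.4", "peer": "172.17.37.4", "pfs": "group1",
       "transform_set": "esp-des esp-md5-hmac",
       "acl": "access-list 110 permit ip host 192.168.38.1 host 192.168.37.1"}


def parse_acl(line):
    """Return [src, dst] networks from a one-line 'permit ip' ACE (host, any or wildcard form)."""
    tok = line.split()
    i = tok.index("ip") + 1
    nets = []
    for _ in range(2):
        if tok[i] == "host":
            nets.append(ipaddress.ip_network(tok[i + 1])); i += 2
        elif tok[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
        else:  # 'address wildcard' form; ipaddress accepts a host mask after the slash
            nets.append(ipaddress.ip_network(tok[i] + "/" + tok[i + 1])); i += 2
    return nets


def check_pair(junos, ios):
    """Return findings; an empty list means both sides mirror each other and nothing weak is used."""
    findings = []
    if (junos["local_gateway"], junos["remote_gateway"]) != (ios["peer"], ios["local_ip"]):
        findings.append("IKE gateways do not mirror each other")
    # The Junos 'from' term describes outbound traffic, so the IOS ACL must be its exact mirror.
    want = [ipaddress.ip_network(junos["destination"]), ipaddress.ip_network(junos["source"])]
    if parse_acl(ios["acl"]) != want:
        findings.append("proxy-ID mismatch: IOS access-list is not the mirror of the Junos from-term")
    ios_algs = {IOS_TO_JUNOS.get(t, t) for t in ios["transform_set"].split()}
    if ios_algs != {junos["encryption"], junos["authentication"]}:
        findings.append("transform-set does not match the Junos IPsec proposal")
    if junos["pfs"] != ios["pfs"]:
        findings.append("PFS group mismatch")
    findings += [f"weak parameter: {a}" for a in (junos["encryption"], junos["authentication"], junos["pfs"]) if a in WEAK]
    return findings
```

Run against the thread's own configs the two sides agree, and the only findings are the three weak parameters Jon told you to replace.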