[j-nsp] Encrypt a GRE tunnels between CSCO and JNPR M7i

Doug Marschke Doug at ietraining.net
Wed Feb 6 21:28:46 EST 2008


Just to help you out too, here is a sample config from the chapter.

1) Create GRE Interface

lab at PBR# show interfaces gr-0/0/0 
unit 0 {
    tunnel {
        source 172.16.1.2;
        destination 128.3.3.4;
    }
    family inet;
}

2) Map Traffic to the GRE tunnel

lab at PBR# show routing-options static route 128.3.3.0/24 
next-hop gr-0/0/0.0;


3) Create Unique proposals

    ipsec {
        proposal cisco-interop {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
        }
        policy ipsecgre {
            perfect-forward-secrecy {
                keys group1;
            }
            proposals cisco-interop;
        }
    }
    ike {
        proposal cisco-interop-ike {
            authentication-method pre-shared-keys;
            dh-group group1;
            authentication-algorithm md5;
            encryption-algorithm des-cbc;
        }
        policy main_ike {
            proposals cisco-interop-ike;
            pre-shared-key ascii-text "$9$JhUi.QF/0BEP5BEcyW8ZUjHP5z36AuO"; ## SECRET-DATA
        }
    }
4) Create IPsec Rule

lab at PBR# show services | find ipsec-vpn
ipsec-vpn {
    rule map-gre {
        term 1 {
            from {
                source-address {
                    172.16.1.2/32;
                }
                destination-address {
                    128.3.3.4/32;
                }
            }
            then {
                remote-gateway 128.3.3.4;
                dynamic {
                    ike-policy main_ike;
                    ipsec-policy ipsecgre;
                }
            }
        }
        match-direction output;
    }
}

5) Create Service Set

lab at PBR# show services 
service-set ipsec-gre {
    interface-service {
        service-interface sp-0/0/0.0;
    }
    ipsec-vpn-options {
        local-gateway 172.16.1.2;
    }
    ipsec-vpn-rules map-gre;
}

6) Apply to interfaces
lab at PBR# show interfaces 
fe-0/0/0 {
    vlan-tagging;
    unit 412 {
        description PBR-to-Wheat;
        vlan-id 412;
        family inet {
            service {
                input {
                    service-set ipsec-gre;
                }
                output {
                    service-set ipsec-gre;
                }
            }
            address 172.16.1.2/24;
        }
    }
}

7) Create Service Filters

lab at PBR> show configuration firewall 
family inet {
    service-filter match-vpn-input {
        term service {
            from {
                source-address {
                    128.3.3.4/32;
                }
                destination-address {
                    172.16.1.2/32;
                }
            }
            then service;
        }
        term skip {
            then skip;
        }
    }
    service-filter match-vpn-output {
        term service {
            from {
                source-address {
                    172.16.1.2/32;
                }
                destination-address {
                    128.3.3.4/32;
                }
            }
            then service;
        }
        term skip {
            then skip;
        }
    }
}

8) Apply Service Filters
lab at PBR> show configuration interfaces fe-0/0/0 unit 412 
description PBR-to-Wheat;
vlan-id 412;
family inet {
    service {
        input {
            service-set ipsec-gre service-filter match-vpn-input;
        }
        output {
            service-set ipsec-gre service-filter match-vpn-output;
        }
    }
    address 172.16.1.2/24;
}

9) Verify it all works

lab at PBR# run show services ipsec-vpn ipsec statistics

PIC: sp-0/0/0, Service set: ipsec-gre

ESP Statistics:
  Encrypted bytes:            11200
  Decrypted bytes:            11200
  Encrypted packets:            100
  Decrypted packets:            100
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0



For reference purposes only, here is an example of what the
configuration may look like on the Cisco side in the extranet:

crypto isakmp policy 1
 hash md5 
 authentication pre-share
crypto isakmp key test address 172.16.1.2
crypto isakmp keepalive 10 2 periodic 

!         
!         
crypto ipsec transform-set esp_des_set esp-des esp-md5-hmac 
!         
!         
crypto map gre-to-ipsec 1 ipsec-isakmp 
 set peer 172.16.1.2
 set transform-set esp_des_set 
 set pfs group1
 match address 110


access-list 110 permit ip host 128.3.3.4 host 172.16.1.2

interface tunnel1
 tunnel mode gre ip
 tunnel destination 172.16.1.2
 tunnel source 128.3.3.4

interface fast0
 crypto map gre-to-ipsec

Doug Marschke
Principal Technologist
Strategic Networks Training
JNCIE-ER #3, JNCIE-M/T #41, JNCIS-FW, JNAT
www.ietraining.net
(415)902-5702
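The interop point in the configs above is that every IKE and IPsec parameter must agree on both sides (ESP cipher and authenticator, IKE hash, DH group, PFS group, authentication method), and the Cisco side states only some of them explicitly. As an added illustration that is not part of the thread or either vendor's tooling, the following Python script flattens a Junos `services ipsec-vpn` fragment and a Cisco IOS crypto fragment into a common parameter set and reports any mismatch. It assumes a small IOS-to-Junos keyword mapping (only the algorithms used in the thread) and the classic IOS ISAKMP defaults for settings the Cisco config leaves unstated (DES, SHA, DH group 1, rsa-sig); both configuration texts are constructed samples modelled on the post, with a placeholder in place of the pre-shared key. It also flags DES and MD5 as weak so that a copied lab config does not go into production unreviewed.

```python
"""Added example (not from the thread): cross-check the IKE/IPsec parameters of a
Junos services ipsec-vpn configuration against the Cisco IOS crypto configuration
it must interoperate with, and flag algorithms that are weak by today's standards."""

# Constructed Junos sample, [edit services ipsec-vpn] hierarchy; the key is a placeholder.
JUNOS_CFG = """
ipsec {
    proposal cisco-interop {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm des-cbc;
    }
    policy ipsecgre {
        perfect-forward-secrecy {
            keys group1;
        }
        proposals cisco-interop;
    }
}
ike {
    proposal cisco-interop-ike {
        authentication-method pre-shared-keys;
        dh-group group1;
        authentication-algorithm md5;
        encryption-algorithm des-cbc;
    }
    policy main_ike {
        proposals cisco-interop-ike;
        pre-shared-key ascii-text "PLACEHOLDER-KEY"; ## SECRET-DATA
    }
}
"""

# Constructed Cisco IOS sample; it relies on the IOS isakmp defaults (des, group 1)
# instead of stating "encryption" and "group" explicitly.
CISCO_CFG = """
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key PLACEHOLDER-KEY address 172.16.1.2
crypto ipsec transform-set esp_des_set esp-des esp-md5-hmac
crypto map gre-to-ipsec 1 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set esp_des_set
 set pfs group1
 match address 110
"""

# Assumed IOS -> Junos keyword mapping, covering only the algorithms used here.
CISCO_TO_JUNOS = {
    "esp-des": "des-cbc", "esp-3des": "3des-cbc",
    "esp-md5-hmac": "hmac-md5-96", "esp-sha-hmac": "hmac-sha1-96",
    "des": "des-cbc", "3des": "3des-cbc",      # isakmp "encryption" keyword
    "md5": "md5", "sha": "sha1",               # isakmp "hash" keyword
    "pre-share": "pre-shared-keys", "rsa-sig": "rsa-signatures",
}

# Algorithms no longer considered adequate; reported, not rejected.
WEAK = {"des-cbc", "md5", "hmac-md5-96"}


def parse_junos(text):
    """Flatten curly-brace Junos config into {(block, ..., keyword): value}."""
    stack, flat = [], {}
    for raw in text.splitlines():
        line = raw.split("##")[0].strip()      # drop "## SECRET-DATA" style annotations
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            key, _, val = line[:-1].partition(" ")
            flat[tuple(stack) + (key,)] = val.strip()
    return flat


def junos_params(flat):
    """Follow policy -> proposal references and collect the negotiated parameters."""
    p = {}
    for k, v in flat.items():
        if k[-1] != "proposals" or not k[1].startswith("policy "):
            continue
        prop = "proposal " + v
        if k[0] == "ipsec":
            p["esp_enc"] = flat[("ipsec", prop, "encryption-algorithm")]
            p["esp_auth"] = flat[("ipsec", prop, "authentication-algorithm")]
            p["pfs"] = flat.get(("ipsec", k[1], "perfect-forward-secrecy", "keys"))
        elif k[0] == "ike":
            p["ike_enc"] = flat[("ike", prop, "encryption-algorithm")]
            p["ike_hash"] = flat[("ike", prop, "authentication-algorithm")]
            p["ike_dh"] = flat[("ike", prop, "dh-group")]
            p["ike_auth"] = flat[("ike", prop, "authentication-method")]
    return p


def cisco_params(text):
    """Read the IOS fragment, starting from the assumed isakmp policy defaults."""
    p = {"ike_enc": "des-cbc", "ike_hash": "sha1", "ike_dh": "group1", "ike_auth": "rsa-signatures"}
    transform_sets = {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets[t[3]] = t[4:]
        elif t[0] == "hash":
            p["ike_hash"] = CISCO_TO_JUNOS[t[1]]
        elif t[0] == "encryption":
            p["ike_enc"] = CISCO_TO_JUNOS[t[1]]
        elif t[0] == "group":
            p["ike_dh"] = "group" + t[1]
        elif t[0] == "authentication":
            p["ike_auth"] = CISCO_TO_JUNOS[t[1]]
        elif t[:2] == ["set", "transform-set"]:
            for tok in transform_sets[t[2]]:       # "-hmac" tokens are the authenticator
                p["esp_auth" if tok.endswith("-hmac") else "esp_enc"] = CISCO_TO_JUNOS[tok]
        elif t[:2] == ["set", "pfs"]:
            p["pfs"] = t[2]
    return p


def compare(junos, cisco):
    """Return findings; an empty MISMATCH set means the two sides agree on every parameter."""
    findings = [f"MISMATCH {k}: junos={junos.get(k)} cisco={cisco.get(k)}"
                for k in sorted(set(junos) | set(cisco)) if junos.get(k) != cisco.get(k)]
    findings += [f"WEAK {k}={v}" for k, v in junos.items() if v in WEAK]
    return findings


if __name__ == "__main__":
    for f in compare(junos_params(parse_junos(JUNOS_CFG)), cisco_params(CISCO_CFG)):
        print(f)
```

Run against the two samples it reports no mismatches but four WEAK findings (DES for both IKE and ESP, MD5 for both); changing the Cisco side to `hash sha` makes the IKE hash mismatch visible before anyone wonders why phase 1 never completes.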


-----Original Message-----
From: Doug Marschke 
Sent: Wednesday, February 06, 2008 9:57 AM
To: 'Jonathan Looney'; Massimiliano Galizia
Cc: juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] Encrypt a GRE tunnels between CSCO and JNPR M7i

I also have an example in here but you might not be able to wait that
long:
http://www.amazon.com/JUNOS-Enterprise-Routing-Practical-Certification/dp/0596514425/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1202320197&sr=8-1

In general, steps are:

1) Create GRE interface
2) Map Traffic to GRE tunnel
3) Create IPSec Tunnel (may need to create custom proposals)
4) Create Service Filters to Map GRE packets to the IPsec tunnel
5) Optional: Create service filters if any SFW are applied to bypass traffic



Doug Marschke
Principal Technologist
Strategic Networks Training
JNCIE-ER #3, JNCIE-M/T #41, JNCIS-FW, JNAT
www.ietraining.net
(415)902-5702


-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Jonathan Looney
Sent: Wednesday, February 06, 2008 6:45 AM
To: Massimiliano Galizia
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Encrypt a GRE tunnels between CSCO and JNPR M7i

Juniper has an example of this in the "Advanced Juniper Networks
Routing in the Enterprise" course.  This is an instructor-led class,
which I would recommend.  However, if you cannot attend the class, you
can download the class materials for free as part of the Fast Track
program.  There is a link to this program on Juniper's "Education"
webpage.

-Jon

On Feb 6, 2008 6:29 AM, Massimiliano Galizia
<massimiliano.galizia at gmail.com> wrote:
> Hello all,
> I've been requested to bring up a test plant with two CSCOs and two M7i
> in this fashion:
>
> ______                                              _____
> PCs     |-----|CSCO|--|---|JNPR|-----|PCs
>                                    |
> ______                       |                       _____
> PCs     |-----|CSCO|--|---|JNPR|-----|PCs
>
> My customer wants to encrypt with IPSEC the GRE tunnels between the
> boxes. I don't find anything related in KB or doc sites.
> Any suggestion?
> Many thanks in advance
>
> Regards
>
> Max
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>