[j-nsp] Encrypt a GRE tunnels between CSCO and JNPR M7i
Doug Marschke
Doug at ietraining.net
Wed Feb 6 21:28:46 EST 2008
Just to help you out too, here is a sample config from the chapter.
1) Create GRE interface
lab@PBR# show interfaces gr-0/0/0
unit 0 {
    tunnel {
        source 172.16.1.2;
        destination 128.3.3.4;
    }
    family inet;
}
2) Map traffic to the GRE tunnel
lab@PBR# show routing-options static route 128.3.3.0/24
next-hop gr-0/0/0.0;
3) Create unique proposals
ipsec {
    /* phase 2: must match the Cisco transform-set */
    proposal cisco-interop {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm des-cbc;
    }
    policy ipsecgre {
        perfect-forward-secrecy {
            keys group1;
        }
        proposals cisco-interop;
    }
}
ike {
    /* phase 1: must match the Cisco isakmp policy */
    proposal cisco-interop-ike {
        authentication-method pre-shared-keys;
        dh-group group1;
        authentication-algorithm md5;
        encryption-algorithm des-cbc;
    }
    policy main_ike {
        proposals cisco-interop-ike;
        pre-shared-key ascii-text "$9$JhUi.QF/0BEP5BEcyW8ZUjHP5z36AuO"; ## SECRET-DATA
    }
}
4) Create IPsec rule
lab@PBR# show services | find ipsec-vpn
ipsec-vpn {
    rule map-gre {
        /* everything between the two GRE endpoints, i.e. the GRE packets, is encrypted */
        term 1 {
            from {
                source-address {
                    172.16.1.2/32;
                }
                destination-address {
                    128.3.3.4/32;
                }
            }
            then {
                remote-gateway 128.3.3.4;
                dynamic {
                    ike-policy main_ike;
                    ipsec-policy ipsecgre;
                }
            }
        }
        match-direction output;
    }
}
5) Create Service Set
lab@PBR# show services
service-set ipsec-gre {
    interface-service {
        service-interface sp-0/0/0.0;
    }
    ipsec-vpn-options {
        local-gateway 172.16.1.2;
    }
    ipsec-vpn-rules map-gre;
}
6) Apply to interfaces
lab@PBR# show interfaces
fe-0/0/0 {
    vlan-tagging;
    unit 412 {
        description PBR-to-Wheat;
        vlan-id 412;
        family inet {
            service {
                input {
                    service-set ipsec-gre;
                }
                output {
                    service-set ipsec-gre;
                }
            }
            address 172.16.1.2/24;
        }
    }
}
7) Create Service Filters
lab@PBR> show configuration firewall
family inet {
    /* only traffic to/from the IPsec peer is sent to the service PIC; the rest skips it */
    service-filter match-vpn-input {
        term service {
            from {
                source-address {
                    128.3.3.4/32;
                }
                destination-address {
                    172.16.1.2/32;
                }
            }
            then service;
        }
        term skip {
            then skip;
        }
    }
    service-filter match-vpn-output {
        term service {
            from {
                source-address {
                    172.16.1.2/32;
                }
                destination-address {
                    128.3.3.4/32;
                }
            }
            then service;
        }
        term skip {
            then skip;
        }
    }
}
8) Apply Service Filters
lab@PBR> show configuration interfaces fe-0/0/0 unit 412
description PBR-to-Wheat;
vlan-id 412;
family inet {
    service {
        input {
            service-set ipsec-gre service-filter match-vpn-input;
        }
        output {
            service-set ipsec-gre service-filter match-vpn-output;
        }
    }
    address 172.16.1.2/24;
}
9) Verify it all works
lab@PBR# run show services ipsec-vpn ipsec statistics
PIC: sp-0/0/0, Service set: ipsec-gre
ESP Statistics:
  Encrypted bytes:     11200
  Decrypted bytes:     11200
  Encrypted packets:     100
  Decrypted packets:     100
AH Statistics:
  Input bytes:             0
  Output bytes:            0
  Input packets:           0
  Output packets:          0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
For reference purposes only, here is an example of what the
configuration may look like on the Cisco side in the extranet:
! Phase 1: encryption des and group 1 are the IOS defaults and so are not shown;
! together with hash md5 and pre-share this matches the Junos proposal cisco-interop-ike
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key test address 172.16.1.2
crypto isakmp keepalive 10 2 periodic
!
! Phase 2: matches the Junos proposal cisco-interop (ESP, DES-CBC, HMAC-MD5-96)
crypto ipsec transform-set esp_des_set esp-des esp-md5-hmac
!
crypto map gre-to-ipsec 1 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set esp_des_set
 set pfs group1
 match address 110
!
! Crypto ACL: all traffic between the two tunnel endpoints, i.e. the GRE packets
access-list 110 permit ip host 128.3.3.4 host 172.16.1.2
!
interface tunnel1
 tunnel mode gre ip
 tunnel destination 172.16.1.2
 tunnel source 128.3.3.4
!
interface fast0
 crypto map gre-to-ipsec
Doug Marschke
Principal Technologist
Strategic Networks Training
JNCIE-ER #3, JNCIE-M/T #41, JNCIS-FW, JNAT
www.ietraining.net
(415)902-5702
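The nine steps above are pure configuration, but the part that bites in practice is getting the two vendors' phase 1 and phase 2 parameters to agree, and the proposals shown (DES-CBC, MD5, DH group 1) are far below what should be deployed today. The script below is an added example, not code from the post or from the book it quotes: it takes the step 3 Junos stanzas and the IOS lines from this message (copied inline as constructed input, pre-shared key omitted), maps both vendors' spellings onto one vocabulary, reports any parameter the two sides disagree on, and flags weak algorithms. The platform defaults for unset knobs, the name mapping and the weak-algorithm list are the editor's assumptions; confirm them against your release.

```python
"""Added interop pre-flight check (not from the original post): parse the IKE (phase 1)
and IPsec (phase 2) parameters of a Junos services ipsec-vpn fragment and an IOS crypto
fragment, report mismatches that would break negotiation, and flag weak algorithms."""
import re

# Constructed input: the post's step 3 Junos stanzas and IOS lines (PSK omitted).
JUNOS_CFG = """
ipsec {
    proposal cisco-interop {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm des-cbc;
    }
    policy ipsecgre {
        perfect-forward-secrecy {
            keys group1;
        }
        proposals cisco-interop;
    }
}
ike {
    proposal cisco-interop-ike {
        authentication-method pre-shared-keys;
        dh-group group1;
        authentication-algorithm md5;
        encryption-algorithm des-cbc;
    }
}
"""
IOS_CFG = """
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto ipsec transform-set esp_des_set esp-des esp-md5-hmac
crypto map gre-to-ipsec 1 ipsec-isakmp
 set transform-set esp_des_set
 set pfs group1
"""
# Platform defaults for unset knobs (IOS 12.x / Junos services ipsec-vpn; confirm on your release).
IOS_ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
JUNOS_IKE_DEFAULTS = {"encryption-algorithm": "3des-cbc", "authentication-algorithm": "sha1",
                      "dh-group": "group2", "authentication-method": "pre-shared-keys"}
JUNOS_IPSEC_DEFAULTS = {"encryption-algorithm": "3des-cbc", "authentication-algorithm": "hmac-sha1-96"}
# Vendor spellings -> one vocabulary so the two sides can be compared (not exhaustive).
CANON = {"des-cbc": "des", "esp-des": "des", "des": "des", "3des-cbc": "3des", "esp-3des": "3des",
         "3des": "3des", "md5": "md5", "hmac-md5-96": "md5", "esp-md5-hmac": "md5", "sha1": "sha1",
         "sha": "sha1", "hmac-sha1-96": "sha1", "esp-sha-hmac": "sha1", "group1": "group1",
         "1": "group1", "group2": "group2", "2": "group2", "pre-shared-keys": "psk",
         "pre-share": "psk", "rsa-signatures": "rsa-sig", "rsa-sig": "rsa-sig"}
# Editor's deployment policy (an assumption): flagged even when both sides agree on it.
WEAK = {"des", "3des", "md5", "group1", "group2"}


def parse_junos(cfg):
    """Canonical phase-1/phase-2 parameters from a services ipsec-vpn fragment."""
    def first_proposal(stanza):  # 'key value;' lines of the first proposal under 'stanza {'
        m = re.search(r"^\s*" + stanza + r"\s*\{.*?proposal\s+\S+\s*\{([^}]*)\}", cfg, re.S | re.M)
        return dict(re.findall(r"(\S+)\s+(\S+);", m.group(1))) if m else {}
    ike = {**JUNOS_IKE_DEFAULTS, **first_proposal("ike")}
    esp = {**JUNOS_IPSEC_DEFAULTS, **first_proposal("ipsec")}
    pfs = re.search(r"perfect-forward-secrecy\s*\{\s*keys\s+(\S+);", cfg)
    return {"ike": {"enc": CANON[ike["encryption-algorithm"]], "hash": CANON[ike["authentication-algorithm"]],
                    "dh": CANON[ike["dh-group"]], "auth": CANON[ike["authentication-method"]]},
            "ipsec": {"enc": CANON[esp["encryption-algorithm"]], "hash": CANON[esp["authentication-algorithm"]],
                      "pfs": CANON[pfs.group(1)] if pfs else "none"}}


def parse_ios(cfg):
    """Canonical phase-1/phase-2 parameters from an IOS crypto fragment
    (sub-commands indented one space, as in 'show running-config')."""
    isakmp, xform, pfs, section = dict(IOS_ISAKMP_DEFAULTS), {}, "none", None
    for raw in cfg.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[:3] == ["crypto", "isakmp", "policy"]:
            section = "isakmp"
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            section = None
            for t in words[4:]:  # e.g. 'esp-des esp-md5-hmac'
                xform["hash" if t.endswith("-hmac") else "enc"] = CANON[t]
        elif words[:2] == ["crypto", "map"]:
            section = "map"
        elif raw[:1] != " ":  # any other top-level command ends the current block
            section = None
        elif section == "isakmp":
            isakmp[words[0]] = words[1]  # first value token only (AES key size not handled)
        elif section == "map" and words[:2] == ["set", "pfs"]:
            pfs = words[2]
    return {"ike": {"enc": CANON[isakmp["encryption"]], "hash": CANON[isakmp["hash"]],
                    "dh": CANON[isakmp["group"]], "auth": CANON[isakmp["authentication"]]},
            "ipsec": {"enc": xform.get("enc"), "hash": xform.get("hash"), "pfs": CANON.get(pfs, "none")}}


def check_interop(junos, ios):
    """(mismatches, weak): parameters the sides disagree on, and weak algorithms either proposes."""
    mismatches = [f"{ph}.{k}: junos={v} ios={ios[ph].get(k)}"
                  for ph in ("ike", "ipsec") for k, v in junos[ph].items() if v != ios[ph].get(k)]
    weak = sorted({v for side in (junos, ios) for ph in side.values() for v in ph.values() if v in WEAK})
    return mismatches, weak


def run(junos_cfg=JUNOS_CFG, ios_cfg=IOS_CFG):
    return check_interop(parse_junos(junos_cfg), parse_ios(ios_cfg))


if __name__ == "__main__":
    print(run())
```

On the post's configuration this reports no mismatches and flags des, group1 and md5. Changing either side, for example dh-group group2 on the Junos proposal, produces a one-line ike.dh mismatch, which is exactly the disagreement that otherwise shows up only as a phase 1 that never completes. Run it before touching the boxes; the parser deliberately mirrors how each platform fills in unset knobs, because that is where cross-vendor mismatches usually hide.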
-----Original Message-----
From: Doug Marschke
Sent: Wednesday, February 06, 2008 9:57 AM
To: 'Jonathan Looney'; Massimiliano Galizia
Cc: juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] Encrypt a GRE tunnels between CSCO and JNPR M7i
I also have an example in here but you might not be able to wait that
long:
http://www.amazon.com/JUNOS-Enterprise-Routing-Practical-Certification/dp/0596514425/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1202320197&sr=8-1
In general, steps are:
1) Create GRE interface
2) Map Traffic to GRE tunnel
3) Create IPSec Tunnel (may need to create custom proposals)
4) Create Service Filters to Map GRE packets to the IPsec tunnel
5) Optional: Create service filters if any SFW are applied to bypass traffic
Doug Marschke
Principal Technologist
Strategic Networks Training
JNCIE-ER #3, JNCIE-M/T #41, JNCIS-FW, JNAT
www.ietraining.net
(415)902-5702
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Jonathan Looney
Sent: Wednesday, February 06, 2008 6:45 AM
To: Massimiliano Galizia
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Encrypt a GRE tunnels between CSCO and JNPR M7i
Juniper has an example of this in the "Advanced Juniper Networks
Routing in the Enterprise" course. This is an instructor-led class,
which I would recommend. However, if you cannot attend the class, you
can download the class materials for free as part of the Fast Track
program. There is a link to this program on Juniper's "Education"
webpage.
-Jon
On Feb 6, 2008 6:29 AM, Massimiliano Galizia
<massimiliano.galizia at gmail.com> wrote:
> Hello all,
> I've been requested to bring up a test plant with two CSCOs and two M7i
> in this fashion:
>
>           ______      ______
> PCs |-----|CSCO|--|---|JNPR|-----|PCs
>                   |
>           ______  |   ______
> PCs |-----|CSCO|--|---|JNPR|-----|PCs
>
> My customer wants to encrypt with IPSEC the GRE tunnels between the
> boxes. I don't find anything related in KB or doc sites.
> Any suggestion?
> Many thanks in advance
>
> Regards
>
> Max
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp