[j-nsp] Encrypt GRE tunnel with ipsec

Ben Dale bdale at comlinx.com.au
Tue May 25 07:02:53 EDT 2010


Hi Nick,

> Im using a J6350.
> 
> All im trying to to is create a secure tunnel between 2 juniper routers and route traffic down the tunnel without having to specify what specific source destination ranges to encrypt.  Ie if a packet is destined to go down the tunnel then encrypt.

I'll assume you're using JUNOS-ES here so you don't require the use of GRE.  In a nutshell, set up your VPN, bind it to your st (secure tunnel) interface and place the st interface into it's own security-zone.  Then simply route traffic destined for the VPN to the st interface and have a policy to allow it with the action "permit".  You can also number the st0.0 interface and run an IGP across it.  There is a nice easy example in the following document:

http://www.juniper.net/us/en/local/pdf/app-notes/3500153-en.pdf

The use of GRE over IPSEC is to get around the limitation in IOS and others whereby a proxy-id needs to be configured for before a VPN tunnel will establish.  You specify a proxy ID to cover all traffic destined for the endpoint of the GRE tunnel so that the tunnel itself is encrypted, then you specify your traffic to be routed via the tunnel.  Juniper refers to this as policy-based VPN and there is a good document on it here:

http://www.juniper.net/us/en/local/pdf/app-notes/3500175-en.pdf

It differs from route-based in that instead of your policy just having an action "permit", you add "tunnel" to it, which establishes the VPN tunnel with a proxy-id matching your policy.

> From: Jonathan Looney [mailto:jonlooney at gmail.com]
> Sent: 24 May 2010 14:21
> To: Nick Ryce
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Encrypt GRE tunnel with ipsec
> 
> Are you using SRX/J-series or AS PIC/MS PIC/ASM/Services DPC?  The configuration will be different for those two classes of platform.
> 
> -Jon
> On Mon, May 24, 2010 at 8:44 AM, Nick Ryce <Nick.Ryce at lumison.net<mailto:Nick.Ryce at lumison.net>> wrote:
> Hi Guys,
> 
> Is there a way to set up a gre tunnel and then encrypt gre packets with ipsec?  I know it can be done on a cisco but the juniper kb makes my eyes bleed trying to find anything.
> 
> I found the following config here http://communities.juniper.net/jnet/attachments/jnet/srx/509/1/gre-ipsec-srx240.txt but dont think that would encrypt everything going down the tunnel....or would it.
> 
> Im using 9.6 at the moment.
> 
> Any help appreciated
> 
> --
> Nick Ryce
> Network Engineer
> Lumison
> 08451199999
> 
> P.S. do you love Lumison?  Why not take a moment and vote for us?
> http://bit.ly/Vote_Lumison
> 
> 
> 
> 
> --
> 
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error please notify the sender. Any
> offers or quotation of service are subject to formal specification.
> Errors and omissions excepted.  Please note that any views or opinions
> presented in this email are solely those of the author and do not
> necessarily represent those of Lumison.
> Finally, the recipient should check this email and any attachments for the
> presence of viruses.  Lumison accept no liability for any
> damage caused by any virus transmitted by this email.
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net<mailto:juniper-nsp at puck.nether.net>
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
> 
> ________________________________
> --
> 
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error please notify the sender. Any
> offers or quotation of service are subject to formal specification.
> Errors and omissions excepted. Please note that any views or opinions
> presented in this email are solely those of the author and do not
> necessarily represent those of Lumison.
> Finally, the recipient should check this email and any attachments for the
> presence of viruses. Lumison accept no liability for any
> damage caused by any virus transmitted by this email.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 




More information about the juniper-nsp mailing list