Problem
You want to configure basic IPSec on an M-series or T-series router that has an AS PIC, or on a J-series router, which has built-in software emulation of the AS PIC functionality.
Solution
Use dynamic IPSec to automatically generate keys and negotiate SAs. First, create an IKE policy:
[edit services ipsec-vpn]
aviva@RouterA# set ike policy ike-dynamic-policy pre-shared-key ascii-text $1991poPPi
Then, create a rule for a bidirectional dynamic IKE SA that references the IKE policy:
[edit services ipsec-vpn rule ike-rule]
aviva@RouterA# set term ike then remote-gateway 10.0.15.2
aviva@RouterA# set term ike then dynamic ike-policy ike-dynamic-policy
aviva@RouterA# set match-direction input
To configure IPSec, define a service set:
[edit services service-set ipsec-dynamic]
aviva@RouterA# set ipsec-vpn-rules ike-rule
aviva@RouterA# set ipsec-vpn-options local-gateway 10.1.15.1
aviva@RouterA# set next-hop-service inside-service-interface sp-1/2/0.1
aviva@RouterA# set next-hop-service outside-service-interface sp-1/2/0.2
Next, configure the router interfaces. First, set up the service interfaces to use for IPSec:
[edit interfaces]
aviva@RouterA# set sp-1/2/0 unit 0 family inet
aviva@RouterA# set sp-1/2/0 unit 1 family inet
aviva@RouterA# set sp-1/2/0 unit 1 service-domain inside
aviva@RouterA# set sp-1/2/0 unit 2 family inet
aviva@RouterA# set sp-1/2/0 unit 2 service-domain outside
Then, configure the physical interface to be used for the IPSec tunnel:
[edit interfaces]
aviva@RouterA# set so-0/0/1 unit 0 family inet address 10.1.15.1/30
Finally, configure the domain's IGP traffic to use the IPSec tunnel:
[edit protocols ospf area 0.0.0.0]
aviva@RouterA# set interface so-0/0/0
aviva@RouterA# set interface lo0.0 passive
aviva@RouterA# set interface sp-1/2/1
Discussion
The JUNOS IPSec configuration for routers with AS PICs differs considerably from that for the ES PIC, because the AS PIC uses a different ASIC with its own architecture. Instead of configuring at the [edit security] hierarchy, you configure IPSec at the [edit services] hierarchy, creating what the JUNOS software calls service sets, which define the IPSec VPN rules for setting up the IPSec and IKE SAs. You also create service sets and rules for other services that require the AS PIC, such as Network Address Translation (NAT) and stateful firewalls. The M-series and T-series routers have built-in AS PICs. You use the same configuration on J-series routers, which don't use an AS PIC but instead have built-in software emulation of the AS PIC functionality.
The basic requirements for configuring IPSec on an interface with an AS PIC are the same as for the ES PIC. You define an IKE policy and negotiation proposal and create an IPSec policy and proposal. This recipe uses the default IKE and IPSec policy and proposal settings (see Table 3-1), so no configuration commands are necessary.
Table 3-1. Default IKE and IPSec proposal and policy values

| Value | IKE default | IPSec default |
|---|---|---|
| Proposal values | | |
| Authentication algorithm | SHA-1 | HMAC SHA-1-96 |
| Authentication method | Preshared keys | Not applicable |
| Diffie-Hellman keys | group2 (1,024-bit Diffie-Hellman scheme) | Not applicable |
| Encryption algorithm | Triple DES CBC | Triple DES CBC |
| Protocol | Not applicable | ESP |
| SA lifetime | 3,600 seconds | 28,800 seconds |
| Policy values | | |
| Proposal name to reference | Default | Default |
| PFS Diffie-Hellman keys | Not applicable | group2 (1,024-bit Diffie-Hellman scheme) |
| Policy mode | main | Not applicable |
The first part of this recipe configures IKE. The set ike policy command defines an IKE policy. This recipe uses the default policy settings. Because preshared keys are the default authentication method for IKE, the only thing you have to configure is the key itself.
Next, define a rule for the IKE SA. This recipe creates the rule named ike-rule. The rule in this recipe has two set term commands that are similar in syntax to a policy or firewall then statement. The first command sends matching packets to the remote endpoint of the IPSec tunnel (here, 10.0.15.2), and the second command associates the IKE policy with the SA so that matching packets can be sent across the IPSec tunnel. The final command in the IKE SA rule, set match-direction, specifies the match direction used to mark which traffic to encrypt or decrypt. This statement is a bit confusing in the IPSec configuration because all IKE-enabled IPSec VPNs are bidirectional by default. However, a set match-direction statement is still required. The IKE SA rule is effectively a firewall filter, directing traffic into and out of the IPSec tunnel, so you don't need to configure a separate firewall filter as you do when configuring the ES PIC.
Next, configure IPSec. You do this by creating a service set that defines IPSec-specific information. (You can configure multiple services on a single AS PIC, each in its own service set.) The service set in this recipe is called ipsec-dynamic. The first command associates the IKE SA rule with IPSec, and the second command defines the address of the local end of the IPSec tunnel. The last two commands configure the logical interfaces that participate in the IPSec services. The set next-hop-service inside-service-interface command configures the inward-facing interface, and the set next-hop-service outside-service-interface command configures the interface that faces the remote IPSec site. You configure these interfaces at the [edit interfaces] level. The final part of the IPSec configuration is to define an IPSec proposal and policy. This recipe uses the default values (see Table 3-1), so no configuration commands are required.
For IPSec to work, you need to configure the interfaces on the AS PIC, which are services (sp-) interfaces. For J-series routers, configure the sp-0/0/0 interface. You also configure the physical interface that carries the IPSec tunnel.
For the services interface, you configure logical interfaces. Each services interface has three logical interfaces. The first, unit 0, has no special configuration. You just set it to support IPv4 traffic (family inet). The other two logical interfaces handle the IPSec traffic. The first one, unit 1 in this recipe, is for inward-facing traffic (service-domain inside); it is the logical interface you include in the set next-hop-service inside-service-interface command. The second logical interface, unit 2, is for outward-facing traffic (service-domain outside); it is the one you include in the set next-hop-service outside-service-interface command.
This recipe uses the so-0/0/1 interface to carry the IPSec tunnel.
To direct traffic from the local domain into the IPSec tunnel, include the services interface when configuring the IGP. This recipe uses OSPF and adds the services interface with the set interface sp-1/2/1 command.
Configure the security gateway router at the remote site in the same way, using the appropriate address and interface names.
You can check that the IKE SA negotiation is successful:
aviva@RouterA> show services ipsec-vpn ike security-associations
Remote Address  State    Initiator cookie  Responder cookie  Exchange type
10.0.15.2       Matured  03075bd3a0000003  4bff26a5c7000003  Main
Use the following command to check that the IPSec SA is active:
aviva@RouterA> show services ipsec-vpn ipsec security-associations detail
Service set: ipsec-dynamic-service-set
Rule: ike-rule, Term: term-ike, Tunnel index: 1
Local gateway: 10.0.15.1, Remote gateway: 10.0.15.2
Local identity: ipv4_subnet(any:0,[0..7]=10.0.15.30/24)
Remote identity: ipv4_subnet(any:0,[0..7]=10.0.15.20/24)
  Direction: inbound, SPI: 2666326758, AUX-SPI: 0
  Mode: tunnel, Type: dynamic, State: Installed
  Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
  Soft lifetime: Expires in 26863 seconds
  Hard lifetime: Expires in 26998 seconds
  Anti-replay service: Enabled, Replay window size: 64
  Direction: outbound, SPI: 684772754, AUX-SPI: 0
  Mode: tunnel, Type: dynamic, State: Installed
  Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
  Soft lifetime: Expires in 26863 seconds
  Hard lifetime: Expires in 26998 seconds
  Anti-replay service: Enabled, Replay window size: 64
The output shows that the SA is using the default settings, including ESP for the protocol and HMAC-SHA1-96 for the authentication algorithm.
To check that traffic is traveling over the IPSec tunnel, use the following command:
aviva@RouterA> show services ipsec-vpn ipsec statistics
PIC: sp-1/2/0, Service set: ipsec-dynamic
ESP Statistics:
  Encrypted bytes:   2248
  Decrypted bytes:   2120
  Encrypted packets:   27
  Decrypted packets:   25
AH Statistics:
  Input bytes:    0
  Output bytes:   0
  Input packets:  0
  Output packets: 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
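The two show commands above are what an operator reads by eye; turning them into a repeatable health check catches a missing SA direction, a non-default algorithm, an SA close to its hard lifetime, or a rising error counter before anyone notices a silent outage. The following Python script is an added example, not code from the JUNOS Cookbook or from Juniper. The embedded samples are transcriptions of the output shown above; the expected-parameter table, the 600-second lifetime threshold and the function names are assumptions made for this illustration.

```python
"""Health check over the two `show services ipsec-vpn` outputs used in the recipe.

Added example, not from the JUNOS Cookbook.  The samples below are transcriptions
of the output shown above; thresholds and expected values are assumptions.
"""
import re

SA_DETAIL_SAMPLE = """\
Service set: ipsec-dynamic-service-set
Rule: ike-rule, Term: term-ike, Tunnel index: 1
Local gateway: 10.0.15.1, Remote gateway: 10.0.15.2
  Direction: inbound, SPI: 2666326758, AUX-SPI: 0
  Mode: tunnel, Type: dynamic, State: Installed
  Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
  Soft lifetime: Expires in 26863 seconds
  Hard lifetime: Expires in 26998 seconds
  Anti-replay service: Enabled, Replay window size: 64
  Direction: outbound, SPI: 684772754, AUX-SPI: 0
  Mode: tunnel, Type: dynamic, State: Installed
  Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
  Soft lifetime: Expires in 26863 seconds
  Hard lifetime: Expires in 26998 seconds
  Anti-replay service: Enabled, Replay window size: 64
"""

STATS_SAMPLE = """\
PIC: sp-1/2/0, Service set: ipsec-dynamic
ESP Statistics:
  Encrypted bytes: 2248
  Decrypted bytes: 2120
  Encrypted packets: 27
  Decrypted packets: 25
AH Statistics:
  Input bytes: 0
  Output bytes: 0
  Input packets: 0
  Output packets: 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

# What a healthy SA from this recipe should report (the Table 3-1 defaults); assumption.
EXPECTED_SA = {"Mode": "tunnel", "State": "Installed", "Protocol": "ESP",
               "Authentication": "hmac-sha1-96", "Encryption": "3des-cbc",
               "Anti-replay service": "Enabled"}

ERROR_COUNTERS = ("AH authentication failures", "Replay errors",
                  "ESP authentication failures", "ESP decryption failures",
                  "Bad headers", "Bad trailers")


def _fields(line):
    """Split a 'Key: value, Key: value' line into a dict (non-matching text is ignored)."""
    return dict(part.split(": ", 1) for part in line.strip().split(", ") if ": " in part)


def parse_sa_detail(text):
    """Return one dict per SA direction from `... ipsec security-associations detail`."""
    sas, current = [], None
    for line in text.splitlines():
        fields = _fields(line)
        if "Direction" in fields:          # every Direction line starts a new SA
            current = {}
            sas.append(current)
        if current is not None:
            current.update(fields)
    return sas


def check_sas(sas, min_hard_lifetime=600):
    """List findings: missing direction, non-default parameter, SA close to expiry."""
    findings = []
    present = {sa.get("Direction") for sa in sas}
    for direction in ("inbound", "outbound"):
        if direction not in present:
            findings.append(f"no {direction} SA installed")
    for sa in sas:
        d = sa.get("Direction")
        for key, want in EXPECTED_SA.items():
            if sa.get(key) != want:
                findings.append(f"{d}: {key} is {sa.get(key)!r}, expected {want!r}")
        m = re.search(r"(\d+) seconds", sa.get("Hard lifetime", ""))
        if not m or int(m.group(1)) < min_hard_lifetime:
            findings.append(f"{d}: hard lifetime missing or below {min_hard_lifetime}s")
    return findings


def parse_stats(text):
    """Flatten the numeric counters of `... ipsec statistics` into a dict."""
    counters = {}
    for line in text.splitlines():
        for key, value in _fields(line).items():
            if value.strip().isdigit():
                counters[key] = int(value)
    return counters


def check_stats(counters):
    """List findings: any non-zero error counter, or no traffic in one direction."""
    findings = [f"{k}: {counters[k]}" for k in ERROR_COUNTERS if counters.get(k, 0) > 0]
    if not counters.get("Encrypted packets") or not counters.get("Decrypted packets"):
        findings.append("no traffic encrypted or decrypted in at least one direction")
    return findings


if __name__ == "__main__":
    print("SA findings:", check_sas(parse_sa_detail(SA_DETAIL_SAMPLE)) or "OK")
    print("counter findings:", check_stats(parse_stats(STATS_SAMPLE)) or "OK")
```

Both checks return an empty list for the healthy output above. Feeding the script the output of the same commands taken a few minutes apart and comparing the error counters is the simplest way to tell a tunnel that is quietly dropping packets (replay errors, authentication failures) from one that is merely idle (zero packet counters).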
Again, it's worthwhile showing all sections of the configuration together, with added comments:
[edit services]
service-set ipsec-dynamic {
    next-hop-service {
        inside-service-interface sp-1/2/0.1;    # <-- bind IPSec to sp-1/2/0.1 interface
        outside-service-interface sp-1/2/0.2;   # <-- bind IPSec to sp-1/2/0.2 interface
    }
    ipsec-vpn-options {
        local-gateway 10.1.15.1;    # <-- define local side of IPSec tunnel
    }
    ipsec-vpn-rules ike-rule;    # <-- bind IKE rule to service set
}
ipsec-vpn {
    rule ike-rule {    # <-- policy to allow traffic into IPSec tunnel
        term ike {
            then {
                remote-gateway 10.0.15.2;
                dynamic {
                    ike-policy ike-dynamic-policy;    # <-- bind IKE policy to IPSec
                }
            }
        }
        match-direction input;
    }
    ike {    # <-- define IKE policy
        policy ike-dynamic-policy {
            pre-shared-key ascii-text $1991poPPi;
        }
    }
}
[edit interfaces]
so-0/0/1 {    # <-- physical interface for IPSec tunnel
    unit 0 {
        family inet {
            address 10.1.15.1/30;
        }
    }
}
sp-1/2/0 {    # <-- services interface to IPSec
    unit 0 {
        family inet;
    }
    unit 1 {    # <-- logical interface for IPSec inward-facing traffic
        family inet;
        service-domain inside;
    }
    unit 2 {    # <-- logical interface for IPSec outward-facing traffic
        family inet;
        service-domain outside;
    }
}
[edit protocols]
ospf {
    area 0.0.0.0 {
        interface so-0/0/0;
        interface lo0.0 passive;
        interface sp-1/2/1.0;    # <-- direct OSPF traffic into IPSec tunnel
    }
}
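A service-set configuration like the one above works only when its cross-references line up: the rule named in ipsec-vpn-rules must exist, the IKE policy named in that rule must exist, local-gateway must be an address actually configured on an interface, and the inside and outside service interfaces must be the units carrying the matching service-domain. Checking that by hand across three hierarchies is error-prone, so here is a small Python checker for the flattened set-command form used in the Solution section. It is an added example, not code from the JUNOS Cookbook or from Juniper; the sample set commands are constructed to mirror the Solution (with a placeholder in place of a real pre-shared key), and the function names and the list of checks are this example's own assumptions.

```python
"""Consistency check for an AS-PIC IPSec service set given as JUNOS `set` commands.

Added example, not from the JUNOS Cookbook.  Sample commands are constructed
to match the recipe's Solution; the pre-shared key is a placeholder.
"""

SAMPLE_SET_COMMANDS = """
set services ipsec-vpn ike policy ike-dynamic-policy pre-shared-key ascii-text PLACEHOLDER-KEY
set services ipsec-vpn rule ike-rule term ike then remote-gateway 10.0.15.2
set services ipsec-vpn rule ike-rule term ike then dynamic ike-policy ike-dynamic-policy
set services ipsec-vpn rule ike-rule match-direction input
set services service-set ipsec-dynamic ipsec-vpn-rules ike-rule
set services service-set ipsec-dynamic ipsec-vpn-options local-gateway 10.1.15.1
set services service-set ipsec-dynamic next-hop-service inside-service-interface sp-1/2/0.1
set services service-set ipsec-dynamic next-hop-service outside-service-interface sp-1/2/0.2
set interfaces sp-1/2/0 unit 0 family inet
set interfaces sp-1/2/0 unit 1 family inet
set interfaces sp-1/2/0 unit 1 service-domain inside
set interfaces sp-1/2/0 unit 2 family inet
set interfaces sp-1/2/0 unit 2 service-domain outside
set interfaces so-0/0/1 unit 0 family inet address 10.1.15.1/30
"""


def parse_set_commands(text):
    """Return every `set ...` line as a list of tokens with the leading `set` dropped."""
    statements = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] != "set":
            raise ValueError(f"expected a set command: {line!r}")
        statements.append(tokens[1:])
    return statements


def find(statements, *prefix):
    """Yield the tokens that follow `prefix` in each statement that starts with it."""
    n = len(prefix)
    for tokens in statements:
        if tokens[:n] == list(prefix):
            yield tokens[n:]


def first(statements, *prefix):
    """Tokens after `prefix` in the first matching statement, or None if none matches."""
    return next(find(statements, *prefix), None)


def check_ipsec_service_set(statements, ss):
    """Return the problems found for service set `ss`; an empty list means consistent."""
    problems = []
    base = ("services", "service-set", ss)

    # 1. The rule bound to the service set must exist and carry a match-direction.
    rule = first(statements, *base, "ipsec-vpn-rules")
    if rule is None:
        problems.append(f"{ss}: no ipsec-vpn-rules statement")
    else:
        rule_base = ("services", "ipsec-vpn", "rule", rule[0])
        if first(statements, *rule_base) is None:
            problems.append(f"{ss}: rule {rule[0]} is referenced but not defined")
        elif first(statements, *rule_base, "match-direction") is None:
            problems.append(f"rule {rule[0]}: missing match-direction")
        # 2. Every IKE policy named under the rule's terms must be defined.
        for rest in find(statements, *rule_base, "term"):
            if "ike-policy" in rest:
                policy = rest[rest.index("ike-policy") + 1]
                if first(statements, "services", "ipsec-vpn", "ike", "policy", policy) is None:
                    problems.append(f"rule {rule[0]}: ike-policy {policy} is not defined")

    # 3. local-gateway must be an address configured on some interface.
    gateway = first(statements, *base, "ipsec-vpn-options", "local-gateway")
    if gateway is None:
        problems.append(f"{ss}: no local-gateway")
    else:
        addresses = {rest[-1].split("/")[0]
                     for rest in find(statements, "interfaces") if "address" in rest}
        if gateway[0] not in addresses:
            problems.append(f"{ss}: local-gateway {gateway[0]} is not configured on any interface")

    # 4. Inside/outside service interfaces must exist with the matching service-domain.
    for side in ("inside", "outside"):
        ifl = first(statements, *base, "next-hop-service", f"{side}-service-interface")
        if ifl is None:
            problems.append(f"{ss}: no {side}-service-interface")
            continue
        name, _, unit = ifl[0].partition(".")
        domain = first(statements, "interfaces", name, "unit", unit, "service-domain")
        found = domain[0] if domain else "none"
        if found != side:
            problems.append(f"{ifl[0]}: service-domain should be {side}, found {found}")
    return problems


if __name__ == "__main__":
    statements = parse_set_commands(SAMPLE_SET_COMMANDS)
    print("sample config:", check_ipsec_service_set(statements, "ipsec-dynamic") or "OK")
    # Drop the service-domain on unit 2 to show the checker catching the omission.
    broken = [s for s in statements if s[-2:] != ["service-domain", "outside"]]
    print("without service-domain outside:", check_ipsec_service_set(broken, "ipsec-dynamic"))
```

The same statements can be produced from a live router with show configuration | display set, so the checker can run against the candidate configuration before commit; a mismatch between local-gateway and the tunnel interface address, or a service unit missing its service-domain, is exactly the kind of slip that leaves IKE negotiating forever with no SA installed.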