Configuring IPSec

Problem

You need a secure method of sending information between sites.

Solution

Start by defining the IPSec SA between your two intranet sites. On each security router, define identical SAs:

	[edit security ipsec]
	aviva@router1# edit security-association site1-site2
	[edit security ipsec security-association site1-site2]
	aviva@router1# set description "SA from site1 to site2"
	aviva@router1# set mode tunnel
	aviva@router1# set manual direction bidirectional protocol bundle
	aviva@router1# set manual direction bidirectional spi 400
	aviva@router1# set manual direction bidirectional auxiliary-spi 400
	aviva@router1# set manual direction bidirectional authentication algorithm hmac-sha1-96
	aviva@router1# set manual direction bidirectional authentication key ascii-text $1991poPPi
	aviva@router1# set manual direction bidirectional encryption algorithm des-cbc
	aviva@router1# set manual direction bidirectional encryption key ascii-text $1991poPPi

Then configure a firewall filter that accepts the traffic returning from the remote site (source 10.0.97.0/24, destination 10.0.12.0/24):

	[edit firewall filter traffic-out-of-ipsec-tunnel]
	aviva@router1# set term out-of-ipsec-tunnel from source-address 10.0.97.0/24
	aviva@router1# set term out-of-ipsec-tunnel from destination-address 10.0.12.0/24
	aviva@router1# set term out-of-ipsec-tunnel then accept

Finally, configure the ES interface that carries the tunnel from the local security gateway to the remote security gateway, attaching the SA and applying the filter as an input filter:

	[edit interfaces es-3/0/0]
	aviva@router1# set unit 0 tunnel source 10.0.12.33
	aviva@router1# set unit 0 tunnel destination 10.0.97.62
	aviva@router1# set unit 0 family inet ipsec-sa site1-site2
	aviva@router1# set unit 0 family inet filter input traffic-out-of-ipsec-tunnel

 

Discussion

This recipe shows how to set up IPSec on M-series and T-series routers that have ES PICs. The setup is fairly involved and has three basic components: defining the SA and the tunnel that carries the secured traffic, creating firewall filters that steer traffic between the two sites into the tunnel, and configuring the interfaces to apply the filters and terminate the tunnel on the ES PIC. This recipe uses a manual SA, in which you specify every SA parameter (SPIs, algorithms, and keys) in the configuration. Manual SAs are manageable in a small network but do not scale well, and their keys never change unless you rekey both gateways by hand. As the network grows, having IKE negotiate the SAs dynamically is the better option (see Recipe 3.2).

The SA is bidirectional, so the same SPI, encryption key, and authentication key are used for incoming and outgoing traffic through the IPSec tunnel. To use different keys in each direction, configure the SA with the set manual direction inbound and set manual direction outbound commands instead of direction bidirectional.

To start, define the SA. Because two routers act as the security gateways between your two sites, you use tunnel mode. For the other SA parameters, this example uses both the AH and ESP protocols (specified with the protocol bundle statement), HMAC-SHA1-96 authentication, DES-CBC encryption, and an SPI value of 400. The auxiliary SPI is needed because both AH and ESP are in use, and each protocol header carries its own SPI. Both security gateway routers must have exactly the same SA configuration; nothing is negotiated, so a mismatch means packets fail authentication or decryption and are discarded. Treat the algorithm and key choices here as the recipe's illustration rather than a recommendation: DES-CBC uses a 56-bit key and is brute-forceable, so prefer 3des-cbc (or an AES mode if your Junos release supports it on the ES PIC), and the example reuses one ascii-text string as both the authentication and the encryption key, which is poor key hygiene. Use distinct, randomly generated keys for each purpose.

Next, you create a firewall filter that accepts traffic returning from the remote site (source 10.0.97.0/24, destination 10.0.12.0/24) and apply it as an input filter on the ES interface, so decrypted traffic emerging from the tunnel is accepted while anything else arriving on that interface falls through to the filter's implicit discard. Set up the mirror-image filter on the remote security gateway router.

Finally, you configure the router interfaces. On the ES interface facing the remote security gateway router, configure the tunnel source and destination on the logical unit, and under the IPv4 protocol family associate the SA and apply the traffic-out-of-ipsec-tunnel filter as an input filter. Set up the remote router the same way, with the tunnel source and destination swapped.

Use the following command to verify that the SA is active:

	aviva@router1> show ipsec security-associations detail
	Security association: site1-site2, Interface family: Up

	 Local gateway: 10.0.12.33, Remote gateway: 10.0.97.62
	 Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
	 Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)

	 Direction: inbound, SPI: 400, AUX-SPI: 400
	 Mode: tunnel, Type: manual, State: Installed
	 Protocol: BUNDLE, Authentication: hmac-sha1-96, Encryption: des-cbc
	 Anti-replay service: Disabled

	 Direction: outbound, SPI: 400, AUX-SPI: 400
	 Mode: tunnel, Type: manual, State: Installed
	 Protocol: BUNDLE, Authentication: hmac-sha1-96, Encryption: des-cbc
	 Anti-replay service: Disabled

The first line shows that the SA is active (Up), and the two Direction blocks show that the inbound and outbound SAs are installed with the configured SPIs, protocol, and algorithms. Note that Anti-replay service is Disabled for both directions: nothing stops an attacker who captures an ESP packet from replaying it into the tunnel. Run the same command on the remote gateway and confirm the two outputs agree.
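The SA parameters discussed above and this show output lend themselves to an automated check. The script below is an added example written for this page, not code from the JUNOS Cookbook or from Junos: it parses the recipe's set manual direction commands, flags the choices a reviewer would question (DES-CBC, one key reused for authentication and encryption, a single key set for both directions, an SPI in the range 1-255 that RFC 4302 and RFC 4303 reserve), then parses the show ipsec security-associations detail output and confirms both directions are Installed with the configured SPIs and algorithms, reporting the disabled anti-replay service. The inputs are the recipe's own CLI text embedded as constructed strings; the function names are my own.

```python
"""Audit a Junos manual IPSec SA and cross-check it against the installed state.
Added example for this recipe, not code from the JUNOS Cookbook or from Junos;
the inputs are the recipe's own CLI text, embedded here as constructed strings."""
import re

# Constructed sample: the SA `set` commands from the recipe, key in the clear as
# typed at the CLI (Junos stores it obfuscated as "$9$..." in the configuration).
SA_CONFIG = """
set manual direction bidirectional protocol bundle
set manual direction bidirectional spi 400
set manual direction bidirectional auxiliary-spi 400
set manual direction bidirectional authentication algorithm hmac-sha1-96
set manual direction bidirectional authentication key ascii-text $1991poPPi
set manual direction bidirectional encryption algorithm des-cbc
set manual direction bidirectional encryption key ascii-text $1991poPPi
"""
# Constructed sample: the recipe's `show ipsec security-associations detail` output.
SHOW_OUTPUT = """
Security association: site1-site2, Interface family: Up
 Local gateway: 10.0.12.33, Remote gateway: 10.0.97.62
 Direction: inbound, SPI: 400, AUX-SPI: 400
 Mode: tunnel, Type: manual, State: Installed
 Protocol: BUNDLE, Authentication: hmac-sha1-96, Encryption: des-cbc
 Anti-replay service: Disabled
 Direction: outbound, SPI: 400, AUX-SPI: 400
 Mode: tunnel, Type: manual, State: Installed
 Protocol: BUNDLE, Authentication: hmac-sha1-96, Encryption: des-cbc
 Anti-replay service: Disabled
"""
WEAK_CIPHERS = {"des-cbc"}  # single DES: 56-bit key, brute-forceable

def parse_sa_config(text):
    """Map `... manual direction <dir> ...` lines to {direction: {parameter: value}}."""
    sas = {}
    for line in text.strip().splitlines():
        m = re.search(r"manual direction (\S+) (.+)$", line.strip())
        if not m:
            continue  # description, mode, etc. are not per-direction parameters
        direction, rest = m.groups()
        tokens = rest.split()
        params = sas.setdefault(direction, {})
        if tokens[0] in ("authentication", "encryption"):
            # "authentication algorithm X" / "encryption key ascii-text X": value is last
            params[f"{tokens[0]}-{tokens[1]}"] = tokens[-1]
        else:
            params[tokens[0]] = tokens[1]  # protocol, spi, auxiliary-spi
    return sas

def audit_sa(sas):
    """Flag weak or careless manual-SA choices; returns a list of finding strings."""
    findings = []
    for direction, p in sas.items():
        if 1 <= int(p.get("spi", 0)) <= 255:
            findings.append(f"{direction}: SPI {p['spi']} is in the range RFC 4302/4303 reserve")
        if p.get("encryption-algorithm") in WEAK_CIPHERS:
            findings.append(f"{direction}: {p['encryption-algorithm']} is 56-bit DES; use 3des-cbc or stronger")
        if p.get("authentication-key") and p["authentication-key"] == p.get("encryption-key"):
            findings.append(f"{direction}: same key used for authentication and encryption")
    if "bidirectional" in sas:
        findings.append("bidirectional: one key set protects both directions; consider inbound/outbound keys")
    return findings

def parse_show_sa(text):
    """Extract interface state and per-direction fields from the `show` output."""
    state = {"up": "Interface family: Up" in text, "directions": {}}
    current = None
    for line in text.splitlines():
        m = re.match(r"Direction: (\w+), SPI: (\d+), AUX-SPI: (\d+)", line.strip())
        if m:
            current = state["directions"].setdefault(m.group(1), {})
            current["spi"], current["aux-spi"] = m.group(2), m.group(3)
            continue
        if current is not None:  # "Key: value, Key: value" lines of this direction
            for key, value in re.findall(r"([A-Za-z -]+): ([^,]+)", line):
                current[key.strip().lower()] = value.strip()
    return state

def cross_check(sas, state):
    """Confirm both directions are installed with the configured SPIs and algorithms."""
    problems = []
    if not state["up"]:
        problems.append("SA interface family is not Up")
    for d in ("inbound", "outbound"):
        cfg = sas.get("bidirectional") or sas.get(d, {})
        inst = state["directions"].get(d)
        if inst is None or inst.get("state") != "Installed":
            problems.append(f"{d}: SA not installed")
            continue
        if (inst["spi"], inst["aux-spi"]) != (cfg.get("spi"), cfg.get("auxiliary-spi")):
            problems.append(f"{d}: SPI mismatch between configuration and installed SA")
        if (inst.get("authentication"), inst.get("encryption")) != (
                cfg.get("authentication-algorithm"), cfg.get("encryption-algorithm")):
            problems.append(f"{d}: algorithm mismatch between configuration and installed SA")
        if inst.get("anti-replay service") == "Disabled":
            problems.append(f"{d}: anti-replay disabled; captured packets can be replayed")
    return problems

if __name__ == "__main__":
    cfg = parse_sa_config(SA_CONFIG)
    for line in audit_sa(cfg) + cross_check(cfg, parse_show_sa(SHOW_OUTPUT)):
        print("-", line)
```

To run it against a live router, replace the constructed strings with the output of show configuration security ipsec | display set and show ipsec security-associations detail. Keys shown by display set are obfuscated as $9$ strings with a per-key salt, so the same-key check is only meaningful on the cleartext keys as typed.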

You can check the status of the IPSec tunnel with the ping and traceroute commands. You should be able to ping a system at the remote site:

	aviva@router1> ping 10.0.97.2
	PING 10.0.97.2 (10.0.97.2): 56 data bytes
	64 bytes from 10.0.97.2: icmp_seq=0 ttl=253 time=0.939 ms
	64 bytes from 10.0.97.2: icmp_seq=1 ttl=253 time=0.886 ms
	64 bytes from 10.0.97.2: icmp_seq=2 ttl=253 time=0.826 ms
	^C
	--- 10.0.97.2 ping statistics ---
	3 packets transmitted, 3 packets received, 0% packet loss
	round-trip min/avg/max/stddev = 0.826/0.884/0.939/0.046 ms

Use the traceroute command to verify that the traffic travels over the tunnel:

	aviva@router1> traceroute 10.0.97.2
	traceroute to 10.0.97.2 (10.0.97.2), 30 hops max, 40 byte packets
	 1 10.0.12.2 (10.0.12.2) 0.655 ms 0.549 ms 0.508 ms
	 2 10.0.0.3 (10.0.0.3) 0.833 ms 0.786 ms 0.757 ms
	 3 10.0.97.2 (10.0.97.2) 0.808 ms 0.741 ms 0.716 ms

At the second hop of the traceroute output you see 10.0.0.3, the loopback address of the remote security gateway router, rather than 10.0.97.62, the address of the remote end of the tunnel.

The configuration is a bit complex, so it's worth looking at the structure of the relevant portions of the configuration file rather than all the commands that you use to configure it. Some comments have been added.

	[edit security ipsec]
	security-association site1-site2 {            # <-- define the SA
	    description "tunnel from site1 to site2";
	    mode tunnel;                              # <-- use tunnel mode
	    manual {                                  # <-- all SA parameters are fixed here; nothing is negotiated
	        direction bidirectional {
	            protocol bundle;
	            spi 400;
	            auxiliary-spi 400;
	            authentication {
	                algorithm hmac-sha1-96;
	                key ascii-text "$9$…"; ## SECRET-DATA
	            }
	            encryption {
	                algorithm des-cbc;
	                key ascii-text "$9$b…"; ## SECRET-DATA
	            }
	        }
	    }
	}

	[edit firewall]
	filter traffic-out-of-ipsec-tunnel {          # <-- receive remote traffic
	    term out-of-ipsec-tunnel {
	        from {
	            source-address {                  # <-- remote subnet
	                10.0.97.0/24;
	            }
	            destination-address {             # <-- local subnet
	                10.0.12.0/24;
	            }
	        }
	        then accept;
	    }
	}

	[edit interfaces]
	es-3/0/0 {                                    # <-- interface facing remote security gateway router
	    unit 0 {
	        tunnel {
	            source 10.0.12.33;
	            destination 10.0.97.62;
	        }
	        family inet {
	            ipsec-sa site1-site2;
	            filter {
	                input traffic-out-of-ipsec-tunnel;
	            }
	        }
	    }
	}




JUNOS Cookbook (O'Reilly Cookbooks)
ISBN: 0596100140
Year: 2007
Pages: 290
Author: Aviva Garrett
