Creating IPSec Dynamic SAs on J-Series Routers or Routers with AS PICs

Problem

You want to configure basic IPSec on an M-series or T-series router that has an AS PIC, or on a J-series router, which has built-in software emulation of the AS PIC functionality.

Solution

Use dynamic IPSec to automatically generate keys and negotiate SAs. First, create an IKE policy:

	[edit services ipsec-vpn]
	aviva@RouterA# set ike policy ike-dynamic-policy pre-shared-key ascii-text $1991poPPi

Then, create a rule for a bidirectional dynamic IKE SA that references the IKE policy:

	[edit services ipsec-vpn rule ike-rule]
	aviva@RouterA# set term ike then remote-gateway 10.0.15.2 
	aviva@RouterA# set term ike then dynamic ike-policy ike-dynamic-policy 
	aviva@RouterA# set match-direction input 

To configure IPSec, define a service set:

	[edit services service-set ipsec-dynamic]
	aviva@RouterA# set ipsec-vpn-rules ike-rule 
	aviva@RouterA# set ipsec-vpn-options local-gateway 10.1.15.1 
	aviva@RouterA# set next-hop-service inside-service-interface sp-1/2/0.1 
	aviva@RouterA# set next-hop-service outside-service-interface sp-1/2/0.2 

Next, configure the router interfaces. First, set up the service interfaces to use for IPSec:

	[edit interfaces]
	aviva@RouterA# set sp-1/2/0 unit 0 family inet
	aviva@RouterA# set sp-1/2/0 unit 1 family inet
	aviva@RouterA# set sp-1/2/0 unit 1 service-domain inside
	aviva@RouterA# set sp-1/2/0 unit 2 family inet
	aviva@RouterA# set sp-1/2/0 unit 2 service-domain outside

Then, configure the physical interface to be used for the IPSec tunnel:

	[edit interfaces]
	aviva@RouterA# set so-0/0/1 unit 0 family inet address 10.1.15.1/30

Finally, configure the domain's IGP traffic to use the IPSec tunnel:

	[edit protocols ospf area 0.0.0.0]
	aviva@RouterA# set interface so-0/0/0
	aviva@RouterA# set interface lo0.0 passive
	aviva@RouterA# set interface sp-1/2/0.1

 

Discussion

The JUNOS IPSec configuration for routers with AS PICs is quite different from that for the ES PIC, because the AS PIC uses a different ASIC with its own architecture. Instead of configuring at the [edit security] hierarchy, you configure IPSec at the [edit services] hierarchy, creating what the JUNOS software calls service sets, which reference IPSec VPN rules for setting up the IKE and IPSec SAs. You also create service sets and rules for the other services that run on the AS PIC, such as Network Address Translation (NAT) and stateful firewall. On M-series and T-series routers the AS PIC is a hardware module installed in the chassis. You use the same configuration on J-series routers, which don't have an AS PIC but instead have built-in software emulation of the AS PIC functionality.

The basic requirements for configuring IPSec with an AS PIC are the same as for the ES PIC: you define an IKE proposal and policy and an IPSec proposal and policy. This recipe uses the default IKE and IPSec proposal and policy settings (see Table 3-1), so no configuration commands are necessary for them. Be aware that these defaults reflect the era of the recipe: Triple DES, SHA-1 and 1,024-bit Diffie-Hellman group 2 are no longer considered adequate, and a preshared key must be long and random rather than a memorable word. Where the installed release supports stronger algorithms, configure explicit proposals rather than relying on the defaults.

Table 3-1. IPSec and IKE defaults with AS PIC

	Value                        IKE default                   IPSec default
	------------------------------------------------------------------------------------
	Proposal values
	  Authentication algorithm   SHA-1                         HMAC-SHA-1-96
	  Authentication method      Preshared keys                Not applicable
	  Diffie-Hellman keys        group2 (1,024-bit DH)         Not applicable
	  Encryption algorithm       Triple DES CBC                Triple DES CBC
	  Protocol                   Not applicable                ESP
	  SA lifetime                3,600 seconds                 28,800 seconds
	Policy values
	  Proposal name to reference Default                       Default
	  PFS Diffie-Hellman keys    Not applicable                group2 (1,024-bit DH)
	  Policy mode                main                          Not applicable

The first part of this recipe configures IKE. The set ike policy command defines an IKE policy named ike-dynamic-policy. This recipe uses the default policy settings (main mode and the default proposal). Because preshared keys are the default IKE authentication method, the only thing you have to configure is the key itself, and it must be identical on both gateways.

Next, define a rule for the IKE SA. This recipe creates the rule named ike-rule. The rule has two set term commands that are similar in syntax to a policy or firewall then statement. The first command sets the address of the remote IPSec gateway (here, 10.0.15.2), which is the peer that IKE negotiates with and the destination of the ESP packets; the second command associates the IKE policy with the SA so that matching packets can be sent across the IPSec tunnel. The final statement in the rule, set match-direction input, is required: every service rule must state whether its terms are applied to traffic entering the service interface (input), leaving it (output), or both. This can seem odd in an IPSec rule, because an IKE-negotiated tunnel is bidirectional regardless, but the direction governs how the rule is matched, not the direction of the SAs. The IKE SA rule is effectively a firewall filter, directing traffic into and out of the IPSec tunnel, so you don't need to configure a separate firewall filter as you do when configuring the ES PIC.

Next, configure IPSec. You do this by creating a service set that defines IPSec-specific information. (You can configure multiple services on a single AS PIC, each in its own service set.) The service set in this recipe is called ipsec-dynamic. The first command associates the IKE SA rule with the service set, and the second command defines the address of the local end of the IPSec tunnel, which must be an address configured on the router and reachable by the remote gateway. The last two commands configure the logical interfaces that participate in the IPSec service. The set next-hop-service inside-service-interface command configures the inward-facing logical interface, and the set next-hop-service outside-service-interface command configures the logical interface that faces the remote IPSec site. You configure these interfaces at the [edit interfaces] level. The final part of the IPSec configuration is to define an IPSec proposal and policy. This recipe uses the default values (see Table 3-1), so no configuration commands are required.
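Because the recipe relies on the defaults, it never shows what an explicit proposal and policy look like, which is exactly what you need when you want to change any of the values in Table 3-1. The following is an added example, not part of the recipe or of Juniper's own documentation: first Table 3-1's defaults written out explicitly under [edit services ipsec-vpn], then the same knobs set to stronger values as set commands. The proposal and policy names are arbitrary, and the stronger values (AES-256-CBC and Diffie-Hellman group 5) assume that the installed JUNOS release and AS PIC support them.

```junos
## Added example: Table 3-1 defaults made explicit. Names are arbitrary; the
## recipe itself configures none of this and gets identical behaviour by default.
[edit services ipsec-vpn]
ike {
    proposal ike-proposal-default {          # <-- equals the IKE defaults in Table 3-1
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
    policy ike-dynamic-policy {
        mode main;
        proposals ike-proposal-default;
        pre-shared-key ascii-text $1991poPPi;
    }
}
ipsec {
    proposal ipsec-proposal-default {        # <-- equals the IPSec defaults in Table 3-1
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 28800;
    }
    policy ipsec-dynamic-policy {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals ipsec-proposal-default;
    }
}
rule ike-rule {
    term ike {
        then {
            remote-gateway 10.0.15.2;
            dynamic {
                ike-policy ike-dynamic-policy;
                ipsec-policy ipsec-dynamic-policy;   # <-- needed once you define your own IPSec policy
            }
        }
    }
    match-direction input;
}

## Same structure with stronger algorithms (assumes the release and PIC support
## aes-256-cbc and group5). Change both gateways together; otherwise IKE fails
## with no matching proposal and the SA never reaches the Matured state.
set services ipsec-vpn ike proposal ike-proposal-strong authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike-proposal-strong dh-group group5
set services ipsec-vpn ike proposal ike-proposal-strong authentication-algorithm sha1
set services ipsec-vpn ike proposal ike-proposal-strong encryption-algorithm aes-256-cbc
set services ipsec-vpn ike proposal ike-proposal-strong lifetime-seconds 3600
set services ipsec-vpn ike policy ike-dynamic-policy proposals ike-proposal-strong
set services ipsec-vpn ipsec proposal ipsec-proposal-strong protocol esp
set services ipsec-vpn ipsec proposal ipsec-proposal-strong authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal ipsec-proposal-strong encryption-algorithm aes-256-cbc
set services ipsec-vpn ipsec proposal ipsec-proposal-strong lifetime-seconds 3600
set services ipsec-vpn ipsec policy ipsec-dynamic-policy perfect-forward-secrecy keys group5
set services ipsec-vpn ipsec policy ipsec-dynamic-policy proposals ipsec-proposal-strong
```

The proposals statement in a policy is a list, so if you start from the explicit configuration in the first half, delete the -default proposal references before committing the -strong ones; otherwise the policy offers both and the peer may still pick the weaker one. After the change, show services ipsec-vpn ipsec security-associations detail should report Encryption: aes-256-cbc for both directions.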

For IPSec to work, you need to configure the interfaces on the AS PIC, which are services (sp-) interfaces. For J-series routers, configure the sp-0/0/0 interface. You also configure the physical interface that carries the IPSec tunnel.

For the services interface, you configure logical interfaces. The service interface in this recipe has three logical interfaces. The first, unit 0, has no special configuration; you just set it to support IPv4 traffic (family inet). The other two logical interfaces handle the IPSec traffic. The first one, unit 1 in this recipe, is for inward-facing traffic (service-domain inside); it is the logical interface you include in the set next-hop-service inside-service-interface command. The second logical interface, unit 2, is for outward-facing traffic (service-domain outside); it is the one you include in the set next-hop-service outside-service-interface command. Both the service-domain statement and the matching next-hop-service statement must be present, or the service set does not become active.

This recipe uses the so-0/0/1 interface to carry the IPSec tunnel.

To direct traffic from the local domain into the IPSec tunnel, include the inside services logical interface when configuring the IGP. This recipe uses OSPF and adds the services interface with the set interface sp-1/2/0.1 command, where unit 1 is the inside unit of the service set. The OSPF adjacency with the remote gateway forms through the tunnel, so routes learned over it point at sp-1/2/0.1; traffic for the remote site is routed into that interface, encrypted by the service set, and forwarded out the outside unit toward the remote gateway.

Configure the security gateway router at the remote site in the same way, using the appropriate address and interface names: its local-gateway is this router's remote-gateway and vice versa, and the preshared key must be identical on both ends.
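To make the mirroring concrete, here is the remote gateway's configuration as an added example (not from the recipe): the two gateway addresses swap roles, the IKE policy carries the same preshared key, and the service-set and interface structure is repeated. The hostname RouterB, the so-0/0/1 and so-0/0/0 interface assignments, the 10.0.15.2/30 address and the sp-1/2/0 slot are assumptions made for the example; substitute the remote router's real names. The recipe places the two gateways on different /30s (10.1.15.1 and 10.0.15.2), so the example also assumes the intervening network routes between them, since IKE and ESP travel outside the tunnel.

```junos
## RouterB (assumed name): remote security gateway, mirroring RouterA.
## Interface names, the sp-1/2/0 slot and the so-0/0/1 address are assumptions.
[edit services]
service-set ipsec-dynamic {
    next-hop-service {
        inside-service-interface sp-1/2/0.1;
        outside-service-interface sp-1/2/0.2;
    }
    ipsec-vpn-options {
        local-gateway 10.0.15.2;           # <-- RouterA's remote-gateway
    }
    ipsec-vpn-rules ike-rule;
}
ipsec-vpn {
    rule ike-rule {
        term ike {
            then {
                remote-gateway 10.1.15.1;  # <-- RouterA's local-gateway
                dynamic {
                    ike-policy ike-dynamic-policy;
                }
            }
        }
        match-direction input;
    }
    ike {
        policy ike-dynamic-policy {
            pre-shared-key ascii-text $1991poPPi;   # <-- must match RouterA byte for byte
        }
    }
}

[edit interfaces]
so-0/0/1 {                                 # <-- assumed interface toward RouterA
    unit 0 {
        family inet {
            address 10.0.15.2/30;          # <-- assumed; is the local-gateway address
        }
    }
}
sp-1/2/0 {
    unit 0 {
        family inet;
    }
    unit 1 {
        family inet;
        service-domain inside;
    }
    unit 2 {
        family inet;
        service-domain outside;
    }
}

[edit protocols]
ospf {
    area 0.0.0.0 {
        interface so-0/0/0;                # <-- assumed link into RouterB's own domain
        interface lo0.0 passive;
        interface sp-1/2/0.1;              # <-- adjacency with RouterA forms through the tunnel
    }
}
```

After committing on both routers, run show services ipsec-vpn ike security-associations on each: the entry for the peer should reach the Matured state. If it never does, the most common causes are a preshared key that differs between the two policies, a local-gateway that is not an address on the router, or gateways that cannot reach each other outside the tunnel.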

You can check that the IKE SA negotiation is successful:

	aviva@RouterA> show services ipsec-vpn ike security-associations
	Remote Address   State     Initiator cookie   Responder cookie   Exchange type
	10.0.15.2        Matured   03075bd3a0000003   4bff26a5c7000003   Main

Use the following command to check that the IPSec SA is active:

	aviva@RouterA> show services ipsec-vpn ipsec security-associations detail
	Service set: ipsec-dynamic

	 Rule: ike-rule, Term: ike, Tunnel index: 1
	 Local gateway: 10.1.15.1, Remote gateway: 10.0.15.2
	 Local identity: ipv4_subnet(any:0,[0..7]=10.0.15.30/24)
	 Remote identity: ipv4_subnet(any:0,[0..7]=10.0.15.20/24)

	 Direction: inbound, SPI: 2666326758, AUX-SPI: 0
	 Mode: tunnel, Type: dynamic, State: Installed
	 Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
	 Soft lifetime: Expires in 26863 seconds
	 Hard lifetime: Expires in 26998 seconds
	 Anti-replay service: Enabled, Replay window size: 64
	 
	 Direction: outbound, SPI: 684772754, AUX-SPI: 0
	 Mode: tunnel, Type: dynamic, State: Installed
	 Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
	 Soft lifetime: Expires in 26863 seconds
	 Hard lifetime: Expires in 26998 seconds
	 Anti-replay service: Enabled, Replay window size: 64

The output shows that the SA is using the default settings, including ESP for the protocol and HMAC-SHA1-96 for the authentication algorithm.

To check that traffic is traveling over the IPSec tunnel, use the following command:

	aviva@RouterA> show services ipsec-vpn ipsec statistics
	PIC: sp-1/2/0, Service set: ipsec-dynamic

	ESP Statistics:
	 Encrypted bytes: 2248
	 Decrypted bytes: 2120
	 Encrypted packets: 27
	 Decrypted packets: 25
	AH Statistics:
	 Input bytes: 0
	 Output bytes: 0
	 Input packets: 0
	 Output packets: 0
	Errors:
	 AH authentication failures: 0, Replay errors: 0
	 ESP authentication failures: 0, ESP decryption failures: 0
	 Bad headers: 0, Bad trailers: 0

Again, it's worthwhile showing all sections of the configuration together, with added comments:

	[edit services]
	service-set ipsec-dynamic {
	    next-hop-service {
	        inside-service-interface sp-1/2/0.1;   # <-- bind IPSec to sp-1/2/0.1 interface
	        outside-service-interface sp-1/2/0.2;  # <-- bind IPSec to sp-1/2/0.2 interface
	    }
	    ipsec-vpn-options {
	        local-gateway 10.1.15.1;               # <-- define local side of IPSec tunnel
	    }
	    ipsec-vpn-rules ike-rule;                  # <-- bind IKE rule to service set
	}
	ipsec-vpn {
	    rule ike-rule {                            # <-- policy to allow traffic into IPSec tunnel
	        term ike {
	            then {
	                remote-gateway 10.0.15.2;
	                dynamic {
	                    ike-policy ike-dynamic-policy;   # <-- bind IKE policy to IPSec
	                }
	            }
	        }
	        match-direction input;
	    }
	    ike {                                      # <-- define IKE policy
	        policy ike-dynamic-policy {
	            pre-shared-key ascii-text $1991poPPi;
	        }
	    }
	}

	[edit interfaces]
	so-0/0/1 {                                     # <-- physical interface for IPSec tunnel
	    unit 0 {
	        family inet {
	            address 10.1.15.1/30;
	        }
	    }
	}
	sp-1/2/0 {                                     # <-- services interface to IPSec
	    unit 0 {
	        family inet;
	    }
	    unit 1 {                                   # <-- logical interface for IPSec inward-facing traffic
	        family inet;
	        service-domain inside;
	    }
	    unit 2 {                                   # <-- logical interface for IPSec outward-facing traffic
	        family inet;
	        service-domain outside;
	    }
	}

	[edit protocols]
	ospf {
	    area 0.0.0.0 {
	        interface so-0/0/0;
	        interface lo0.0 passive;
	        interface sp-1/2/0.1;                  # <-- direct OSPF traffic into IPSec tunnel
	    }
	}



JUNOS Cookbook
Junos Cookbook (Cookbooks (OReilly))
ISBN: 0596100140
Year: 2007
Pages: 290
Authors: Aviva Garrett
