Sample Configuration IPSEC tunnel terminating into VRF

Article ID: KB13138   Last Updated: 12 Jun 2009   Version: 1.0
Summary:
Configuration of an IPsec tunnel terminating in a VRF.
Symptoms:
Sample Configuration IPSEC tunnel terminating into VRF
Solution:
Below is the setup used for an IPsec tunnel terminating in a VRF.

Topology
Seaborgium ge-0/1/1 ------------------- ge-0/1/1 Hafnium

In this setup Seaborgium acts as the PE and Hafnium as the CE.

On Seaborgium, ge-0/1/1 is placed in the VRF test-ipsec-vpn.

Configuration

Below is the configuration on Seaborgium:
{MASTER}[edit]
jtac@Seaborgium-RE0# show interfaces ge-0/1/1
unit 0 {
    family inet {
        address 99.99.99.2/30;
    }
}

{MASTER}[edit]
jtac@Seaborgium-RE0# show interfaces sp-1/1/0
unit 0 {
    family inet;
}
unit 1 {
    family inet;
    service-domain inside;
}
unit 2 {
    family inet;
    service-domain outside;
}

{MASTER}[edit]
jtac@Seaborgium-RE0# show interfaces lo0
unit 0 {
    family inet {
        address 1.1.1.1/32;
    }
}

{MASTER}[edit]
jtac@Seaborgium-RE0# show routing-instances
test-ipsec-vpn {
    instance-type vrf;
    interface ge-0/1/1.0;   >>> connecting to CE (Hafnium)
    interface sp-1/1/0.1;   >>> inside sp interface
    interface sp-1/1/0.2;   >>> outside sp interface
    interface lo0.0;
    route-distinguisher 9304:9999;
    vrf-target target:9304:9999;
    vrf-table-label;
    routing-options {
        static {
            route 2.2.2.2/32 next-hop sp-1/1/0.1;   >>> to test IPsec statistics
        }
    }
}

{MASTER}[edit]
jtac@Seaborgium-RE0# show services
ipsec-vpn {
    rule screenos-junos {
        term 1 {
            then {
                remote-gateway 99.99.99.1;
                dynamic {
                    ike-policy test-p1-pro;
                    ipsec-policy test-p2-pro;
                }
            }
        }
        match-direction input;
    }
    ipsec {
        proposal test-p2-pro {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 500;
        }
        policy test-p2-pro {
            perfect-forward-secrecy {
                keys group1;
            }
            proposals test-p2-pro;
        }
    }
    ike {
        proposal test-p1-pro {
            authentication-method pre-shared-keys;
            dh-group group1;
            authentication-algorithm sha1;
            encryption-algorithm des-cbc;
        }
        policy test-p1-pro {
            proposals test-p1-pro;
            pre-shared-key ascii-text "$9$DwiHmf5Fn6AYgoGDjPfTz36/tu0IEhrqmfz3npuO1RhclKvLx7VCtu1REeK"; ## SECRET-DATA
        }
    }
    establish-tunnels immediately;
}
service-set screenos-junos {
    ipsec-vpn-options {
        local-gateway 99.99.99.2 routing-instance test-ipsec-vpn;   >>> very important to include routing-instance
    }
    ipsec-vpn-rules screenos-junos;
    next-hop-service {
        inside-service-interface sp-1/1/0.1;
        outside-service-interface sp-1/1/0.2;
    }
}

{MASTER}[edit]
jtac@Seaborgium-RE0#
Below is the configuration on Hafnium; this is a normal next-hop-style IPsec configuration.

[edit]
jtac@Arun-Hafnium-RE0# show interfaces ge-0/1/1
unit 0 {
    family inet {
        address 99.99.99.1/30;
    }
}

[edit]
jtac@Arun-Hafnium-RE0# show interfaces lo0
unit 0 {
    family inet {
        address 2.2.2.2/32;
    }
}

[edit]
jtac@Arun-Hafnium-RE0# show services
service-set screenos-junos {
    next-hop-service {
        inside-service-interface sp-0/3/0.1;
        outside-service-interface sp-0/3/0.2;
    }
    ipsec-vpn-options {
        local-gateway 99.99.99.1;
    }
    ipsec-vpn-rules screenos-junos;
}
ipsec-vpn {
    rule screenos-junos {
        term 1 {
            then {
                remote-gateway 99.99.99.2;
                dynamic {
                    ike-policy test-p1-pro;
                    ipsec-policy test-p2-pro;
                }
            }
        }
        match-direction input;
    }
    ipsec {
        proposal test-p2-pro {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 500;
        }
        policy test-p2-pro {
            perfect-forward-secrecy {
                keys group1;
            }
            proposals test-p2-pro;
        }
    }
    ike {
        proposal test-p1-pro {
            authentication-method pre-shared-keys;
            dh-group group1;
            authentication-algorithm sha1;
            encryption-algorithm des-cbc;
        }
        policy test-p1-pro {
            proposals test-p1-pro;
            pre-shared-key ascii-text "$9$0vtQB1hSyKMWx369p0OcSrevW87-ds2gJRhSevMN-VwYg4ZUDk.mTX7-wY2GU"; ## SECRET-DATA
        }
    }
    establish-tunnels immediately;
}

[edit]
jtac@Arun-Hafnium-RE0# show routing-options
static {
    route 1.1.1.1/32 next-hop sp-0/3/0.1;
}

[edit]
jtac@Arun-Hafnium-RE0#
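The proposals on both routers use des-cbc, DH group1 and sha1 with a 500-second lifetime, which is fine for this lab but would not pass a current crypto baseline. The following is an added Python example, not from the article: it flattens the curly-brace hierarchy shown above into (path, statement) pairs and flags those settings; the lifetime floor is an assumption, and SAMPLE is a constructed excerpt of the proposals above.

```python
import re

# Constructed excerpt of the 'show services' output above: both proposals plus the
# policy that carries the PFS group. Only '{', '}' and ';' carry structure.
SAMPLE = """
ipsec {
    proposal test-p2-pro { protocol esp; authentication-algorithm hmac-sha1-96;
                           encryption-algorithm des-cbc; lifetime-seconds 500; }
    policy test-p2-pro { perfect-forward-secrecy { keys group1; } proposals test-p2-pro; }
}
ike {
    proposal test-p1-pro { authentication-method pre-shared-keys; dh-group group1;
                           authentication-algorithm sha1; encryption-algorithm des-cbc; }
}
"""

# Statements a current baseline rejects: single DES (withdrawn by NIST in 2005),
# group1 (768-bit MODP), and SHA-1, which is being phased out in favour of SHA-2.
WEAK = {
    "encryption-algorithm des-cbc": "single DES, 56-bit key",
    "dh-group group1": "768-bit MODP Diffie-Hellman",
    "keys group1": "768-bit MODP PFS group",
    "authentication-algorithm sha1": "SHA-1, prefer SHA-2",
    "authentication-algorithm hmac-sha1-96": "HMAC-SHA-1, prefer SHA-2",
}

def parse_junos(text):
    """Flatten curly-brace Junos config into (path, statement) pairs, e.g.
    ('ike proposal test-p1-pro', 'dh-group group1')."""
    path, words, statements = [], [], []
    for tok in re.findall(r"[{};]|[^{};\s]+", text):
        if tok == "{":
            path.append(" ".join(words)); words = []
        elif tok == ";":
            statements.append((" ".join(path), " ".join(words))); words = []
        elif tok == "}":
            path.pop()
        else:
            words.append(tok)
    return statements

def audit(text, min_lifetime=3600):
    """One finding per weak statement, tagged with the hierarchy it sits in.
    min_lifetime is an assumed floor; the article's 500 s is a lab value."""
    findings = []
    for path, stmt in parse_junos(text):
        if stmt in WEAK:
            findings.append(f"{path}: {stmt} -> {WEAK[stmt]}")
        elif stmt.startswith("lifetime-seconds ") and int(stmt.split()[1]) < min_lifetime:
            findings.append(f"{path}: {stmt} -> below assumed floor of {min_lifetime} s")
    return findings
```

Running audit(SAMPLE) yields seven findings, one per weak statement, each prefixed with the proposal or policy it belongs to so the fix lands in the right hierarchy.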

Verify the IPsec tunnels:

{MASTER}[edit]
jtac@Seaborgium-RE0# run show services ipsec-vpn ike security-associations
Remote Address  State    Initiator cookie  Responder cookie  Exchange type
99.99.99.1      Matured  f46dfd5c98988bb8  51944e77e7055c0f  Main

{MASTER}[edit]
jtac@Seaborgium-RE0# run show services ipsec-vpn ipsec security-associations
Service set: screenos-junos, IKE Routing-instance: test-ipsec-vpn

Rule: screenos-junos, Term: 1, Tunnel index: 1
Local gateway: 99.99.99.2, Remote gateway: 99.99.99.1
IPSec inside interface: sp-1/1/0.1, Tunnel MTU: 1500
Direction  SPI         AUX-SPI  Mode    Type     Protocol
inbound    1240348654  0        tunnel  dynamic  ESP
outbound   2941928505  0        tunnel  dynamic  ESP
inbound    1258227566  0        tunnel  dynamic  ESP
outbound   754196477   0        tunnel  dynamic  ESP

{MASTER}[edit]
jtac@Seaborgium-RE0#

Verify the IPsec statistics. Clear the counters first so the deltas map directly onto the test traffic.

Before sending traffic:

{MASTER}[edit]
jtac@Seaborgium-RE0# run clear services ipsec-vpn ipsec statistics

{MASTER}[edit]
jtac@Seaborgium-RE0# run show services ipsec-vpn ipsec statistics
PIC: sp-1/1/0, Service set: screenos-junos

ESP Statistics:
Encrypted bytes: 0
Decrypted bytes: 0
Encrypted packets: 0
Decrypted packets: 0

AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0

{MASTER}[edit]
jtac@Seaborgium-RE0# run ping 2.2.2.2 source 1.1.1.1 routing-instance test-ipsec-vpn rapid count 1000
PING 2.2.2.2 (2.2.2.2): 56 data bytes
!!!!!!!!!<snip>
--- 2.2.2.2 ping statistics ---
1000 packets transmitted, 1000 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.935/1.128/24.051/1.338 ms

{MASTER}[edit]
jtac@Seaborgium-RE0# run show services ipsec-vpn ipsec statistics
PIC: sp-1/1/0, Service set: screenos-junos

ESP Statistics:
Encrypted bytes: 88000
Decrypted bytes: 88000
Encrypted packets: 1000
Decrypted packets: 1000

AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0

{MASTER}[edit]
jtac@Seaborgium-RE0#

On Hafnium:

[edit]
jtac@Arun-Hafnium-RE0# run show services ipsec-vpn ipsec statistics
PIC: sp-0/3/0, Service set: screenos-junos

ESP Statistics:
Encrypted bytes: 88000
Decrypted bytes: 88000
Encrypted packets: 1000
Decrypted packets: 1000

AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0

[edit]
jtac@Arun-Hafnium-RE0#
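The before and after counters above can be compared mechanically rather than by eye. The following is an added Python example, not from the article: it rebuilds the statistics output shown above as constructed strings, parses the counters, and checks that every echo was both encrypted and decrypted while the authentication, replay and decryption error counters stayed at zero. The 88 bytes per packet ratio is taken from the article's own counters (88000 bytes for 1000 packets).

```python
import re

def snapshot(enc_bytes, dec_bytes, enc_pkts, dec_pkts, replay_errors=0):
    """Constructed copy of the article's ipsec statistics output (sp-1/1/0,
    service set screenos-junos) with the ESP and replay counters filled in."""
    return (
        "PIC: sp-1/1/0, Service set: screenos-junos\n\nESP Statistics:\n"
        f"Encrypted bytes: {enc_bytes}\nDecrypted bytes: {dec_bytes}\n"
        f"Encrypted packets: {enc_pkts}\nDecrypted packets: {dec_pkts}\n\n"
        "AH Statistics:\nInput bytes: 0\nOutput bytes: 0\n"
        "Input packets: 0\nOutput packets: 0\nErrors:\n"
        f"AH authentication failures: 0, Replay errors: {replay_errors}\n"
        "ESP authentication failures: 0, ESP decryption failures: 0\n"
        "Bad headers: 0, Bad trailers: 0\n"
    )

# Counters that must not move during the test: an increase means ESP packets were
# dropped or tampered with, which a reachability-only check (the ping) can hide.
ERROR_COUNTERS = ("AH authentication failures", "Replay errors",
                  "ESP authentication failures", "ESP decryption failures",
                  "Bad headers", "Bad trailers")

def parse_stats(text):
    """Map each 'Counter name: <integer>' pair to its value; the Errors block
    puts two pairs on one line, so scan the whole text rather than split lines."""
    pairs = re.findall(r"([A-Za-z][A-Za-z ]*?):\s*(\d+)\b", text)
    return {name.strip(): int(value) for name, value in pairs}

def verify_tunnel(before, after, packets, bytes_per_packet=88):
    """Check that `packets` echo requests were all encrypted and decrypted and no
    error counter moved. 88 ESP bytes per 56-byte echo is the ratio the article's
    counters show (88000 bytes for 1000 packets). An empty list means healthy."""
    b, a = parse_stats(before), parse_stats(after)
    delta = {name: a[name] - b.get(name, 0) for name in a}
    findings = []
    for direction in ("Encrypted", "Decrypted"):
        for unit, expected in (("packets", packets), ("bytes", packets * bytes_per_packet)):
            got = delta[f"{direction} {unit}"]
            if got != expected:
                findings.append(f"{direction} {unit}: expected {expected}, got {got}")
    for name in ERROR_COUNTERS:
        if delta[name]:
            findings.append(f"{name} increased by {delta[name]}")
    return findings

if __name__ == "__main__":
    before = snapshot(0, 0, 0, 0)               # the pre-ping output above
    after = snapshot(88000, 88000, 1000, 1000)  # after 'ping ... rapid count 1000'
    print(verify_tunnel(before, after, 1000) or "tunnel carried all 1000 packets cleanly")
```

In practice the two snapshots come from the router (for example via a Junos automation session) and a non-empty findings list is what should page an operator, since a successful ping alone does not prove the traffic was encrypted.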