Sample Configuration IPSEC tunnel terminating into VRF

Article ID: KB13138 KB Last Updated: 26 Feb 2020Version: 2.0
Summary:
Configuration of IPSec tunnel for VRF.
Symptoms:
Sample Configuration IPSec tunnel terminating into VRF
Solution:
Below is the setup used for an IPSec tunnel terminating on VRF.

Topology
router1-ge-0/1/1------------------- ge-0/1/1-router2

In the above setup, router1 acts as the PE and router2 as the CE.

On router1 ge-0/1/1 is configured under VRF test-ipsec-vpn.

Configuration

Below is the configuration on router1:
[edit]
user@router1-RE0# show interfaces ge-0/1/1
unit 0 {
    family inet {
        address 99.99.99.2/30;
    }
}

[edit]
user@router1-RE0# show interfaces sp-1/1/0
unit 0 {
    family inet;
}
unit 1 {
    family inet;
    service-domain inside;
}
unit 2 {
    family inet;
    service-domain outside;
}

[edit]
user@router1-RE0# show interfaces lo0
unit 0 {
    family inet {
        address 1.1.1.1/32;
    }
}

[edit]
user@router1-RE0# show routing-instances
test-ipsec-vpn {
    instance-type vrf;
    interface ge-0/1/1.0;    >>> connecting to CE (router2)
    interface sp-1/1/0.1;    >>> inside sp interface
    interface sp-1/1/0.2;    >>> outside sp interface
    interface lo0.0;
    route-distinguisher 9304:9999;
    vrf-target target:9304:9999;
    vrf-table-label;
    routing-options {
        static {
            route 2.2.2.2/32 next-hop sp-1/1/0.1;    >>> to test IPsec statistics
        }
    }
}

[edit]
user@router1-RE0# show services
ipsec-vpn {
    rule screenos-junos {
        term 1 {
            then {
                remote-gateway 99.99.99.1;
                dynamic {
                    ike-policy test-p1-pro;
                    ipsec-policy test-p2-pro;
                }
            }
        }
        match-direction input;
    }
    ipsec {
        proposal test-p2-pro {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 500;
        }
        policy test-p2-pro {
            perfect-forward-secrecy {
                keys group1;
            }
            proposals test-p2-pro;
        }
    }
    ike {
        proposal test-p1-pro {
            authentication-method pre-shared-keys;
            dh-group group1;
            authentication-algorithm sha1;
            encryption-algorithm des-cbc;
        }
        policy test-p1-pro {
            proposals test-p1-pro;
            pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
        }
    }
    establish-tunnels immediately;
}
service-set screenos-junos {
    ipsec-vpn-options {
        local-gateway 99.99.99.2 routing-instance test-ipsec-vpn;    >>> very important to include routing-instance
    }
    ipsec-vpn-rules screenos-junos;
    next-hop-service {
        inside-service-interface sp-1/1/0.1;
        outside-service-interface sp-1/1/0.2;
    }
}
[edit]
user@router1-RE0#
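Both peers in this lab negotiate des-cbc, DH group1 and SHA-1 in the proposals above. As an added example that is not part of this article and not a Juniper tool, the following Python script parses Junos brace-style configuration text (the format `show configuration services` prints) into nested dictionaries and reports proposal settings that are no longer adequate. SAMPLE_CONFIG is a constructed copy of router1's ike and ipsec stanzas; the parser, the function names and the weakness tables are this example's own assumptions, and the rationale strings state well-known properties of the algorithms (single DES has a 56-bit key, group1 is 768-bit MODP, SHA-1 is a legacy hash), not findings taken from the page.

```python
from typing import Any, Dict, List, Tuple

# Constructed copy of the ike/ipsec proposal stanzas on router1 (not a device capture).
SAMPLE_CONFIG = """\
ipsec {
    proposal test-p2-pro {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm des-cbc;
        lifetime-seconds 500;
    }
    policy test-p2-pro {
        perfect-forward-secrecy {
            keys group1;
        }
        proposals test-p2-pro;
    }
}
ike {
    proposal test-p1-pro {
        authentication-method pre-shared-keys;
        dh-group group1;
        authentication-algorithm sha1;
        encryption-algorithm des-cbc;
    }
    policy test-p1-pro {
        proposals test-p1-pro;
        pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
    }
}
"""

# Rationale strings are well-known properties of the algorithms, not findings from the page.
WEAK_ENCRYPTION = {
    "des-cbc": "single DES: 56-bit key, recoverable by exhaustive search",
    "3des-cbc": "64-bit block cipher, deprecated for long-lived SAs",
}
WEAK_DH_GROUPS = {"group1": "768-bit MODP", "group2": "1024-bit MODP"}
LEGACY_HASHES = {"md5", "hmac-md5-96", "sha1", "hmac-sha1-96"}


def parse_junos(text: str) -> Dict[str, Any]:
    """Turn brace-style Junos config into nested dicts: 'name {' opens a stanza keyed by
    the whole header (e.g. 'proposal test-p1-pro'), 'key value;' is a leaf, repeated
    leaf keys collect into a list, and anything after '##' (SECRET-DATA) is ignored."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            child: Dict[str, Any] = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].strip().partition(" ")
            leaf: Any = value.strip() or True   # bare flags like 'vrf-table-label;' become True
            existing = stack[-1].get(key)
            if existing is None:
                stack[-1][key] = leaf
            elif isinstance(existing, list):
                existing.append(leaf)
            else:
                stack[-1][key] = [existing, leaf]
        else:
            raise ValueError(f"unparsed line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def audit_proposals(cfg: Dict[str, Any]) -> List[Tuple[str, str, str, str]]:
    """Return (stanza, statement, value, rationale) for every weak cipher, small DH
    group or legacy hash found in the ike and ipsec stanzas."""
    findings: List[Tuple[str, str, str, str]] = []
    for section in ("ike", "ipsec"):
        for name, stanza in cfg.get(section, {}).items():
            if not isinstance(stanza, dict):
                continue
            path = f"{section} {name}"
            enc = stanza.get("encryption-algorithm")
            if enc in WEAK_ENCRYPTION:
                findings.append((path, "encryption-algorithm", enc, WEAK_ENCRYPTION[enc]))
            # IKE proposals carry dh-group; IPsec policies carry it under perfect-forward-secrecy.
            dh = stanza.get("dh-group") or stanza.get("perfect-forward-secrecy", {}).get("keys")
            if dh in WEAK_DH_GROUPS:
                findings.append((path, "dh-group", dh, WEAK_DH_GROUPS[dh]))
            auth = stanza.get("authentication-algorithm")
            if auth in LEGACY_HASHES:
                findings.append((path, "authentication-algorithm", auth, "legacy hash, prefer SHA-2"))
    return findings


if __name__ == "__main__":
    for path, stmt, value, why in audit_proposals(parse_junos(SAMPLE_CONFIG)):
        print(f"{path}: {stmt} {value} -> {why}")
```

Feed it brace-format output (not `| display set`). Against the sample it reports six findings: des-cbc and group1 on both the IKE and IPsec side, plus the SHA-1 variants; on a production PE the same check is a quick way to catch a lab proposal that was copied forward unchanged.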

Below is the configuration on router2, which is a normal next-hop style IPsec configuration.

[edit]
user2@router2-RE0# show interfaces ge-0/1/1
unit 0 {
    family inet {
        address 99.99.99.1/30;
    }
}

[edit]
user2@router2-RE0# show interfaces lo0
unit 0 {
    family inet {
        address 2.2.2.2/32;
    }
}

[edit]
user2@router2-RE0# show services
service-set screenos-junos {
    next-hop-service {
        inside-service-interface sp-0/3/0.1;
        outside-service-interface sp-0/3/0.2;
    }
    ipsec-vpn-options {
        local-gateway 99.99.99.1;
    }
    ipsec-vpn-rules screenos-junos;
}
ipsec-vpn {
    rule screenos-junos {
        term 1 {
            then {
                remote-gateway 99.99.99.2;
                dynamic {
                    ike-policy test-p1-pro;
                    ipsec-policy test-p2-pro;
                }
            }
        }
        match-direction input;
    }
    ipsec {
        proposal test-p2-pro {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 500;
        }
        policy test-p2-pro {
            perfect-forward-secrecy {
                keys group1;
            }
            proposals test-p2-pro;
        }
    }
    ike {
        proposal test-p1-pro {
            authentication-method pre-shared-keys;
            dh-group group1;
            authentication-algorithm sha1;
            encryption-algorithm des-cbc;
        }
        policy test-p1-pro {
            proposals test-p1-pro;
            pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
        }
    }
    establish-tunnels immediately;
}

[edit]
user2@router2-RE0# show routing-options
static {
    route 1.1.1.1/32 next-hop sp-0/3/0.1;
}

[edit]
user2@router2-RE0#

Verify IPSEC tunnels:
 
[edit]
user@router-RE0# run show services ipsec-vpn ike security-associations
Remote Address State Initiator cookie Responder cookie Exchange type
99.99.99.1 Matured f46d000000008bb8 5194000000005c0f Main
[edit]
user@router-RE0# run show services ipsec-vpn ipsec security-associations
Service set: screenos-junos, IKE Routing-instance: test-ipsec-vpn

Rule: screenos-junos, Term: 1, Tunnel index: 1
Local gateway: 99.99.99.2, Remote gateway: 99.99.99.1
IPSec inside interface: sp-1/1/0.1, Tunnel MTU: 1500
Direction SPI AUX-SPI Mode Type Protocol
inbound 1240348654 0 tunnel dynamic ESP
outbound 2941928505 0 tunnel dynamic ESP
inbound 1258227566 0 tunnel dynamic ESP
outbound 754196477 0 tunnel dynamic ESP

 
[edit]
user@router-RE0#

Verify IPSEC statistics:

Before sending traffic:

[edit]
user@router-RE0# run clear services ipsec-vpn ipsec statistics

[edit]
user@router-RE0# run show services ipsec-vpn ipsec statistics
PIC: sp-1/1/0, Service set: screenos-junos

ESP Statistics:
Encrypted bytes: 0
Decrypted bytes: 0
Encrypted packets: 0
Decrypted packets: 0

AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0

[edit]
user@router-RE0# run ping 2.2.2.2 source 1.1.1.1 routing-instance test-ipsec-vpn rapid count 1000
PING 2.2.2.2 (2.2.2.2): 56 data bytes
!!!!!!!!!<snip>
--- 2.2.2.2 ping statistics ---
1000 packets transmitted, 1000 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.935/1.128/24.051/1.338 ms

[edit]
user@router-RE0# run show services ipsec-vpn ipsec statistics
PIC: sp-1/1/0, Service set: screenos-junos

ESP Statistics:
Encrypted bytes: 88000
Decrypted bytes: 88000
Encrypted packets: 1000
Decrypted packets: 1000

AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0

[edit]
user@router-RE0#

On router2:

[edit]
user2@router2-RE0# run show services ipsec-vpn ipsec statistics
PIC: sp-0/3/0, Service set: screenos-junos

ESP Statistics:
Encrypted bytes: 88000
Decrypted bytes: 88000
Encrypted packets: 1000
Decrypted packets: 1000

AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0

[edit]
user2@router2-RE0#
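As an added example that is not part of this article, the following Python helper automates the two verification steps above. It reads `show services ipsec-vpn ipsec security-associations` output and confirms that the SA came up inside the expected service set and routing instance (the `routing-instance` knob on `local-gateway` that the configuration comment marks as very important) with the expected gateway pair and both ESP directions present, then diffs `show services ipsec-vpn ipsec statistics` before and after a known ping burst so that dropped or rejected packets surface as a non-empty problem list rather than being eyeballed. The sample outputs are constructed copies of the captures shown above (1000 pings, 88000 bytes, as on the page); the function names and the expected-value arguments are this example's own.

```python
import re
from typing import Dict, List

# Constructed copies of the verification outputs shown in this article.
SA_OUTPUT = """\
Service set: screenos-junos, IKE Routing-instance: test-ipsec-vpn

Rule: screenos-junos, Term: 1, Tunnel index: 1
Local gateway: 99.99.99.2, Remote gateway: 99.99.99.1
IPSec inside interface: sp-1/1/0.1, Tunnel MTU: 1500
Direction SPI AUX-SPI Mode Type Protocol
inbound 1240348654 0 tunnel dynamic ESP
outbound 2941928505 0 tunnel dynamic ESP
"""

STATS_BEFORE = """\
PIC: sp-1/1/0, Service set: screenos-junos

ESP Statistics:
Encrypted bytes: 0
Decrypted bytes: 0
Encrypted packets: 0
Decrypted packets: 0

AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
"""

# The "after" capture differs only in the four ESP counters (1000 pings, 88 bytes each).
STATS_AFTER = STATS_BEFORE
for _name, _value in (("Encrypted bytes", 88000), ("Decrypted bytes", 88000),
                      ("Encrypted packets", 1000), ("Decrypted packets", 1000)):
    STATS_AFTER = STATS_AFTER.replace(f"{_name}: 0\n", f"{_name}: {_value}\n")

COUNTER_RE = re.compile(r"([A-Za-z ]+?):\s*(\d+)")
ERROR_COUNTERS = ("AH authentication failures", "Replay errors",
                  "ESP authentication failures", "ESP decryption failures",
                  "Bad headers", "Bad trailers")
SA_HEADER_RE = re.compile(r"Service set: ([^,]+), IKE Routing-instance: (\S+)")
GATEWAY_RE = re.compile(r"Local gateway: ([^,]+), Remote gateway: (\S+)")


def parse_stats(text: str) -> Dict[str, int]:
    """Map every 'Name: N' pair in the statistics output to an int, including the
    comma-separated pairs on the Errors lines; header and section lines are skipped."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        if line.startswith("PIC:") or line.endswith(":"):
            continue
        for name, value in COUNTER_RE.findall(line):
            counters[name.strip()] = int(value)
    return counters


def check_sa(text: str, service_set: str, routing_instance: str,
             local_gw: str, remote_gw: str) -> List[str]:
    """Confirm the SA belongs to the expected service set and routing instance,
    that the gateway pair matches the configuration, and that both ESP directions exist."""
    problems: List[str] = []
    head = SA_HEADER_RE.search(text)
    if not head:
        return ["no IPsec SA present"]
    if head.group(1) != service_set or head.group(2) != routing_instance:
        problems.append(f"SA in {head.group(1)}/{head.group(2)}, expected {service_set}/{routing_instance}")
    gw = GATEWAY_RE.search(text)
    if not gw or (gw.group(1), gw.group(2)) != (local_gw, remote_gw):
        problems.append("gateway pair does not match the configured service set")
    seen = {line.split()[0] for line in text.splitlines() if line.startswith(("inbound", "outbound"))}
    missing = {"inbound", "outbound"} - seen
    if missing:
        problems.append(f"missing ESP direction(s): {sorted(missing)}")
    return problems


def check_traffic(before: Dict[str, int], after: Dict[str, int], expected_packets: int) -> List[str]:
    """Diff the counters around a known burst (e.g. 'ping ... rapid count 1000') and
    report packet-count mismatches and any error counter that moved."""
    delta = {k: after[k] - before.get(k, 0) for k in after}
    problems: List[str] = []
    for name in ("Encrypted packets", "Decrypted packets"):
        if delta[name] != expected_packets:
            problems.append(f"{name} moved by {delta[name]}, expected {expected_packets}")
    for name in ERROR_COUNTERS:
        if delta.get(name, 0):
            problems.append(f"{name} incremented by {delta[name]}")
    return problems


if __name__ == "__main__":
    print(check_sa(SA_OUTPUT, "screenos-junos", "test-ipsec-vpn", "99.99.99.2", "99.99.99.1"))
    print(check_traffic(parse_stats(STATS_BEFORE), parse_stats(STATS_AFTER), 1000))
```

An empty list from both checks is the healthy result. A tunnel that negotiated in the wrong routing instance (the failure this article's `routing-instance` option prevents) or one whose ESP authentication or replay counters move during the burst is reported by name, which is easier to act on than comparing two counter dumps by hand.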
Modification History:
2020-02-26: minor non-technical edits.