
Configuration example of Dynamic IPSEC VPN with ADSL


Article ID: KB14264 KB Last Updated: 26 Feb 2020Version: 2.0
Summary:
Dynamic IPSEC VPN for ADSL Customers
Symptoms:

This document contains an IPsec configuration example (using packet-based Junos OS) for the case where the client's IP address keeps changing. This commonly occurs with ADSL customers, where the CPE obtains its WAN address from the ISP's DHCP server, so the head-end cannot be configured with a fixed remote-gateway address and must instead accept the tunnel from any peer address.

Solution:

Topology:

 Node_1----->Device1(DHCP Relay)--->Device2(Dhcp Server)--->Device3(M10i)---->Node-2

(Customer)                |------------ISP------------|             

 

                   |<-----------------IPSEC------------------>|

Topology overview:


Device1:  Initiates the IPsec tunnel to the head-office (HO) location (Device3); in this lab it stands in for the ADSL CPE. It also acts as the DHCP relay agent on the customer end.
Device3:  Configured as a dynamic IPsec endpoint (IKE access profile with "client *"), so it accepts a tunnel from any peer address that presents the configured pre-shared key. Because the peer is identified only by that shared key, use a strong, per-customer key in place of the placeholder shown below.
Node-1 and Node-2:  Used to test end-to-end connectivity.
Device2:  Router at the ISP end, which provides the DHCP service.

 

 

Relevant Configurations:

Device1:


 

/* Device1 (customer CPE / IPsec initiator). */
interfaces {
/* Customer LAN. 192.168.1.1 is also the default-gateway address handed out by Device2's DHCP pool. */
fe-0/0/0 {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
/* Adaptive-services PIC: unit 1 is the protected (inside) side of the service set, unit 2 the ISP-facing (outside) side. */
sp-1/2/0 {
unit 1 {
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
}
/* WAN uplink to Device2 (193.1.1.1) on VLAN 50; 193.1.1.2 is used as the IPsec local-gateway address. */
ge-1/3/0 {
vlan-tagging;
unit 50 {
vlan-id 50;
family inet {
address 193.1.1.2/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 10.1.1.1/32;
}
}
}
}
/* DHCP relay: client requests arriving on the listed interfaces are forwarded to Device2 (193.1.1.1). */
forwarding-options {
dhcp-relay {
server-group {
DHCP_SERVER {
193.1.1.1;
}
}
active-server-group DHCP_SERVER;
group DHCP {
interface fe-0/0/0.0;
/* fe-0/3/0.0 and fe-0/3/1.0 are not defined in the interfaces stanza shown above; they are either omitted from this excerpt or stale - verify before reusing. */
interface fe-0/3/0.0;
interface fe-0/3/1.0;
}
}
}
routing-options {
static {
/* The head-office subnet is reached through the inside service interface, i.e. inside the tunnel. */
route 192.1.1.0/24 next-hop sp-1/2/0.1;
/* Host routes to Device3's IKE gateway address (10.0.2.18) and Device2's loopback (10.0.6.1) via the ISP next hop. */
route 10.0.2.18/32 next-hop 193.1.1.1;
route 10.0.6.1/32 next-hop 193.1.1.1;
}
}
/* IKE access profile. Device1's service set below does not reference it (the tunnel is initiated by the static rule with remote-gateway 10.0.2.18); it mirrors the responder-side profile on Device3 and is shown for completeness. */
access {
profile demo-ike-access-profile {
/* "client *" matches any IKE identity: the peer is authenticated solely by the pre-shared key below. */
client * {
ike {
/* Any local/remote traffic selector is accepted. Narrow these to the real subnets where the deployment allows it. */
allowed-proxy-pair local 0.0.0.0/0 remote 0.0.0.0/0;
/* "$ABC123" is a placeholder. Use a long random key, unique per customer; anyone who can read the configuration (including its $9$ obfuscated form) can recover it. */
pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
interface-id demo-ipsec-interface-id;
}
}
}
}
services {
service-set SERVICE-SET {
/* Next-hop style service set: traffic routed to sp-1/2/0.1 enters the tunnel, sp-1/2/0.2 faces the ISP. */
next-hop-service {
inside-service-interface sp-1/2/0.1;
outside-service-interface sp-1/2/0.2;
}
ipsec-vpn-options {
/* Source address for IKE/ESP (the ge-1/3/0.50 address). Device3 accepts any peer address through its access profile, so this value can change without touching Device3. */
local-gateway 193.1.1.2;
}
ipsec-vpn-rules IPSEC-RULE;
}
ipsec-vpn {
rule IPSEC-RULE {
term 1 {
from {
/* Only traffic destined to the head-office subnet is encrypted. */
destination-address {
192.1.1.0/24;
}
}
then {
/* Device3's fixed IKE gateway address. */
remote-gateway 10.0.2.18;
dynamic {
ike-policy IKE-POLICY;
ipsec-policy IPSEC-POLICY;
}
}
}
match-direction input;
}
ipsec {
proposal IPSEC-PROPOSAL {
protocol esp;
/* Legacy algorithms: 3DES has a 64-bit block (Sweet32-class attacks on long-lived SAs) and SHA-1 is deprecated. Prefer aes-256-cbc with hmac-sha-256-128 where the PIC and release support them. */
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
}
policy IPSEC-POLICY {
perfect-forward-secrecy {
/* group2 is 1024-bit MODP; use group14 (2048-bit) or stronger if supported. */
keys group2;
}
proposals IPSEC-PROPOSAL;
}
}
ike {
proposal IKE-PROPOSAL {
authentication-method pre-shared-keys;
/* Same legacy-algorithm caveat as the IPsec proposal: prefer sha-256 and aes-256-cbc if supported. */
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
}
policy IKE-POLICY {
/* Main mode keeps the peer identities encrypted; aggressive mode would expose the identity and a PSK-derived hash to offline cracking. */
mode main;
proposals IKE-PROPOSAL;
/* Must match the key in Device3's access profile. Placeholder value - replace with a strong, per-customer key. */
pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
}
/* Bring the tunnel up at commit time instead of waiting for interesting traffic. */
establish-tunnels immediately;
}
}

*****************************************************************************************************************


Device2:

//****** Router on the ISP side. Provides DHCP addresses to Node_1 through the relay agent on the CE side (Device1).

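/* Device2 (ISP router): DHCP server for the customer LANs behind Device1's relay.
   The stray closing brace at the end of the original listing has been removed so the stanza loads. */
services {
dhcp {
/* Infinite leases are a lab convenience; production pools should use finite lease times. */
maximum-lease-time infinite;
default-lease-time infinite;
pool 192.168.1.0/24 {
address-range low 192.168.1.1 high 192.168.1.254;
/* 192.168.1.1 is Device1's fe-0/0/0 address (relay and default gateway); keep it out of the lease range. */
exclude-address {
192.168.1.1;
192.168.1.254;
}
domain-name TEST_1;
router {
192.168.1.1;
}
server-identifier 192.168.1.1;
}
/* Second customer LAN; no interface for it appears in the Device1 excerpt, so it is presumably served via the relay group's other interfaces. */
pool 192.168.2.0/24 {
address-range low 192.168.2.1 high 192.168.2.254;
exclude-address {
192.168.2.1;
192.168.2.254;
}
domain-name TEST_2;
router {
192.168.2.1;
}
server-identifier 192.168.2.1;
}
}
}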
interfaces {
ge-0/0/0 {
vlan-tagging;
unit 44 {
vlan-id 44;
family inet {
address 10.0.4.5/30;
}
}
/* Link to Device3 (10.0.2.18), which terminates the IPsec tunnel. */
unit 47 {
vlan-id 47;
family inet {
address 10.0.2.17/30;
}
}
/* Customer-facing link to Device1 (193.1.1.2); the DHCP relay sends requests to this address. */
unit 50 {
vlan-id 50;
family inet {
address 193.1.1.1/24;
}
}
unit 412 {
vlan-id 412;
family inet {
address 10.0.4.14/30;
}
}
}
lo0 {
unit 0 {
family inet {
address 10.0.6.1/32;
}
}
}
}
routing-options {
static {
/* Customer LAN subnets are routed back to Device1 so DHCP replies and return traffic reach the CPE. */
route 192.168.1.0/24 next-hop 193.1.1.2;
route 192.168.2.0/24 next-hop 193.1.1.2;
}
}
/* OSPF on every interface, which on this ISP router includes the customer-facing ge-0/0/0.50 (193.1.1.0/24). A customer device could attempt an adjacency there; exclude or mark that unit passive and enable OSPF authentication in a real deployment. */
protocols {
ospf {
area 0.0.0.0 {
interface all;
}
}
}

******************************************************************************************************************

Device3:

/* Device3 (head-office M10i, dynamic IPsec responder). */
interfaces {
fe-0/3/3 {
vlan-tagging;
unit 88 {
vlan-id 88;
family inet {
address 10.0.8.10/30;
}
family mpls;
}
}
/* Adaptive-services PIC. Each customer gets an inside/outside unit pair; the inside unit's ipsec-interface-id ties it to the access profile with the same interface-id, and "shared" allows more than one tunnel to use the unit. */
sp-1/2/0 {

//***Each customer needs to have an inside and one outside interface.

unit 1 {
dial-options {
ipsec-interface-id demo-ipsec-interface-id;
shared;
}
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
unit 3 {
dial-options {
ipsec-interface-id demo-ipsec-interface-id_2;
shared;
}
family inet;
service-domain inside;
}
unit 4 {
family inet;
service-domain outside;
}
unit 5 {
dial-options {
ipsec-interface-id demo-ipsec-interface-id_5;
shared;
}
family inet;
service-domain inside;
}
unit 6 {
family inet;
service-domain outside;
}
unit 7 {
dial-options {
ipsec-interface-id demo-ipsec-interface-id_7;
shared;
}
family inet;
service-domain inside;
}
unit 8 {
family inet;
service-domain outside;
}
unit 9 {
dial-options {
ipsec-interface-id demo-ipsec-interface-id_192;
shared;
}
family inet;
service-domain inside;
}
unit 10 {
family inet;
service-domain outside;
}
}
ge-1/3/0 {
vlan-tagging;
/* 10.0.2.18 faces Device2 (10.0.2.17) and is the IKE local-gateway of demo-service-set. */
unit 47 {
vlan-id 47;
family inet {
address 10.0.2.18/30;
}
family mpls;
}
unit 48 {
vlan-id 48;
family inet {
address 10.0.2.22/30;
}
family mpls;
}
/* Head-office LAN (Node-2); the subnet Device1 encrypts traffic towards. */
unit 51 {
vlan-id 51;
family inet {
address 192.1.1.2/24;
}
}
/* The 172.16.4x.6 addresses are the IKE local-gateways of the other per-customer service sets. */
unit 200 {
vlan-id 200;
family inet {
address 172.16.41.6/30;
}
}
unit 201 {
vlan-id 201;
family inet {
address 172.16.42.6/30;
}
}
unit 404 {
vlan-id 404;
family inet {
address 172.16.40.6/30;
}
}
}
lo0 {
unit 0 {
family inet {
address 10.0.6.7/32;
}
}
}
}
routing-options {
static {
/* Unrelated to the example (looks like a management host route); drop it when reusing this configuration. */
route 172.24.18.168/32 next-hop 10.209.75.254;
/* Device1's WAN subnet via Device2, so IKE/ESP replies to 193.1.1.2 can be routed. */
route 193.1.1.0/24 next-hop 10.0.2.17;
/* NOTE(review): this sends traffic for the customer LAN toward the ISP in the clear. While the tunnel is up a route installed via the inside service interface presumably takes precedence, but if the tunnel is down return traffic to 192.168.1.0/24 would leak unencrypted. Prefer a discard route (or no route) for protected subnets - confirm the intended behaviour. */
route 192.168.1.0/24 next-hop 10.0.2.17;
}
autonomous-system 100;
}
/* OSPF on every interface except management. "interface all" also covers the customer-facing local-gateway units and the LAN unit on ge-1/3/0; list the core interfaces explicitly (or mark the rest passive) and enable OSPF authentication so a remote customer segment cannot form an adjacency. */
protocols {
ospf {
area 0.0.0.0 {
interface all;
interface fxp0.0 {
disable;
}
}
}
}
/* Responder-side IKE access profiles, one per customer. Every profile uses "client *" with the same placeholder key, so any peer holding that key can bring up a tunnel on any of the five service sets; the only thing separating customers is the local-gateway address they target. Give each profile a unique, strong key and, where the peer presents a stable IKE identity, use "client <identity>" instead of "*". */
access {


//***This configuration will be done on per customer basis***//

profile demo-ike-access-profile {
/* Wildcard client: authenticated by the pre-shared key alone. */
client * {
ike {
/* Any traffic selector proposed by the peer is accepted; narrow to the customer's real subnets where possible. */
allowed-proxy-pair local 0.0.0.0/0 remote 0.0.0.0/0;
/* Placeholder key - must match Device1's IKE policy; replace with a long random value. */
pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
/* Binds this profile to sp-1/2/0.1 (same ipsec-interface-id). */
interface-id demo-ipsec-interface-id;
}
}
}
/* Same caveats as above: use a distinct key per customer. */
profile demo-ike-access-profile_2 {
client * {
ike {
allowed-proxy-pair local 0.0.0.0/0 remote 0.0.0.0/0;
pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
interface-id demo-ipsec-interface-id_2;
}
}
}
/* Same caveats as above: use a distinct key per customer. */
profile demo-ike-access-profile_5 {
client * {
ike {
allowed-proxy-pair local 0.0.0.0/0 remote 0.0.0.0/0;
pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
interface-id demo-ipsec-interface-id_5;
}
}
}
/* Same caveats as above: use a distinct key per customer. */
profile demo-ike-access-profile_7 {
client * {
ike {
allowed-proxy-pair local 0.0.0.0/0 remote 0.0.0.0/0;
pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
interface-id demo-ipsec-interface-id_7;
}
}
}
/* Same caveats as above: use a distinct key per customer. */
profile demo-ike-access-profile_192 {
client * {
ike {
allowed-proxy-pair local 0.0.0.0/0 remote 0.0.0.0/0;
pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
interface-id demo-ipsec-interface-id_192;
}
}
}
}
/* One service set per customer. No ipsec-vpn rules or IKE/IPsec proposals appear in this Device3 excerpt; the responder presumably negotiates against what the initiator proposes - confirm the accepted algorithm set is restricted to current ciphers, or add explicit proposals if the release requires them. */
services {

//*** This configuration will be done on per customer basis***//

service-set demo-service-set {
/* Inside/outside units must match the pair whose ipsec-interface-id the access profile references. */
next-hop-service {
inside-service-interface sp-1/2/0.1;
outside-service-interface sp-1/2/0.2;
}
ipsec-vpn-options {
/* Address Device1 targets as its remote-gateway (ge-1/3/0.47). */
local-gateway 10.0.2.18;
ike-access-profile demo-ike-access-profile;
}
}

service-set demo-service-set_2 {
next-hop-service {
inside-service-interface sp-1/2/0.3;
outside-service-interface sp-1/2/0.4;
}
ipsec-vpn-options {
local-gateway 172.16.40.6;
ike-access-profile demo-ike-access-profile_2;
}
}
service-set demo-service-set_5 {
next-hop-service {
inside-service-interface sp-1/2/0.5;
outside-service-interface sp-1/2/0.6;
}
ipsec-vpn-options {
local-gateway 172.16.41.6;
ike-access-profile demo-ike-access-profile_5;
}
}
service-set demo-service-set_7 {
next-hop-service {
inside-service-interface sp-1/2/0.7;
outside-service-interface sp-1/2/0.8;
}
ipsec-vpn-options {
local-gateway 172.16.42.6;
ike-access-profile demo-ike-access-profile_7;
}
}
service-set demo-service-set_192 {
next-hop-service {
inside-service-interface sp-1/2/0.9;
outside-service-interface sp-1/2/0.10;
}
ipsec-vpn-options {
/* NOTE(review): no interface in the Device3 listing carries 192.168.1.2; this is likely a leftover or an interface omitted from the excerpt - verify before reuse. */
local-gateway 192.168.1.2;
ike-access-profile demo-ike-access-profile_192;
}
}
}

 

Modification History:
2020-02-26: minor non-technical edits.