IPSec VPN Configuration in next hop-style methodology

Article ID: KB14896    Last Updated: 04 Aug 2009    Version: 1.0

Summary:
IPSec VPN configuration and explanation in next hop-style methodology

Solution:

Topology

                 sp-1/3/0.0                                          sp-1/2/0.0

                 fe-0/3/0.0      fe-0/3/0.0        fe-0/3/2.0        fe-0/3/0.0
 LO:1.1.1.1  LAB-------------------------DYSPROSIUM-------------------OXYGEN  LO:3.3.3.3
                 10.1.1.1        10.1.1.2          20.1.1.1          20.1.1.2
                   |                                                    |
                   |                                                    |
                   +----------------------------------------------------+
                                        IPSEC TUNNEL

In the above topology the goal is to allow only the interesting traffic, from source 1.1.1.1 to destination 3.3.3.3 and vice versa, to use the IPSec VPN tunnel. All other traffic between the routers is forwarded in the clear. In JUNOS there are two methodologies for creating an IPSec VPN tunnel on a services PIC:

  • Interface-style
  • Next-hop style

Note: Refer to KB14895 for the interface-style methodology.

Next-hop style

Below is the minimum configuration for the next-hop style methodology, with an explanation of each step, needed to accomplish the above goal.

  1. Define the service interface logical units on the services PIC: unit 1 with service-domain inside and unit 2 with service-domain outside. Unit 0 is the management unit of the PIC and carries no traffic. The two units are referenced later by the service set; in next-hop style neither unit needs an IP address.

    On LAB router

    set interfaces sp-1/3/0 unit 0 family inet
    set interfaces sp-1/3/0 unit 1 family inet
    set interfaces sp-1/3/0 unit 1 service-domain inside
    set interfaces sp-1/3/0 unit 2 family inet
    set interfaces sp-1/3/0 unit 2 service-domain outside

    On OXYGEN router

    set interfaces sp-1/2/0 unit 0 family inet
    set interfaces sp-1/2/0 unit 1 family inet
    set interfaces sp-1/2/0 unit 1 service-domain inside
    set interfaces sp-1/2/0 unit 2 family inet
    set interfaces sp-1/2/0 unit 2 service-domain outside
  2. Define an IKE policy referencing either a pre-shared key or a certificate on both routers. The pre-shared key must match on both routers for IKE Phase 1 to negotiate; otherwise no SAs are built and no traffic can be encrypted or decrypted. The key is entered in plain text after ascii-text, and JUNOS displays it in $9$ form afterwards. Note that $9$ is a reversible obfuscation, not a hash: anyone who can read the configuration can recover the key, so protect configuration backups accordingly and use a long random key rather than a dictionary word.

    On LAB router

    set services ipsec-vpn ike policy IKE-POLICY pre-shared-key ascii-text "$9$PTF/1IceMX/CyKvW-dk.P5T3"

    On OXYGEN router

    set services ipsec-vpn ike policy IKE-POLICY pre-shared-key ascii-text "$9$PTF/1IceMX/CyKvW-dk.P5T3"

  3. Define an IPSec VPN rule that matches the interesting traffic (source and destination /32s) and states the remote gateway to negotiate with.

    The IKE policy defined in step 2 is referenced here under the dynamic statement, so that the SAs for this rule are established dynamically with that policy. The match-direction statement defines the direction in which the rule is evaluated: traffic to be encrypted is routed to the inside service interface (step 4) and therefore enters the service set as input, hence match-direction input. Rule names are local to each router, so the differing case of the names below (secure-traffic and SECURE-TRAFFIC) does not matter.

    On LAB router

    set services ipsec-vpn rule secure-traffic term 1 from source-address 1.1.1.1/32
    set services ipsec-vpn rule secure-traffic term 1 from destination-address 3.3.3.3/32
    set services ipsec-vpn rule secure-traffic term 1 then remote-gateway 20.1.1.2
    set services ipsec-vpn rule secure-traffic term 1 then dynamic ike-policy IKE-POLICY
    set services ipsec-vpn rule secure-traffic match-direction input

    On OXYGEN router

    set services ipsec-vpn rule SECURE-TRAFFIC term 1 from source-address 3.3.3.3/32
    set services ipsec-vpn rule SECURE-TRAFFIC term 1 from destination-address 1.1.1.1/32
    set services ipsec-vpn rule SECURE-TRAFFIC term 1 then remote-gateway 10.1.1.1
    set services ipsec-vpn rule SECURE-TRAFFIC term 1 then dynamic ike-policy IKE-POLICY
    set services ipsec-vpn rule SECURE-TRAFFIC match-direction input
  4. Now direct the interesting traffic to the inside service interface, where encryption takes place, with a static route whose next hop is the inside unit. This route is what keeps the traffic off the cleartext path: a static route (preference 5) is preferred over an OSPF route to the same /32 (preference 10), so it wins even if the peer loopback is also learned via OSPF through DYSPROSIUM. If the static route is removed, the traffic still reaches 3.3.3.3 but does so in the clear, so treat this route as part of the security configuration.

    On LAB router

    set routing-options static route 3.3.3.3/32 next-hop sp-1/3/0.1 

    On OXYGEN router

    set routing-options static route 1.1.1.1/32 next-hop sp-1/2/0.1
  5. Configure the service set, defining the inside service interface and the outside service interface. In JUNOS the service set must also reference the IPSec VPN rule (ipsec-vpn-rules) and the local gateway address (ipsec-vpn-options local-gateway), which is the address the peer's remote-gateway statement points at; without these statements the rule is never applied to the service set.

    On LAB Router

    set services service-set SP-INTERFACE-DEFINED next-hop-service inside-service-interface sp-1/3/0.1
    set services service-set SP-INTERFACE-DEFINED next-hop-service outside-service-interface sp-1/3/0.2

    On OXYGEN router

    set services service-set SP-INTERFACE-DEFINED next-hop-service inside-service-interface sp-1/2/0.1
    set services service-set SP-INTERFACE-DEFINED next-hop-service outside-service-interface sp-1/2/0.2

After completing all the required steps on both LAB and OXYGEN, it is time to configure the DYSPROSIUM router. DYSPROSIUM only needs OSPF so that the two gateway addresses (10.1.1.1 and 20.1.1.2) are reachable from each other. No other special configuration is required, since it is simply a transit router between the IPSec peers: it forwards the ESP packets between the gateways and never sees the 1.1.1.1 to 3.3.3.3 traffic in the clear.

Here is the configuration:

lab@DYP-R4# show | display set 
set version 9.3R2.8
set interfaces fe-0/3/0 unit 0 family inet address 10.1.1.2/30
set interfaces fe-0/3/2 unit 0 family inet address 20.1.1.1/30
set protocols ospf area 0.0.0.0 interface all

Pinging from source 1.1.1.1 to destination 3.3.3.3 (for example, ping 3.3.3.3 source 1.1.1.1 on LAB) triggers IKE negotiation and results in the IKE and IPSec SAs being created. Expect the first one or two pings to be lost while the SAs are negotiated; traffic should then transit the IPSec tunnel correctly.

Verifying the IPSec VPN tunnel

The following commands can be used to verify whether the IPSec VPN is working as expected.

show services ipsec-vpn ike security-associations

Check that the IKE SA for the remote gateway is listed and that its State is matured. An absent or non-matured SA usually means the pre-shared keys or proposals do not match, or that the gateways cannot reach each other.

show services ipsec-vpn ipsec security-associations

Check that an inbound and an outbound IPSec SA exist for the rule, with the expected local and remote gateway addresses and an SPI on each.

show services ipsec-vpn ipsec statistics

With a continuous ping running, the inbound and outbound packet counters should keep increasing; this confirms that the packets transiting the tunnel are actually being encrypted and decrypted rather than taking the cleartext path through DYSPROSIUM. If the ping succeeds but the counters stay flat, the traffic is bypassing the tunnel, which usually points at the static route in step 4 or the match terms in step 3.
