This article explains how to configure a GRE tunnel over IPsec between Juniper MX devices.

 

Topology

+------------------+                       +-----------------+
|                  |                       |                 |
|     R1           +-----------------------+        R2       |
| lo0 1.0.0.1/32   |                       |lo0: 2.0.0.1/32  |
+------------------+ 20.0.0.13   20.0.0.14 +-----------------+​

In the above topology, both devices R1 and R2 terminate IPsec and GRE tunnel.

1. IPsec between R1 and R2 Router
2. Form GRE over IPsec tunnel

Configuration on R1

Add IP to lo0 and route traffic destined to our peers lo0 (2.0.0.1/32) to the MS-MIC (we'll use this as the GRE tunnel destination):

set interfaces lo0 unit 0 family inet address 1.0.0.1/32
set routing-instances IPSEC-GRE instance-type virtual-router
set routing-instances IPSEC-GRE interface ms-2/0/0.1
set routing-instances IPSEC-GRE interface gr-5/0/0.0
set routing-instances IPSEC-GRE interface lo0.0
set routing-instances IPSEC-GRE routing-options static route 0.0.0.0/0 next-hop ms-2/0/0.1

Configure interfaces on the MS-MIC:

set interfaces ms-2/0/0 unit 0 family inet
set interfaces ms-2/0/0 unit 1 family inet
set interfaces ms-2/0/0 unit 1 service-domain inside
set interfaces ms-2/0/0 unit 2 family inet
set interfaces ms-2/0/0 unit 2 service-domain outside

Configure the IPsec rules to encrypt traffic from the lo0 interface that is destined to the peer router lo0 interface:

set services ipsec-vpn rule IPSec term 1 from source-address 1.0.0.1/32
set services ipsec-vpn rule IPSec term 1 from destination-address 2.0.0.1/32
set services ipsec-vpn rule IPSec term 1 then remote-gateway 20.0.0.14
set services ipsec-vpn rule IPSec term 1 then dynamic ike-policy IKE-Policy
set services ipsec-vpn rule IPSec term 1 then dynamic ipsec-policy IPSec_policy
set services ipsec-vpn rule IPSec term 1 then initiate-dead-peer-detection
set services ipsec-vpn rule IPSec match-direction input
set services ipsec-vpn ipsec proposal IPSec-proposal protocol esp
set services ipsec-vpn ipsec proposal IPSec-proposal authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal IPSec-proposal encryption-algorithm aes-128-cbc
set services ipsec-vpn ipsec policy IPSec_policy perfect-forward-secrecy keys group19
set services ipsec-vpn ipsec policy IPSec_policy proposals IPSec-proposal
set services ipsec-vpn ike proposal IKE-Proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-Proposal dh-group group19
set services ipsec-vpn ike proposal IKE-Proposal authentication-algorithm sha-256
set services ipsec-vpn ike proposal IKE-Proposal encryption-algorithm aes-128-cbc
set services ipsec-vpn ike proposal IKE-Proposal lifetime-seconds 14400
set services ipsec-vpn ike policy IKE-Policy proposals IKE-Proposal
set services ipsec-vpn ike policy IKE-Policy pre-shared-key ascii-text "$ABC123"
set services ipsec-vpn traceoptions file ipsec-vadi
set services ipsec-vpn traceoptions flag all
set services ipsec-vpn establish-tunnels immediately

Bind the service sets to the service interfaces:

set services service-set IPSec_SS next-hop-service inside-service-interface ms-2/0/0.1
set services service-set IPSec_SS next-hop-service outside-service-interface ms-2/0/0.2
set services service-set IPSec_SS ipsec-vpn-options local-gateway 20.0.0.13
set services service-set IPSec_SS ipsec-vpn-rules IPSec

Configure the GRE tunnel:

set interfaces gr-5/0/0 unit 0 tunnel source 1.0.0.1
set interfaces gr-5/0/0 unit 0 tunnel destination 2.0.0.1
set interfaces gr-5/0/0 unit 0 family inet address 10.10.10.1/30

Verify IPsec phase 1 and phase 2 is up:

R1> show services ipsec-vpn ike sa
Remote Address  State         Initiator cookie  Responder cookie  Exchange type
20.0.0.14       Matured       2826bd1cc712262c  07a795c489584ee8  Main         

R1> show services ipsec-vpn ipsec sa  
Service set: IPSec_SS, IKE Routing-instance: default

  Rule: IPSec, Term: 1, Tunnel index: 3
  Local gateway: 20.0.0.13, Remote gateway: 20.0.0.14
  IPSec inside interface: ms-2/0/0.1, Tunnel MTU: 1500
  UDP encapsulate: Disabled, UDP Destination port: 0
    Direction SPI         AUX-SPI     Mode       Type     Protocol
    inbound   4148274550  0           tunnel     dynamic  ESP       
    outbound  3565644226  0           tunnel     dynamic  ESP       

R1> show services ipsec-vpn ipsec statistics

PIC: ms-2/0/0, Service set: IPSec_SS

ESP Statistics:
  Encrypted bytes:              384
  Decrypted bytes:              384
  Encrypted packets:              4
  Decrypted packets:              4
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures:     0
  ESP authentication failures:    0
  ESP decryption failures:        0
  Bad headers: 0, Bad trailers: 0
  Replay before window drops: 0, Replayed pkts: 0
  IP integrity errors: 0, Exceeds tunnel MTU: 0
  Rule lookup failures: 0, No SA errors: 0
  Flow errors: 0, Misc errors: 0

Check that the GRE tunnel is up:

R1#
gr-5/0/0                up    up
gr-5/0/0.0              up    up   inet     10.10.10.1/30

Ping /30 IP from R2 to confirm that the GRE tunnel over IPsec is up:

R2> ping 1.0.0.1 source 2.0.0.1 routing-instance IPSEC-GRE    
PING 1.0.0.1 (1.0.0.1): 56 data bytes
64 bytes from 1.0.0.1: icmp_seq=0 ttl=64 time=1.773 ms
64 bytes from 1.0.0.1: icmp_seq=1 ttl=64 time=1.464 ms
64 bytes from 1.0.0.1: icmp_seq=2 ttl=64 time=1.490 ms
64 bytes from 1.0.0.1: icmp_seq=3 ttl=64 time=1.453 ms

 

2020-10-01: Article reviewed for accuracy, no changes required; article valid and relevant