This article explains how to configure a GRE tunnel over IPsec between Juniper MX devices.
Topology
+------------------+                           +------------------+
|                  |                           |                  |
|        R1        +---------------------------+        R2        |
| lo0: 1.0.0.1/32  | 20.0.0.13       20.0.0.14 | lo0: 2.0.0.1/32  |
+------------------+                           +------------------+
In the above topology, both devices R1 and R2 terminate the IPsec tunnel and the GRE tunnel:
- IPsec between routers R1 and R2
- A GRE tunnel carried inside the IPsec tunnel
Configuration on R1
Add an IP address to lo0 and route traffic destined to the peer's lo0 (2.0.0.1/32, which we will use as the GRE tunnel destination) to the MS-MIC:
set interfaces lo0 unit 0 family inet address 1.0.0.1/32
set routing-instances IPSEC-GRE instance-type virtual-router
set routing-instances IPSEC-GRE interface ms-2/0/0.1
set routing-instances IPSEC-GRE interface gr-5/0/0.0
set routing-instances IPSEC-GRE interface lo0.0
set routing-instances IPSEC-GRE routing-options static route 0.0.0.0/0 next-hop ms-2/0/0.1
Configure interfaces on the MS-MIC:
set interfaces ms-2/0/0 unit 0 family inet
set interfaces ms-2/0/0 unit 1 family inet
set interfaces ms-2/0/0 unit 1 service-domain inside
set interfaces ms-2/0/0 unit 2 family inet
set interfaces ms-2/0/0 unit 2 service-domain outside
Configure the IPsec rules to encrypt traffic from the lo0 interface that is destined to the peer router lo0 interface:
set services ipsec-vpn rule IPSec term 1 from source-address 1.0.0.1/32
set services ipsec-vpn rule IPSec term 1 from destination-address 2.0.0.1/32
set services ipsec-vpn rule IPSec term 1 then remote-gateway 20.0.0.14
set services ipsec-vpn rule IPSec term 1 then dynamic ike-policy IKE-Policy
set services ipsec-vpn rule IPSec term 1 then dynamic ipsec-policy IPSec_policy
set services ipsec-vpn rule IPSec term 1 then initiate-dead-peer-detection
set services ipsec-vpn rule IPSec match-direction input
set services ipsec-vpn ipsec proposal IPSec-proposal protocol esp
set services ipsec-vpn ipsec proposal IPSec-proposal authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal IPSec-proposal encryption-algorithm aes-128-cbc
set services ipsec-vpn ipsec policy IPSec_policy perfect-forward-secrecy keys group19
set services ipsec-vpn ipsec policy IPSec_policy proposals IPSec-proposal
set services ipsec-vpn ike proposal IKE-Proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-Proposal dh-group group19
set services ipsec-vpn ike proposal IKE-Proposal authentication-algorithm sha-256
set services ipsec-vpn ike proposal IKE-Proposal encryption-algorithm aes-128-cbc
set services ipsec-vpn ike proposal IKE-Proposal lifetime-seconds 14400
set services ipsec-vpn ike policy IKE-Policy proposals IKE-Proposal
set services ipsec-vpn ike policy IKE-Policy pre-shared-key ascii-text "$ABC123"
set services ipsec-vpn traceoptions file ipsec-vadi
set services ipsec-vpn traceoptions flag all
set services ipsec-vpn establish-tunnels immediately
Bind the service sets to the service interfaces:
set services service-set IPSec_SS next-hop-service inside-service-interface ms-2/0/0.1
set services service-set IPSec_SS next-hop-service outside-service-interface ms-2/0/0.2
set services service-set IPSec_SS ipsec-vpn-options local-gateway 20.0.0.13
set services service-set IPSec_SS ipsec-vpn-rules IPSec
Configure the GRE tunnel:
set interfaces gr-5/0/0 unit 0 tunnel source 1.0.0.1
set interfaces gr-5/0/0 unit 0 tunnel destination 2.0.0.1
set interfaces gr-5/0/0 unit 0 family inet address 10.10.10.1/30
Verify that IPsec phase 1 and phase 2 are up:
R1> show services ipsec-vpn ike sa
Remote Address State Initiator cookie Responder cookie Exchange type
20.0.0.14 Matured 2826bd1cc712262c 07a795c489584ee8 Main
R1> show services ipsec-vpn ipsec sa
Service set: IPSec_SS, IKE Routing-instance: default
Rule: IPSec, Term: 1, Tunnel index: 3
Local gateway: 20.0.0.13, Remote gateway: 20.0.0.14
IPSec inside interface: ms-2/0/0.1, Tunnel MTU: 1500
UDP encapsulate: Disabled, UDP Destination port: 0
Direction SPI AUX-SPI Mode Type Protocol
inbound 4148274550 0 tunnel dynamic ESP
outbound 3565644226 0 tunnel dynamic ESP
R1> show services ipsec-vpn ipsec statistics
PIC: ms-2/0/0, Service set: IPSec_SS
ESP Statistics:
Encrypted bytes: 384
Decrypted bytes: 384
Encrypted packets: 4
Decrypted packets: 4
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0
ESP authentication failures: 0
ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
Replay before window drops: 0, Replayed pkts: 0
IP integrity errors: 0, Exceeds tunnel MTU: 0
Rule lookup failures: 0, No SA errors: 0
Flow errors: 0, Misc errors: 0
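The statistics output above is usually read by eye. As an added example (not part of the original article), the following Python parses that output and flags the counters a security engineer watches on an IPsec tunnel; the alarm list and the "any non-zero value is reported" policy are assumptions to tune to local baselines.

```python
import re
# Constructed sample: the 'show services ipsec-vpn ipsec statistics' output from
# the article, with two error counters set non-zero to exercise the check.
SAMPLE_STATS = """\
PIC: ms-2/0/0, Service set: IPSec_SS
ESP Statistics:
Encrypted bytes: 384
Decrypted bytes: 384
Encrypted packets: 4
Decrypted packets: 4
Errors:
AH authentication failures: 0
ESP authentication failures: 2
ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
Replay before window drops: 0, Replayed pkts: 7
IP integrity errors: 0, Exceeds tunnel MTU: 0
Rule lookup failures: 0, No SA errors: 0
"""
# Matches 'Name: N' pairs; one line may carry two, separated by a comma.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]+?):\s*(\d+)")
# Counters that should stay at zero on a healthy tunnel (assumed policy: any
# non-zero value is reported). 'Exceeds tunnel MTU' is included because GRE
# adds 24 bytes of overhead to every packet carried inside the IPsec tunnel.
ALARM_COUNTERS = (
    "AH authentication failures", "ESP authentication failures",
    "ESP decryption failures", "Bad headers", "Bad trailers",
    "Replay before window drops", "Replayed pkts", "IP integrity errors",
    "Exceeds tunnel MTU", "Rule lookup failures", "No SA errors",
)

def parse_counters(text):
    """Return {counter name: int} for every 'Name: N' pair in the output."""
    counters = {}
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            counters[name.strip()] = int(value)
    return counters

def check_ipsec_health(text):
    """Return (healthy, findings): unhealthy when ESP traffic is not flowing
    both ways or when any alarm counter is non-zero."""
    c = parse_counters(text)
    findings = []
    if c.get("Encrypted packets", 0) == 0 or c.get("Decrypted packets", 0) == 0:
        findings.append("no bidirectional ESP traffic yet")
    for name in ALARM_COUNTERS:
        if c.get(name, 0):
            findings.append(f"{name} = {c[name]}")
    return not findings, findings
```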
Check that the GRE tunnel is up:
R1> show interfaces terse gr-5/0/0
gr-5/0/0 up up
gr-5/0/0.0 up up inet 10.10.10.1/30
Ping the /30 IP address from R2 to confirm that the GRE tunnel over IPsec is up:
R2> ping 1.0.0.1 source 2.0.0.1 routing-instance IPSEC-GRE
PING 1.0.0.1 (1.0.0.1): 56 data bytes
64 bytes from 1.0.0.1: icmp_seq=0 ttl=64 time=1.773 ms
64 bytes from 1.0.0.1: icmp_seq=1 ttl=64 time=1.464 ms
64 bytes from 1.0.0.1: icmp_seq=2 ttl=64 time=1.490 ms
64 bytes from 1.0.0.1: icmp_seq=3 ttl=64 time=1.453 ms
2020-10-01: Article reviewed for accuracy, no changes required; article valid and relevant