
[MX] IPsec over GRE with the MS-MIC/MS-MPC or MS-DPC


Article ID: KB31971 | Last Updated: 10 Jul 2017 | Version: 1.0
Summary:

This article explains how to configure an IPsec tunnel that runs over a GRE tunnel between two Juniper MX devices.

Symptoms:

Topology

 
+------------------+                       +-----------------+
|                  |                       |                 |
|     R1           +-----------------------+        R2       |
| lo0 1.0.0.1/32   |                       |lo0: 2.0.0.1/32  |
+------------------+ 20.0.0.13   20.0.0.14 +-----------------+
 
 
In the above topology, both R1 and R2 terminate the GRE tunnel and the IPsec tunnel:
 
  1. Build a GRE tunnel between R1 and R2.
  2. Establish the IPsec tunnel inside the GRE tunnel.
 
Solution:

Configuration on R1:

GRE Configuration

Use a /30 for the GRE tunnel interface itself (10.10.10.0/30); it should be routable via the Internet.
 
set interfaces gr-5/0/0 unit 0 tunnel source 20.0.0.13
set interfaces gr-5/0/0 unit 0 tunnel destination 20.0.0.14
set interfaces gr-5/0/0 unit 0 family inet address 10.10.10.1/30
set interfaces lo0 unit 0 family inet address 1.0.0.1/32
 
Configure the service interfaces on the MS-MIC:
 
set interfaces ms-2/0/0 unit 0 family inet
set interfaces ms-2/0/0 unit 1 family inet
set interfaces ms-2/0/0 unit 1 service-domain inside
set interfaces ms-2/0/0 unit 2 family inet
set interfaces ms-2/0/0 unit 2 service-domain outside
 
Configure the IPsec rules to encrypt traffic over the GRE tunnel:
 
set services ipsec-vpn rule IPSec term 1 from source-address 1.0.0.1/32
set services ipsec-vpn rule IPSec term 1 from destination-address 2.0.0.1/32
set services ipsec-vpn rule IPSec term 1 then remote-gateway 10.10.10.2
set services ipsec-vpn rule IPSec term 1 then dynamic ike-policy IKE-Policy
set services ipsec-vpn rule IPSec term 1 then dynamic ipsec-policy IPSec_policy
set services ipsec-vpn rule IPSec term 1 then initiate-dead-peer-detection
set services ipsec-vpn rule IPSec match-direction input
set services ipsec-vpn ipsec proposal IPSec-proposal protocol esp
set services ipsec-vpn ipsec proposal IPSec-proposal authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal IPSec-proposal encryption-algorithm aes-128-cbc
set services ipsec-vpn ipsec policy IPSec_policy perfect-forward-secrecy keys group19
set services ipsec-vpn ipsec policy IPSec_policy proposals IPSec-proposal
set services ipsec-vpn ike proposal IKE-Proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-Proposal dh-group group19
set services ipsec-vpn ike proposal IKE-Proposal authentication-algorithm sha-256
set services ipsec-vpn ike proposal IKE-Proposal encryption-algorithm aes-128-cbc
set services ipsec-vpn ike proposal IKE-Proposal lifetime-seconds 14400
set services ipsec-vpn ike policy IKE-Policy proposals IKE-Proposal
set services ipsec-vpn ike policy IKE-Policy pre-shared-key ascii-text "$9$1IZhlM7-wsgJSrYoGUmPFn/tpBRhrW87yl-wYgUDO1R"
set services ipsec-vpn traceoptions file ipsec-vadi
set services ipsec-vpn traceoptions flag all
 
Bind the service set to the service interfaces so that the encrypted traffic passes through the GRE tunnel:
 
set services service-set IPSec_SS next-hop-service inside-service-interface ms-2/0/0.1
set services service-set IPSec_SS next-hop-service outside-service-interface ms-2/0/0.2
set services service-set IPSec_SS ipsec-vpn-options local-gateway 10.10.10.1
set services service-set IPSec_SS ipsec-vpn-rules IPSec
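Every element of this configuration references the next one by name (rule to ike-policy and ipsec-policy, policy to proposal, service-set to rule), and the local-gateway and remote-gateway must be the tunnel addresses on the gr- interface rather than the underlay addresses, which is easy to overlook when the tunnel source and destination are also in front of you. The Python check below is an added example, not Juniper code: it cross-references the set statements above (the names IPSec, IPSec_SS, IKE-Policy and so on are taken from this article) and reports dangling references and gateway addresses that fall outside the GRE /30.

```python
import ipaddress
import re
# Constructed excerpt of the R1 configuration shown in this article (Junos set format).
R1_CONFIG = """
set interfaces gr-5/0/0 unit 0 family inet address 10.10.10.1/30
set services ipsec-vpn rule IPSec term 1 then remote-gateway 10.10.10.2
set services ipsec-vpn rule IPSec term 1 then dynamic ike-policy IKE-Policy
set services ipsec-vpn rule IPSec term 1 then dynamic ipsec-policy IPSec_policy
set services ipsec-vpn ipsec proposal IPSec-proposal protocol esp
set services ipsec-vpn ipsec policy IPSec_policy proposals IPSec-proposal
set services ipsec-vpn ike proposal IKE-Proposal dh-group group19
set services ipsec-vpn ike policy IKE-Policy proposals IKE-Proposal
set services service-set IPSec_SS ipsec-vpn-options local-gateway 10.10.10.1
set services service-set IPSec_SS ipsec-vpn-rules IPSec
"""
# For each object kind, the pattern that captures a use (not a definition) of a name of that kind.
REFS = {
    "ike policy": r"dynamic ike-policy (\S+)",
    "ipsec policy": r"dynamic ipsec-policy (\S+)",
    "ike proposal": r"ike policy \S+ proposals (\S+)",
    "ipsec proposal": r"ipsec policy \S+ proposals (\S+)",
    "rule": r"service-set \S+ ipsec-vpn-rules (\S+)",
}

def check_ipsec_over_gre(config: str) -> list[str]:
    """Return dangling references and gateway mismatches; an empty list means consistent."""
    defined = {kind: set() for kind in REFS}
    refs, gre_nets, gws = [], [], {}
    for line in (ln.strip() for ln in config.splitlines()):
        m = re.match(r"set services ipsec-vpn (rule|(?:ike|ipsec) (?:policy|proposal)) (\S+)", line)
        if m:
            defined[m[1]].add(m[2])
        for kind, pat in REFS.items():
            m = re.search(pat, line)
            if m:
                refs.append((kind, m[1], line))
        m = re.match(r"set interfaces gr-\S+ unit \d+ family inet address (\S+)", line)
        if m:
            gre_nets.append(ipaddress.ip_interface(m[1]).network)
        m = re.search(r"(local|remote)-gateway (\S+)$", line)
        if m:
            gws[m[1]] = ipaddress.ip_address(m[2])
    problems = [f"{kind} '{name}' is referenced but never defined ({where})"
                for kind, name, where in refs if name not in defined[kind]]
    # IKE rides inside the GRE tunnel, so both gateways must sit in the gr- interface's subnet.
    for end in ("local", "remote"):
        if end not in gws or not any(gws[end] in net for net in gre_nets):
            problems.append(f"{end}-gateway is not an address inside the GRE tunnel subnet")
    return problems
```

Run it against the full `show configuration | display set` output before committing; a non-empty list names the exact statement that needs attention.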

Troubleshooting

1. Check that the GRE tunnel is up:
 
R1> show interfaces terse | match gr 
gr-5/0/0                up    up
gr-5/0/0.0              up    up   inet     10.10.10.1/30
 
labroot@R1> show interfaces gr-5/0/0 extensive 
Physical interface: gr-5/0/0, Enabled, Physical link is Up
  Interface index: 223, SNMP ifIndex: 696, Generation: 226
  Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: 100000mbps
  Hold-times     : Up 0 ms, Down 0 ms
  Device flags   : Present Running
  Interface flags: Point-To-Point SNMP-Traps
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :               185174                  224 bps
   Output bytes  :                 2584                    0 bps
   Input  packets:                 1923                    0 pps
   Output packets:                   17                    0 pps
   IPv6 transit statistics:
    Input  bytes  :                   0
    Output bytes  :                   0
    Input  packets:                   0
    Output packets:                   0
 
  Logical interface gr-5/0/0.0 (Index 321) (SNMP ifIndex 784) (Generation 307)
    Flags: Up Point-To-Point SNMP-Traps 0x4000 IP-Header 20.0.0.14:20.0.0.13:47:df:64:0000000000000000 Encapsulation: GRE-NULL
    Copy-tos-to-outer-ip-header: Off
    Gre keepalives configured: On, Gre keepalives adjacency state: up
    Traffic statistics:
     Input  bytes  :               150408
     Output bytes  :               155008
     Input  packets:                 1589
     Output packets:                 1175
    Local statistics:
     Input  bytes  :               124696
     Output bytes  :               152424
     Input  packets:                 1159
     Output packets:                 1158
    Transit statistics:
     Input  bytes  :                25712                  224 bps
     Output bytes  :                 2584                    0 bps
     Input  packets:                  430                    0 pps
     Output packets:                   17                    0 pps
    Protocol inet, MTU: 1476
    Max nh cache: 0, New hold nh limit: 0, Curr nh cnt: 0, Curr new hold cnt: 0, NH drop cnt: 0
    Generation: 415, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Default Is-Preferred Is-Primary
        Destination: 10.10.10.0/30, Local: 10.10.10.1, Broadcast: 10.10.10.3, Generation: 243
 
R1> ping 10.10.10.2 detail count 2 
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2 via gr-5/0/0.0: icmp_seq=0 ttl=64 time=1.584 ms
64 bytes from 10.10.10.2 via gr-5/0/0.0: icmp_seq=1 ttl=64 time=1.798 ms
 
--- 10.10.10.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.584/1.691/1.798/0.107 ms
 
2. Send interesting traffic (traffic matching the IPsec rule, here 1.0.0.1 to 2.0.0.1) to bring up the IPsec tunnel over GRE:
 
@R1> ping 2.0.0.1 source 1.0.0.1 routing-instance ipsec-gre count 2  
PING 2.0.0.1 (2.0.0.1): 56 data bytes
64 bytes from 2.0.0.1: icmp_seq=0 ttl=64 time=34.386 ms
64 bytes from 2.0.0.1: icmp_seq=1 ttl=64 time=1.458 ms
--- 2.0.0.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.458/17.922/34.386/16.464 ms
 
 
3. Check that IKE phase 1 and IPsec phase 2 are up:
 
R1> show services ipsec-vpn ike sa 
Remote Address  State         Initiator cookie  Responder cookie  Exchange type
10.10.10.2      Matured       1270fe9dfc046371  a57abf93d8fd19f6  Main         
 
R1> show services ipsec-vpn ike sa detail 
IKE peer 10.10.10.2
  Role: Responder, State: Matured
  Initiator cookie: 1270fe9dfc046371, Responder cookie: a57abf93d8fd19f6
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local gateway interface: gr-5/0/0
  Local: 10.10.10.1, Remote: 10.10.10.2
  Lifetime: Expires in 10148 seconds
  Algorithms:
   Authentication        : hmac-sha256-128 
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : 19
  Traffic statistics:
   Input  bytes  :                84244
   Output bytes  :                84208
   Input  packets:                  779
   Output packets:                  778
  Flags: IKE SA created 
  IPSec security associations: 2 created, 0 deleted
 
R1> show services ipsec-vpn ipsec sa   
Service set: IPSec_SS, IKE Routing-instance: default
  Rule: IPSec, Term: 1, Tunnel index: 1
  Local gateway: 10.10.10.1, Remote gateway: 10.10.10.2
  IPSec inside interface: ms-2/0/0.1, Tunnel MTU: 1500
  UDP encapsulate: Disabled, UDP Destination port: 0
    Direction SPI         AUX-SPI     Mode       Type     Protocol
    inbound   3848071295  0           tunnel     dynamic  ESP       
    outbound  2822421208  0           tunnel     dynamic  ESP       
 
R1> show services ipsec-vpn ipsec statistics 
PIC: ms-2/0/0, Service set: IPSec_SS
ESP Statistics:
  Encrypted bytes:             2016
  Decrypted bytes:             2016
  Encrypted packets:             21
  Decrypted packets:             21
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures:     0
  ESP authentication failures:    0
  ESP decryption failures:        0
  Bad headers: 0, Bad trailers: 0
  Replay before window drops: 0, Replayed pkts: 0
  IP integrity errors: 0, Exceeds tunnel MTU: 0
  Rule lookup failures: 0, No SA errors: 0
  Flow errors: 0, Misc errors: 0
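The health check below is an added example (not from the article) that turns two of the outputs above into structured values: it confirms that the IKE SA to the remote tunnel address is Matured, that the ESP counters show traffic in both directions, and that every counter in the Errors block is zero. The sample outputs are copies of those shown above, embedded so the script runs offline.

```python
import re
# Constructed copies of the two show-command outputs from this article's troubleshooting steps.
IKE_SA = """\
Remote Address  State         Initiator cookie  Responder cookie  Exchange type
10.10.10.2      Matured       1270fe9dfc046371  a57abf93d8fd19f6  Main
"""
IPSEC_STATS = """\
PIC: ms-2/0/0, Service set: IPSec_SS
ESP Statistics:
  Encrypted bytes:             2016
  Decrypted bytes:             2016
  Encrypted packets:             21
  Decrypted packets:             21
Errors:
  AH authentication failures:     0
  ESP authentication failures:    0
  ESP decryption failures:        0
  Bad headers: 0, Bad trailers: 0
  Replay before window drops: 0, Replayed pkts: 0
  IP integrity errors: 0, Exceeds tunnel MTU: 0
  Rule lookup failures: 0, No SA errors: 0
  Flow errors: 0, Misc errors: 0
"""

def ike_peers(output: str) -> dict[str, str]:
    """Map each remote IKE gateway in 'show services ipsec-vpn ike sa' to its phase-1 state."""
    peers = {}
    for line in output.splitlines()[1:]:  # skip the column header
        parts = line.split()
        if len(parts) >= 2:
            peers[parts[0]] = parts[1]
    return peers

def esp_counters(output: str) -> dict[str, int]:
    """Collect every 'Name: <number>' pair, including the several packed onto one Errors line."""
    return {name: int(val) for name, val in re.findall(r"([A-Za-z][A-Za-z ]*?):\s+(\d+)", output)}

def tunnel_health(ike_output: str, stats_output: str, peer: str) -> list[str]:
    """Return findings; [] means phase 1 is Matured, ESP flows both ways and all error counters are 0."""
    findings = []
    state = ike_peers(ike_output).get(peer)
    if state != "Matured":
        findings.append(f"IKE SA to {peer} is {state or 'absent'}, expected Matured")
    c = esp_counters(stats_output)
    if not c.get("Encrypted packets") or not c.get("Decrypted packets"):
        findings.append("ESP packet counters show traffic in one direction only, or none")
    # Anything under Errors that is non-zero (the bytes/packets counters are traffic statistics).
    findings += [f"{k}: {v}" for k, v in c.items() if v and not k.endswith(("bytes", "packets"))]
    return findings
```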