Configuration on R1:
GRE Configuration
A /30 is used for the GRE tunnel itself (10.10.10.0/30); it should be routable over the Internet.
set interfaces gr-5/0/0 unit 0 tunnel source 20.0.0.13
set interfaces gr-5/0/0 unit 0 tunnel destination 20.0.0.14
set interfaces gr-5/0/0 unit 0 family inet address 10.10.10.1/30
set interfaces lo0 unit 0 family inet address 1.0.0.1/32
Configure interfaces on the MS-MIC:
set interfaces ms-2/0/0 unit 0 family inet
set interfaces ms-2/0/0 unit 1 family inet
set interfaces ms-2/0/0 unit 1 service-domain inside
set interfaces ms-2/0/0 unit 2 family inet
set interfaces ms-2/0/0 unit 2 service-domain outside
Configure the IPsec rule to encrypt traffic over the GRE tunnel:
set services ipsec-vpn rule IPSec term 1 from source-address 1.0.0.1/32
set services ipsec-vpn rule IPSec term 1 from destination-address 2.0.0.1/32
set services ipsec-vpn rule IPSec term 1 then remote-gateway 10.10.10.2
set services ipsec-vpn rule IPSec term 1 then dynamic ike-policy IKE-Policy
set services ipsec-vpn rule IPSec term 1 then dynamic ipsec-policy IPSec_policy
set services ipsec-vpn rule IPSec term 1 then initiate-dead-peer-detection
set services ipsec-vpn rule IPSec match-direction input
set services ipsec-vpn ipsec proposal IPSec-proposal protocol esp
set services ipsec-vpn ipsec proposal IPSec-proposal authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal IPSec-proposal encryption-algorithm aes-128-cbc
set services ipsec-vpn ipsec policy IPSec_policy perfect-forward-secrecy keys group19
set services ipsec-vpn ipsec policy IPSec_policy proposals IPSec-proposal
set services ipsec-vpn ike proposal IKE-Proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-Proposal dh-group group19
set services ipsec-vpn ike proposal IKE-Proposal authentication-algorithm sha-256
set services ipsec-vpn ike proposal IKE-Proposal encryption-algorithm aes-128-cbc
set services ipsec-vpn ike proposal IKE-Proposal lifetime-seconds 14400
set services ipsec-vpn ike policy IKE-Policy proposals IKE-Proposal
set services ipsec-vpn ike policy IKE-Policy pre-shared-key ascii-text "$9$1IZhlM7-wsgJSrYoGUmPFn/tpBRhrW87yl-wYgUDO1R"
set services ipsec-vpn traceoptions file ipsec-vadi
set services ipsec-vpn traceoptions flag all
Bind the service set to the service interfaces so that the encrypted traffic passes through the GRE tunnel:
set services service-set IPSec_SS next-hop-service inside-service-interface ms-2/0/0.1
set services service-set IPSec_SS next-hop-service outside-service-interface ms-2/0/0.2
set services service-set IPSec_SS ipsec-vpn-options local-gateway 10.10.10.1
set services service-set IPSec_SS ipsec-vpn-rules IPSec
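Before committing a configuration like the one above, it is worth cross-checking the pieces that have to agree with each other: the rule must reference IKE and IPsec policies that exist, the policies must reference defined proposals, the service set must point at a defined rule, the local-gateway must be an address on the gr- interface with the remote-gateway in the same tunnel subnet, the inside/outside service interfaces must carry matching service-domain settings, every rule needs a match-direction, and no proposal should quietly fall back to a weak cipher or DH group. The script below is an added example (not Junos software or a Juniper tool) that performs those checks over the plain "set" lines; the constructed R1_CONFIG is a copy of the statements above (pre-shared key and traceoptions omitted), and the check list and the WEAK set are this example's own assumptions, not Junos commit checks.

```python
"""Consistency checks over the IPsec-over-GRE 'set' statements (added example)."""
import ipaddress

# Constructed copy of the R1 statements from the page (key and traceoptions omitted).
R1_CONFIG = """
set interfaces gr-5/0/0 unit 0 family inet address 10.10.10.1/30
set interfaces ms-2/0/0 unit 1 service-domain inside
set interfaces ms-2/0/0 unit 2 service-domain outside
set services ipsec-vpn rule IPSec term 1 from source-address 1.0.0.1/32
set services ipsec-vpn rule IPSec term 1 from destination-address 2.0.0.1/32
set services ipsec-vpn rule IPSec term 1 then remote-gateway 10.10.10.2
set services ipsec-vpn rule IPSec term 1 then dynamic ike-policy IKE-Policy
set services ipsec-vpn rule IPSec term 1 then dynamic ipsec-policy IPSec_policy
set services ipsec-vpn rule IPSec match-direction input
set services ipsec-vpn ipsec proposal IPSec-proposal protocol esp
set services ipsec-vpn ipsec proposal IPSec-proposal authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal IPSec-proposal encryption-algorithm aes-128-cbc
set services ipsec-vpn ipsec policy IPSec_policy perfect-forward-secrecy keys group19
set services ipsec-vpn ipsec policy IPSec_policy proposals IPSec-proposal
set services ipsec-vpn ike proposal IKE-Proposal dh-group group19
set services ipsec-vpn ike proposal IKE-Proposal authentication-algorithm sha-256
set services ipsec-vpn ike proposal IKE-Proposal encryption-algorithm aes-128-cbc
set services ipsec-vpn ike policy IKE-Policy proposals IKE-Proposal
set services service-set IPSec_SS next-hop-service inside-service-interface ms-2/0/0.1
set services service-set IPSec_SS next-hop-service outside-service-interface ms-2/0/0.2
set services service-set IPSec_SS ipsec-vpn-options local-gateway 10.10.10.1
set services service-set IPSec_SS ipsec-vpn-rules IPSec
"""

# Assumption of this example: settings that should never pass review silently.
WEAK = {"des-cbc", "3des-cbc", "md5", "hmac-md5-96", "group1", "group2", "group5"}


def parse_set(text):
    """Split each 'set ...' line into tokens, dropping the 'set' keyword."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]


def find(stmts, *prefix):
    """Return the tokens that follow the given path prefix."""
    n = len(prefix)
    return [s[n:] for s in stmts if tuple(s[:n]) == prefix]


def check_config(text):
    stmts = parse_set(text)
    findings = []
    vpn = find(stmts, "services", "ipsec-vpn")
    rules = find(stmts, "services", "ipsec-vpn", "rule")      # [name, ...]
    sets = find(stmts, "services", "service-set")             # [name, keyword, ...]

    # 1. Every referenced policy, proposal and rule must be defined somewhere.
    defined = {
        "ike-policy": {r[2] for r in vpn if r[:2] == ["ike", "policy"]},
        "ipsec-policy": {r[2] for r in vpn if r[:2] == ["ipsec", "policy"]},
        "ike-proposal": {r[2] for r in vpn if r[:2] == ["ike", "proposal"]},
        "ipsec-proposal": {r[2] for r in vpn if r[:2] == ["ipsec", "proposal"]},
        "rule": {r[1] for r in vpn if r[0] == "rule"},
    }
    for r in rules:
        if "dynamic" in r and r[-1] not in defined.get(r[-2], {r[-1]}):
            findings.append(f"rule {r[0]} references undefined {r[-2]} {r[-1]}")
    for kind in ("ike", "ipsec"):
        for r in vpn:
            if r[:2] == [kind, "policy"] and "proposals" in r:
                for name in r[r.index("proposals") + 1:]:
                    if name.strip("[]") and name.strip("[]") not in defined[f"{kind}-proposal"]:
                        findings.append(f"{kind} policy {r[2]} references undefined proposal {name}")
    for r in sets:
        if r[1] == "ipsec-vpn-rules" and r[2] not in defined["rule"]:
            findings.append(f"service-set {r[0]} references undefined rule {r[2]}")

    # 2. local-gateway must live on a gr- interface; remote-gateway in the same subnet.
    gr_nets = {}
    for r in find(stmts, "interfaces"):
        if r[0].startswith("gr-") and r[-2] == "address":
            iface = ipaddress.ip_interface(r[-1])
            gr_nets[str(iface.ip)] = iface.network
    remotes = [r[-1] for r in rules if "remote-gateway" in r]
    for local in (r[3] for r in sets if r[1:3] == ["ipsec-vpn-options", "local-gateway"]):
        if local not in gr_nets:
            findings.append(f"local-gateway {local} is not an address on a gr- interface")
            continue
        for remote in remotes:
            if ipaddress.ip_address(remote) not in gr_nets[local]:
                findings.append(f"remote-gateway {remote} is outside the tunnel subnet {gr_nets[local]}")

    # 3. The inside/outside service interfaces must carry the matching service-domain.
    domains = {f"{r[0]}.{r[2]}": r[-1] for r in find(stmts, "interfaces") if r[-2] == "service-domain"}
    for r in sets:
        if r[1] == "next-hop-service":
            want = r[2].split("-")[0]  # 'inside' or 'outside'
            if domains.get(r[3]) != want:
                findings.append(f"{r[3]} is the {want} interface but has service-domain {domains.get(r[3])}")

    # 4. Every rule needs a match-direction, and no statement may end in a weak setting.
    for name in sorted(defined["rule"] - {r[0] for r in rules if "match-direction" in r}):
        findings.append(f"rule {name} has no match-direction")
    for r in vpn:
        if r[-1] in WEAK:
            findings.append(f"weak setting in: {' '.join(r)}")
    return findings


if __name__ == "__main__":
    for line in check_config(R1_CONFIG) or ["no findings"]:
        print(line)
```

Run it against a candidate configuration pasted from `show configuration | display set`; an empty list means the references, addressing and service domains line up. The WEAK set is deliberately small so that it reports only settings that are clearly out of place; extend it to match your own crypto policy.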
Troubleshooting
1. Check that the GRE tunnel is up:
R1> show interfaces terse | match gr
gr-5/0/0                up    up
gr-5/0/0.0              up    up   inet     10.10.10.1/30
labroot@R1> show interfaces gr-5/0/0 extensive
Physical interface: gr-5/0/0, Enabled, Physical link is Up
Interface index: 223, SNMP ifIndex: 696, Generation: 226
Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: 100000mbps
Hold-times : Up 0 ms, Down 0 ms
Device flags : Present Running
Interface flags: Point-To-Point SNMP-Traps
Statistics last cleared: Never
Traffic statistics:
Input bytes : 185174 224 bps
Output bytes : 2584 0 bps
Input packets: 1923 0 pps
Output packets: 17 0 pps
IPv6 transit statistics:
Input bytes : 0
Output bytes : 0
Input packets: 0
Output packets: 0
Logical interface gr-5/0/0.0 (Index 321) (SNMP ifIndex 784) (Generation 307)
Flags: Up Point-To-Point SNMP-Traps 0x4000 IP-Header 20.0.0.14:20.0.0.13:47:df:64:0000000000000000 Encapsulation: GRE-NULL
Copy-tos-to-outer-ip-header: Off
Gre keepalives configured: On, Gre keepalives adjacency state: up
Traffic statistics:
Input bytes : 150408
Output bytes : 155008
Input packets: 1589
Output packets: 1175
Local statistics:
Input bytes : 124696
Output bytes : 152424
Input packets: 1159
Output packets: 1158
Transit statistics:
Input bytes : 25712 224 bps
Output bytes : 2584 0 bps
Input packets: 430 0 pps
Output packets: 17 0 pps
Protocol inet, MTU: 1476
Max nh cache: 0, New hold nh limit: 0, Curr nh cnt: 0, Curr new hold cnt: 0, NH drop cnt: 0
Generation: 415, Route table: 0
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Default Is-Preferred Is-Primary
Destination: 10.10.10.0/30, Local: 10.10.10.1, Broadcast: 10.10.10.3, Generation: 243
R1> ping 10.10.10.2 detail count 2
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2 via gr-5/0/0.0: icmp_seq=0 ttl=64 time=1.584 ms
64 bytes from 10.10.10.2 via gr-5/0/0.0: icmp_seq=1 ttl=64 time=1.798 ms
--- 10.10.10.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.584/1.691/1.798/0.107 ms
2. Initiate interesting traffic to bring up the IPsec tunnel over GRE:
R1> ping 2.0.0.1 source 1.0.0.1 routing-instance ipsec-gre count 2
PING 2.0.0.1 (2.0.0.1): 56 data bytes
64 bytes from 2.0.0.1: icmp_seq=0 ttl=64 time=34.386 ms
64 bytes from 2.0.0.1: icmp_seq=1 ttl=64 time=1.458 ms
--- 2.0.0.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.458/17.922/34.386/16.464 ms
3. Check that the IKE (phase 1) and IPsec (phase 2) SAs are up:
R1> show services ipsec-vpn ike sa
Remote Address   State     Initiator cookie   Responder cookie   Exchange type
10.10.10.2       Matured   1270fe9dfc046371   a57abf93d8fd19f6   Main
R1> show services ipsec-vpn ike sa detail
IKE peer 10.10.10.2
Role: Responder, State: Matured
Initiator cookie: 1270fe9dfc046371, Responder cookie: a57abf93d8fd19f6
Exchange type: Main, Authentication method: Pre-shared-keys
Local gateway interface: gr-5/0/0
Local: 10.10.10.1, Remote: 10.10.10.2
Lifetime: Expires in 10148 seconds
Algorithms:
Authentication : hmac-sha256-128
Encryption : aes128-cbc
Pseudo random function: hmac-sha256
Diffie-Hellman group : 19
Traffic statistics:
Input bytes : 84244
Output bytes : 84208
Input packets: 779
Output packets: 778
Flags: IKE SA created
IPSec security associations: 2 created, 0 deleted
R1> show services ipsec-vpn ipsec sa
Service set: IPSec_SS, IKE Routing-instance: default
Rule: IPSec, Term: 1, Tunnel index: 1
Local gateway: 10.10.10.1, Remote gateway: 10.10.10.2
IPSec inside interface: ms-2/0/0.1, Tunnel MTU: 1500
UDP encapsulate: Disabled, UDP Destination port: 0
Direction   SPI          AUX-SPI   Mode     Type      Protocol
inbound     3848071295   0         tunnel   dynamic   ESP
outbound    2822421208   0         tunnel   dynamic   ESP
R1> show services ipsec-vpn ipsec statistics
PIC: ms-2/0/0, Service set: IPSec_SS
ESP Statistics:
Encrypted bytes: 2016
Decrypted bytes: 2016
Encrypted packets: 21
Decrypted packets: 21
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0
ESP authentication failures: 0
ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
Replay before window drops: 0, Replayed pkts: 0
IP integrity errors: 0, Exceeds tunnel MTU: 0
Rule lookup failures: 0, No SA errors: 0
Flow errors: 0, Misc errors: 0
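The three show commands in step 3 are the ones an operator re-runs whenever the tunnel misbehaves, and the interesting signals are always the same: the IKE SA should be Matured with the algorithms the policy asked for, there should be one inbound and one outbound ESP SA, and every counter under "Errors:" should stay at zero (a climbing "ESP authentication failures" or "Replayed pkts" count is what distinguishes a tampered or replayed stream from a plain routing problem). The script below is an added example (not a Juniper tool) that reads those outputs as text and reports anything off; the embedded strings are constructed copies of the R1 output above with the same values, the regular expressions and the EXPECTED_IKE table are this example's own assumptions, and it could be fed live output from `show services ipsec-vpn ... | no-more` in the same way.

```python
"""Health check over 'show services ipsec-vpn' outputs (added example, not a Juniper tool)."""
import re

# Constructed copies of the R1 output from the troubleshooting steps (same values).
IKE_SA_DETAIL = """\
IKE peer 10.10.10.2
Role: Responder, State: Matured
Initiator cookie: 1270fe9dfc046371, Responder cookie: a57abf93d8fd19f6
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 10.10.10.1, Remote: 10.10.10.2
Lifetime: Expires in 10148 seconds
Algorithms:
Authentication : hmac-sha256-128
Encryption : aes128-cbc
Pseudo random function: hmac-sha256
Diffie-Hellman group : 19
Flags: IKE SA created
IPSec security associations: 2 created, 0 deleted
"""
IPSEC_SA = """\
Service set: IPSec_SS, IKE Routing-instance: default
Rule: IPSec, Term: 1, Tunnel index: 1
Local gateway: 10.10.10.1, Remote gateway: 10.10.10.2
Direction SPI AUX-SPI Mode Type Protocol
inbound 3848071295 0 tunnel dynamic ESP
outbound 2822421208 0 tunnel dynamic ESP
"""
IPSEC_STATS = """\
ESP Statistics:
Encrypted bytes: 2016
Decrypted bytes: 2016
Errors:
AH authentication failures: 0
ESP authentication failures: 0
ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
Replay before window drops: 0, Replayed pkts: 0
IP integrity errors: 0, Exceeds tunnel MTU: 0
Rule lookup failures: 0, No SA errors: 0
Flow errors: 0, Misc errors: 0
"""

# What the IKE-Proposal on the page negotiates; anything else deserves a look.
EXPECTED_IKE = {"Encryption": "aes128-cbc", "Authentication": "hmac-sha256-128",
                "Diffie-Hellman group": "19"}
MIN_LIFETIME_SECONDS = 300  # assumption: flag an SA that is about to expire


def check_ike(detail):
    """Phase 1 must be Matured, with the expected algorithms and a healthy lifetime."""
    findings = []
    m = re.search(r"State:\s*(\S+)", detail)
    state = m.group(1) if m else "unknown"
    if state != "Matured":
        findings.append(f"IKE SA state is {state}, expected Matured")
    for key, want in EXPECTED_IKE.items():
        m = re.search(rf"^{re.escape(key)}\s*:\s*(\S+)", detail, re.M)
        got = m.group(1) if m else None
        if got != want:
            findings.append(f"IKE {key} is {got}, expected {want}")
    m = re.search(r"Expires in (\d+) seconds", detail)
    if m and int(m.group(1)) < MIN_LIFETIME_SECONDS:
        findings.append(f"IKE SA expires in {m.group(1)} s")
    return findings


def check_ipsec_sa(sa_text):
    """Phase 2 needs an inbound and an outbound ESP tunnel-mode SA with a non-zero SPI."""
    findings, seen = [], {}
    for m in re.finditer(r"^(inbound|outbound)\s+(\d+)\s+\d+\s+(\S+)\s+\S+\s+(\S+)", sa_text, re.M):
        direction, spi, mode, proto = m.groups()
        seen[direction] = (int(spi), mode, proto)
    for direction in ("inbound", "outbound"):
        if direction not in seen:
            findings.append(f"no {direction} IPsec SA")
            continue
        spi, mode, proto = seen[direction]
        if spi == 0 or mode != "tunnel" or proto != "ESP":
            findings.append(f"{direction} SA unexpected: spi={spi} mode={mode} proto={proto}")
    return findings


def check_stats(stats_text):
    """Every counter under 'Errors:' should be zero on a healthy tunnel."""
    errors = stats_text.split("Errors:", 1)[1] if "Errors:" in stats_text else stats_text
    return [f"{name.strip()} = {value}"
            for name, value in re.findall(r"([A-Za-z][A-Za-z ]+?):\s*(\d+)", errors)
            if int(value)]


def tunnel_health(ike_detail, sa_text, stats_text):
    """Combine the three checks; an empty list means the tunnel looks healthy."""
    return check_ike(ike_detail) + check_ipsec_sa(sa_text) + check_stats(stats_text)


if __name__ == "__main__":
    for line in tunnel_health(IKE_SA_DETAIL, IPSEC_SA, IPSEC_STATS) or ["tunnel healthy"]:
        print(line)
```

Non-zero error counters are cumulative since the last clear, so compare two samples a few minutes apart rather than reacting to a single historic count; a counter that keeps moving while the SAs stay up points at the peer or the path, not at the configuration.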