
[SRX] Example - Configuring BGP over IPsec VPN for SRX devices


Article ID: KB36805 | KB Last Updated: 24 May 2021 | Version: 1.0
Summary:

This article uses an example to describe how to configure border gateway protocol (BGP) over IPsec VPN on SRX Series devices. 

Solution:

In BGP over IPsec VPN, BGP runs on top of the st0 tunnel interface, so every BGP packet exchanged between the peers is encapsulated in the ESP payload of the IPsec tunnel.

Topology

Assume the following topology for illustration.

  • The SRX-A and SRX-B devices are connected via an IPsec VPN.

  • eBGP neighborship is formed between these SRX devices by using the st0 IP addresses. 

CLI Configuration

SRX-A VPN Configuration

set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL dh-group group14
set security ike proposal IKE-PROPOSAL authentication-algorithm sha-256
set security ike proposal IKE-PROPOSAL encryption-algorithm aes-256-cbc
set security ike policy IKE-POLICY mode main
set security ike policy IKE-POLICY proposals IKE-PROPOSAL
set security ike policy IKE-POLICY pre-shared-key ascii-text Juniper
set security ike gateway IKE-GATEWAY ike-policy IKE-POLICY
set security ike gateway IKE-GATEWAY address 1.1.1.2
set security ike gateway IKE-GATEWAY external-interface ge-0/0/0.0
set security ike gateway IKE-GATEWAY version v1-only

set security ipsec proposal IPSEC-PROPOSAL protocol esp
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL
set security ipsec vpn IPSEC-VPN bind-interface st0.0
set security ipsec vpn IPSEC-VPN ike gateway IKE-GATEWAY
set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POLICY
set security ipsec vpn IPSEC-VPN establish-tunnels immediately

SRX-A BGP Configuration

set protocols bgp group EBGP type external
set protocols bgp group EBGP peer-as 200
set protocols bgp group EBGP neighbor 10.0.0.2
set routing-options autonomous-system 100

SRX-A Interfaces and Zones Configuration

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/24
set interfaces st0 unit 0 family inet address 10.0.0.1/24

set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic protocols bgp
set security zones security-zone UNTRUST interfaces st0.0 host-inbound-traffic system-services ping
set security zones security-zone UNTRUST interfaces st0.0 host-inbound-traffic protocols bgp

SRX-B VPN Configuration

set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL dh-group group14
set security ike proposal IKE-PROPOSAL authentication-algorithm sha-256
set security ike proposal IKE-PROPOSAL encryption-algorithm aes-256-cbc
set security ike policy IKE-POLICY mode main
set security ike policy IKE-POLICY proposals IKE-PROPOSAL
set security ike policy IKE-POLICY pre-shared-key ascii-text Juniper
set security ike gateway IKE-GATEWAY ike-policy IKE-POLICY
set security ike gateway IKE-GATEWAY address 1.1.1.1
set security ike gateway IKE-GATEWAY external-interface ge-0/0/0.0
set security ike gateway IKE-GATEWAY version v1-only

set security ipsec proposal IPSEC-PROPOSAL protocol esp
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL
set security ipsec vpn IPSEC-VPN bind-interface st0.0
set security ipsec vpn IPSEC-VPN ike gateway IKE-GATEWAY
set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POLICY

SRX-B BGP Configuration

set protocols bgp group EBGP type external
set protocols bgp group EBGP peer-as 100
set protocols bgp group EBGP neighbor 10.0.0.1
set routing-options autonomous-system 200

SRX-B Interfaces and Zones Configuration

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/24
set interfaces st0 unit 0 family inet address 10.0.0.2/24

set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic protocols bgp
set security zones security-zone UNTRUST interfaces st0.0 host-inbound-traffic system-services ping
set security zones security-zone UNTRUST interfaces st0.0 host-inbound-traffic protocols bgp
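Most failures of this setup come from the two ends disagreeing on a parameter: a proposal field that differs, a gateway address that is not the peer's external interface, or a BGP peer-as/neighbor that does not match the other side's AS and st0 address. The script below is an added example (not Juniper code) that parses both sides' set-style configuration and reports such mismatches. It assumes one IKE/IPsec proposal, one gateway, one VPN and one BGP group per device, as in the SRX-A and SRX-B configuration above; the embedded configurations are constructed from the relevant lines of that example.

```python
# Cross-check both ends of a Junos IPsec + BGP peering for mismatches.
# Added example, not Juniper code; assumes one proposal, gateway, VPN and
# BGP group per device, as in the SRX-A / SRX-B configuration above.
import ipaddress

# Constructed sample: the relevant 'set' commands from the SRX-A configuration.
SRX_A = """
set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL dh-group group14
set security ike proposal IKE-PROPOSAL authentication-algorithm sha-256
set security ike proposal IKE-PROPOSAL encryption-algorithm aes-256-cbc
set security ike gateway IKE-GATEWAY address 1.1.1.2
set security ike gateway IKE-GATEWAY external-interface ge-0/0/0.0
set security ipsec proposal IPSEC-PROPOSAL protocol esp
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec vpn IPSEC-VPN bind-interface st0.0
set protocols bgp group EBGP peer-as 200
set protocols bgp group EBGP neighbor 10.0.0.2
set routing-options autonomous-system 100
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/24
set interfaces st0 unit 0 family inet address 10.0.0.1/24
"""
# Constructed sample: the same lines from the SRX-B configuration.
SRX_B = """
set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL dh-group group14
set security ike proposal IKE-PROPOSAL authentication-algorithm sha-256
set security ike proposal IKE-PROPOSAL encryption-algorithm aes-256-cbc
set security ike gateway IKE-GATEWAY address 1.1.1.1
set security ike gateway IKE-GATEWAY external-interface ge-0/0/0.0
set security ipsec proposal IPSEC-PROPOSAL protocol esp
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec vpn IPSEC-VPN bind-interface st0.0
set protocols bgp group EBGP peer-as 100
set protocols bgp group EBGP neighbor 10.0.0.1
set routing-options autonomous-system 200
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/24
set interfaces st0 unit 0 family inet address 10.0.0.2/24
"""

def parse_set_config(text):
    """Turn 'set a b c value' lines into {('a', 'b', 'c'): {'value', ...}}."""
    cfg = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0] == "set":
            cfg.setdefault(tuple(tokens[1:-1]), set()).add(tokens[-1])
    return cfg

def value(cfg, *path):
    """The single value configured at path, or None if absent or ambiguous."""
    vals = cfg.get(tuple(path), set())
    return next(iter(vals)) if len(vals) == 1 else None

def name(cfg, *prefix):
    """First object name configured under prefix (e.g. the IKE proposal name)."""
    n = len(prefix)
    found = sorted({k[n] for k in cfg if len(k) > n and k[:n] == prefix})
    return found[0] if found else None

def interface_ip(cfg, ifl):
    """Host address of a 'ge-0/0/0.0'-style logical interface, without the prefix length."""
    if not ifl or "." not in ifl:
        return None
    ifd, unit = ifl.split(".")
    addr = value(cfg, "interfaces", ifd, "unit", unit, "family", "inet", "address")
    return str(ipaddress.ip_interface(addr).ip) if addr else None

PROPOSAL_PARAMS = {
    "ike": ("authentication-method", "dh-group", "authentication-algorithm", "encryption-algorithm"),
    "ipsec": ("protocol", "authentication-algorithm", "encryption-algorithm"),
}

def check_peering(local, remote):
    """Mismatches seen from 'local' looking at 'remote'; an empty list means consistent."""
    findings = []
    # Every proposal parameter must agree or IKE/IPsec negotiation fails.
    for kind, params in PROPOSAL_PARAMS.items():
        pl, pr = name(local, "security", kind, "proposal"), name(remote, "security", kind, "proposal")
        for p in params:
            vl = value(local, "security", kind, "proposal", pl, p)
            vr = value(remote, "security", kind, "proposal", pr, p)
            if vl != vr:
                findings.append(f"{kind} proposal {p}: {vl} != {vr}")
    # The local gateway address must be the remote's external-interface address.
    gw_l, gw_r = name(local, "security", "ike", "gateway"), name(remote, "security", "ike", "gateway")
    peer_ext = interface_ip(remote, value(remote, "security", "ike", "gateway", gw_r, "external-interface"))
    if value(local, "security", "ike", "gateway", gw_l, "address") != peer_ext:
        findings.append(f"ike gateway address should be {peer_ext}")
    # BGP peer-as must be the remote AS and the neighbor the remote st0 address.
    grp = name(local, "protocols", "bgp", "group")
    if value(local, "protocols", "bgp", "group", grp, "peer-as") != value(remote, "routing-options", "autonomous-system"):
        findings.append("bgp peer-as does not match remote autonomous-system")
    vpn_r = name(remote, "security", "ipsec", "vpn")
    st0_ip = interface_ip(remote, value(remote, "security", "ipsec", "vpn", vpn_r, "bind-interface"))
    if value(local, "protocols", "bgp", "group", grp, "neighbor") != st0_ip:
        findings.append(f"bgp neighbor should be the remote tunnel address {st0_ip}")
    return findings

def check_both_ways(text_a, text_b):
    """Run the checks in each direction and concatenate the findings."""
    a, b = parse_set_config(text_a), parse_set_config(text_b)
    return check_peering(a, b) + check_peering(b, a)

if __name__ == "__main__":
    print(check_both_ways(SRX_A, SRX_B) or "both ends agree")
```

Running the checks in both directions matters: a wrong peer-as is only visible from the side that configured it, while a proposal mismatch is reported from both. Changing `group14` to `group2` on one side, for instance, produces one dh-group finding per direction.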

Verification

On SRX-A

root@SRX-A> show security ike security-associations
Apr 09 19:38:09
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
4398146 UP     f1e858dea6f26493  4622741bb587cce2  Main           1.1.1.2

root@SRX-A> show security ipsec security-associations
Apr 09 19:38:12
  Total active tunnels: 1     Total Ipsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-256/sha256 192ac6b9 1324/ unlim - root 500 1.1.1.2
  >131073 ESP:aes-cbc-256/sha256 4dda5e0 1324/ unlim - root 500 1.1.1.2

root@SRX-A> show bgp summary
Apr 09 19:38:19
Threading mode: BGP I/O
Groups: 1 Peers: 1 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0
                       0          0          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
10.0.0.2                200        118        122       0       0       52:27 Establ
  inet.0: 0/0/0/0

On SRX-B

root@SRX-B> show security ike security-associations
Apr 09 19:47:52
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
3035558 UP     f1e858dea6f26493  4622741bb587cce2  Main           1.1.1.1

root@SRX-B> show security ipsec security-associations
Apr 09 19:47:59
  Total active tunnels: 1     Total Ipsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-256/sha256 4dda5e0 1257/ unlim - root 500 1.1.1.1
  >131073 ESP:aes-cbc-256/sha256 192ac6b9 1257/ unlim - root 500 1.1.1.1

root@SRX-B> show bgp summary
Apr 09 19:48:06
Threading mode: BGP I/O
Groups: 1 Peers: 1 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0
                       1          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
10.0.0.1                100        126        121       0       0       53:33 Establ
  inet.0: 1/1/1/0
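The two sides' outputs above should describe one and the same tunnel: both IKE SAs carry the same initiator and responder cookie pair, the inbound SPI on SRX-A (192ac6b9) is the outbound SPI on SRX-B and vice versa, and the BGP peer is Establ on both ends. The script below is an added example (not Juniper code) that parses the verification output from both devices and checks exactly those relationships; the regular expressions are written for the output format shown in this article and are an assumption for other Junos releases. The embedded outputs are constructed from the verification section above.

```python
# Parse 'show security ike/ipsec security-associations' and 'show bgp summary'
# from both SRX devices and confirm the two ends describe the same tunnel.
# Added example, not Juniper code; the regexes assume the output format shown
# in the article.
import re

# Constructed sample: the SRX-A verification output from the article.
SRX_A_OUT = """
root@SRX-A> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
4398146 UP     f1e858dea6f26493  4622741bb587cce2  Main           1.1.1.2

root@SRX-A> show security ipsec security-associations
  Total active tunnels: 1     Total Ipsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-256/sha256 192ac6b9 1324/ unlim - root 500 1.1.1.2
  >131073 ESP:aes-cbc-256/sha256 4dda5e0 1324/ unlim - root 500 1.1.1.2

root@SRX-A> show bgp summary
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
10.0.0.2                200        118        122       0       0       52:27 Establ
  inet.0: 0/0/0/0
"""
# Constructed sample: the SRX-B verification output from the article.
SRX_B_OUT = """
root@SRX-B> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
3035558 UP     f1e858dea6f26493  4622741bb587cce2  Main           1.1.1.1

root@SRX-B> show security ipsec security-associations
  Total active tunnels: 1     Total Ipsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-256/sha256 4dda5e0 1257/ unlim - root 500 1.1.1.1
  >131073 ESP:aes-cbc-256/sha256 192ac6b9 1257/ unlim - root 500 1.1.1.1

root@SRX-B> show bgp summary
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
10.0.0.1                100        126        121       0       0       53:33 Establ
  inet.0: 1/1/1/0
"""

IKE_SA = re.compile(r"^(\d+)\s+(\S+)\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+(\S+)\s+(\S+)", re.M)
IPSEC_SA = re.compile(r"^\s*([<>])(\d+)\s+(\S+)\s+([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(\S+)", re.M)
BGP_PEER = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)(?:\s+\S+){5}\s+(\S+)", re.M)

def parse_status(text):
    """Extract the IKE SA, per-direction IPsec SAs and BGP peers from the show output."""
    status = {"ike": [], "ipsec": {}, "bgp": {}}
    for _idx, state, icookie, rcookie, mode, remote in IKE_SA.findall(text):
        status["ike"].append({"state": state, "cookies": (icookie, rcookie), "mode": mode, "remote": remote})
    for direction, sa_id, alg, spi, gateway in IPSEC_SA.findall(text):
        # '<' is the inbound SA (decrypts what the peer sends), '>' the outbound one.
        key = "in" if direction == "<" else "out"
        status["ipsec"][key] = {"id": sa_id, "alg": alg, "spi": spi, "gateway": gateway}
    for peer, asn, state in BGP_PEER.findall(text):
        status["bgp"][peer] = {"as": asn, "state": state}
    return status

def cross_check(a, b):
    """Findings that mean the two ends do not describe one healthy tunnel and BGP session."""
    findings = []
    if not (a["ike"] and b["ike"]):
        return ["IKE SA missing on at least one side"]
    if a["ike"][0]["state"] != "UP" or b["ike"][0]["state"] != "UP":
        findings.append("IKE SA not UP on both sides")
    # Both ends of one IKE SA report the same initiator/responder cookie pair.
    if a["ike"][0]["cookies"] != b["ike"][0]["cookies"]:
        findings.append("IKE cookies differ: the two sides are not in the same SA")
    # An SPI identifies one direction: A's inbound SPI must be B's outbound SPI.
    for here, there in (("in", "out"), ("out", "in")):
        if a["ipsec"].get(here, {}).get("spi") != b["ipsec"].get(there, {}).get("spi"):
            findings.append(f"IPsec SPI mismatch: A {here} vs B {there}")
    if {s["alg"] for s in a["ipsec"].values()} != {s["alg"] for s in b["ipsec"].values()}:
        findings.append("IPsec algorithms differ")
    # BGP rides inside the tunnel: the peer must be Established on both ends.
    for side, st in (("A", a), ("B", b)):
        for peer, info in st["bgp"].items():
            if info["state"] != "Establ":
                findings.append(f"BGP peer {peer} on SRX-{side} is {info['state']}")
    return findings

def verify(text_a, text_b):
    """Parse both outputs and return the list of findings (empty when consistent)."""
    return cross_check(parse_status(text_a), parse_status(text_b))

if __name__ == "__main__":
    print(verify(SRX_A_OUT, SRX_B_OUT) or "tunnel and BGP session consistent on both ends")
```

The SPI check is the one worth remembering: an SPI names a single direction of an IPsec SA, so each end shows the peer's outbound SPI as its own inbound one. Two devices whose inbound and outbound SPIs do not cross-match in this way are not talking through the same Phase 2 SA, even if each reports a tunnel as up.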

Route Advertisement from SRX-A to SRX-B

set interfaces lo0 unit 0 family inet address 192.168.1.1/32
set policy-options policy-statement BGP-EXPORT term 1 from route-filter 192.168.1.1/32 exact
set policy-options policy-statement BGP-EXPORT term 1 then accept
set protocols bgp group EBGP export BGP-EXPORT

root@SRX-A> show route advertising-protocol bgp 10.0.0.2
Apr 09 19:42:10

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 192.168.1.1/32          Self                                    I

root@SRX-B> show route receive-protocol bgp 10.0.0.1
Apr 09 19:51:04

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 192.168.1.1/32          10.0.0.1                                100 I

root@SRX-B> show route protocol bgp
Apr 09 19:51:32

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.1/32     *[BGP/170] 00:28:45, localpref 100
                      AS path: 100 I, validation-state: unverified
                    >  to 10.0.0.1 via st0.0
