

Configure IPSec between PE Routers Instead of MPLS

A conventional Layer 3 BGP/MPLS VPN requires the configuration of MPLS LSPs between the PE routers. When a PE router receives a packet from a CE router, it performs a lookup in a specific VRF table for the IP destination address and obtains a corresponding MPLS label stack. The label stack is used to forward the packet to the egress PE router, where the bottom label is removed and the packet is forwarded to the specified CE router.

You can provide Layer 3 BGP/MPLS VPN service without an MPLS backbone. Instead of configuring MPLS LSPs between the PE routers, you configure GRE and IPSec tunnels between the PE routers. The MPLS information for the VPN (the VPN label) is encapsulated within an IP header and an IPSec header. The source address of the IP header is the address of the ingress PE router. The destination address is the BGP next hop, the address of the egress PE router.


The IPSec tunnel requires the use of an ES PIC. The GRE tunnel requires the use of a Tunnel Services PIC.


To configure IPSec between PE routers, complete the following:

  1. Configure an IPSec tunnel between the PE routers. The source address is that of the ingress PE router, and the destination address is that of the egress PE router:
[edit interfaces]
es-interface-name {
    unit unit-number {
        tunnel {
            source source-address;
            destination destination-address;
        }
        family inet {
            ipsec-sa sa-esp-dynamic;
            address address;
        }
        family mpls;
    }
}

  2. Configure IPSec on the PE router. For information about how to configure IPSec, see the JUNOS Internet Software Configuration Guide: Getting Started.
  3. Configure a GRE tunnel between the PE routers. Again, the source address is that of the ingress PE router, and the destination address is that of the egress PE router:
[edit interfaces]
gr-interface-name {
    unit unit-number {
        family inet {
            address address;
        }
        family mpls;
        tunnel {
            source source-address;
            destination destination-address;
        }
    }
}

  4. Configure BGP between the PE routers:
[edit protocols]
bgp {
    group pe {
        type internal;
        local-address local-address;
        family inet {
            unicast;
        }
        family inet-vpn {
            unicast;
        }
        peer-as as-number;
        neighbor address;
    }
}

  5. Configure the routing instance:
[edit]
routing-instances {
    routing-instance-name {
        instance-type vrf;
        interface interface-name;
        route-distinguisher address;
        vrf-import import-policy-name;
        vrf-export export-policy-name;
        protocols {
            bgp {
                group routing-instance-name {
                    type external;
                    peer-as as-number;
                    as-override;
                    neighbor address;
                }
            }
        }
    }
}

  6. Configure the policy options:
[edit]
policy-options {
    policy-statement import-policy-name {
        term 1 {
            from {
                protocol bgp;
                community community-name;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
    policy-statement export-policy-name {
        term 1 {
            from protocol [ bgp direct ];
            then {
                community add community-name;
                accept;
            }
        }
        term 2 {
            then reject;
        }
    }
    community community-name members target:target;
}
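
The encapsulation the procedure above produces, shown as an added Python illustration that is not part of the JUNOS documentation: the ingress PE wraps the VPN label (a one-entry label stack) in GRE inside an outer IP header addressed from the ingress PE to the egress PE, and the egress PE validates the headers and pops the bottom label. The ESP layer that the ES PIC adds around this packet is not modelled, and the PE addresses, label value and inner packet are constructed sample values.

```python
import struct

GRE_PROTO_MPLS_UNICAST = 0x8847  # GRE protocol type for MPLS unicast (RFC 4023)
IPPROTO_GRE = 47                 # outer IP header carries GRE to the egress PE

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (returns 0 for a valid header)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def encapsulate(vpn_label: int, ttl: int, ingress_pe: str, egress_pe: str, inner: bytes) -> bytes:
    """Ingress PE view: outer IPv4 (ingress -> egress PE) / GRE / one-entry label stack / inner packet."""
    if not 16 <= vpn_label < (1 << 20):
        raise ValueError("VPN label must be an unreserved 20-bit label")
    # Label stack entry (RFC 3032): label | EXP=0 | S=1 (bottom of stack) | TTL
    mpls_entry = struct.pack("!I", (vpn_label << 12) | (1 << 8) | (ttl & 0xFF))
    gre = struct.pack("!HH", 0, GRE_PROTO_MPLS_UNICAST)  # no C/K/S optional fields
    payload = gre + mpls_entry + inner
    src = bytes(int(o) for o in ingress_pe.split("."))   # tunnel source = ingress PE
    dst = bytes(int(o) for o in egress_pe.split("."))    # tunnel destination = BGP next hop
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, IPPROTO_GRE, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def decapsulate(packet: bytes):
    """Egress PE view: check outer IPv4/GRE, pop the bottom label, return (label, inner packet)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != IPPROTO_GRE or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("not a valid IPv4/GRE packet")
    gre_flags, gre_proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if gre_proto != GRE_PROTO_MPLS_UNICAST or gre_flags & 0xB000:
        raise ValueError("unexpected GRE protocol type or optional fields")
    entry, = struct.unpack("!I", packet[ihl + 4:ihl + 8])
    label, bottom = entry >> 12, (entry >> 8) & 1
    if not bottom:
        raise ValueError("label stack deeper than one entry; expected only the VPN label")
    return label, packet[ihl + 8:]

def demo():
    """Constructed sample: PE addresses, VPN label and inner packet are illustrative values."""
    inner = bytes.fromhex("4500001c0000000040110000c0a80101c0a80201") + b"customer-data"
    pkt = encapsulate(1000, 255, "10.0.0.1", "10.0.0.2", inner)
    return decapsulate(pkt) == (1000, inner)
```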
