Configure MTU for Encryption Interfaces
The protocol MTU value for encryption interfaces must always be less than the default interface MTU value of 3900 bytes; the configuration fails to commit if you select a greater value. To set the MTU value, include the mtu bytes statement at the [edit interfaces interface-name unit logical-unit-number family inet] hierarchy level:

    [edit interfaces es-fpc/pic/port unit logical-unit-number family inet]
    mtu bytes;

For more information, see Set the Protocol MTU.
Example: Configure Encryption Interfaces
Configure two logical interfaces:
unit 0 has a manual SA with static keys and algorithms, and unit 1 has a dynamically negotiated SA:

    [edit interfaces]
    es-0/0/0 {
        unit 0 {
            tunnel {
                source 10.36.17.4;
                destination 10.36.15.3;
            }
            family inet {
                ipsec-sa manual-sa1;
            }
        }
        unit 1 {
            tunnel {
                source 10.36.16.4;
                destination 10.36.12.7;
            }
            family inet {
                ipsec-sa dynamic-sa1 {
                }
            }
        }
    }

Configure a manual SA with specified keys, including direction, protocol, Security Parameter Index (SPI), authentication, and encryption:
    [edit security ipsec]
    security-association manual-sa1 {
        manual {
            direction bidirectional {
                protocol esp;
                spi 2312;
                authentication {
                    algorithm hmac-md5-96;
                    key ascii-text 1234123412341234;
                }
                encryption {
                    algorithm 3des-cbc;
                    key ascii-text 123456789009876543211234;
                }
            }
        }
    }

Configure a dynamic SA with an IKE proposal, IKE policy, IPSec proposal, IPSec policy, and an SA associated with an IPSec policy:
    [edit security]
    ike {
        proposal ike-proposal {
            authentication-method pre-shared-keys;
            dh-group group1;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
        }
        policy 10.1.1.2 {
            mode main;
            proposal ike-proposal;
            pre-shared-key ascii-text example-pre-shared-key;
        }
    }
    ipsec {
        policy dynamic-policy-1 {
            proposal [dynamic-1];
        }
        proposal dynamic-1 {
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            protocol esp;
        }
        security-association dynamic-sa1 {
            dynamic ipsec-policy dynamic-policy-1;
        }
    }

Configure firewall filters that define outbound traffic for the IPSec tunnel and ensure that the tunneled traffic goes out the appropriate interface:
    [edit firewall]
    filter ipsec-encrypt-policy-filter {
        term term1 {
            from {
                source-address {      // local network
                    10.1.1.0/24;
                }
                destination-address { // remote network
                    10.2.2.0/24;
                }
            }
            then ipsec-sa manual-sa1; // apply SA name to packet
        }
        term term2 {
            then accept;
        }
    }
    [edit interfaces]
    fe-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input ipsec-encrypt-policy-filter;
                }
                address 10.1.1.254/24;
            }
        }
    }

Configure firewall filters that define inbound traffic for the IPSec tunnel and ensure that the appropriate interface receives the tunneled traffic:
    [edit firewall]
    filter ipsec-decrypt-policy-filter {
        term term1 {
            from {
                source-address {      // remote network
                    10.2.2.0/24;
                }
                destination-address { // local network
                    10.1.1.0/24;
                }
            }
            then accept;
        }
    }
    [edit interfaces]
    es-1/2/0 {
        unit 0 {
            tunnel {
                source 10.5.5.5;      // tunnel source address
                destination 10.6.6.6; // tunnel destination address
            }
            family inet {
                filter {
                    input ipsec-decrypt-policy-filter;
                }
                ipsec-sa manual-sa1;  // SA name applied to packet
                address 10.1.1.8/32 { // local interface address inside local VPN
                    destination 10.2.2.254; // destination address inside remote VPN
                }
            }
        }
    }
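As an added sanity check for the manual SA stanza above and for the protocol MTU rule in the first section (example code of my own, not from this page or from Junos), the script below parses a Junos brace-syntax stanza, reports any key whose length does not match what its algorithm requires, and exposes a helper for the MTU limit. The per-algorithm key lengths are my assumption of the values Junos enforces for manual SAs, so verify them against your release; the sample stanzas are constructed from the page's manual-sa1.

```python
import re

AUTH_KEY_LEN = {"hmac-md5-96": 16, "hmac-sha1-96": 20}  # key bytes; ASSUMED Junos manual-SA values
ENC_KEY_LEN = {"des-cbc": 8, "3des-cbc": 24}            # verify against your release
MAX_PROTOCOL_MTU = 3900  # protocol MTU must stay below the default interface MTU

def parse_stanza(text):
    """Parse Junos brace syntax into nested dicts; a leaf maps keyword -> argument string."""
    stack, words = [{}], []
    for tok in re.findall(r"\{|\}|;|[^\s{};]+", text):
        if tok == "{":                    # open a child block named by the pending words
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":                  # terminate a leaf statement
            if words:
                stack[-1][words[0]] = " ".join(words[1:])
            words = []
        else:
            words.append(tok)
    return stack[0]

def key_bytes(keyarg):  # byte length of a 'key ascii-text X' / 'key hexadecimal X' argument
    fmt, value = keyarg.split(" ", 1)
    return len(value) if fmt == "ascii-text" else len(value) // 2

def check_manual_sa(sa_text):
    """Return problems found in a 'security-association NAME { manual { ... } }' stanza."""
    problems = []
    sa = next(iter(parse_stanza(sa_text).values()))    # the single named SA block
    for direction, block in sa["manual"].items():       # e.g. "direction bidirectional"
        for part, table in (("authentication", AUTH_KEY_LEN), ("encryption", ENC_KEY_LEN)):
            alg = block.get(part, {}).get("algorithm")
            want = table.get(alg)
            if want is None:
                problems.append(f"{direction}: unsupported {part} algorithm {alg!r}")
            elif (got := key_bytes(block[part]["key"])) != want:
                problems.append(f"{direction}: {alg} needs a {want}-byte key, got {got}")
    return problems

def protocol_mtu_ok(mtu):  # True if a 'family inet mtu' value would commit on an ES interface
    return 0 < mtu < MAX_PROTOCOL_MTU

# Constructed samples: the page's manual-sa1, and a copy whose 3des-cbc key is too short.
GOOD_SA = """security-association manual-sa1 { manual { direction bidirectional {
  protocol esp; spi 2312; authentication { algorithm hmac-md5-96; key ascii-text 1234123412341234; }
  encryption { algorithm 3des-cbc; key ascii-text 123456789009876543211234; } } } }"""
BAD_SA = GOOD_SA.replace("123456789009876543211234", "tooshort")
```

Note that 3des-cbc, hmac-md5-96 and DH group1, as used in these examples, are legacy algorithms; prefer the stronger proposals your platform supports.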