Example: ES PIC IKE Dynamic SA Configuration
Figure 56 shows the same IPSec topology as seen in the ES PIC manual SA example. However, this time the configuration requires Routers 2 and 3 to establish an IPSec tunnel using an IKE dynamic SA, enhanced authentication, and stronger encryption. Routers 1 and 4 continue to provide basic connectivity and are used to verify that the IPSec tunnel is operational.
On Router 1, provide basic OSPF connectivity to Router 2.
Router 1
[edit]
interfaces {
so-0/0/0 {
description "To R2 so-0/0/0";
unit 0 {
family inet {
address 10.1.12.2/30;
}
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.1/32;
}
}
}
}
routing-options {
router-id 10.0.0.1;
}
protocols {
ospf {
area 0.0.0.0 {
interface so-0/0/0.0;
interface lo0.0;
}
}
}
On Router 2, enable OSPF as the underlying routing protocol to connect to Routers 1 and 3. Configure a bidirectional IKE dynamic SA called sa-dynamic at the [edit security ipsec security-association] hierarchy level. For your IKE policy and proposal, use preshared keys for the authentication method, SHA-1 for the authentication algorithm, 3DES-CBC for encryption, group 2 for the Diffie-Hellman group, main mode, 3600 seconds for the lifetime, and a preshared key of juniper for the initial IKE negotiation. For your IPSec policy and proposal, use ESP for the protocol, HMAC-SHA1-96 for authentication, 3DES-CBC for encryption, 28800 seconds for the lifetime, and group 2 for the PFS group.
To direct traffic into the ES PIC and the IPSec tunnel, create two firewall filters. The es-traffic filter matches inbound traffic from Router 1 destined for Router 4, whereas the es-return filter matches the return path from Router 4 to Router 1. Apply the es-traffic filter to the so-0/0/0 interface, and then apply both the es-return filter and the sa-dynamic SA to the es-0/3/0 interface.
Router 2
[edit]
interfaces {
so-0/0/0 {
description "To R1 so-0/0/0";
unit 0 {
family inet {
filter {
input es-traffic; # Apply a filter that sends traffic to the IPSec tunnel here.
}
address 10.1.12.1/30;
}
}
}
so-0/0/1 {
description "To R3 so-0/0/1";
unit 0 {
family inet {
address 10.1.15.1/30;
}
}
}
es-0/3/0 {
unit 0 {
tunnel { # Specify the IPSec tunnel endpoints here.
source 10.1.15.1;
destination 10.1.15.2;
}
family inet {
ipsec-sa sa-dynamic; # Apply the dynamic SA here.
filter {
input es-return; # Apply the filter that matches return IPSec traffic here.
}
}
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.2/32;
}
}
}
}
routing-options {
router-id 10.0.0.2;
}
protocols {
ospf {
area 0.0.0.0 {
interface so-0/0/0.0;
interface so-0/0/1.0;
interface lo0.0;
}
}
}
security {
ipsec {
proposal es-ipsec-proposal { # Define your IPSec proposal specifications here.
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 28800;
}
policy es-ipsec-policy { # Define your IPSec policy specifications here.
perfect-forward-secrecy {
keys group2;
}
proposals es-ipsec-proposal; # Reference the IPSec proposal here.
}
security-association sa-dynamic { # Define your dynamic SA here.
mode tunnel;
dynamic {
ipsec-policy es-ipsec-policy; # Reference the IPSec policy here.
}
}
}
ike {
proposal es-ike-proposal { # Define your IKE proposal specifications here.
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 3600;
}
policy 10.1.15.2 { # Define your IKE policy specifications here.
mode main;
proposals es-ike-proposal; # Reference the IKE proposal here.
pre-shared-key ascii-text "$9$TF6ABIcvWxp0WxNdg4QFn";
## The unencrypted preshared key for this example is juniper.
}
}
}
firewall {
filter es-traffic { # Define a filter that sends traffic to the IPSec tunnel here.
term to-es {
from {
source-address {
10.1.12.0/24;
}
destination-address {
10.1.56.0/24;
}
}
then {
count ipsec-tunnel;
ipsec-sa sa-dynamic;
}
}
term other {
then accept;
}
}
filter es-return { # Define a filter that matches return IPSec traffic here.
term return {
from {
source-address {
10.1.56.0/24;
}
destination-address {
10.1.12.0/24;
}
}
then accept;
}
}
}
On Router 3, enable OSPF as the underlying routing protocol to connect to Routers 2 and 4. Configure a bidirectional IKE dynamic SA called sa-dynamic at the [edit security ipsec security-association] hierarchy level. Use the same policies and proposals that you used on Router 2.
For your IKE policy and proposal, use preshared keys for the authentication method, SHA-1 for the authentication algorithm, 3DES-CBC for encryption, group 2 for the Diffie-Hellman group, main mode, 3600 seconds for the lifetime, and a preshared key of juniper for the initial IKE negotiation. For your IPSec policy and proposal, use ESP for the protocol, HMAC-SHA1-96 for authentication, 3DES-CBC for encryption, 28800 seconds for the lifetime, and group 2 for the PFS group.
To direct traffic into the ES PIC and the IPSec tunnel, create two firewall filters. Thees-trafficfilter matches inbound traffic from Router 4 destined for Router 1, whereas thees-returnfilter matches the return path from Router 1 to Router 4. Apply thees-trafficfilter to theso-0/0/0interface, then apply both thees-returnfilter and thesa-dynamicSA to thees-0/3/0interface.
Router 3
[edit]
interfaces {
so-0/0/0 {
description "To R4 so-0/0/0";
unit 0 {
family inet {
filter {
input es-traffic; # Apply a filter that sends traffic to the IPSec tunnel here.
}
address 10.1.56.1/30;
}
}
}
so-0/0/1 {
description "To R2 so-0/0/1";
unit 0 {
family inet {
address 10.1.15.2/30;
}
}
}
es-0/3/0 {
unit 0 {
tunnel { # Specify the IPSec tunnel endpoints here.
source 10.1.15.2;
destination 10.1.15.1;
}
family inet {
ipsec-sa sa-dynamic; # Apply the dynamic SA here.
filter {
input es-return; # Apply the filter that matches return IPSec traffic here.
}
}
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.3/32;
}
}
}
}
routing-options {
router-id 10.0.0.3;
}
protocols {
ospf {
area 0.0.0.0 {
interface so-0/0/0.0;
interface so-0/0/1.0;
interface lo0.0;
}
}
}
security {
ipsec {
proposal es-ipsec-proposal { # Define your IPSec proposal specifications here.
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 28800;
}
policy es-ipsec-policy { # Define your IPSec policy specifications here.
perfect-forward-secrecy {
keys group2;
}
proposals es-ipsec-proposal; # Reference the IPSec proposal here.
}
security-association sa-dynamic { # Define your dynamic SA here.
mode tunnel;
dynamic {
ipsec-policy es-ipsec-policy; # Reference the IPSec policy here.
}
}
}
ike {
proposal es-ike-proposal { # Define your IKE proposal specifications here.
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 3600;
}
policy 10.1.15.1 { # Define your IKE policy specifications here.
mode main;
proposals es-ike-proposal; # Reference the IKE proposal here.
pre-shared-key ascii-text "$9$TF6ABIcvWxp0WxNdg4QFn";
## The unencrypted preshared key for this example is juniper.
}
}
}
firewall {
filter es-traffic { # Define a filter that sends traffic to the IPSec tunnel here.
term to-es {
from {
source-address {
10.1.56.0/24;
}
destination-address {
10.1.12.0/24;
}
}
then {
count ipsec-tunnel;
ipsec-sa sa-dynamic;
}
}
term other {
then accept;
}
}
filter es-return { # Define a filter that matches return IPSec traffic here.
term return {
from {
source-address {
10.1.12.0/24;
}
destination-address {
10.1.56.0/24;
}
}
then accept;
}
}
}
On Router 4, provide basic OSPF connectivity to Router 3.
Router 4
[edit]
interfaces {
so-0/0/0 {
description "To R3 so-0/0/0";
unit 0 {
family inet {
address 10.1.56.2/30;
}
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.4/32;
}
}
}
}
routing-options {
router-id 10.0.0.4;
}
protocols {
ospf {
area 0.0.0.0 {
interface so-0/0/0.0;
interface lo0.0;
}
}
}