Example: IKE Dynamic SA Between an AS PIC
and an ES PIC Configuration
Figure 60 shows a hybrid configuration that allows you to create an IPSec tunnel between the AS PIC and the ES PIC. Router 2 contains an AS PIC at sp-1/2/0 and Router 3 has an ES PIC at es-0/3/0. To establish an IPSec tunnel using an IKE dynamic SA, the key is to learn the default IKE SA and IPSec SA settings built into the AS PIC and configure them explicitly on the ES PIC. Routers 1 and 4 again provide basic connectivity and are used to verify that the IPSec tunnel is operational.
On Router 1, provide basic OSPF connectivity to Router 2.
Router 1
[edit]
interfaces {
so-0/0/0 {
description "To R2 so-0/0/0";
unit 0 {
family inet {
address 10.1.12.2/30;
}
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.1/32;
}
}
}
}
routing-options {
router-id 10.0.0.1;
}
protocols {
ospf {
area 0.0.0.0 {
interface so-0/0/0.0;
interface lo0.0;
}
}
}
On Router 2, enable OSPF as the underlying routing protocol to connect to Routers 1 and 3. Configure a bidirectional IKE dynamic SA in a rule called rule-ike at the [edit ipsec-vpn rule] hierarchy level. Reference this rule in a service set called service-set-dynamic-BiEspsha3des at the [edit services service-set] hierarchy level.
Using default values in the AS PIC, you do not need to specify an IPSec proposal, IPSec policy, or IKE proposal. However, you do need to configure a preshared key in an IKE policy with the pre-shared-key statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level. (For more information about default IKE and IPSec policies and proposals on the AS PIC, see Table 42.)
To direct traffic into the AS PIC and the IPSec tunnel, include match conditions in the rule-ike IPSec VPN rule to match inbound traffic from Router 1 that is destined for Router 4. Because the rule is already referenced by the service set, apply the service set to the so-0/0/1 interface. To count the amount of traffic that enters the IPSec tunnel, configure a firewall filter called ipsec-tunnel and apply it to the sp-1/2/0 interface.
Router 2
[edit]
interfaces {
so-0/0/0 {
description "To R1 so-0/0/0";
unit 0 {
family inet {
address 10.1.12.1/30;
}
}
}
so-0/0/1 {
description "To R3 so-0/0/1";
unit 0 {
family inet {
service { # Apply the service set here.
input {
service-set service-set-dynamic-BiEspsha3des;
}
output {
service-set service-set-dynamic-BiEspsha3des;
}
}
address 10.1.15.1/30;
}
}
}
sp-1/2/0 {
services-options {
syslog {
host local {
services info;
}
}
}
unit 0 {
family inet {
filter {
input ipsec-tunnel; # Apply the firewall filter with the counter here.
}
}
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.2/32;
}
}
}
}
routing-options {
router-id 10.0.0.2;
}
protocols {
ospf {
area 0.0.0.0 {
interface so-0/0/0.0;
interface so-0/0/1.0;
interface lo0.0;
}
}
}
firewall {
filter ipsec-tunnel { # Configure a firewall filter to count IPSec traffic here.
term 1 {
then {
count ipsec-tunnel;
accept;
}
}
}
}
services {
service-set service-set-dynamic-BiEspsha3des { # Define your service set here.
interface-service {
service-interface sp-1/2/0; # Specify an interface to process IPSec.
}
ipsec-vpn-options {
local-gateway 10.1.15.1; # Specify the local IP address of the IPSec tunnel.
}
ipsec-vpn-rules rule-ike; # Reference your IPSec VPN rule here.
}
ipsec-vpn {
rule rule-ike { # Define your IPSec VPN rule here.
term term-ike {
from {
source-address {
10.1.12.0/24;
}
destination-address {
10.1.56.0/24;
}
}
then {
remote-gateway 10.1.15.2; # The remote IP address of the IPSec tunnel.
dynamic { # This creates a dynamic SA.
ike-policy ike-policy-preshared; # Reference your IKE proposal here.
}
}
}
match-direction output; # Specify in which direction the rule should match.
}
ike {
policy ike-policy-preshared { # Define your IKE policy specifications here.
pre-shared-key ascii-text "$9$KtKWX-YgJHqfVwqfTzCAvWL";
## The unencrypted preshared key for this example is juniper.
}
} # Using default values, you do not need to specify an IPSec proposal,
} # IPSec policy, or IKE proposal.
}
On Router 3, enable OSPF as the underlying routing protocol to connect to Routers 2 and 4. Configure a bidirectional IKE dynamic SA called sa-dynamic at the [edit security ipsec security-association] hierarchy level. To allow the ES PIC to communicate with the IKE dynamic SA established on Router 2, you must explicitly configure the same policies and proposals on the ES PIC that are available by default on the AS PIC. (For more information about default IKE and IPSec policies and proposals on the AS PIC, see Table 42.)
For your IKE policy and proposal, use preshared keys for the authentication method, SHA-1 for the authentication algorithm, 3DES-CBC for encryption, group 2 for the Diffie-Hellman group, main mode, 3600 seconds for the lifetime, and a preshared key of juniper for the initial IKE negotiation. For your IPSec policy and proposal, use ESP for the protocol, HMAC-SHA1-96 for authentication, 3DES-CBC for encryption, 28800 seconds for the lifetime, and group 2 for the PFS group.
To direct traffic into the ES PIC and the IPSec tunnel, create two firewall filters. Thees-trafficfilter matches inbound traffic from Router 4 destined for Router 1, whereas thees-returnfilter matches the return path from Router 1 to Router 4. Apply thees-trafficfilter to theso-0/0/0interface, then apply both thees-returnfilter and thesa-dynamicSA to thees-0/3/0interface.
Router 3
[edit]
interfaces {
so-0/0/0 {
description "To R4 so-0/0/0";
unit 0 {
family inet {
filter {
input es-traffic; # Apply a filter that sends traffic to the IPSec tunnel here.
}
address 10.1.56.1/30;
}
}
}
so-0/0/1 {
description "To R2 so-0/0/1";
unit 0 {
family inet {
address 10.1.15.2/30;
}
}
}
es-0/3/0 {
unit 0 {
tunnel { # Specify the IPSec tunnel endpoints here.
source 10.1.15.2;
destination 10.1.15.1;
}
family inet {
ipsec-sa sa-dynamic; # Apply the dynamic SA here.
filter {
input es-return; # Apply the filter that matches return IPSec traffic here.
}
}
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.3/32;
}
}
}
}
routing-options {
router-id 10.0.0.3;
}
protocols {
ospf {
area 0.0.0.0 {
interface so-0/0/0.0;
interface so-0/0/1.0;
interface lo0.0;
}
}
}
security {
ipsec {
proposal es-ipsec-proposal { # Define your IPSec proposal specifications here.
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 28800;
}
policy es-ipsec-policy { # Define your IPSec policy specifications here.
perfect-forward-secrecy {
keys group2;
}
proposals es-ipsec-proposal; # Reference the IPSec proposal here.
}
security-association sa-dynamic { # Define your dynamic SA here.
mode tunnel;
dynamic {
ipsec-policy es-ipsec-policy; # Reference the IPSec policy here.
}
}
}
ike {
proposal es-ike-proposal { # Define your IKE proposal specifications here.
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 3600;
}
policy 10.1.15.1 { # Define your IKE policy specifications here.
mode main;
proposals es-ike-proposal; # Reference the IKE proposal here.
pre-shared-key ascii-text "$9$TF6ABIcvWxp0WxNdg4QFn";
## The unencrypted preshared key for this example is juniper.
}
}
}
firewall {
filter es-traffic { # Define a filter that sends traffic to the IPSec tunnel here.
term to-es {
from {
source-address {
10.1.56.0/24;
}
destination-address {
10.1.12.0/24;
}
}
then {
count ipsec-tunnel;
ipsec-sa sa-dynamic;
}
}
term other {
then accept;
}
}
filter es-return { # Define a filter that matches return IPSec traffic here.
term return {
from {
source-address {
10.1.12.0/24;
}
destination-address {
10.1.56.0/24;
}
}
then accept;
}
}
}
On Router 4, provide basic OSPF connectivity to Router 3.
Router 4
[edit]
interfaces {
so-0/0/0 {
description "To R3 so-0/0/0";
unit 0 {
family inet {
address 10.1.56.2/30;
}
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.4/32;
}
}
}
}
routing-options {
router-id 10.0.0.4;
}
protocols {
ospf {
area 0.0.0.0 {
interface so-0/0/0.0;
interface lo0.0;
}
}
}
