Overview of VPNEP
This Extended Package (EP) describes security requirements for a VPN Gateway. This is defined to be a device at the edge of a private network that terminates an IPsec tunnel, which provides device authentication, confidentiality, and integrity of information traversing a public or untrusted network. The EP is intended to provide a minimal, baseline set of requirements that are targeted at mitigating well-defined and described threats to VPN Gateway technology. However, this EP is not complete in itself, but rather extends the collaborative Protection Profile for Network Devices (NDcPPv2) and the collaborative Protection Profile for Stateful Traffic Filter Firewalls (FWcPP). This introduction will describe the features of a compliant Target of Evaluation (TOE), and will also discuss how this EP is to be used in conjunction with the NDcPPv2 and/or FWcPP.

Configuring IPsec VPN Extended Package (EP)
In this section, you configure devices running Junos OS for IPsec VPN using a preshared key as the IKE authentication method.
To configure the IPsec VPN with preshared key IKE authentication on the initiator:
- Configure the IPsec rule on R0.
  [edit]
  security-administrator@host:fips# set services service-set ipsec_ss_ms_4_0_0_1 next-hop-service inside-service-interface ms-4/0/0.1
  security-administrator@host:fips# set services service-set ipsec_ss_ms_4_0_0_1 next-hop-service outside-service-interface ms-4/0/0.2
  security-administrator@host:fips# set services service-set ipsec_ss_ms_4_0_0_1 ipsec-vpn-options local-gateway 20.1.1.1
  security-administrator@host:fips# set services service-set ipsec_ss_ms_4_0_0_1 ipsec-vpn-rules vpn_rule_ms_4_0_0_1
  security-administrator@host:fips# set services ipsec-vpn rule vpn_rule_ms_4_0_0_1 term term1 from source-address 10.1.1.0/24
  security-administrator@host:fips# set services ipsec-vpn rule vpn_rule_ms_4_0_0_1 term term1 from destination-address 40.1.1.0/24
  security-administrator@host:fips# set services ipsec-vpn rule vpn_rule_ms_4_0_0_1 term term1 then remote-gateway 30.1.1.2
  security-administrator@host:fips# set services ipsec-vpn rule vpn_rule_ms_4_0_0_1 term term1 then dynamic ike-policy ike_policy_ms_4_0_0_1
  security-administrator@host:fips# set services ipsec-vpn rule vpn_rule_ms_4_0_0_1 term term1 then dynamic ipsec-policy ipsec_policy_ms_4_0_0_1
  security-administrator@host:fips# set services ipsec-vpn rule vpn_rule_ms_4_0_0_1 term term1 then anti-replay-window-size 4096
  security-administrator@host:fips# set services ipsec-vpn rule vpn_rule_ms_4_0_0_1 match-direction input
  security-administrator@host:fips# set services ipsec-vpn ipsec proposal ipsec_proposal_ms_4_0_0_1 protocol esp
  security-administrator@host:fips# set services ipsec-vpn ipsec proposal ipsec_proposal_ms_4_0_0_1 encryption-algorithm aes-192-cbc
  security-administrator@host:fips# set services ipsec-vpn ipsec proposal ipsec_proposal_ms_4_0_0_1 lifetime-seconds 7200
  security-administrator@host:fips# set services ipsec-vpn ipsec policy ipsec_policy_ms_4_0_0_1 perfect-forward-secrecy keys group20
  security-administrator@host:fips# set services ipsec-vpn ipsec policy ipsec_policy_ms_4_0_0_1 proposals ipsec_proposal_ms_4_0_0_1
  security-administrator@host:fips# set services ipsec-vpn ike proposal ike_proposal_ms_4_0_0_1 authentication-method pre-shared-keys
  security-administrator@host:fips# set services ipsec-vpn ike proposal ike_proposal_ms_4_0_0_1 lifetime-seconds 7200
  security-administrator@host:fips# set services ipsec-vpn ike proposal ike_proposal_ms_4_0_0_1 dh-group group20
  security-administrator@host:fips# set services ipsec-vpn ike proposal ike_proposal_ms_4_0_0_1 encryption-algorithm aes-192-cbc
  security-administrator@host:fips# set services ipsec-vpn ike policy ike_policy_ms_4_0_0_1 version 2
  security-administrator@host:fips# set services ipsec-vpn ike policy ike_policy_ms_4_0_0_1 proposals ike_proposal_ms_4_0_0_1
  security-administrator@host:fips# prompt services ipsec-vpn ike policy ike_policy_ms_4_0_0_1 pre-shared-key ascii-text
  New ascii-text (secret):
  Retype new ascii-text (secret):
  In FIPS mode, use the prompt command to set the pre-shared key. Type the pre-shared key in ASCII format when prompted for the secret, as shown below:
  security-administrator@host:fips# prompt services ipsec-vpn ike policy ike_policy_ms_4_0_0_1 pre-shared-key ascii-text
  New ascii-text (secret): xxxxxxxx
  Retype new ascii-text (secret): xxxxxxxx
  security-administrator@host:fips# set services ipsec-vpn traceoptions file ipsec_log1
  security-administrator@host:fips# set services ipsec-vpn traceoptions level all
  security-administrator@host:fips# set services ipsec-vpn traceoptions flag all
  security-administrator@host:fips# set services ipsec-vpn establish-tunnels immediately
- Configure Routing options on R0.
  [edit]
  security-administrator@host:fips# set routing-options static route 40.1.1.0/24 next-hop ms-4/0/0.
  security-administrator@host:fips# set routing-options static route 10.1.1.0/24 next-hop 10.1.1.2
  security-administrator@host:fips# set routing-options static route 30.1.1.0/24 next-hop 20.1.1.2
- Configure Interfaces on R0.
  [edit]
  security-administrator@host:fips# set interfaces ms-4/0/0 unit 0 family inet
  security-administrator@host:fips# set interfaces ms-4/0/0 unit 1 family inet
  security-administrator@host:fips# set interfaces ms-4/0/0 unit 1 family inet6
  security-administrator@host:fips# set interfaces ms-4/0/0 unit 1 service-domain inside
  security-administrator@host:fips# set interfaces ms-4/0/0 unit 2 family inet
  security-administrator@host:fips# set interfaces ms-4/0/0 unit 2 family inet6
  security-administrator@host:fips# set interfaces ms-4/0/0 unit 2 service-domain outside
  security-administrator@host:fips# set interfaces ge-7/0/1 unit 0 family inet address 10.1.1.2/24
  security-administrator@host:fips# set interfaces ge-7/0/3 unit 0 family inet address 20.1.1.1/24
- Configure Interfaces on R1.
  [edit]
  security-administrator@host:fips# set interfaces ge-2/1/2 unit 0 family inet address 20.1.1.2/24
  security-administrator@host:fips# set interfaces ge-2/1/3 unit 0 family inet address 30.1.1.1/24
- Configure the IPsec rule on R2.
  [edit]
  security-administrator@host:fips# set services service-set ipsec_ss_ms_3_0_0_1 next-hop-service inside-service-interface ms-3/0/0.1
  security-administrator@host:fips# set services service-set ipsec_ss_ms_3_0_0_1 next-hop-service outside-service-interface ms-3/0/0.2
  security-administrator@host:fips# set services service-set ipsec_ss_ms_3_0_0_1 ipsec-vpn-options local-gateway 30.1.1.2
  security-administrator@host:fips# set services service-set ipsec_ss_ms_3_0_0_1 ipsec-vpn-rules vpn_rule_ms_3_0_0_1
  security-administrator@host:fips# set services ipsec-vpn rule vpn_rule_ms_3_0_0_1 term term1 from source-address 40.1.1.0/24
  security-administrator@host:fips# set services ipsec-vpn rule vpn_rule_ms_3_0_0_1 term term1 from destination-address 10.1.1.0/24
  security-administrator@host:fips# set services ipsec-vpn rule vpn_rule_ms_3_0_0_1 term term1 then remote-gateway 20.1.1.1
  security-administrator@host:fips# set services ipsec-vpn rule vpn_rule_ms_3_0_0_1 term term1 then dynamic ike-policy ike_policy_ms_3_0_0_1
  security-administrator@host:fips# set services ipsec-vpn rule vpn_rule_ms_3_0_0_1 term term1 then dynamic ipsec-policy ipsec_policy_ms_3_0_0_1
  security-administrator@host:fips# set services ipsec-vpn rule vpn_rule_ms_3_0_0_1 term term1 then anti-replay-window-size 4096
  security-administrator@host:fips# set services ipsec-vpn rule vpn_rule_ms_3_0_0_1 match-direction input
  [edit]
  security-administrator@host:fips# set services ipsec-vpn ipsec proposal ipsec_proposal_ms_3_0_0_1 protocol esp
  security-administrator@host:fips# set services ipsec-vpn ipsec proposal ipsec_proposal_ms_3_0_0_1 encryption-algorithm aes-192-cbc
  security-administrator@host:fips# set services ipsec-vpn ipsec proposal ipsec_proposal_ms_3_0_0_1 lifetime-seconds 7200
  security-administrator@host:fips# set services ipsec-vpn ipsec policy ipsec_policy_ms_3_0_0_1 perfect-forward-secrecy keys group20
  security-administrator@host:fips# set services ipsec-vpn ipsec policy ipsec_policy_ms_3_0_0_1 proposals ipsec_proposal_ms_3_0_0_1
  security-administrator@host:fips# set services ipsec-vpn ike proposal ike_proposal_ms_3_0_0_1 authentication-method pre-shared-keys
  security-administrator@host:fips# set services ipsec-vpn ike proposal ike_proposal_ms_3_0_0_1 lifetime-seconds 7200
  security-administrator@host:fips# set services ipsec-vpn ike proposal ike_proposal_ms_3_0_0_1 dh-group group20
  security-administrator@host:fips# set services ipsec-vpn ike proposal ike_proposal_ms_3_0_0_1 encryption-algorithm aes-192-cbc
  security-administrator@host:fips# set services ipsec-vpn ike policy ike_policy_ms_3_0_0_1 version 2
  security-administrator@host:fips# set services ipsec-vpn ike policy ike_policy_ms_3_0_0_1 proposals ike_proposal_ms_3_0_0_1
  security-administrator@host:fips# prompt services ipsec-vpn ike policy ike_policy_ms_3_0_0_1 pre-shared-key ascii-text
  New ascii-text (secret):
  Retype new ascii-text (secret):
  In FIPS mode, use the prompt command to set the pre-shared key. Type the pre-shared key in ASCII format when prompted for the secret, as shown below:
  security-administrator@host:fips# prompt services ipsec-vpn ike policy ike_policy_ms_3_0_0_1 pre-shared-key ascii-text
  New ascii-text (secret): xxxxxxxx
  Retype new ascii-text (secret): xxxxxxxx
  security-administrator@host:fips# set services ipsec-vpn traceoptions file ipsec_log1
  security-administrator@host:fips# set services ipsec-vpn traceoptions level all
  security-administrator@host:fips# set services ipsec-vpn traceoptions flag all
  security-administrator@host:fips# set services ipsec-vpn establish-tunnels immediately
- Configure Routing options on R2.
  [edit]
  security-administrator@host:fips# set routing-options static route 10.1.1.0/24 next-hop ms-3/0/0.1
  security-administrator@host:fips# set routing-options static route 40.1.1.0/24 next-hop 40.1.1.1
  security-administrator@host:fips# set routing-options static route 20.1.1.0/24 next-hop 30.1.1.1
- Configure interfaces on R2.
  [edit]
  security-administrator@host:fips# set interfaces ge-0/0/1 unit 0 family inet address 30.1.1.2/24
  security-administrator@host:fips# set interfaces ge-0/0/4 unit 0 family inet address 40.1.1.1/24
  security-administrator@host:fips# set interfaces ms-3/0/0 unit 0 family inet
  security-administrator@host:fips# set interfaces ms-3/0/0 unit 1 family inet
  security-administrator@host:fips# set interfaces ms-3/0/0 unit 1 family inet6
  security-administrator@host:fips# set interfaces ms-3/0/0 unit 1 service-domain inside
  security-administrator@host:fips# set interfaces ms-3/0/0 unit 2 family inet
  security-administrator@host:fips# set interfaces ms-3/0/0 unit 2 family inet6
  security-administrator@host:fips# set interfaces ms-3/0/0 unit 2 service-domain outside
Sample output for IPsec VPN:
security-administrator@host:fips> show services ipsec-vpn ike security-associations
Remote Address  State    Initiator cookie  Responder cookie  Exchange type
30.1.1.2        Matured  be51a9075821ab2a  26887fa8c98a9f45  IKEv2
security-administrator@host:fips> show services ipsec-vpn ipsec security-associations
Service set: ipsec_ss_ms_4_0_0_1, IKE Routing-instance: default
  Rule: vpn_rule_ms_4_0_0_1, Term: term1, Tunnel index: 1
  Local gateway: 20.1.1.1, Remote gateway: 30.1.1.2
  IPSec inside interface: ms-4/0/0.1, Tunnel MTU: 1500
  UDP encapsulate: Disabled, UDP Destination port: 0
  NATT Detection: Not Detected, NATT keepalive interval: 0
    Direction  SPI         AUX-SPI  Mode    Type     Protocol
    inbound    3602080831  0        tunnel  dynamic  ESP
    outbound   2594649153  0        tunnel  dynamic  ESP
Supported encryption algorithms for IPsec:
  aes-128-cbc  AES-CBC 128-bit encryption algorithm
  aes-128-gcm  AES-GCM 128-bit encryption algorithm with 16 octet ICV
  aes-192-cbc  AES-CBC 192-bit encryption algorithm
  aes-192-gcm  AES-GCM 192-bit encryption algorithm with 16 octet ICV
  aes-256-cbc  AES-CBC 256-bit encryption algorithm
  aes-256-gcm  AES-GCM 256-bit encryption algorithm with 16 octet ICV
Supported encryption algorithms for IKE:
  aes-128-cbc  AES-CBC 128-bit encryption algorithm
  aes-192-cbc  AES-CBC 192-bit encryption algorithm
  aes-256-cbc  AES-CBC 256-bit encryption algorithm
IKE DH groups supported:
  group14  Diffie-Hellman Group14
  group19  Diffie-Hellman Group19
  group20  Diffie-Hellman Group20
IPsec authentication algorithm:
hmac-sha256-128 HMAC-SHA256-128 authentication algorithm
IKE authentication algorithms:
  sha256   SHA 256-bit authentication algorithm
  sha-384  SHA 384-bit authentication algorithm
  sha1     SHA1 authentication algorithm
Supported authentication methods:
  ecdsa-signatures-256  ECDSA signatures (254 bit modulus)
  ecdsa-signatures-384  ECDSA signatures (384 bit modulus)
  pre-shared-keys       Preshared keys
  rsa-signatures        RSA signatures
For more information on IKE/IPsec lifetime, see https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/lifetime-seconds-edit-services.html.
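The following check is an added example, not Juniper's code: it audits `set`-style proposal lines against the supported-algorithm lists above and verifies that the two tunnel peers mirror each other's gateways and traffic selectors. The `sample()` helper and its inputs are constructed from a trimmed copy of the R0 and R2 commands on this page, and it assumes one proposal per phase, as configured here.

```python
import re

# Allowed values, copied from the "Supported ..." lists on this page.
CBC = {"aes-128-cbc", "aes-192-cbc", "aes-256-cbc"}
ALLOWED = {
    ("ike", "encryption-algorithm"): CBC,
    ("ike", "dh-group"): {"group14", "group19", "group20"},
    ("ike", "authentication-algorithm"): {"sha256", "sha-384", "sha1"},
    ("ipsec", "encryption-algorithm"): CBC | {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm"},
}
NEGOTIATED = ("protocol", "encryption-algorithm", "authentication-algorithm", "dh-group")
PROPOSAL = re.compile(r"set services ipsec-vpn (ike|ipsec) proposal \S+ (\S+) (\S+)")
ENDPOINT = re.compile(r"set services (?:service-set \S+ ipsec-vpn-options|ipsec-vpn rule "
                      r"\S+ term \S+ (?:from|then)) (local-gateway|remote-gateway|"
                      r"source-address|destination-address) (\S+)")

def parse(config):
    """Return ([(phase, key, value), ...], {endpoint: value}) from 'set' lines."""
    settings, tunnel = [], {}
    for line in config.splitlines():
        if m := PROPOSAL.search(line):
            settings.append(m.groups())
        elif m := ENDPOINT.search(line):
            tunnel[m.group(1)] = m.group(2)
    return settings, tunnel

def audit(config):
    """List proposal values that are absent from the page's supported lists."""
    return [f"{phase} {key} {value}: not in supported list"
            for phase, key, value in parse(config)[0]
            if (phase, key) in ALLOWED and value not in ALLOWED[(phase, key)]]

def mirror_errors(a, b):
    """Check that peer b reverses peer a's endpoints and matches its algorithms."""
    (sa, ta), (sb, tb) = parse(a), parse(b)
    pairs = (("local-gateway", "remote-gateway"), ("remote-gateway", "local-gateway"),
             ("source-address", "destination-address"),
             ("destination-address", "source-address"))
    errors = [f"{x} {ta.get(x)} does not match peer {y} {tb.get(y)}"
              for x, y in pairs if ta.get(x) != tb.get(y)]
    # Lifetimes are local in IKEv2; only negotiated transforms have to agree.
    def negotiated(settings):
        return sorted(s for s in settings if s[1] in NEGOTIATED)
    if negotiated(sa) != negotiated(sb):
        errors.append("negotiated algorithms differ between peers")
    return errors

def sample(tag, local, remote, src, dst, enc="aes-192-cbc"):
    """Constructed sample: a trimmed copy of the page's R0/R2 'set' commands."""
    return "\n".join([
        f"set services service-set ipsec_ss_{tag} ipsec-vpn-options local-gateway {local}",
        f"set services ipsec-vpn rule vpn_rule_{tag} term term1 from source-address {src}",
        f"set services ipsec-vpn rule vpn_rule_{tag} term term1 from destination-address {dst}",
        f"set services ipsec-vpn rule vpn_rule_{tag} term term1 then remote-gateway {remote}",
        f"set services ipsec-vpn ipsec proposal ipsec_proposal_{tag} protocol esp",
        f"set services ipsec-vpn ipsec proposal ipsec_proposal_{tag} encryption-algorithm {enc}",
        f"set services ipsec-vpn ipsec proposal ipsec_proposal_{tag} lifetime-seconds 7200",
        f"set services ipsec-vpn ike proposal ike_proposal_{tag} dh-group group20",
        f"set services ipsec-vpn ike proposal ike_proposal_{tag} encryption-algorithm {enc}",
    ])

R0 = sample("ms_4_0_0_1", "20.1.1.1", "30.1.1.2", "10.1.1.0/24", "40.1.1.0/24")
R2 = sample("ms_3_0_0_1", "30.1.1.2", "20.1.1.1", "40.1.1.0/24", "10.1.1.0/24")
```

Feeding it the output of `show services | display set` from each peer catches a GCM cipher placed in an IKE proposal or a traffic selector that is not reversed on the far end before the tunnel fails to establish.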
IPsec VPN Configuration with Reference Identifier
MX devices support the following reference identifiers for IPsec VPN configuration:
IP address
FQDN
Distinguished Name
Sample IPsec VPN Configuration with IPv4 Address as Reference Identifier
DUT:
R2:
Sample IPsec VPN Configuration with FQDN as Reference Identifier
R2:
DUT:
Sample Configuration for Distinguished Name as Reference Identifier
DUT:
R2:
Generating Certificate Signing Request (CSR)
Sample commands for generating key-pair and CSR:
Configuring Firewall Rules
MX devices let you configure firewall filters to allow or reject specific traffic.

The following procedures explain how to configure IPSec VPN and firewall rules:
- Configure IPsec VPN between R0-R1.
R0:
  [edit]
  security-administrator@host:fips# show services | display set
  set services service-set ipsec_ss_ms_2_1_0_1 next-hop-service inside-service-interface ms-2/1/0.1
  set services service-set ipsec_ss_ms_2_1_0_1 next-hop-service outside-service-interface ms-2/1/0.2
  set services service-set ipsec_ss_ms_2_1_0_1 ipsec-vpn-options local-gateway 20.0.0.1
  set services service-set ipsec_ss_ms_2_1_0_1 ipsec-vpn-rules vpn_rule_ms_2_1_0_1
  set services ipsec-vpn rule vpn_rule_ms_2_1_0_1 term term1 from source-address 10.1.0.0/16
  set services ipsec-vpn rule vpn_rule_ms_2_1_0_1 term term1 from destination-address 30.1.0.0/16
  set services ipsec-vpn rule vpn_rule_ms_2_1_0_1 term term1 then remote-gateway 20.0.0.2
  set services ipsec-vpn rule vpn_rule_ms_2_1_0_1 term term1 then dynamic ike-policy ike_policy_ms_2_1_0_1
  set services ipsec-vpn rule vpn_rule_ms_2_1_0_1 term term1 then dynamic ipsec-policy ipsec_policy_ms_2_1_0_1
  set services ipsec-vpn rule vpn_rule_ms_2_1_0_1 term term1 then anti-replay-window-size 4096
  set services ipsec-vpn rule vpn_rule_ms_2_1_0_1 match-direction input
  set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_1_0_1 protocol esp
  set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_1_0_1 authentication-algorithm hmac-sha-256-128
  set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_1_0_1 encryption-algorithm aes-256-cbc
  set services ipsec-vpn ipsec policy ipsec_policy_ms_2_1_0_1 perfect-forward-secrecy keys group20
  set services ipsec-vpn ipsec policy ipsec_policy_ms_2_1_0_1 proposals ipsec_proposal_ms_2_1_0_1
  set services ipsec-vpn ike proposal ike_proposal_ms_2_1_0_1 authentication-method pre-shared-keys
  set services ipsec-vpn ike proposal ike_proposal_ms_2_1_0_1 dh-group group20
  set services ipsec-vpn ike proposal ike_proposal_ms_2_1_0_1 encryption-algorithm aes-256-cbc
  set services ipsec-vpn ike policy ike_policy_ms_2_1_0_1 version 2
  set services ipsec-vpn ike policy ike_policy_ms_2_1_0_1 proposals ike_proposal_ms_2_1_0_1
  [edit]
  security-administrator@host:fips# prompt services ipsec-vpn ike policy ike_policy_ms_2_1_0_1 pre-shared-key ascii-text
  New ascii-text (secret):
  Retype new ascii-text (secret):
  [edit]
  security-administrator@host:fips# set services ipsec-vpn traceoptions file ipsec_fw_log1
  security-administrator@host:fips# set services ipsec-vpn traceoptions level all
  security-administrator@host:fips# set services ipsec-vpn traceoptions flag all
  security-administrator@host:fips# set services ipsec-vpn establish-tunnels immediately
  [edit]
  security-administrator@host:fips# show interfaces | display set
  set interfaces ge-0/0/2 unit 0 family inet address 10.1.0.2/24
  set interfaces ge-0/1/3 unit 0 family inet address 20.0.0.1/30
  set interfaces ms-2/1/0 unit 0 family inet
  set interfaces ms-2/1/0 unit 1 family inet
  set interfaces ms-2/1/0 unit 1 family inet6
  set interfaces ms-2/1/0 unit 1 service-domain inside
  set interfaces ms-2/1/0 unit 2 family inet
  set interfaces ms-2/1/0 unit 2 family inet6
  set interfaces ms-2/1/0 unit 2 service-domain outside
  [edit]
  security-administrator@host:fips# show routing-options | display set
  set routing-options static route 30.1.0.0/16 next-hop ms-2/1/0.1
R1:
  [edit]
  security-administrator@host:fips# show services | display set
  set services service-set ipsec_ss_ms_2_1_0_1 next-hop-service inside-service-interface ms-2/1/0.1
  set services service-set ipsec_ss_ms_2_1_0_1 next-hop-service outside-service-interface ms-2/1/0.2
  set services service-set ipsec_ss_ms_2_1_0_1 ipsec-vpn-options local-gateway 20.0.0.2
  set services service-set ipsec_ss_ms_2_1_0_1 ipsec-vpn-rules vpn_rule_ms_2_1_0_1
  set services ipsec-vpn rule vpn_rule_ms_2_1_0_1 term term1 from source-address 30.1.0.0/16
  set services ipsec-vpn rule vpn_rule_ms_2_1_0_1 term term1 from destination-address 10.1.0.0/16
  set services ipsec-vpn rule vpn_rule_ms_2_1_0_1 term term1 then remote-gateway 20.0.0.1
  set services ipsec-vpn rule vpn_rule_ms_2_1_0_1 term term1 then dynamic ike-policy ike_policy_ms_2_1_0_1
  set services ipsec-vpn rule vpn_rule_ms_2_1_0_1 term term1 then dynamic ipsec-policy ipsec_policy_ms_2_1_0_1
  set services ipsec-vpn rule vpn_rule_ms_2_1_0_1 term term1 then anti-replay-window-size 4096
  set services ipsec-vpn rule vpn_rule_ms_2_1_0_1 match-direction input
  set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_1_0_1 protocol esp
  set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_1_0_1 authentication-algorithm hmac-sha-256-128
  set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_1_0_1 encryption-algorithm aes-256-cbc
  set services ipsec-vpn ipsec policy ipsec_policy_ms_2_1_0_1 perfect-forward-secrecy keys group20
  set services ipsec-vpn ipsec policy ipsec_policy_ms_2_1_0_1 proposals ipsec_proposal_ms_2_1_0_1
  set services ipsec-vpn ike proposal ike_proposal_ms_2_1_0_1 authentication-method pre-shared-keys
  set services ipsec-vpn ike proposal ike_proposal_ms_2_1_0_1 dh-group group20
  set services ipsec-vpn ike proposal ike_proposal_ms_2_1_0_1 encryption-algorithm aes-256-cbc
  set services ipsec-vpn ike policy ike_policy_ms_2_1_0_1 version 2
  set services ipsec-vpn ike policy ike_policy_ms_2_1_0_1 proposals ike_proposal_ms_2_1_0_1
  [edit]
  security-administrator@host:fips# prompt services ipsec-vpn ike policy ike_policy_ms_2_1_0_1 pre-shared-key ascii-text
  New ascii-text (secret):
  Retype new ascii-text (secret):
  [edit]
  security-administrator@host:fips# set services ipsec-vpn traceoptions file ipsec_fw_log1
  security-administrator@host:fips# set services ipsec-vpn traceoptions level all
  security-administrator@host:fips# set services ipsec-vpn traceoptions flag all
  security-administrator@host:fips# set services ipsec-vpn establish-tunnels immediately
  [edit]
  security-administrator@host:fips# show interfaces | display set
  set interfaces ge-0/1/8 unit 0 family inet address 20.0.0.2/30
  set interfaces ge-0/1/7 unit 0 family inet address 30.1.0.2/24
  set interfaces ms-2/1/0 unit 0 family inet
  set interfaces ms-2/1/0 unit 1 family inet
  set interfaces ms-2/1/0 unit 1 family inet6
  set interfaces ms-2/1/0 unit 1 service-domain inside
  set interfaces ms-2/1/0 unit 2 family inet
  set interfaces ms-2/1/0 unit 2 family inet6
  set interfaces ms-2/1/0 unit 2 service-domain outside
  [edit]
  security-administrator@host:fips# show routing-options | display set
  set routing-options static route 10.1.0.0/16 next-hop ms-2/1/0.1
- Configure firewall rule.
Enable a firewall filter that allows traffic between specific source and destination addresses and rejects all other traffic. For example, the first rule, term 1, allows traffic from source address 30.1.0.1/32 to reach only destination address 10.1.0.1/32. The second rule rejects all other traffic.
  [edit]
  security-administrator@host:fips# show firewall | display set
  set firewall family inet filter fw_filter1 term 1 from source-address 30.1.0.1/32
  set firewall family inet filter fw_filter1 term 1 from destination-address 10.1.0.1/32
  set firewall family inet filter fw_filter1 term 1 then count inc1
  set firewall family inet filter fw_filter1 term 1 then log
  set firewall family inet filter fw_filter1 term 1 then accept
  set firewall family inet filter fw_filter1 term 2 then count inc2
  set firewall family inet filter fw_filter1 term 2 then log
  set firewall family inet filter fw_filter1 term 2 then reject
  set firewall traceoptions file firewall_log
  set firewall traceoptions file size 1g
  set firewall traceoptions file world-readable
  set firewall traceoptions flag all
Note: The firewall rules are processed in the order they are configured.
- Apply input firewall filter on R0 router MS-MPC interface.
  [edit]
  security-administrator@host:fips# set interfaces ms-2/1/0 unit 1 family inet filter input fw_filter1
- Send traffic from H1 to H0 and monitor the firewall logs for traffic matched by the accept or reject rule.
Accepted traffic logs on R0:
  [edit]
  security-administrator@host:fips# run show firewall log
  Log :
  Time      Filter  Action  Interface   Protocol  Src Addr  Dest Addr
  20:39:20  pfe     A       ms-2/1/0.1  ICMP      30.1.0.1  10.1.0.1
  20:39:19  pfe     A       ms-2/1/0.1  ICMP      30.1.0.1  10.1.0.1
  20:39:18  pfe     A       ms-2/1/0.1  ICMP      30.1.0.1  10.1.0.1
Rejected traffic logs on R0:
  [edit]
  security-administrator@host:fips# run show firewall log
  Log :
  Time      Filter  Action  Interface   Protocol  Src Addr  Dest Addr
  20:43:20  pfe     R       ms-2/1/0.1  ICMP      30.1.0.5  10.1.0.1
  20:43:19  pfe     R       ms-2/1/0.1  ICMP      30.1.0.5  10.1.0.1
  20:43:18  pfe     R       ms-2/1/0.1  ICMP      30.1.0.5  10.1.0.1
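The firewall procedure above can be checked offline with the following added example, which is not Juniper's code: it models fw_filter1's first-match term evaluation, parses the sample `show firewall log` rows from this page, and reports any logged action the configured terms would not produce. The function names are illustrative, and the action letter D for discard is Junos's convention rather than something shown in the page's output.

```python
import ipaddress
from collections import Counter

# fw_filter1 from this page as (term, source, destination, action).
# None stands for a term with no "from" condition, which matches every packet.
FW_FILTER1 = [
    ("1", "30.1.0.1/32", "10.1.0.1/32", "accept"),
    ("2", None, None, "reject"),
]
# A and R appear in this page's log output; D is the Junos letter for discard.
ACTIONS = {"A": "accept", "R": "reject", "D": "discard"}

# Rows taken from the sample "show firewall log" output on this page.
SAMPLE_LOG = """\
Time      Filter  Action  Interface   Protocol  Src Addr  Dest Addr
20:39:20  pfe     A       ms-2/1/0.1  ICMP      30.1.0.1  10.1.0.1
20:39:19  pfe     A       ms-2/1/0.1  ICMP      30.1.0.1  10.1.0.1
20:39:18  pfe     A       ms-2/1/0.1  ICMP      30.1.0.1  10.1.0.1
20:43:20  pfe     R       ms-2/1/0.1  ICMP      30.1.0.5  10.1.0.1
20:43:19  pfe     R       ms-2/1/0.1  ICMP      30.1.0.5  10.1.0.1
20:43:18  pfe     R       ms-2/1/0.1  ICMP      30.1.0.5  10.1.0.1
"""


def evaluate(terms, src, dst):
    """Return (term, action) for the first term that matches, top to bottom."""
    for name, t_src, t_dst, action in terms:
        if all(net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
               for net, ip in ((t_src, src), (t_dst, dst))):
            return name, action
    return None, "discard"  # a filter with no matching term discards the packet


def parse_log(text):
    """Parse log rows into dicts; header and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 7 and f[2] in ACTIONS:
            rows.append({"time": f[0], "action": ACTIONS[f[2]], "interface": f[3],
                         "protocol": f[4], "src": f[5], "dst": f[6]})
    return rows


def unexpected(terms, rows):
    """Rows whose logged action differs from what the configured terms predict."""
    return [r for r in rows if evaluate(terms, r["src"], r["dst"])[1] != r["action"]]


def rejected_sources(rows):
    """Count rejected packets per source address."""
    return dict(Counter(r["src"] for r in rows if r["action"] == "reject"))


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(unexpected(FW_FILTER1, rows), rejected_sources(rows))
    # Swapping the terms puts the catch-all first, so the permitted pair is rejected.
    print(evaluate(FW_FILTER1[::-1], "30.1.0.1", "10.1.0.1"))
```

An empty result from `unexpected()` means the log agrees with the configured terms; evaluating the reversed term list shows why term order matters, because the catch-all reject then shadows the accept term.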