Example: Configuring Junos VPN Site Secure on MS-MIC and MS-MPC

Note

You can follow the same procedure and use the same configuration given in this example, to configure Junos VPN Site Secure (previously known as IPsec features) on MS-MPCs.

This example contains the following sections: Requirements, Overview, Configuration, and Verification.

Requirements

This example uses the following hardware and software components:

  • Two MX Series routers with MS-MICs

  • Junos OS Release 13.2 or later

Overview

Junos OS Release 13.2 extends support for Junos VPN Site Secure (formerly known as IPsec features) to the newly introduced Multiservices MIC and MPC (MS-MIC and MS-MPC) on MX Series routers. The Junos OS extension-provider packages come preinstalled and preconfigured on the MS-MIC and MS-MPC.

The following Junos VPN Site Secure features are supported on the MS-MIC and MS-MPC in Release 13.2:

  • Dynamic End Points (DEP)

  • Encapsulating Security Payload (ESP) protocol

  • Dead Peer Detection (DPD) trigger messages

  • Sequence Number Rollover notifications

  • Static IPsec tunnels with next-hop-style and interface-style service sets

However, in Junos OS Release 13.2, Junos VPN Site Secure support on the MS-MIC and MS-MPC is limited to IPv4 traffic. Passive mode tunneling is not supported on MS-MICs and MS-MPCs.

Figure 1 shows the IPsec VPN tunnel topology.

Figure 1: IPsec VPN Tunnel Topology

This example shows configuration of two routers, Router 1 and Router 2, that have an IPsec VPN tunnel configured between them.

While configuring the routers, note the following points:

  • The IP address you configure for source-address under the [edit services ipsec-vpn rule name term term from] hierarchy level on Router 1 must be the same as the IP address you configure for destination-address under the same hierarchy on Router 2, and vice versa.

  • The IP address of the remote-gateway you configure under the [edit services ipsec-vpn rule name term term then] hierarchy level should match the IP address of the local-gateway you configure under the [edit services service-set name ipsec-vpn-options] hierarchy level of Router 2, and vice versa.
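The two pairing rules above (mirrored source-address/destination-address, and remote-gateway on one router equal to local-gateway on the other) are easy to get wrong when two routers are configured by hand, and a mismatch shows up only as a tunnel that never comes up. The following Python script is an added example, not part of the Juniper documentation or of Junos OS itself: it parses constructed set-style statements for both routers (the rule names vpn-r1/vpn-r2, service-set names ss-r1/ss-r2, and the RFC 5737 and RFC 1918 addresses are all made up for this example) and reports any term whose remote-gateway has no matching local-gateway on the peer, or whose addresses are not mirrored by the peer term behind that gateway.

```python
"""Cross-check the address and gateway pairing between two IPsec peers
configured with Junos VPN Site Secure, using set-style statements.
Added example; the configurations below are constructed, not from the page."""
import re

ROUTER1_CONFIG = """
set services ipsec-vpn rule vpn-r1 term t1 from source-address 10.1.1.0/24
set services ipsec-vpn rule vpn-r1 term t1 from destination-address 10.2.2.0/24
set services ipsec-vpn rule vpn-r1 term t1 then remote-gateway 198.51.100.2
set services ipsec-vpn rule vpn-r1 match-direction input
set services service-set ss-r1 ipsec-vpn-options local-gateway 192.0.2.1
set services service-set ss-r1 ipsec-vpn-rules vpn-r1
"""

ROUTER2_CONFIG = """
set services ipsec-vpn rule vpn-r2 term t1 from source-address 10.2.2.0/24
set services ipsec-vpn rule vpn-r2 term t1 from destination-address 10.1.1.0/24
set services ipsec-vpn rule vpn-r2 term t1 then remote-gateway 192.0.2.1
set services ipsec-vpn rule vpn-r2 match-direction input
set services service-set ss-r2 ipsec-vpn-options local-gateway 198.51.100.2
set services service-set ss-r2 ipsec-vpn-rules vpn-r2
"""

# Only the statements relevant to the two pairing rules are parsed.
_FROM_RE = re.compile(r"^set services ipsec-vpn rule (\S+) term (\S+) from "
                      r"(source-address|destination-address) (\S+)$")
_THEN_GW_RE = re.compile(r"^set services ipsec-vpn rule (\S+) term (\S+) then remote-gateway (\S+)$")
_LOCAL_GW_RE = re.compile(r"^set services service-set (\S+) ipsec-vpn-options local-gateway (\S+)$")
_SS_RULES_RE = re.compile(r"^set services service-set (\S+) ipsec-vpn-rules (\S+)$")


def parse_set_config(text):
    """Return {'terms': {(rule, term): fields}, 'service_sets': {name: fields}}."""
    terms, service_sets = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _FROM_RE.match(line):
            rule, term, direction, addr = m.groups()
            terms.setdefault((rule, term), {})[direction] = addr
        elif m := _THEN_GW_RE.match(line):
            rule, term, gw = m.groups()
            terms.setdefault((rule, term), {})["remote-gateway"] = gw
        elif m := _LOCAL_GW_RE.match(line):
            name, gw = m.groups()
            service_sets.setdefault(name, {"rules": []})["local-gateway"] = gw
        elif m := _SS_RULES_RE.match(line):
            name, rule = m.groups()
            service_sets.setdefault(name, {"rules": []})["rules"].append(rule)
    return {"terms": terms, "service_sets": service_sets}


def _peer_terms_behind_gateway(peer, gateway):
    """Terms on the peer attached to a service set whose local-gateway is `gateway`."""
    found = []
    for ss in peer["service_sets"].values():
        if ss.get("local-gateway") != gateway:
            continue
        found.extend(fields for (rule, _), fields in peer["terms"].items() if rule in ss["rules"])
    return found


def check_peer_consistency(local, peer, label="local"):
    """One-directional check of `local` against `peer`; returns a list of problems."""
    problems = []
    for (rule, term), fields in local["terms"].items():
        gw = fields.get("remote-gateway")
        if gw is None:
            problems.append(f"{label}: rule {rule} term {term} has no remote-gateway")
            continue
        candidates = _peer_terms_behind_gateway(peer, gw)
        if not candidates:
            problems.append(f"{label}: remote-gateway {gw} in rule {rule} term {term} "
                            f"matches no local-gateway on the peer")
            continue
        # The peer term must swap our source and destination addresses.
        mirrored = any(c.get("source-address") == fields.get("destination-address")
                       and c.get("destination-address") == fields.get("source-address")
                       for c in candidates)
        if not mirrored:
            problems.append(f"{label}: rule {rule} term {term} addresses are not mirrored "
                            f"by the peer term behind {gw}")
    return problems


def check_both_directions(cfg_a, cfg_b):
    """Parse both configurations and check each against the other."""
    a, b = parse_set_config(cfg_a), parse_set_config(cfg_b)
    return check_peer_consistency(a, b, "router1") + check_peer_consistency(b, a, "router2")


if __name__ == "__main__":
    for line in check_both_directions(ROUTER1_CONFIG, ROUTER2_CONFIG) or ["configurations are consistent"]:
        print(line)
```

Run it against the output of "show configuration | display set" from each router (restricted to the services hierarchy) instead of the embedded samples; an empty result means both pairing rules hold, and each reported line names the router, rule, and term that needs attention.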

Configuration

This section contains: CLI Quick Configuration, Configuring Router 1, and Configuring Router 2.

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Configuring Interfaces on Router 1

Configuring IPsec VPN Service on Router 1

Configuring a Service Set on Router 1

Configuring Routing Options on Router 1

Configuring Interfaces on Router 2

Configuring IPsec VPN Service on Router 2

Configuring a Service Set on Router 2

Configuring Routing Options on Router 2

Configuring Router 1

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

Note

Starting with Release 13.2, the Junos OS extension-provider packages come preinstalled on multiservices MICs and MPCs (MS-MICs and MS-MPCs). The adaptive-services configuration at the [edit chassis fpc number pic number] hierarchy level is preconfigured on these cards.

  1. Configure the interface properties such as family, service-domain, and unit.
  2. Configure IPsec properties such as address, remote-gateway, policies, match-direction, protocol, replay window size, algorithm details, perfect-forward-secrecy keys, proposal, authentication method, groups, and version.
  3. Configure a service set, the ipsec-vpn options, and rules.
  4. Configure the static route and its next hop under routing options.

Results

From the configuration mode of Router 1, confirm your configuration by entering the show interfaces, show services ipsec-vpn, and show services service-set commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Configuring Router 2

Step-by-Step Procedure

  1. Configure the interface properties such as family, service-domain, and unit.
  2. Configure IPsec properties such as address, remote-gateway, policies, match-direction, protocol, replay window size, algorithm details, perfect-forward-secrecy keys, proposal, authentication method, groups, and version.
  3. Configure a service set such as next-hop-service, and the ipsec-vpn-options.
  4. Configure the static route and its next hop under routing options.

Results

From the configuration mode of Router 2, confirm your configuration by entering the show interfaces, show services ipsec-vpn, and show services service-set commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Verification

Verifying Tunnel Creation

Purpose

Verify that Dynamic End Points are created.

Action

Run the following command on Router 1:

user@router1> show services ipsec-vpn ipsec security-associations detail

Meaning

The output shows that the IPsec SAs are up on the router, with their state shown as Installed. The IPsec tunnel is up and ready to carry traffic.

Verifying Traffic Flow Through the DEP Tunnel

Purpose

Verify traffic flow across the newly created DEP tunnel.

Action

Run the following command on Router 2:

user@router2> show services ipsec-vpn ipsec statistics

Verifying IPsec Security Associations for the Service Set

Purpose

Verify that the security associations configured for the service set are functioning correctly.

Action

Run the following command on Router 2:

user@router2> show services ipsec-vpn ipsec security-associations ipsec_ss_ms_5_2_01