Example: IKE Dynamic SA Between an AS PIC and an ES PIC Configuration

 
Figure 1: AS PIC to ES PIC IKE Dynamic SA Topology Diagram

Figure 1 shows a hybrid configuration that allows you to create an IPSec tunnel between the AS PIC and the ES PIC. Router 2 contains an AS PIC at sp-1/2/0 and Router 3 has an ES PIC at es-0/3/0. To establish an IPSec tunnel using an IKE dynamic SA, the key is to learn the default IKE SA and IPSec SA settings built into the AS PIC and configure them explicitly on the ES PIC. Routers 1 and 4 again provide basic connectivity and are used to verify that the IPSec tunnel is operational.

On Router 1, provide basic OSPF connectivity to Router 2.

Router 1

On Router 2, enable OSPF as the underlying routing protocol to connect to Routers 1 and 3. Configure a bidirectional IKE dynamic SA in a rule called rule-ike at the [edit ipsec-vpn rule] hierarchy level. Reference this rule in a service set called service-set-dynamic-BiEspsha3des at the [edit services service-set] hierarchy level.

Using default values in the AS PIC, you do not need to specify an IPSec proposal, IPSec policy, or IKE proposal. However, you do need to configure a preshared key in an IKE policy with the pre-shared-key statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level. (For more information about default IKE and IPSec policies and proposals on the AS PIC, see Configuring IKE Dynamic SAs.)

To direct traffic into the AS PIC and the IPSec tunnel, include match conditions in the rule-ike IPSec VPN rule to match inbound traffic from Router 1 that is destined for Router 4. Because the rule is already referenced by the service set, apply the service set to the so-0/0/1 interface. To count the amount of traffic that enters the IPsec tunnel, configure a firewall filter called ipsec-tunnel and apply it to the sp-1/2/0 interface.

Router 2

Verifying Your Work

To verify proper operation of an IKE-based dynamic SA on the AS PIC, use the following commands:

  • ping

  • show services ipsec-vpn ike security-associations (detail)

  • show services ipsec-vpn ipsec security-associations (detail)

  • traceroute

To verify proper operation of an IKE-based dynamic SA on the ES PIC, use the following commands:

  • ping

  • show ike security-associations (detail)

  • show ipsec security-associations (detail)

  • traceroute

The following sections show the output of these commands used with the configuration example:

Router 1

On Router 1, issue a ping command to the so-0/0/0 interface of Router 4 to send traffic across the IPSec tunnel.

user@R1> ping 10.1.56.2

You can also issue the traceroute command to verify that traffic to 10.1.56.2 travels over the IPsec tunnel between Router 2 and Router 3. Notice that the traced path does not reference 10.1.15.2—the physical interface on Router 3. Instead, traffic arriving at Router 2 is immediately filtered into the IPSec tunnel and the path is listed as unknown with the *** notation. This indicates that the IPSec tunnel is operating correctly.

user@R1> traceroute 10.1.56.2

Router 2

One way to verify that matched traffic is being diverted to the bidirectional IPSec tunnel is to view the firewall filter counter. Before any traffic flows, the ipsec-tunnel firewall filter counter looks like this:

user@R2> show firewall filter ipsec-tunnel

After you issue the ping command from Router 1 (four packets) to 10.1.56.2, the ipsec-tunnel firewall filter counter looks like this:

user@R2> show firewall filter ipsec-tunnel

After you issue the ping command from both Router 1 to 10.1.56.2 (four packets) and from Router 4 to 10.1.12.2 (six packets), the ipsec-tunnel firewall filter counter looks like this:

user@R2> show firewall filter ipsec-tunnel

To verify that the IKE SA negotiation is successful, issue the show services ipsec-vpn ike security-associations detail command. Notice that the SA contains the default IKE settings inherent in the AS PIC, such as SHA-1 for the authentication algorithm and 3DES-CBC for the encryption algorithm.

user@R2> show services ipsec-vpn ike security-associations detail

To verify that the IPsec security association is active, issue the show services ipsec-vpn ipsec security-associations detail command. Notice that the SA contains the default settings inherent in the AS PIC, such as ESP for the protocol and HMAC-SHA1-96 for the authentication algorithm.

user@R2> show services ipsec-vpn ipsec security-associations detail

Router 3

View the firewall filter counter to continue verifying that matched traffic is being diverted to the bidirectional IPsec tunnel. After you issue the ping command from Router 1 (four packets), the es-traffic firewall filter counter looks like this:

user@R3> show firewall filter es-traffic

After you issue the ping command from both Router 1 (four packets) and Router 4 (six packets), the es-traffic firewall filter counter looks like this:

user@R3> show firewall filter es-traffic

To verify the success of the IKE security association on the ES PIC, issue the show ike security-associations detail command. Notice that the IKE SA on Router 3 contains the same settings you specified on Router 2.

user@R3> show ike security-associations detail
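A check for the IKE verification steps on Router 2 and Router 3, as an added example that is not part of the original page: it reads the algorithm lines of each router's detail output, compares them with the AS PIC defaults the page names (SHA-1 and 3DES-CBC), and confirms that both ends agree. The sample text is constructed, and its field labels and value spellings are assumptions rather than captured router output.

```python
import re

# Defaults the page names for the AS PIC IKE SA (normalized spelling).
EXPECTED_IKE = {"authentication": "sha1", "encryption": "3descbc"}

# Constructed samples, not captured router output; field labels are assumed.
R2_IKE = """\
IKE peer 10.1.15.2
  Role: Initiator, State: Matured
  Algorithms:
   Authentication        : sha1
   Encryption            : 3des-cbc
"""
R3_IKE = """\
IKE peer 10.1.15.1
  Role: Responder, State: Matured
  Algorithms:
   Authentication        : SHA-1
   Encryption            : 3DES-CBC
"""
NO_SA = ""  # a failed negotiation leaves no SA to display

def norm(value):
    """Lower-case and drop punctuation so 'SHA-1' and 'sha1' compare equal."""
    return re.sub(r"[^a-z0-9]", "", value.lower())

def parse_algorithms(text):
    """Return {field: normalized value} from 'Label : value' lines."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)\s*$", line)
        if m and m.group(1).lower() in EXPECTED_IKE:
            found[m.group(1).lower()] = norm(m.group(2))
    return found

def deviations(text, expected=EXPECTED_IKE):
    """List (field, expected, seen) for every field that is absent or differs."""
    seen = parse_algorithms(text)
    return [(f, want, seen.get(f)) for f, want in expected.items()
            if seen.get(f) != want]

def peers_agree(local_text, remote_text):
    """True only when both ends show an SA and report identical algorithms."""
    a, b = parse_algorithms(local_text), parse_algorithms(remote_text)
    return bool(a) and a == b

if __name__ == "__main__":
    print(deviations(R2_IKE), deviations(NO_SA), peers_agree(R2_IKE, R3_IKE))
```

An empty deviation list on both routers together with `peers_agree` returning true corresponds to the "same settings" observation in the text; a missing SA shows up as every expected field reported with `None`.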

To verify that the IPsec security association is active, issue the show ipsec security-associations detail command. Notice that the IPsec SA on Router 3 contains the same settings you specified on Router 2.

user@R3> show ipsec security-associations detail

Router 4

On Router 4, issue a ping command to the so-0/0/0 interface on Router 1 to send traffic across the IPsec tunnel.

user@R4> ping 10.1.12.2

Again, the traceroute command verifies that traffic to 10.1.12.2 travels over the IPsec tunnel between Router 3 and Router 2. Notice that the second hop does not reference 10.1.15.1—the physical interface on Router 2. Instead, the second hop is listed as unknown with the *** notation. This indicates that the IPsec tunnel is operating correctly.

user@R4> traceroute 10.1.12.2