
    Example: Configuring IKE and IPsec SAs for a VPN Tunnel

    The master administrator is responsible for assigning an st0 interface to a user logical system and configuring IKE and IPsec SAs at the root level for each VPN tunnel. This example shows how to assign an st0 interface to a user logical system and configure IKE and IPsec SA parameters.

    Requirements

    Before you begin:

    Overview

    In this example you configure a VPN tunnel for the ls-product-design user logical system. The st0 interface is assigned to the user logical system, while the IKE and IPsec SA objects are configured at the root level by the master administrator, which is why the security ike and security ipsec statements below do not sit under the logical-systems hierarchy. This example configures the VPN tunnel parameters described in Table 1. Note that the IKE proposal uses Diffie-Hellman group 2 (1024-bit MODP) and SHA-1, which are the values this page was written with; both are weak by current standards, so on a production tunnel prefer a larger group and a SHA-2 algorithm if both peers support them.

    Table 1: Logical System VPN Tunnel Configuration

    Feature / Name / Configuration Parameters

    Tunnel interface / st0 unit 1
      • Assigned to ls-product-design logical system

    IKE proposal / ike-phase1-proposal
      • Preshared keys authentication
      • Diffie-Hellman group 2
      • sha1 authentication algorithm
      • aes-128-cbc encryption algorithm

    IKE policy / ike-phase1-policy
      • Main mode
      • References IKE proposal ike-phase1-proposal
      • ASCII preshared key 395psksecr3t

    IKE gateway / ike-gw
      • External interface ge-0/0/3.0
      • References IKE policy ike-phase1-policy
      • Address 2.2.2.2

    IPsec proposal / ipsec-phase2-proposal
      • ESP protocol
      • hmac-sha1-96 authentication algorithm
      • aes-128-cbc encryption algorithm

    IPsec policy / vpn-policy1
      • References ipsec-phase2-proposal
      • perfect-forward-secrecy keys group2

    VPN / ike-vpn
      • bind-interface st0.1
      • References ike-gw gateway
      • References vpn-policy1 policy

    VPN monitoring / for ike-vpn VPN
      • source-interface st0.1
      • destination-ip 4.0.0.1

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level. The pre-shared key below appears in the $9$ form in which Junos OS stores it; you can paste that form as is, or substitute the plaintext key (395psksecr3t) as in the step-by-step procedure. The $9$ encoding is reversible obfuscation, not a one-way hash, so treat any configuration file that contains it as sensitive.

    set logical-systems ls-product-design interfaces st0 unit 1
    set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
    set security ike proposal ike-phase1-proposal dh-group group2
    set security ike proposal ike-phase1-proposal authentication-algorithm sha1
    set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
    set security ike policy ike-phase1-policy mode main
    set security ike policy ike-phase1-policy proposals ike-phase1-proposal
    set security ike policy ike-phase1-policy pre-shared-key ascii-text "$9$b92JGP5Q/ApmfIclv7NHqmfT39CuBRSAt87"
    set security ike gateway ike-gw ike-policy ike-phase1-policy
    set security ike gateway ike-gw address 2.2.2.2
    set security ike gateway ike-gw external-interface ge-0/0/3.0
    set security ipsec proposal ipsec-phase2-proposal protocol esp
    set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
    set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
    set security ipsec policy vpn-policy1 perfect-forward-secrecy keys group2
    set security ipsec policy vpn-policy1 proposals ipsec-phase2-proposal
    set security ipsec vpn ike-vpn bind-interface st0.1
    set security ipsec vpn ike-vpn vpn-monitor source-interface st0.1
    set security ipsec vpn ike-vpn vpn-monitor destination-ip 4.0.0.1
    set security ipsec vpn ike-vpn ike gateway ike-gw
    set security ipsec vpn ike-vpn ike ipsec-policy vpn-policy1

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To assign a VPN tunnel interface to a user logical system and configure IKE and IPsec SAs:

    1. Log in to the master logical system as the master administrator and enter configuration mode.
       [edit]
       admin@host> configure
       admin@host#
    2. Assign a VPN tunnel interface.
       [edit logical-systems ls-product-design]
       admin@host# set interfaces st0 unit 1
    3. Configure an IKE proposal.
       [edit security ike]
       admin@host# set proposal ike-phase1-proposal authentication-method pre-shared-keys
       admin@host# set proposal ike-phase1-proposal dh-group group2
       admin@host# set proposal ike-phase1-proposal authentication-algorithm sha1
       admin@host# set proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
    4. Configure an IKE policy.
       [edit security ike]
       admin@host# set policy ike-phase1-policy mode main
       admin@host# set policy ike-phase1-policy proposals ike-phase1-proposal
       admin@host# set policy ike-phase1-policy pre-shared-key ascii-text 395psksecr3t
    5. Configure an IKE gateway.
       [edit security ike]
       admin@host# set gateway ike-gw external-interface ge-0/0/3.0
       admin@host# set gateway ike-gw ike-policy ike-phase1-policy
       admin@host# set gateway ike-gw address 2.2.2.2
    6. Configure an IPsec proposal.
       [edit security ipsec]
       admin@host# set proposal ipsec-phase2-proposal protocol esp
       admin@host# set proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
       admin@host# set proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
    7. Configure an IPsec policy.
       [edit security ipsec]
       admin@host# set policy vpn-policy1 proposals ipsec-phase2-proposal
       admin@host# set policy vpn-policy1 perfect-forward-secrecy keys group2
    8. Configure the VPN.
       [edit security ipsec]
       admin@host# set vpn ike-vpn bind-interface st0.1
       admin@host# set vpn ike-vpn ike gateway ike-gw
       admin@host# set vpn ike-vpn ike ipsec-policy vpn-policy1
    9. Configure VPN monitoring.
       [edit security ipsec]
       admin@host# set vpn ike-vpn vpn-monitor source-interface st0.1
       admin@host# set vpn ike-vpn vpn-monitor destination-ip 4.0.0.1

    Results

    From configuration mode, confirm your configuration by entering the show interfaces command at the [edit logical-systems ls-product-design] level (the st0 unit was assigned there, not at the root interfaces hierarchy) and the show security ike and show security ipsec commands at the [edit] level. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

    [edit logical-systems ls-product-design]
    admin@host# show interfaces
    st0 {
        unit 1;
    }
    [edit]
    admin@host# show security ike
    proposal ike-phase1-proposal {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
    }
    policy ike-phase1-policy {
        mode main;
        proposals ike-phase1-proposal;
        pre-shared-key ascii-text "$9$b92JGP5Q/ApmfIclv7NHqmfT39CuBRSAt87"; ## SECRET-DATA
    }
    gateway ike-gw {
        ike-policy ike-phase1-policy;
        address 2.2.2.2;
        external-interface ge-0/0/3.0;
    }
    [edit]
    admin@host# show security ipsec
    proposal ipsec-phase2-proposal {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
    }
    policy vpn-policy1 {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals ipsec-phase2-proposal;
    }
    vpn ike-vpn {
        bind-interface st0.1;
        vpn-monitor {
            source-interface st0.1;
            destination-ip 4.0.0.1;
        }
        ike {
            gateway ike-gw;
            ipsec-policy vpn-policy1;
        }
    }

    If you are done configuring the device, enter commit from configuration mode.
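    The step-by-step procedure above builds a chain of cross-references (IKE policy to proposal, gateway to policy, VPN to gateway, IPsec policy and st0 unit), and the Results output is where a typo in any one of them shows up. The following is an added example, not code from the Juniper documentation: a Python script that flattens curly-brace output like the Results section into set statements, the way show | display set does, and then checks that every reference resolves and flags the legacy algorithm choices on this page (dh-group group2, sha1). The embedded sample is constructed from this page's Results output, with the pre-shared key elided and the vpn-monitor block omitted; the REFERENCES table is this example's own assumption about which statements carry references and covers only the object types this example uses.

```python
"""Added example (not Juniper code): flatten Junos display-format output into set statements and check IKE/IPsec references."""

# Constructed from the Results section of this page, wrapped in the hierarchy
# each show command was run at; pre-shared key elided, vpn-monitor omitted.
SAMPLE_CONFIG = """\
logical-systems {
    ls-product-design {
        interfaces {
            st0 {
                unit 1;
            }
        }
    }
}
security {
    ike {
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        policy ike-phase1-policy {
            mode main;
            proposals ike-phase1-proposal;
            pre-shared-key ascii-text "$9$elided"; ## SECRET-DATA
        }
        gateway ike-gw {
            ike-policy ike-phase1-policy;
            address 2.2.2.2;
            external-interface ge-0/0/3.0;
        }
    }
    ipsec {
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy vpn-policy1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-phase2-proposal;
        }
        vpn ike-vpn {
            bind-interface st0.1;
            ike {
                gateway ike-gw;
                ipsec-policy vpn-policy1;
            }
        }
    }
}
"""
# Assumed reference table: (statement shape with * for the object name, prefix that must define the target).
REFERENCES = [
    ("security ike policy * proposals", "security ike proposal"),
    ("security ike gateway * ike-policy", "security ike policy"),
    ("security ipsec policy * proposals", "security ipsec proposal"),
    ("security ipsec vpn * ike gateway", "security ike gateway"),
    ("security ipsec vpn * ike ipsec-policy", "security ipsec policy"),
]
LEGACY = {"group1", "group2", "md5", "sha1", "des-cbc", "3des-cbc"}  # weak DH groups / algorithms

def to_set_statements(text):
    """Flatten display format into the statements 'show | display set' would print (without 'set ')."""
    stack, out = [], []
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()  # drop '## SECRET-DATA' annotations
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            out.append(" ".join(stack + [line[:-1].strip()]))
        elif line: raise ValueError(f"unparsed line: {raw!r}")
    return out

def check_references(statements):
    """Return (errors, warnings): dangling references and legacy algorithm choices."""
    errors, warnings = [], []
    defined = {(pre, s[len(pre) + 1:].split()[0])
               for s in statements for _, pre in REFERENCES if s.startswith(pre + " ")}
    for st in statements:
        w = st.split()
        for pattern, pre in REFERENCES:
            p = pattern.split()
            if len(w) > len(p) and all(a in ("*", b) for a, b in zip(p, w)):
                for name in " ".join(w[len(p):]).strip("[] ").split():  # handles '[ a b ]' lists
                    if (pre, name) not in defined:
                        errors.append(f"{st}: {pre} {name} is not defined")
        if w[:3] == ["security", "ipsec", "vpn"] and w[4:5] == ["bind-interface"]:
            ifd, _, unit = w[5].partition(".")  # st0.1 -> st0 unit 1, in any logical system
            if not any(f" interfaces {ifd} unit {unit} " in f" {s} " for s in statements):
                errors.append(f"{st}: {w[5]} is not configured in any logical system")
        if w[-1] in LEGACY:
            warnings.append(f"{st}: legacy algorithm or Diffie-Hellman group")
    return errors, warnings
```

    Run it against a saved show output before commit: no errors means every object in the chain exists, and the three warnings on this page's configuration are the group2 and sha1 choices noted in the Overview.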

    Verification

    Confirm that the configuration is working properly.

    Verifying the Configuration

    Purpose

    Verify that the IKE and IPsec SA configuration is correct.

    Action

    From operational mode, enter the show security ike security-associations and show security ipsec security-associations commands. An established Phase 1 SA for peer 2.2.2.2 and an active Phase 2 SA bound to st0.1 confirm that the tunnel is up; with vpn-monitor configured, the IPsec SA is torn down if the probes to 4.0.0.1 fail.

    Published: 2012-06-29