GRE/IPSec and DVMRP/IPSec Tunnels

In GRE/IPSec or DVMRP/IPSec connections, E-series routers can act as source and destination endpoints of the secure tunnel. Both sides of the connection run IPSec in transport mode with Encapsulating Security Payload (ESP) encryption and authentication.

In a GRE/IPSec or DVMRP/IPSec connection, the E-series router initiates an IPSec connection with a remote router. After establishing the IPSec connection, the E-series router establishes a GRE or DVMRP tunnel to the remote router. The tunnel is completely protected by the IPSec connection.

Setting Up the Secure GRE or DVMRP Connection

In Figure 29, a secure GRE/IPSec connection is set up between two E-series routers. To set up the secure connection:

1. Set up the IPSec connection between the two routers. IKE signals a security association (SA) between the two IPSec tunnel endpoints.

   Two unidirectional SAs are established to secure data traffic.

2. Set up a GRE tunnel between the two routers.

The GRE tunnel now runs over the SAs that IKE established.

Figure 29: GRE/IPSec Connection

Configuration Tasks

The main configuration tasks for setting up GRE or DVMRP over IPSec on E-series routers are:

• Set up the GRE or DVMRP tunnel, specifying the virtual router and destination address, and enabling IPSec support. See Configuring IP Tunnels .
• Set up digital certificates on the router, or configure preshared keys for IKE authentication.
  • To set up digital certificates, see Configuring Digital Certificates.
  • To set up preshared keys, see Configuring IPSec Parameters in Configuring IPSec.
• Create IPSec policies. See Defining an IKE Policy in Configuring IPSec.
• Configure IPSec transport profiles. See Configuring IPSec Transport Profiles .

Enabling IPSec Support for GRE and DVMRP Tunnels

To create GRE/IPSec and DVMRP/IPSec tunnels, use the ipsec-transport keyword with the interface tunnel command.

interface tunnel dvmrp

interface tunnel gre

• Use with the ipsec-transport keyword to create a GRE or DVMRP tunnel that is protected with IPSec in transport mode.

  Note: After you create a clear GRE or DVMRP tunnel, you cannot convert it to an IPSec-secured tunnel, or vice versa. You must delete the tunnel configuration, then reconfigure the tunnel as the new type.

• You can establish the tunnel on a virtual router other than the current virtual router.
• Example

  host1(config)#interface tunnel gre:denver-tunnel-5 transport-virtual-router denver ipsec-transport

  host1(config-if)#

• Use the no version to remove the tunnel.
• See interface tunnel.

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.