[Contents] [Prev] [Next] [Index] [Report an Error]

Example: AS PIC IKE Dynamic SA Configuration

Figure 67: AS PIC IKE Dynamic SA Topology Diagram

Image g015519.gif

Figure 67 shows the same IPSec topology as seen in the AS PIC manual SA example. However, this configuration requires Routers 2 and 3 to establish an IPSec tunnel using an IKE dynamic SA, enhanced authentication, and stronger encryption. Routers 1 and 4 continue to provide basic connectivity and are used to verify that the IPSec tunnel is operational.

Note: When you do not specify an IKE proposal, an IPSec proposal, and an IPSec policy on an AS PIC, the JUNOS software defaults to the highest level of encryption and authentication. As a result, the default authentication protocol is ESP, the default authentication mode is HMAC-SHA1-96, and the default encryption mode is 3DES-CBC. For more information about default IKE and IPSec policies and proposals on the AS PIC, see Table 55.

On Router 1, provide basic OSPF connectivity to Router 2.

Router 1



[edit]
interfaces {


so-0/0/0 {
description "To R2 so-0/0/0";


unit 0 {


family inet {
address 10.1.12.2/30;
}


}


}




lo0 {


unit 0 {


family inet {
address 10.0.0.1/32;
}


}


}


}
routing-options {
router-id 10.0.0.1;
}
protocols {


ospf {


area 0.0.0.0 {
interface so-0/0/0.0;
interface lo0.0;
}


}


}

On Router 2, enable OSPF as the underlying routing protocol to connect to Routers 1 and 3. Configure a bidirectional IKE dynamic SA in a rule called rule-ike at the [edit ipsec-vpn rule] hierarchy level. Reference this rule in a service set called service-set-dynamic-BiEspsha3des at the [edit services service-set] hierarchy level.

Using default values in the AS PIC, you do not need to specify an IPSec proposal, IPSec policy, or IKE proposal. However, you do need to configure a preshared key in an IKE policy with the pre-shared-key statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level. (For more information about default IKE and IPSec policies and proposals on the AS PIC, see Table 55.)

To direct traffic into the AS PIC and the IPSec tunnel, configure a next-hop style service set and add the adaptive services logical interface used as the IPSec inside interface into the OSPF configuration.

Router 2



[edit]
interfaces {


so-0/0/0 {
description "To R1 so-0/0/0";


unit 0 {


family inet {
address 10.1.12.1/30;
}


}


}




so-0/0/1 {
description "To R3 so-0/0/1";


unit 0 {


family inet {
address 10.1.15.1/30;
}


}


}




sp-1/2/0 {


services-options {


syslog {


host local {
services info;
}


}


}




unit 0 {


family inet {
}




                     
unit 1 { # sp-1/2/0.1 is the IPSec inside interface.
family inet;
service-domain inside;
}




                     
unit 2 { # sp-1/2/0.2 is the IPSec outside interface.
family inet;
service-domain outside;
}


}




lo0 {


unit 0 {


family inet {
address 10.0.0.2/32;
}


}


}


}




routing-options {
router-id 10.0.0.2;
}




protocols {


ospf {


area 0.0.0.0 {
interface so-0/0/0.0;
interface lo0.0;
                     
interface sp-1/2/0.1; # This sends OSPF traffic over the IPSec tunnel.
}


}


}




services {


                   
service-set service-set-dynamic-BiEspsha3des
{ # Define your service set here.


                     
next-hop-service { # Required for dynamic routing protocols such as OSPF.
inside-service-interface sp-1/2/0.1;
outside-service-interface sp-1/2/0.2;
}




ipsec-vpn-options {
                     
local-gateway 10.1.15.1; # Specify the local IP address of the IPSec tunnel.
}


                   
ipsec-vpn-rules rule-ike; # Reference your IPSec VPN rule here.
}




ipsec-vpn {


                     
rule rule-ike { # Define your IPSec VPN rule here.


term term-ike {


then {
                         
remote-gateway 10.1.15.2; # The remote IP address of the IPSec tunnel.


                           
dynamic { # This creates a dynamic SA.
                           
ike-policy ike-policy-preshared; # Reference your IKE policy here.
}


}


}


                     
match-direction input; # Specify in which direction the rule should match.
}




ike {


                       
policy ike-policy-preshared
{ # Define your IKE policy specifications here.
                       
pre-shared-key ascii-text
"$9$KtKWX-YgJHqfVwqfTzCAvWL";                     

## The unencrypted preshared key for this example is juniper.
}


}


}


}


}

On Router 3, enable OSPF as the underlying routing protocol to connect to Routers 2 and 4. Configure a bidirectional IKE dynamic SA in a rule called rule-ike at the [edit ipsec-vpn rule] hierarchy level. Reference this rule in a service set called service-set-dynamic-BiEspsha3des at the [edit services service-set] hierarchy level.

Again, use the same default policies and proposals that you used on Router 2. However, remember to configure a preshared key in an IKE policy with the pre-shared-key statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level. The key must match the one you specified on Router 2. (For more information about default IKE and IPSec policies and proposals on the AS PIC, see Table 55.)

Router 3



[edit]
interfaces {


so-0/0/0 {
description "To R4 so-0/0/0";


unit 0 {


family inet {
address 10.1.56.1/30;
}


}


}




so-0/0/1 {
description "To R2 so-0/0/1";


unit 0 {


family inet {
address 10.1.15.2/30;
}


}


}




sp-1/2/0 {


services-options {


syslog {


host local {
services info;
}


}


}




unit 0 {


family inet {
}




                     
unit 1 { # sp-1/2/0.1 is the IPSec inside interface.
family inet;
service-domain inside;
}




                     
unit 2 { # sp-1/2/0.2 is the IPSec outside interface.
family inet;
service-domain outside;
}


}




lo0 {


unit 0 {


family inet {
address 10.0.0.3/32;
}


}


}


}




routing-options {
router-id 10.0.0.3;
}




protocols {


ospf {


area 0.0.0.0 {
interface so-0/0/0.0;
interface lo0.0;
                     
interface sp-1/2/0.1; # This sends OSPF traffic over the IPSec tunnel.
}


}


}




services {


                   
service-set service-set-dynamic-BiEspsha3des
{ # Define your service set here.


                     
next-hop-service { # Required for dynamic routing protocols such as OSPF.
inside-service-interface sp-1/2/0.1;
outside-service-interface sp-1/2/0.2;
}




ipsec-vpn-options {
                     
local-gateway 10.1.15.2; # Specify the local IP address of the IPSec tunnel.
}


                   
ipsec-vpn-rules rule-ike; # Reference your IPSec VPN rule here.
}




ipsec-vpn {


                     
rule rule-ike { # Define your IPSec VPN rule here.


term term-ike {


then {
                         
remote-gateway 10.1.15.1; # The remote IP address of the IPSec tunnel.


                           
dynamic { # This creates a dynamic SA.
                           
ike-policy ike-policy-preshared; # Reference your IKE policy here.
}


}


}


                     
match-direction input; # Specify in which direction the rule should match.
}




ike {


                       
policy ike-policy-preshared
{ # Define your IKE policy specifications here.
                       
pre-shared-key ascii-text
"$9$KtKWX-YgJHqfVwqfTzCAvWL";                     

## The unencrypted preshared key for this example is juniper.
}


}


}


}


}

On Router 4, provide basic OSPF connectivity to Router 3.

Router 4



[edit]
interfaces {


so-0/0/0 {
description "To R3 so-0/0/0";


unit 0 {


family inet {
address 10.1.56.2/30;
}


}


}




lo0 {


unit 0 {


family inet {
address 10.0.0.4/32;
}


}


}


}
routing-options {
    router-id 10.0.0.4;
}
protocols {


ospf {


area 0.0.0.0 {
interface so-0/0/0.0;
interface lo0.0;
}


}


}

[Contents] [Prev] [Next] [Index] [Report an Error]