[Contents] [Prev] [Next] [Index] [Report an Error]

Example: ES PIC Manual SA Configuration

Figure 64: ES PIC Manual SA Topology Diagram

Image g015518.gif

Figure 64 shows an IPSec topology containing a group of four routers. Routers 2 and 3 establish an IPSec tunnel using an ES PIC and manual SA settings. Routers 1 and 4 provide basic connectivity and are used to verify that the IPSec tunnel is operational.

On Router 1, provide basic OSPF connectivity to Router 2.

Router 1



[edit]
interfaces {


so-0/0/0 {
description "To R2 so-0/0/0";


unit 0 {


family inet {
address 10.1.12.2/30;
}


}


}




lo0 {


unit 0 {


family inet {
address 10.0.0.1/32;
}


}


}


}
routing-options {
router-id 10.0.0.1;
}
protocols {


ospf {


area 0.0.0.0 {
interface so-0/0/0.0;
interface lo0.0;
}


}


}

On Router 2, enable OSPF as the underlying routing protocol to connect to Routers 1 and 3. Configure a bidirectional manual SA called sa-manual at the [edit security ipsec security-association] hierarchy level. Use AH for the protocol, 400 for the SPI, HMAC-MD5-96 for authentication, and a 32-bit hexadecimal authentication key for the MD5 authentication key. (For more information about key length, see Table 53.) Because you are using AH, there is no need to configure encryption.

To direct traffic into the ES PIC and the IPSec tunnel, create two firewall filters. The es-traffic filter matches inbound traffic from Router 1 destined for Router 4, whereas the es-return filter matches the return path from Router 4 to Router 1. Apply the es-traffic filter to the so-0/0/0 interface; then apply both the es-return filter and the sa-manual SA to the es-0/3/0 interface.

Router 2



[edit]
interfaces {


so-0/0/0 {
description "To R1 so-0/0/0";


unit 0 {


family inet {


filter {
                       
input es-traffic; # Apply a filter that sends traffic to the IPSec tunnel here.
}


address 10.1.12.1/30;
}


}


}




so-0/0/1 {
description "To R3 so-0/0/1";


unit 0 {


family inet {
address 10.1.15.1/30;
}


}


}




es-0/3/0 {


unit 0 {


                     
tunnel { # Specify the IPSec tunnel endpoints here.
source 10.1.15.1;
destination 10.1.15.2;
}




family inet {
                     
ipsec-sa sa-manual; # Apply the manual SA here.


filter {
                       
input es-return; # Apply the filter that matches return IPSec traffic here.
}


}


}


}




lo0 {


unit 0 {


family inet {
address 10.0.0.2/32;
}


}


}


}
routing-options {
router-id 10.0.0.2;
}
protocols {


ospf {


area 0.0.0.0 {
interface so-0/0/0.0;
interface so-0/0/1.0;
interface lo0.0;
}


}


}
security {


ipsec {


                   
security-association sa-manual
{ # Define the manual SA specifications here.
                   
mode tunnel;


                     
manual {


                       
direction bidirectional {
                       
protocol ah;
                       
spi 400;


                         
authentication {
                         
algorithm hmac-md5-96;
                         
key hexadecimal "$9$rO/eK8x7VY2ahSvL7-2gfTQF9Apu1EhrmfF/CtI

                         RlKMW7-VwYg4ZhSeW8XbwoJGjHmP5QF69wY4Zjif5369ApBSyKv8XRE";                       

}


}


}


}


}


}



# The 32-bit unencrypted hexadecimal key is abcdef01abcdef01abcdef01abcdef01.
firewall {


                 
filter es-traffic { # Define a filter that sends traffic to the IPSec tunnel here.


term to-es {


from {


source-address {
10.1.12.0/24;
}




destination-address {
10.1.56.0/24;
}


}




then {
count ipsec-tunnel;
ipsec-sa sa-manual;
}


}




term other {
then accept;
}


}




                 
filter es-return { # Define a filter that matches return IPSec traffic here.


term return {


from {


source-address {
10.1.56.0/24;
}




destination-address {
10.1.12.0/24;
}


}


then accept;
}


}


}

On Router 3, enable OSPF as the underlying routing protocol to connect to Routers 2 and 4. Configure a bidirectional manual SA called sa-manual at the [edit security ipsec security-association] hierarchy level. Use the exact same specifications that you used for the SA on Router 2: AH for the protocol, 400 for the SPI, HMAC-MD5-96 for authentication, and a 32-bit hexadecimal authentication key of abcdef01abcdef01abcdef01abcdef01 for the MD5 authentication key. (For more information about authentication key length, see Table 53.) Because you are using AH, there is no need to configure an encryption algorithm.

To direct traffic into the ES PIC and the IPSec tunnel, create two firewall filters. The es-traffic filter matches inbound traffic from Router 4 destined for Router 1, whereas the es-return filter matches the return path from Router 1 to Router 4. Apply the es-traffic filter to the so-0/0/0 interface; then apply both the es-return filter and the sa-manual SA to the es-0/3/0 interface.

Router 3



[edit]
interfaces {


so-0/0/0 {
description "To R4 so-0/0/0";


unit 0 {


family inet {


filter {
                       
input es-traffic; # Apply a filter that sends traffic to the IPSec tunnel here.
}


address 10.1.56.1/30;
}


}


}




so-0/0/1 {
description "To R2 so-0/0/1";


unit 0 {


family inet {
address 10.1.15.2/30;
}


}


}




es-0/3/0 {


unit 0 {


                     
tunnel { # Specify the IPSec tunnel endpoints here.
                     
source 10.1.15.2;                   

destination 10.1.15.1;
}




family inet {
                     
ipsec-sa sa-manual; # Apply the manual SA here.


filter {
                       
input es-return; # Apply the filter that matches return IPSec traffic here.
}


}


}


}




lo0 {


unit 0 {


family inet {
address 10.0.0.3/32;
}


}


}


}
routing-options {
router-id 10.0.0.3;
}
protocols {


ospf {


area 0.0.0.0 {
interface so-0/0/0.0;
interface so-0/0/1.0;
interface lo0.0;
}


}


}
security {


ipsec {


                   
security-association sa-manual { # Define the manual SA specifications here.
                   
mode tunnel;                 



                     
manual {


                       
direction bidirectional {
                       
protocol ah;
                       
spi 400;


                         
authentication {
                         
algorithm hmac-md5-96;
                         
key hexadecimal "$9$KMfMWx-ds4oGyl87dboaQF36tuOBESyK5Q6

                         Ap0hcvWLXdbs24aJDylMXxNY2ZUjk.5Tz36Ct24JDkqQz/CtuORleW8xNcS";
}


}


}


}


}


}



## The 32-bit unencrypted hexadecimal key is abcdef01abcdef01abcdef01abcdef01.
firewall {


                 
filter es-traffic { # Define a filter that sends traffic to the IPSec tunnel here.


term to-es {


from {


source-address {
10.1.56.0/24;
}




destination-address {
10.1.12.0/24;
}


}




then {
count ipsec-tunnel;
ipsec-sa sa-manual;
}


}




term other {
then accept;
}


}




                 
filter es-return { # Define a filter that matches return IPSec traffic here.


term return {


from {


source-address {
10.1.12.0/24;
}




destination-address {
10.1.56.0/24;
}


}


then accept;
}


}


}

On Router 4, provide basic OSPF connectivity to Router 3.

Router 4



[edit]
interfaces {


so-0/0/0 {
description "To R3 so-0/0/0";


unit 0 {


family inet {
address 10.1.56.2/30;
}


}


}




lo0 {


unit 0 {


family inet {
address 10.0.0.4/32;
}


}


}


}
routing-options {
    router-id 10.0.0.4;
}
protocols {


ospf {


area 0.0.0.0 {
interface so-0/0/0.0;
interface lo0.ping
}


}


}

[Contents] [Prev] [Next] [Index] [Report an Error]