[Contents] [Prev] [Next] [Index] [Report an Error]

Dynamically Assigned Tunnels

The following examples are based on this network configuration (see Figure 3):

A local network N-1 behind security gateway SG-1, a Juniper Networks router terminating static as well as dynamic peer endpoints. The tunnel termination address on SG-1 is 10.1.1.1 and the local network address is 172.16.1.0/24.
Two remote peer routers that obtain addresses from an ISP pool and run RFC-compliant IKE. Remote network N-2 has address 172.16.2.0/24 and resides behind security gateway SG-2 with tunnel termination address 10.2.2.2. Remote network N-3 has address 172.16.3.0/24 and resides behind security gateway SG-3 with tunnel termination address 10.3.3.3.

Figure 3: IPSec Dynamic Endpoint Tunneling Topology

Image g017076.gif

The examples in this section show the following configurations:

Note: All the configurations are given for the Juniper Networks router terminating dynamic endpoint connections.

Configuring a Next-Hop Style Service Set with Link-Type Tunnels



access {


profile demo-access-profile client * {


ike {


allowed-proxy-pair {
remote 0.0.0.0/0 local 0.0.0.0/0;    # ANY to ANY
}




pre-shared-key {
ascii-text keyfordynamicpeers;
}


interface-id demo-ipsec-interface-id;
}


}




services {


service-set demo-service-set {


next-hop-service {
inside-service-interface sp-1/0/0.1;
outside-service-interface sp-1/0/0.2;
}




ipsec-vpn-options {
local-gateway 10.1.1.1;
ike-access-profile demo-ike-access-profile;
}


}


}


}

Note: Including the ike-access-profile statement enables the software to incorporate implicit proposals for dynamic endpoint authentication. You do not need to configure IKE or IPSec proposals explicitly.



interfaces {


sp-0/0/0 {


unit 0 {
family inet;
}




unit 1 {
family inet;
service-domain inside;
}




unit 2 {
family inet;
service-domain outside;
}




unit 3 {
family inet;
service-domain inside;


dial-options {
ipsec-interface-id demo-ipsec-interface-id;
dedicated;
}


}




unit 4 {
family inet;
service-domain inside;


dial-options {
ipsec-interface-id demo-ipsec-interface-id;
dedicated;
}


}


}


}

The following results are obtained:

Reverse routes inserted after successful negotiation:
None
Routes learned by routing protocol:
172.16.2.0/24

172.16.3.0/24
Dynamic implicit rules created after successful negotiation: rule: junos-dynamic-rule-0 term: term-0 local-gateway-address : 10.1.1.1 #Tunnel termination address on SG-1 remote-gateway-address: 10.2.2.2 #Tunnel termination address on SG-2 source-address : 0.0.0.0/0 destination-address : 0.0.0.0/0 ipsec-inside-interface: sp-0/0/0.3 term: term-1 local-gateway-address : 10.1.1.1 #Tunnel termination address on SG-1 remote-gateway-address: 10.3.3.3 #Tunnel termination address on SG-3 source-address : 0.0.0.0/0 destination-address : 0.0.0.0/0 ipsec-inside-interface: sp-0/0/0.4 match-direction: input

Configuring a Next-Hop Style Service-Set with Policy-Based Tunnels



access {


profile demo-access-profile client * {


ike {


allowed-proxy-pair {
remote 172.16.2.0/24 local 172.16.1.0/24; #N-2 <==>
#N-1
remote 172.16.3.0/24 local 172.16.1.0/24; #N-3 <==>
#N-1
}




pre-shared-key {
ascii-text keyfordynamicpeers;
}


interface-id demo-ipsec-interface-id;
}


}


}
services {


service-set demo-service-set {


next-hop-service {
inside-service-interface sp-1/0/0.1;
outside-service-interface sp-1/0/0.2;
}




ipsec-vpn-options {
local-gateway 10.1.1.1;
}


ike-access-profile demo-ike-access-profile;
}


}



interfaces {


sp-0/0/0 {


unit 0 {
family inet;
}




unit 1 {
family inet;
service-domain inside;
}




unit 2 {
family inet;
service-domain outside;
}




unit 3 {
family inet;
service-domain inside;


dial-options {
ipsec-interface-id demo-ipsec-interface-id;
mode shared;
}


}


}


}
# VRF configuration, if not inet.0
routing-instances {


demo-vrf {
instance-type vrf;
interface sp-0/0/0.1;
interface sp-0/0/0.3;
.....
}


}

The following results are obtained:

Reverse routes injected after successful negotiationdemo-vrf.inet.0: .... # Routing instance 172.11.0.0/24 *[Static/1].. > via sp-0/0/0.3 172.12.0.0/24 *[Static/1].. > via sp-0/0/0.3
Dynamic implicit rules created after successful negotiation: rule: junos-dynamic-rule-0 term: term-0 local-gateway-address : 10.1.1.1 #Tunnel termination address on SG-1 remote-gateway-address: 10.2.2.2 #Tunnel termination address on SG-2 source-address : 172.16.1.0/24 destination-address : 172.16.2.0/24 ipsec-inside-interface: sp-0/0/0.3 term: term-1 local-gateway-address : 10.1.1.1 #Tunnel termination address on SG-1 remote-gateway-address: 10.3.3.3 #Tunnel termination address on SG-3 source-address : 172.16.1.0/24 destination-address : 172.16.3.0/24 ipsec-inside-interface: sp-0/0/0.3 match-direction: input

[Contents] [Prev] [Next] [Index] [Report an Error]