[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring IPSec Instead of MPLS Between PE Routers

A conventional Layer 3 BGP/MPLS VPN requires the configuration of MPLS label-switched paths (LSPs) between the PE routers. When a PE router receives a packet from a CE router, it performs a lookup in a specific VRF table for the IP destination address and obtains a corresponding MPLS label stack. The label stack is used to forward the packet to the egress PE router, where the bottom label is removed and the packet is forwarded to the specified CE router.

You can provide Layer 3 BGP/MPLS VPN service without an MPLS backbone. Instead of configuring MPLS LSPs between the PE routers, you configure GRE and IPSec tunnels between the PE routers. The MPLS information for the VPN (the VPN label) is encapsulated within an IP header and an IPSec header. The source address of the IP header is the address of the ingress PE router. The destination address has the BGP next hop, the address of the egress PE router.

Note: The IPSec tunnel requires the use of an ES PIC. The GRE tunnel requires the use of a Tunnel Services PIC.

To configure IPSec between PE routers, follow these steps:

  1. Configure an IPSec tunnel between the PE routers. The source address is that of the ingress PE router, and the destination address is that of the egress PE router:
    es-interface-name {
    unit unit-number {
    tunnel {
    source source-address;
    destination destination-address;
    }
    family inet {
    ipsec-sa sa-esp-dynamic;
    address address;
    }
    family mpls;
    }
    }

    You can include these statements at the following hierarchy levels:

  2. Configure IPSec on the PE router. For information about how to configure IPSec, see the JUNOS System Basics Configuration Guide.
  3. Configure a GRE tunnel between the PE routers. Again, the source address is that of the ingress PE router, and the destination address is that of the egress PE router:
    gr-interface-name {
    unit unit-number {
    family inet {
    address address;
    }
    family mpls;
    tunnel {
    source source-address;
    destination destination-address;
    }
    }
    }

    You can include these statements at the following hierarchy levels:

  4. Configure BGP between the PE routers:
    bgp {
    group pe {
    type internal;
    local-address local-address;
    family inet {
    unicast;
    }
    family inet-vpn {
    unicast;
    }
    peer-as as-number;
    neighbor address;
    }
    }

    You can include these statements at the following hierarchy levels:

  5. Configure the routing instance:
    instance-type vrf;
    interface interface-name;
    route-distinguisher address;
    vrf-import import-policy-name;
    vrf-export export-policy-name;
    protocols {
    bgp {
    group routing-instance-name {
    type external;
    peer-as as-number;
    as-override;
    neighbor address;
    }
    }
    }

    You can include these statements at the following hierarchy levels:

  6. Configure the policy options:
    policy-statement import-policy-name {
    term 1 {
    from {
    protocol bgp;
    community community-name;
    }
    then accept;
    }
    term 2 {
    then reject;
    }
    }
    policy-statement export-policy-name {
    term 1 {
    from protocol [ bgp direct ];
    then {
    community add community-name;
    accept;
    }
    }
    term 2 {
    then reject;
    }
    }
    community community-name members target:target;

    You can include these statements at the following hierarchy levels:

  7. Configure routing table groups to enable VPN route resolution in the inet.3 routing table:
    interface-routes {
    rib-group inet if-rib;
    }
    rib inet.3 {
    static {
    route BGP-address-for-remote-PE next-hop gre-interface-name;
    }
    }
    rib-groups {
    if-rib {
    import-rib [ inet.0 inet.3 ];
    }
    }

    You can include these statements at the following hierarchy levels:

[Contents] [Prev] [Next] [Index] [Report an Error]

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.