[Contents] [Prev] [Next] [Index] [Report an Error]

Example: AS PIC Manual SA Configuration

Figure 47: AS PIC Manual SA Topology Diagram

Image g015519.gif

Figure 47 shows a similar IPSec topology to the one used in the ES PIC manual SA example. The difference is that Routers 2 and 3 establish an IPSec tunnel using an AS PIC and use slightly modified manual SA settings. Routers 1 and 4 again provide basic connectivity and are used to verify that the IPSec tunnel is operational.

On Router 1, provide basic OSPF connectivity to Router 2.

Router 1



[edit]
interfaces {


so-0/0/0 {
description "To R2 so-0/0/0";


unit 0 {


family inet {
address 10.1.12.2/30;
}


}


}




lo0 {


unit 0 {


family inet {
address 10.0.0.1/32;
}


}


}


}
routing-options {
router-id 10.0.0.1;
}
protocols {


ospf {


area 0.0.0.0 {
interface so-0/0/0.0;
interface lo0.0;
}


}


}

On Router 2, enable OSPF as the underlying routing protocol to connect to Routers 1 and 3. Configure a bidirectional manual SA in a rule called rule-manual-SA-BiEspshades at the [edit ipsec-vpn rule] hierarchy level. Reference this rule in a service set called service-set-manual-BiEspshades at the [edit services service-set] hierarchy level.

Configure all specifications for your manual SA. Use ESP for the protocol, 261 for the SPI, HMAC-SHA1-96 for authentication, DES-CBC for encryption, a 20-bit ASCII authentication key for the SHA-1 authentication key, and an 8-bit ASCII encryption key for the DES-CBC authentication key. (For more information about key lengths, see Table 43.)

To direct traffic into the AS PIC and the IPSec tunnel, configure a next-hop style service set and add the adaptive services logical interface used as the IPSec inside interface into the OSPF configuration.

Router 2



[edit]
interfaces {


so-0/0/0 {
description "To R1 so-0/0/0";


unit 0 {


family inet {
address 10.1.12.1/30;
}


}


}




so-0/0/1 {
description "To R3 so-0/0/1";


unit 0 {


family inet {
address 10.1.15.1/30;
}


}


}




sp-1/2/0 {


services-options {


syslog {


host local {
services info;
}


}


}




unit 0 {


family inet {
}




                     
unit 1 { # sp-1/2/0.1 is the IPSec inside interface.
family inet;
service-domain inside;
}




                     
unit 2 { # sp-1/2/0.2 is the IPSec outside interface.
family inet;
service-domain outside;
}


}




lo0 {


unit 0 {


family inet {
address 10.0.0.2/32;
}


}


}


}




routing-options {
router-id 10.0.0.2;
}




protocols {


ospf {


area 0.0.0.0 {
interface so-0/0/0.0;
interface lo0.0;
                     
interface sp-1/2/0.1; # This sends OSPF traffic over the IPSec tunnel.
}


}


}




services {


                   
service-set service-set-manual-BiEspshades
{ # Define your service set here.


                     
next-hop-service { # Required for dynamic routing protocols such as OSPF.
inside-service-interface sp-1/2/0.1;
outside-service-interface sp-1/2/0.2;
}




ipsec-vpn-options {
                     
local-gateway 10.1.15.1; # Specify the local IP address of the IPSec tunnel.
}


                   
ipsec-vpn-rules rule-manual-SA-BiEspshades; # Reference the IPSec rule here.
}




ipsec-vpn {


                     
rule rule-manual-SA-BiEspshades
{ # Define your IPSec VPN rule here.


term term-manual-SA-BiEspshades {


then {
                         
remote-gateway 10.1.15.2; # The remote IP address of the IPSec tunnel.


                           
manual { # Define the manual SA specifications here.


                             
direction bidirectional
{                           

protocol esp;
spi 261;


authentication {
algorithm hmac-sha1-96;
key ascii-text "$9$v.s8xd24Zk.5bs.5QFAtM8XNVYJGifT3goT369
OBxNdw2ajHmFnCZUnCtuEh";
## The unencrypted key is juniperjuniperjunipe (20 characters for HMAC-SHA-1-96).
}




                               
encryption
{                             

algorithm des-cbc;
key ascii-text "$9$3LJW/A0EclLxdBIxdbsJZn/CpOR";
## The unencrypted key is juniperj (8 characters for DES-CBC).
}


}


}


}


}


                     
match-direction input; # Correct match direction for next-hop service sets.
}


}


}


}
security {


pki {


auto-re-enrollment {


certificate-id certificate-name {
ca-profile ca-profile-name;
challenge-password password;
re-enroll-trigger-time-percentage percentage; #Percentage of validity-period 
# (specified in
certificate) when automatic 
# reenrollment should
be initiated.
re-generate-keypair;
validity-period number-of-days;
}


}


}

On Router 3, enable OSPF as the underlying routing protocol to connect to Routers 2 and 4. Configure a bidirectional manual SA in a rule called rule-manual-SA-BiEspshades at the [edit ipsec-vpn rule] hierarchy level. Reference this rule in a service set called service-set-manual-BiEspshades at the [edit services service-set] hierarchy level.

Configure the same specifications for your manual SA that you specified on Router 2. Use ESP for the protocol, 261 for the SPI, HMAC-SHA1-96 for authentication, DES-CBC for encryption, a 20-bit ASCII authentication key for the SHA-1 authentication key, and an 8-bit ASCII encryption key for the DES-CBC authentication key. (For more information about key lengths, see Table 43.)

Router 3



[edit]
interfaces {


so-0/0/0 {
description "To R4 so-0/0/0";


unit 0 {


family inet {
address 10.1.56.1/30;
}


}


}




so-0/0/1 {
description "To R2 so-0/0/1";


unit 0 {


family inet {
address 10.1.15.2/30;
}


}


}




sp-1/2/0 {


services-options {


syslog {


host local {
services info;
}


}


}




unit 0 {


family inet {
}




                     
unit 1 { # sp-1/2/0.1 is the IPSec inside interface.
family inet;
service-domain inside;
}




                     
unit 2 { # sp-1/2/0.2 is the IPSec outside interface.
family inet;
service-domain outside;
}


}




lo0 {


unit 0 {


family inet {
address 10.0.0.3/32;
}


}


}


}




routing-options {
router-id 10.0.0.3;
}




protocols {


ospf {


area 0.0.0.0 {
interface so-0/0/0.0;
interface lo0.0;
                     
interface sp-1/2/0.1; # This sends OSPF traffic over the IPSec tunnel.
}


}


}




services {


                   
service-set service-set-manual-BiEspshades
{ # Define your service set here.


                     
next-hop-service { # Required for dynamic routing protocols such as OSPF.
inside-service-interface sp-1/2/0.1;
outside-service-interface sp-1/2/0.2;
}




ipsec-vpn-options {
                     
local-gateway 10.1.15.2; # Specify the local IP address of the IPSec tunnel.
}


                   
ipsec-vpn-rules rule-manual-SA-BiEspshades; # Reference the IPSec rule here.
}




ipsec-vpn {


                     
rule rule-manual-SA-BiEspshades
{ # Define your IPSec VPN rule here.


term term-manual-SA-BiEspshades {


then {
                         
remote-gateway 10.1.15.1; # The remote IP address of the IPSec tunnel.


                           
manual { # Define the manual SA specifications here.


                             
direction bidirectional
{                           

protocol esp;
spi 261;


authentication {
algorithm hmac-sha1-96;
key ascii-text "$9$v.s8xd24Zk.5bs.5QFAtM8XNVYJGifT3goT369
OBxNdw2ajHmFnCZUnCtuEh";
## The unencrypted key is juniperjuniperjunipe (20 characters for HMAC-SHA-1-96).
}




                               
encryption
{                             

algorithm des-cbc;
key ascii-text "$9$3LJW/A0EclLxdBIxdbsJZn/CpOR";
## The unencrypted key is juniperj (8 characters for DES-CBC).
}


}


}


}


}


                     
match-direction input; # Specify in which direction the rule should match.
}


}


}


}

On Router 4, provide basic OSPF connectivity to Router 3.

Router 4



[edit]
interfaces {


so-0/0/0 {
description "To R3 so-0/0/0";


unit 0 {


family inet {
address 10.1.56.2/30;
}


}


}




lo0 {


unit 0 {


family inet {
address 10.0.0.4/32;
}


}


}


}
routing-options {
    router-id 10.0.0.4;
}
protocols {


ospf {


area 0.0.0.0 {
interface so-0/0/0.0;
interface lo0.0;
}


}


}

[Contents] [Prev] [Next] [Index] [Report an Error]