Using IPsec to Protect BGP Traffic
You can apply IPsec to BGP traffic. IPsec is a protocol suite used for protecting IP traffic at the packet level. IPsec is based on security associations (SAs). An SA is a simplex connection that provides security services to the packets carried by the SA. After configuring the SA, you can apply it to BGP peers.
To apply an SA, include the ipsec-sa statement:
For a list of hierarchy levels at which you can include this statement, see the statement summary section for this statement. The security association is identified by the SA name.
Note: For transport mode, no PIC is necessary. The SA is configured at the [edit security ipsec security-association name] hierarchy level with the mode statement set to transport. In transport mode, the Junos OS does not support authentication header (AH) or encapsulating security payload (ESP) header bundles. The Junos OS supports only the BGP protocol in transport mode.

For tunnel mode, a MultiServices PIC (or MS-DPC for MX Series routers) must be used. Tunnel mode IPsec for the MS-PIC is configured at the [edit security ipsec-vpn] hierarchy level.
A more specific SA overrides a more general SA. For example, if a specific SA is applied to a specific peer, that SA overrides the SA applied to the whole peer group.
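The following configuration is an added example, not taken from the Junos documentation. It defines two transport-mode SAs and applies one to a peer group and the other to a single neighbor, so the neighbor-level SA overrides the group-level SA for that peer. The SA names, group name, SPI values, addresses (documentation range 192.0.2.0/24), key placeholders, and the choice of manual keying and algorithms are assumptions.

```junos
security {    /* added example: names, SPIs, addresses and keys are constructed placeholders */
    ipsec {
        security-association sa-bgp-group {
            mode transport;              /* transport mode: no PIC required, BGP only */
            manual {
                direction bidirectional {
                    protocol esp;        /* AH/ESP bundles are not supported in transport mode */
                    spi 1000;
                    authentication {
                        algorithm hmac-sha1-96;
                        key ascii-text "<GROUP-AUTH-KEY-PLACEHOLDER>";
                    }
                    encryption {
                        algorithm 3des-cbc;
                        key ascii-text "<GROUP-ENCRYPTION-KEY-PLACEHOLDER>";
                    }
                }
            }
        }
        security-association sa-bgp-peer2 {
            mode transport;
            manual {
                direction bidirectional {
                    protocol esp;
                    spi 1001;
                    authentication {
                        algorithm hmac-sha1-96;
                        key ascii-text "<PEER2-AUTH-KEY-PLACEHOLDER>";
                    }
                    encryption {
                        algorithm 3des-cbc;
                        key ascii-text "<PEER2-ENCRYPTION-KEY-PLACEHOLDER>";
                    }
                }
            }
        }
    }
}
protocols {
    bgp {
        group internal-peers {
            type internal;
            ipsec-sa sa-bgp-group;       /* general SA: applies to every peer in the group */
            neighbor 192.0.2.1;          /* inherits sa-bgp-group */
            neighbor 192.0.2.2 {
                ipsec-sa sa-bgp-peer2;   /* more specific SA: overrides the group SA for this peer */
            }
        }
    }
}
```

With this configuration, the session to 192.0.2.1 uses sa-bgp-group and the session to 192.0.2.2 uses sa-bgp-peer2. Because these are manual SAs, each remote peer must be configured with the matching SPI, algorithms, and keys.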
For more detailed information about configuring IPsec security associations, see the Junos System Basics Configuration Guide.
