Configuring an ES Tunnel Interface for Layer 3 VPNs

An ES tunnel interface allows you to configure an IP Security (IPsec) tunnel between the PE and CE routers of a Layer 3 VPN. The IPsec tunnel can include one or more hops.

The following sections explain how to configure an ES tunnel interface between the PE and CE routers of a Layer 3 VPN:

Configuring the ES Tunnel Interface on the PE Router

To configure the ES tunnel interface on the PE router, include the unit statement:

unit logical-unit-number {
    tunnel {
        source source-address;
        destination destination-address;
    }
    family inet {
        address address;
        ipsec-sa security-association-name;
    }
}

You can include this statement at the following hierarchy levels:

By default, the tunnel destination address is assumed to be in the default Internet routing table, inet.0. For IPsec tunnels using manual security association (SA), if the tunnel destination address is not in the default inet.0 routing table, you need to specify which routing table to search for the tunnel destination address by configuring the routing-instance statement. This is the case if the tunnel encapsulating interface is also configured under the routing instance.

unit logical-unit-number {
    tunnel {
        source address;
        destination address;
        routing-instance {
            destination routing-instance-name;
        }
    }
    family inet {
        address address;
        ipsec-sa security-association-name;
    }
    family mpls;
}

You can include these statements at the following hierarchy levels:

To complete the ES tunnel interface configuration, include the interface statement for the ES interface under the appropriate routing instance:

interface interface-name;

You can include this statement at the following hierarchy levels:

Configuring the ES Tunnel Interface on the CE Router

To configure the ES tunnel interface on the CE router, include the unit statement:

unit 0 {
    tunnel {
        source address;
        destination address;
    }
    family inet {
        address address;
        ipsec-sa security-association-name;
    }
}

You can include this statement at the following hierarchy levels:

For more information about how to configure tunnel interfaces, see the Junos Services Interfaces Configuration Guide.

For more information about how to configure IPsec interfaces, see the Junos System Basics Configuration Guide.
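
The PE and CE statements described above, filled in as a matched pair. This is an added example, not taken from the Junos documentation. The interface names, addresses, routing instance name (vpn-a), and SA name (sa-pe-ce) are constructed, and the manual SA is assumed to be defined separately under [edit security ipsec] on both routers.

```junos
# PE router (all values constructed for illustration)
interfaces {
    es-1/2/0 {
        unit 0 {
            tunnel {
                source 192.0.2.1;              # PE end of the IPsec tunnel
                destination 192.0.2.2;         # CE end of the IPsec tunnel
                routing-instance {
                    destination vpn-a;         # look up 192.0.2.2 in vpn-a, not inet.0
                }
            }
            family inet {
                address 10.255.0.1/30;
                ipsec-sa sa-pe-ce;             # must name an SA that exists on this router
            }
            family mpls;
        }
    }
}
routing-instances {
    vpn-a {
        # Other VRF statements for this instance are omitted here.
        interface es-1/2/0.0;                  # the ES interface
        interface so-0/0/0.0;                  # tunnel encapsulating interface toward the CE
    }
}

# CE router: tunnel source and destination mirror the PE side
interfaces {
    es-0/1/0 {
        unit 0 {
            tunnel {
                source 192.0.2.2;
                destination 192.0.2.1;
            }
            family inet {
                address 10.255.0.2/30;
                ipsec-sa sa-pe-ce;             # SA parameters must match the PE's SA
            }
        }
    }
}
```

When reviewing such a pair, check that the tunnel source on one router is the tunnel destination on the other, and that the routing-instance destination is present on the PE whenever the encapsulating interface sits inside the routing instance.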