Example: Configuring PIM Sparse Mode over an IPsec VPN

IPsec VPNs create secure point-to-point connections between sites over the Internet. The Junos implementation of IPsec VPNs supports multicast and unicast traffic. The following example shows how to configure PIM sparse mode for the multicast solution and how to configure IPsec to secure your traffic.

The configuration shown in this example works on the following platforms:

  • M Series and T Series routers with one of the following PICs:
    • Adaptive Services (AS) PIC
    • Multiservices (MS) PIC
  • JCS1200 platform with a Multiservices PIC (MS-500)

The tunnel endpoints need not be the same platform type. For example, the device on one end of the tunnel can be a JCS1200 router, while the device on the other end can be a standalone T Series router. The two routers that are the tunnel endpoints can be in the same autonomous system (AS) or in different ASs.

In the configuration shown in this example, OSPF is configured between the tunnel endpoints. In Figure 1, the tunnel endpoints are R0 and R1. The network that contains the multicast source is connected to R0. The network that contains the multicast receivers is connected to R1. R1 serves as the statically configured rendezvous point (RP).

Figure 1: PIM Sparse Mode over an IPsec VPN

Image g040520.gif

To configure PIM sparse mode with IPsec:

  1. On R0, configure the incoming Gigabit Ethernet interface.
    [edit]
    user@host# set interfaces ge-0/1/1 description "incoming interface"
    user@host# set interfaces ge-0/1/1 unit 0 family inet address 10.20.0.1/30
  2. On R0, configure the outgoing Gigabit Ethernet interface.
    [edit]
    user@host# set interfaces ge-0/0/7 description "outgoing interface"
    user@host# set interfaces ge-0/0/7 unit 0 family inet address 10.10.1.1/30
  3. On R0, configure unit 0 on the sp- interface. Junos OS uses unit 0 for service logging and other communication from the services PIC.
    [edit]
    user@host# set interfaces sp-0/2/0 unit 0 family inet
  4. On R0, configure the logical interfaces that participate in the IPsec services. In this example, unit 1 is the inward-facing interface. Unit 1001 is the interface that faces the remote IPsec site.
    [edit]
    user@host# set interfaces sp-0/2/0 unit 1 family inet
    user@host# set interfaces sp-0/2/0 unit 1 service-domain inside
    user@host# set interfaces sp-0/2/0 unit 1001 family inet
    user@host# set interfaces sp-0/2/0 unit 1001 service-domain outside
  5. On R0, direct OSPF traffic into the IPsec tunnel.
    [edit]
    user@host# set protocols ospf area 0.0.0.0 interface sp-0/2/0.1
    user@host# set protocols ospf area 0.0.0.0 interface ge-0/1/1.0 passive
    user@host# set protocols ospf area 0.0.0.0 interface lo0.0
  6. On R0, configure PIM sparse mode. This example uses static RP configuration. R0 is a non-RP router, so configure the address of the RP router, which is the routable address assigned to the loopback interface on R1.
    [edit]
    user@host# set protocols pim rp static address 10.255.0.156
    user@host# set protocols pim interface sp-0/2/0.1
    user@host# set protocols pim interface ge-0/1/1.0
    user@host# set protocols pim interface lo0.0
  7. On R0, create a rule for a bidirectional dynamic IKE security association (SA) that references the IKE policy and the IPsec policy.
    [edit services ipsec-vpn rule ipsec_rule]
    user@host# set term ipsec_dynamic then remote-gateway 10.10.1.2
    user@host# set term ipsec_dynamic then dynamic ike-policy ike_policy
    user@host# set term ipsec_dynamic then dynamic ipsec-policy ipsec_policy
    user@host# set match-direction input
  8. On R0, configure the IPsec proposal. This example uses the Authentication Header (AH) protocol.
    [edit services ipsec-vpn ipsec proposal ipsec_prop]
    user@host# set protocol ah
    user@host# set authentication-algorithm hmac-md5-96
  9. On R0, define the IPsec policy.
    [edit services ipsec-vpn ipsec policy ipsec_policy]
    user@host# set perfect-forward-secrecy keys group1
    user@host# set proposals ipsec_prop
  10. On R0, configure IKE authentication and encryption details.
    [edit services ipsec-vpn ike proposal ike_prop]
    user@host# set authentication-method pre-shared-keys
    user@host# set dh-group group1
    user@host# set authentication-algorithm md5
    user@host# set encryption-algorithm 3des-cbc
  11. On R0, define the IKE policy.
    [edit services ipsec-vpn ike policy ike_policy]
    user@host# set proposals ike_prop
    user@host# set pre-shared-key ascii-text "$9$nuDo6CuREyvWxO1LNbsZGFn/AOR8LNws4"
  12. On R0, create a service set that defines IPsec-specific information. The first command associates the IKE SA rule with IPsec. The second command defines the address of the local end of the IPsec security tunnel. The last two commands configure the logical interfaces that participate in the IPsec services. Unit 1 is for the IPsec inward-facing traffic. Unit 1001 is for the IPsec outward-facing traffic.
    [edit services service-set ipsec_svc]
    user@host# set ipsec-vpn-rules ipsec_rule
    user@host# set ipsec-vpn-options local-gateway 10.10.1.1
    user@host# set next-hop-service inside-service-interface sp-0/2/0.1
    user@host# set next-hop-service outside-service-interface sp-0/2/0.1001
  13. On R1, configure the incoming Gigabit Ethernet interface.
    [edit]
    user@host# set interfaces ge-2/0/1 description "incoming interface"
    user@host# set interfaces ge-2/0/1 unit 0 family inet address 10.10.1.2/30
  14. On R1, configure the outgoing Gigabit Ethernet interface.
    [edit]
    user@host# set interfaces ge-2/0/0 description "outgoing interface"
    user@host# set interfaces ge-2/0/0 unit 0 family inet address 10.20.0.5/30
  15. On R1, configure the loopback interface.
    [edit]
    user@host# set interfaces lo0.0 family inet address 10.255.0.156
  16. On R1, configure unit 0 on the sp- interface. Junos OS uses unit 0 for service logging and other communication from the services PIC.
    [edit]
    user@host# set interfaces sp-2/1/0 unit 0 family inet
  17. On R1, configure the logical interfaces that participate in the IPsec services. In this example, unit 1 is the inward-facing interface. Unit 1001 is the interface that faces the remote IPsec site.
    [edit]
    user@host# set interfaces sp-2/1/0 unit 1 family inet
    user@host# set interfaces sp-2/1/0 unit 1 service-domain inside
    user@host# set interfaces sp-2/1/0 unit 1001 family inet
    user@host# set interfaces sp-2/1/0 unit 1001 service-domain outside
  18. On R1, direct OSPF traffic into the IPsec tunnel.
    [edit]
    user@host# set protocols ospf area 0.0.0.0 interface sp-2/1/0.1
    user@host# set protocols ospf area 0.0.0.0 interface ge-2/0/0.0 passive
    user@host# set protocols ospf area 0.0.0.0 interface lo0.0
  19. On R1, configure PIM sparse mode. R1 is the RP router. When you configure the local RP address, use the shared address, which is the address of R1's loopback interface.
    [edit]
    user@host# set protocols pim rp local address 10.255.0.156
    user@host# set protocols pim interface sp-2/1/0.1
    user@host# set protocols pim interface ge-2/0/0.0
    user@host# set protocols pim interface lo0.0 family inet
  20. On R1, create a rule for a bidirectional dynamic IKE SA that references the IKE policy and the IPsec policy.
    [edit services ipsec-vpn rule ipsec_rule]
    user@host# set term ipsec_dynamic from source-address 192.168.195.34/32
    user@host# set term ipsec_dynamic then remote-gateway 10.10.1.1
    user@host# set term ipsec_dynamic then dynamic ike-policy ike_policy
    user@host# set term ipsec_dynamic then dynamic ipsec-policy ipsec_policy
    user@host# set match-direction input
  21. On R1, define the IPsec proposal for the dynamic SA.
    [edit services ipsec-vpn ipsec proposal ipsec_prop]
    user@host# set protocol ah
    user@host# set authentication-algorithm hmac-md5-96
  22. On R1, define the IPsec policy.
    [edit services ipsec-vpn ipsec policy ipsec_policy]
    user@host# set perfect-forward-secrecy keys group1
    user@host# set proposals ipsec_prop
  23. On R1, configure IKE authentication and encryption details.
    [edit services ipsec-vpn ike proposal ike_prop]
    user@host# set authentication-method pre-shared-keys
    user@host# set dh-group group1
    user@host# set authentication-algorithm md5
    user@host# set encryption-algorithm 3des-cbc
  24. On R1, define the IKE policy.
    [edit services ipsec-vpn ike policy ike_policy]
    user@host# set proposals ike_prop
    user@host# set pre-shared-key ascii-text "$9$twR6pORrlMxNbhSds4aHkCtuBhr-dsoaU"
  25. On R1, create a service set that defines IPsec-specific information. The first command associates the IKE SA rule with IPsec. The second command defines the address of the local end of the IPsec security tunnel. The last two commands configure the logical interfaces that participate in the IPsec services. Unit 1 is for the IPsec inward-facing traffic. Unit 1001 is for the IPsec outward-facing traffic.
    [edit services service-set ipsec_svc]
    user@host# set ipsec-vpn-rules ipsec_rule
    user@host# set ipsec-vpn-options local-gateway 10.10.1.2
    user@host# set next-hop-service inside-service-interface sp-2/1/0.1
    user@host# set next-hop-service outside-service-interface sp-2/1/0.1001
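
As a sanity check on the two-router procedure above, the following script is an added example; it is not part of this documentation and not Juniper code. It takes the relevant 'set' statements from the R0 and R1 steps as constructed text input, with each [edit ...] context prefix expanded to its full path, and checks the items that most often break a tunnel like this one: each router's remote-gateway must equal the peer's local-gateway, R0's static RP address must equal R1's local RP address, and the IKE and IPsec proposal parameters (and the PFS group) must agree on both ends. It also warns about the algorithm choices used in this example, which are weak by current standards: AH provides integrity but no confidentiality, and MD5, 3DES and DH group 1 are deprecated. The path strings, the MUST_MATCH and WEAK tables and the message texts are the script's own, not Junos output.

```python
"""Consistency and algorithm-strength audit for the R0/R1 IPsec and PIM
configuration in this example.  Added illustration, not Juniper code: it
reads Junos 'set' statements as plain text and never contacts a router."""

# Constructed sample input: the relevant 'set' statements from the steps
# above, with each [edit ...] context prefix expanded into the full path.
R0_CONFIG = """
set protocols pim rp static address 10.255.0.156
set services ipsec-vpn rule ipsec_rule term ipsec_dynamic then remote-gateway 10.10.1.2
set services ipsec-vpn ipsec proposal ipsec_prop protocol ah
set services ipsec-vpn ipsec proposal ipsec_prop authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec policy ipsec_policy perfect-forward-secrecy keys group1
set services ipsec-vpn ike proposal ike_prop authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike_prop dh-group group1
set services ipsec-vpn ike proposal ike_prop authentication-algorithm md5
set services ipsec-vpn ike proposal ike_prop encryption-algorithm 3des-cbc
set services service-set ipsec_svc ipsec-vpn-options local-gateway 10.10.1.1
"""
R1_CONFIG = """
set protocols pim rp local address 10.255.0.156
set services ipsec-vpn rule ipsec_rule term ipsec_dynamic then remote-gateway 10.10.1.1
set services ipsec-vpn ipsec proposal ipsec_prop protocol ah
set services ipsec-vpn ipsec proposal ipsec_prop authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec policy ipsec_policy perfect-forward-secrecy keys group1
set services ipsec-vpn ike proposal ike_prop authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike_prop dh-group group1
set services ipsec-vpn ike proposal ike_prop authentication-algorithm md5
set services ipsec-vpn ike proposal ike_prop encryption-algorithm 3des-cbc
set services service-set ipsec_svc ipsec-vpn-options local-gateway 10.10.1.2
"""

# Configuration paths used by this script (policy names are the example's).
IKE = "services ipsec-vpn ike proposal ike_prop "
IPSEC = "services ipsec-vpn ipsec proposal ipsec_prop "
PFS = "services ipsec-vpn ipsec policy ipsec_policy perfect-forward-secrecy keys"
REMOTE_GW = "services ipsec-vpn rule ipsec_rule term ipsec_dynamic then remote-gateway"
LOCAL_GW = "services service-set ipsec_svc ipsec-vpn-options local-gateway"

# Parameters that must agree on both endpoints, or IKE/IPsec negotiation fails.
MUST_MATCH = [IKE + "authentication-method", IKE + "dh-group",
              IKE + "authentication-algorithm", IKE + "encryption-algorithm",
              IPSEC + "protocol", IPSEC + "authentication-algorithm", PFS]

# Values that negotiate fine but should be flagged in a configuration review.
WEAK = {
    IPSEC + "protocol": {"ah": "AH gives integrity only, no encryption"},
    IPSEC + "authentication-algorithm": {"hmac-md5-96": "MD5 is deprecated"},
    IKE + "authentication-algorithm": {"md5": "MD5 is deprecated"},
    IKE + "encryption-algorithm": {"3des-cbc": "3DES is deprecated, prefer AES"},
    IKE + "dh-group": {"group1": "768-bit DH group is too weak"},
    PFS: {"group1": "768-bit DH group is too weak for PFS"},
}


def parse_set(text):
    """Map each 'set <path> <value>' line to {path: value}: the value is the
    last token and the path is everything between 'set' and the value."""
    cfg = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0] == "set":
            cfg[" ".join(tokens[1:-1])] = tokens[-1]
    return cfg


def audit(r0_text, r1_text):
    """Return (errors, warnings): errors are mismatches that would stop the
    tunnel or multicast from working, warnings are weak-algorithm findings."""
    r0, r1 = parse_set(r0_text), parse_set(r1_text)
    errors, warnings = [], []
    # Each endpoint's remote-gateway must be the peer's local-gateway.
    for name, me, peer in (("R0", r0, r1), ("R1", r1, r0)):
        if me.get(REMOTE_GW) != peer.get(LOCAL_GW):
            errors.append(f"{name} remote-gateway {me.get(REMOTE_GW)} is not "
                          f"the peer's local-gateway {peer.get(LOCAL_GW)}")
    # The non-RP router's static RP must be the RP router's local RP address.
    if r0.get("protocols pim rp static address") != r1.get("protocols pim rp local address"):
        errors.append("R0 static RP address differs from R1 local RP address")
    for path in MUST_MATCH:
        if r0.get(path) != r1.get(path):
            errors.append(f"mismatch on {path}: R0={r0.get(path)} R1={r1.get(path)}")
    for name, cfg in (("R0", r0), ("R1", r1)):
        for path, bad in WEAK.items():
            value = cfg.get(path)
            if value in bad:
                warnings.append(f"{name}: {path.split()[-1]} {value}: {bad[value]}")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = audit(R0_CONFIG, R1_CONFIG)
    for finding in errs:
        print("ERROR", finding)
    for finding in warns:
        print("WARN", finding)
```

Run against the example's own statements, the audit reports no errors and twelve warnings (six per router), which is the expected result: the tunnel negotiates, but every algorithm choice in it is one a review would ask to be replaced. Changing a single parameter on one side (for instance the IKE DH group on R1) produces a mismatch error, which is the kind of asymmetry that otherwise surfaces only as a failed `show services ipsec-vpn ike security-associations` check.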

Verify the configuration:

  • Check which RPs the various routers have learned about.

    user@host> show pim rps extensive inet
  • Check that the IPsec SA negotiation is successful.

    user@host> show services ipsec-vpn ipsec security-associations
  • Check that the IKE SA negotiation is successful.

    user@host> show services ipsec-vpn ike security-associations
  • Check that traffic is traveling over the IPsec tunnel.

    user@host> show services ipsec-vpn ipsec statistics

Published: 2010-07-19