
Example: Configuring MPLS over GRE with IPsec Fragmentation and Reassembly

Virtual private network (VPN) traffic forwarded over 1500-byte media is blocked because of the protocol encapsulation overhead (Layer 2, MPLS, and GRE, IPsec, or both).

This document provides a solution that fragments an IPsec-encapsulated packet and reassembles the fragmented packets.

This example shows how to configure selective packet services using a single routing instance (the default one) without using the lt interface.

You can perform IPsec-encapsulated packet fragmentation on the outgoing physical interface of the sending device and reassembly on the receiving device before IPsec decryption.

Note

Reassembling fragmented packets consumes significant device resources, so the device forwards fragmented traffic more slowly than nonfragmented traffic.

The topic includes the following sections:

Requirements

This example uses the following hardware and software components:

  • Branch SRX Series Services Gateways

  • Junos OS Release 11.4 or later

Overview and Topology

This example includes the following configurations:

  • Configure interfaces for the appropriate protocol encapsulation with the required maximum transmission unit (MTU) value.

  • Apply a firewall filter on the ge-0/0/10.10 interface to set packet mode. Configure the outgoing interface ge-0/0/14.0 with an appropriate MTU value.

  • Set the largest MTU value on the GRE and IPsec logical interfaces to avoid IPsec fragmentation at the logical interfaces. GRE-encapsulated traffic is tunneled inside IPsec.

  • Add the MPLS family to the GRE interface gr-0/0/0 and apply a firewall filter to enable packet mode. Create the firewall filters that place the interfaces in packet mode.

  • Perform basic IPsec tunnel configuration on the device, with the df-bit clear option added to the IPsec VPN configuration to allow fragmentation of oversized IPsec packets on the outgoing interface ge-0/0/14.0.

  • Configure all noncustomer-facing interfaces, such as ge-0/0/14.0, gr-0/0/0.0, lo0.0, and st0.0, in a single security zone.

  • Configure a policy to permit all (intrazone) traffic.

  • Configure OSPF for lo0.0 address distribution and LDP for label distribution, then configure IBGP with the inet-vpn and l2vpn families.

  • Configure two routing instances, one for the Layer 3 VPN and the other for the VPLS application.
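The following Python model is an added example, not part of the Juniper page, that works through the encapsulation arithmetic behind these settings: a 1500-byte customer packet picks up two MPLS labels, a GRE/IP header and ESP tunnel-mode overhead, exceeds the 1500-byte IP MTU of ge-0/0/14.0 (mtu 1514 minus the 14-byte Ethernet header), and is then either fragmented there (df-bit clear) or dropped (DF bit set). The two-label MPLS stack and the ESP cipher parameters (AES-128-CBC with HMAC-SHA1-96) are assumptions, not values taken from the page.

```python
from math import ceil

# Header sizes for the stack in this example (customer IP -> MPLS -> GRE -> ESP).
ETHERNET_HDR = 14        # ge-0/0/14 mtu 1514 is a 1500-byte IP MTU plus this header
IPV4_HDR = 20
GRE_HDR = 4              # gr-0/0/0 with no key or sequence-number option
MPLS_LABEL = 4
ESP_SPI_SEQ = 8
ESP_IV = 16              # assumption: AES-128-CBC (16-byte IV and block size)
ESP_BLOCK = 16
ESP_ICV = 12             # assumption: HMAC-SHA1-96 integrity check value
OUTGOING_IP_MTU = 1514 - ETHERNET_HDR


def esp_tunnel_size(inner_len: int) -> int:
    """Size of the ESP tunnel-mode packet that leaves st0.0 for an inner IP packet."""
    # plaintext + padding + pad-length byte + next-header byte fill whole cipher blocks
    padded = ceil((inner_len + 2) / ESP_BLOCK) * ESP_BLOCK
    return IPV4_HDR + ESP_SPI_SEQ + ESP_IV + padded + ESP_ICV


def encapsulated_size(customer_len: int, mpls_labels: int = 2) -> int:
    """Customer packet -> MPLS labels (VPN + transport, assumed two) -> GRE/IP -> ESP/IP."""
    mpls_len = customer_len + mpls_labels * MPLS_LABEL
    gre_len = IPV4_HDR + GRE_HDR + mpls_len
    return esp_tunnel_size(gre_len)


def fragments_on_outgoing(total_len: int, df_bit_clear: bool,
                          mtu: int = OUTGOING_IP_MTU) -> list:
    """IP fragment sizes emitted on ge-0/0/14.0; an empty list means the packet is dropped."""
    if total_len <= mtu:
        return [total_len]
    if not df_bit_clear:
        return []        # DF set on an oversized ESP packet: dropped, ICMP fragmentation needed
    chunk = (mtu - IPV4_HDR) // 8 * 8   # fragment offsets are in 8-byte units
    payload, sizes = total_len - IPV4_HDR, []
    while payload > 0:
        take = min(chunk, payload)
        sizes.append(IPV4_HDR + take)    # every fragment carries its own IP header
        payload -= take
    return sizes


if __name__ == "__main__":
    esp = encapsulated_size(1500)
    print("ESP packet on st0.0:", esp, "bytes")
    print("df-bit clear :", fragments_on_outgoing(esp, df_bit_clear=True))
    print("DF bit set   :", fragments_on_outgoing(esp, df_bit_clear=False))
```

For a 1500-byte customer packet the model yields a 1592-byte ESP packet, which ge-0/0/14.0 sends as a 1500-byte fragment followed by a 112-byte fragment; that first fragment is the 1500-byte packet the verification section looks for.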

Figure 1 shows the topology used in this example.

Figure 1: IPsec Tunnel over the GRE Tunnel

Table 1 provides a summary of the parameters used in this topology.

Table 1: Components of the Topology

Component / Description

PE1 and PE2 (SRX Series Firewalls):

  • IP address for PE1: 10.255.255.1/32

  • IP address for PE2: 10.255.255.2/32

ge-0/0/10.10:

  • IP address: 192.168.0.1/24

  • Customer-facing L3VPN interface

  • input packet-mode-inet: inet family in packet mode

ge-0/0/11.0:

  • Customer-facing VPLS interface

  • vlan-vpls: VPLS encapsulation

ge-0/0/14.0:

  • Outgoing interface

  • IP address: 1.1.1.1/30

  • mtu 1514: Outgoing interface MTU

gr-0/0/0:

  • Core interface connecting to MPLS

  • IP address: 172.16.255.1/30

  • input packet-mode: MPLS family in packet mode

lo0:

  • Logical interface

  • IP address: 10.255.255.1/32

st0.0:

  • Tunnel interface

  • IP address: 172.16.0.1/30

  • df-bit clear: clears the do-not-fragment (DF) bit in the outgoing packet header

L3VPN:

  • Routing instance for the Layer 3 VPN application

VPLS_VPN-1:

  • Routing instance for the VPLS application

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces ge-0/0/10 description "LAN Side"
set interfaces ge-0/0/10 vlan-tagging
set interfaces ge-0/0/10 mtu 9192
set interfaces ge-0/0/10 unit 10 description L3VPN-1
set interfaces ge-0/0/10 unit 10 vlan-id 10
set interfaces ge-0/0/10 unit 10 family inet filter input packet-mode-inet
set interfaces ge-0/0/10 unit 10 family inet address 192.168.0.1/24
set interfaces ge-0/0/11 description "LAN Side"
set interfaces ge-0/0/11 flexible-vlan-tagging
set interfaces ge-0/0/11 mtu 1522
set interfaces ge-0/0/11 encapsulation vlan-vpls
set interfaces ge-0/0/11 unit 0 description VPLS_VPN-1
set interfaces ge-0/0/11 unit 0 encapsulation vlan-vpls
set interfaces ge-0/0/11 unit 0 vlan-id 512
set interfaces ge-0/0/14 description Internet
set interfaces ge-0/0/14 mtu 1514
set interfaces ge-0/0/14 unit 0 family inet address 1.1.1.1/30
set interfaces gr-0/0/0 unit 0 description "MPLS core facing interface"
set interfaces gr-0/0/0 unit 0 tunnel source 172.16.0.1
set interfaces gr-0/0/0 unit 0 tunnel destination 172.16.0.2
set interfaces gr-0/0/0 unit 0 family inet mtu 9000
set interfaces gr-0/0/0 unit 0 family inet address 172.16.255.1/30
set interfaces gr-0/0/0 unit 0 family mpls mtu 9000
set interfaces gr-0/0/0 unit 0 family mpls filter input packet-mode
set interfaces lo0 unit 0 family inet address 10.255.255.1/32
set interfaces st0 unit 0 family inet mtu 9178 address 172.16.0.1/30
set firewall family inet filter packet-mode-inet term all-traffic then packet-mode
set firewall family inet filter packet-mode-inet term all-traffic then accept
set firewall family mpls filter packet-mode term all-traffic then packet-mode
set firewall family mpls filter packet-mode term all-traffic then accept
set security ike policy standard mode main
set security ike policy standard proposal-set standard
set security ike policy standard pre-shared-key ascii-text "$9$GOjkPFnCBIc5QIcylLXUjH"
set security ike gateway srx240-2 ike-policy standard
set security ike gateway srx240-2 address 1.1.1.2
set security ike gateway srx240-2 external-interface ge-0/0/14.0
set security ipsec policy standard proposal-set standard
set security ipsec vpn ipsec-vpn-1 bind-interface st0.0
set security ipsec vpn ipsec-vpn-1 df-bit clear
set security ipsec vpn ipsec-vpn-1 ike gateway srx240-2
set security ipsec vpn ipsec-vpn-1 ike ipsec-policy standard
set security ipsec vpn ipsec-vpn-1 establish-tunnels immediately
set security policies from-zone Internet to-zone Internet policy Internet match source-address any
set security policies from-zone Internet to-zone Internet policy Internet match destination-address any
set security policies from-zone Internet to-zone Internet policy Internet match application any
set security policies from-zone Internet to-zone Internet policy Internet then permit
set security zones security-zone Internet host-inbound-traffic system-services all
set security zones security-zone Internet host-inbound-traffic protocols all
set security zones security-zone Internet interfaces ge-0/0/14.0
set security zones security-zone Internet interfaces gr-0/0/0.0
set security zones security-zone Internet interfaces lo0.0
set security zones security-zone Internet interfaces st0.0
set protocols mpls interface gr-0/0/0.0
set protocols bgp tcp-mss 1200
set protocols bgp group IBGP type internal
set protocols bgp group IBGP local-address 10.255.255.1
set protocols bgp group IBGP local-as 65100
set protocols bgp group IBGP neighbor 10.255.255.2
set protocols bgp group IBGP neighbor 10.255.255.2 family inet any
set protocols bgp group IBGP neighbor 10.255.255.2 family inet-vpn any
set protocols bgp group IBGP neighbor 10.255.255.2 family l2vpn signaling
set protocols ospf traffic-engineering
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
set protocols ldp interface gr-0/0/0.0
set protocols ldp interface lo0.0
set routing-instances L3VPN-1 instance-type vrf
set routing-instances L3VPN-1 interface ge-0/0/10.10
set routing-instances L3VPN-1 route-distinguisher 10.255.255.1:1000
set routing-instances L3VPN-1 vrf-target target:65100:1000
set routing-instances L3VPN-1 vrf-target import target:65100:1000
set routing-instances L3VPN-1 vrf-target export target:65100:1000
set routing-instances L3VPN-1 vrf-table-label
set routing-instances L3VPN-1 routing-options auto-export
set routing-instances VPLS_VPN-1 instance-type vpls
set routing-instances VPLS_VPN-1 interface ge-0/0/11.0
set routing-instances VPLS_VPN-1 route-distinguisher 10.255.255.1:1001
set routing-instances VPLS_VPN-1 vrf-target target:65100:1001
set routing-instances VPLS_VPN-1 protocols vpls no-tunnel-services
set routing-instances VPLS_VPN-1 protocols vpls site 1 site-identifier 1
set routing-instances VPLS_VPN-1 protocols vpls site 1 interface ge-0/0/11.0
set routing-instances VPLS_VPN-1 protocols vpls mac-tlv-receive
set routing-instances VPLS_VPN-1 protocols vpls mac-tlv-send
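The design rules this listing embodies (tunnel MTUs larger than the outgoing IP MTU so that fragmentation happens only on ge-0/0/14.0, df-bit clear on every VPN bound to st0, and a packet-mode input filter on every MPLS unit) can be checked mechanically before commit. The following Python linter is an added example, not Juniper code; the configuration excerpt it runs over is constructed from the listing above, and the 1514-byte value it assumes when no physical mtu is configured is the Junos default for Gigabit Ethernet interfaces.

```python
import re

# Constructed excerpt of this example's set commands (values as in the listing).
CONFIG = """\
set interfaces ge-0/0/14 mtu 1514
set interfaces gr-0/0/0 unit 0 family inet mtu 9000
set interfaces gr-0/0/0 unit 0 family mpls mtu 9000
set interfaces gr-0/0/0 unit 0 family mpls filter input packet-mode
set interfaces st0 unit 0 family inet mtu 9178 address 172.16.0.1/30
set firewall family mpls filter packet-mode term all-traffic then packet-mode
set security ike gateway srx240-2 external-interface ge-0/0/14.0
set security ipsec vpn ipsec-vpn-1 bind-interface st0.0
set security ipsec vpn ipsec-vpn-1 df-bit clear
"""
ETHERNET_HDR = 14


def lint(config: str) -> list:
    """Return the design violations found in a Junos set-command listing."""
    f = []
    # 1. Tunnel MTUs must exceed the outgoing IP MTU so that oversized packets are
    #    fragmented on the IKE external interface, not on the gr-/st0 logical units.
    for ext in re.findall(r"^set security ike gateway \S+ external-interface ([\w/-]+)\.\d+$", config, re.M):
        m = re.search(rf"^set interfaces {re.escape(ext)} mtu (\d+)$", config, re.M)
        ip_mtu = (int(m.group(1)) if m else 1514) - ETHERNET_HDR   # 1514: Junos ge default (assumed)
        for ifd, unit, fam, mtu in re.findall(r"^set interfaces ((?:gr|st)\S*) unit (\d+) family (\w+) mtu (\d+)", config, re.M):
            if int(mtu) <= ip_mtu:
                f.append(f"{ifd}.{unit} family {fam} mtu {mtu} <= {ext} IP MTU {ip_mtu}: fragments at the tunnel")
    # 2. Every VPN bound to st0 needs df-bit clear, or oversized ESP packets are dropped.
    for vpn in set(re.findall(r"^set security ipsec vpn (\S+) bind-interface st0\.\d+$", config, re.M)):
        if not re.search(rf"^set security ipsec vpn {re.escape(vpn)} df-bit clear$", config, re.M):
            f.append(f"vpn {vpn}: df-bit clear missing")
    # 3. Every MPLS unit must carry an input filter whose term sets packet-mode.
    for ifd, unit in set(re.findall(r"^set interfaces (\S+) unit (\d+) family mpls\b", config, re.M)):
        m = re.search(rf"^set interfaces {re.escape(ifd)} unit {unit} family mpls filter input (\S+)$", config, re.M)
        if not m or not re.search(rf"^set firewall family mpls filter {re.escape(m.group(1))} term \S+ then packet-mode$", config, re.M):
            f.append(f"{ifd}.{unit} family mpls: no packet-mode input filter")
    return f


if __name__ == "__main__":
    print(lint(CONFIG) or "no findings")
```

Run it over a set-format export (show configuration | display set) before committing; each finding names the hierarchy that needs fixing.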


Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To fragment the MPLS frame and reassemble the packet:

  1. Configure the physical interfaces.
  2. Configure the logical interfaces.
  3. Configure the firewall filters that place the interfaces in packet mode.
  4. Configure the IKE and IPsec policies.
  5. Configure all noncustomer-facing interfaces in a single security zone and a policy to permit all (intrazone) traffic.
  6. Configure the OSPF protocol for lo0.0 address distribution, and configure IBGP with the inet-vpn and l2vpn families.
  7. Configure two routing instances, one for the Layer 3 VPN and the other for the VPLS application.

Results

Display the results of the configuration:

Verification

Confirm that the configuration is working properly.

Verifying That the Physical and Logical Interfaces Are Up

Purpose

Verify that the physical and logical interfaces are up on the device.

Action

From operational mode on the SRX Series Services Gateway, enter the show interfaces terse command.

user@host> show interfaces terse

Meaning

The output of the show interfaces terse command shows that all physical and logical interfaces used in this configuration are up and active.

Verifying the Fragmented IP Packet on the Outgoing Interface

Purpose

Verify that the IP packet of 1500 bytes is created and sent to the outgoing interface ge-0/0/14.0.

Action

From operational mode on the SRX Series Services Gateway, enter the show interfaces ge-0/0/14.0 extensive command.

user@host> show interfaces ge-0/0/14.0 extensive

Meaning

The output of the show interfaces ge-0/0/14.0 extensive command shows that the fragmented IP packet of 1500 bytes is sent to the outgoing interface ge-0/0/14.0.