Example: Configuring Dynamically Assigned Tunnels

The following examples are based on this network configuration (see Figure 1):

  • A local network N-1 behind security gateway SG-1, a Juniper Networks router terminating static as well as dynamic peer endpoints. The tunnel termination address on SG-1 is 10.1.1.1 and the local network address is 172.16.1.0/24.
  • Two remote peer routers that obtain addresses from an ISP pool and run RFC-compliant IKE. Remote network N-2 has address 172.16.2.0/24 and resides behind security gateway SG-2 with tunnel termination address 10.2.2.2. Remote network N-3 has address 172.16.3.0/24 and resides behind security gateway SG-3 with tunnel termination address 10.3.3.3.

Figure 1: IPsec Dynamic Endpoint Tunneling Topology

The examples in this section show the following configurations:

Note: All the configurations are given for the Juniper Networks router terminating dynamic endpoint connections.

Configuring a Next-Hop Style Service Set with Link-Type Tunnels

access {
    profile demo-access-profile {
        client * {
            ike {
                allowed-proxy-pair {
                    remote 0.0.0.0/0 local 0.0.0.0/0;   # ANY to ANY
                }
                pre-shared-key {
                    ascii-text keyfordynamicpeers;
                }
                interface-id demo-ipsec-interface-id;
            }
        }
    }
}
services {
    service-set demo-service-set {
        next-hop-service {
            inside-service-interface sp-0/0/0.1;
            outside-service-interface sp-0/0/0.2;
        }
        ipsec-vpn-options {
            local-gateway 10.1.1.1;
            ike-access-profile demo-access-profile;
        }
    }
}

Note: Including the ike-access-profile statement enables the software to incorporate implicit proposals for dynamic endpoint authentication. You do not need to configure IKE or IPsec proposals explicitly.

interfaces {
    sp-0/0/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
        unit 3 {
            family inet;
            service-domain inside;
            dial-options {
                ipsec-interface-id demo-ipsec-interface-id;
                dedicated;
            }
        }
        unit 4 {
            family inet;
            service-domain inside;
            dial-options {
                ipsec-interface-id demo-ipsec-interface-id;
                dedicated;
            }
        }
    }
}

The following results are obtained:

  • Reverse routes inserted after successful negotiation:

    None

  • Routes learned by routing protocol:

    172.16.2.0/24

    172.16.3.0/24

  • Dynamic implicit rules created after successful negotiation:
    rule: junos-dynamic-rule-0
      term: term-0
        local-gateway-address : 10.1.1.1      # Tunnel termination address on SG-1
        remote-gateway-address: 10.2.2.2      # Tunnel termination address on SG-2
        source-address : 0.0.0.0/0
        destination-address : 0.0.0.0/0
        ipsec-inside-interface: sp-0/0/0.3
      term: term-1
        local-gateway-address : 10.1.1.1      # Tunnel termination address on SG-1
        remote-gateway-address: 10.3.3.3      # Tunnel termination address on SG-3
        source-address : 0.0.0.0/0
        destination-address : 0.0.0.0/0
        ipsec-inside-interface: sp-0/0/0.4
      match-direction: input

Configuring a Next-Hop Style Service-Set with Policy-Based Tunnels

access {
    profile demo-access-profile {
        client * {
            ike {
                allowed-proxy-pair {
                    remote 172.16.2.0/24 local 172.16.1.0/24;   # N-2 <==> N-1
                    remote 172.16.3.0/24 local 172.16.1.0/24;   # N-3 <==> N-1
                }
                pre-shared-key {
                    ascii-text keyfordynamicpeers;
                }
                interface-id demo-ipsec-interface-id;
            }
        }
    }
}
services {
    service-set demo-service-set {
        next-hop-service {
            inside-service-interface sp-0/0/0.1;
            outside-service-interface sp-0/0/0.2;
        }
        ipsec-vpn-options {
            local-gateway 10.1.1.1;
            ike-access-profile demo-access-profile;
        }
    }
}

Note: Including the ike-access-profile statement enables the software to incorporate implicit proposals for dynamic endpoint authentication. You do not need to configure IKE or IPsec proposals explicitly.

interfaces {
    sp-0/0/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
        unit 3 {
            family inet;
            service-domain inside;
            dial-options {
                ipsec-interface-id demo-ipsec-interface-id;
                mode shared;
            }
        }
    }
}
# VRF configuration, if not inet.0
routing-instances {
    demo-vrf {
        instance-type vrf;
        interface sp-0/0/0.1;
        interface sp-0/0/0.3;
        .....
    }
}

The following results are obtained:

  • Reverse routes injected after successful negotiation:
    demo-vrf.inet.0: ....                 # Routing instance
    172.11.0.0/24   *[Static/1]..
                     > via sp-0/0/0.3
    172.12.0.0/24   *[Static/1]..
                     > via sp-0/0/0.3
  • Dynamic implicit rules created after successful negotiation:
    rule: junos-dynamic-rule-0
      term: term-0
        local-gateway-address : 10.1.1.1      # Tunnel termination address on SG-1
        remote-gateway-address: 10.2.2.2      # Tunnel termination address on SG-2
        source-address : 172.16.1.0/24
        destination-address : 172.16.2.0/24
        ipsec-inside-interface: sp-0/0/0.3
      term: term-1
        local-gateway-address : 10.1.1.1      # Tunnel termination address on SG-1
        remote-gateway-address: 10.3.3.3      # Tunnel termination address on SG-3
        source-address : 172.16.1.0/24
        destination-address : 172.16.3.0/24
        ipsec-inside-interface: sp-0/0/0.3
      match-direction: input
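
As an added illustration that is not part of this documentation or of Junos, the Python below models the proxy-ID check that the two access profiles above impose on a dynamic peer, and the implicit rule term that an accepted negotiation produces. The exact-match semantics for allowed-proxy-pair and the term layout are assumptions drawn from the examples on this page.

```python
import ipaddress

# Constructed allowed-proxy-pair lists mirroring the two access profiles above;
# each entry is (remote prefix, local prefix) exactly as written in the profile.
LINK_TYPE_PAIRS = [("0.0.0.0/0", "0.0.0.0/0")]          # ANY to ANY
POLICY_BASED_PAIRS = [
    ("172.16.2.0/24", "172.16.1.0/24"),                  # N-2 <==> N-1
    ("172.16.3.0/24", "172.16.1.0/24"),                  # N-3 <==> N-1
]
LOCAL_GATEWAY = "10.1.1.1"  # tunnel termination address on SG-1


def _net(prefix):
    # strict=False tolerates host bits, e.g. a peer proposing 172.16.2.1/24
    return ipaddress.ip_network(prefix, strict=False)


def match_proxy_pair(allowed_pairs, proposed_remote, proposed_local):
    """Return the configured (remote, local) pair matching the peer's Phase 2
    proxy IDs, or None. Assumption: both prefixes must be identical after
    normalization; a narrower prefix inside a configured one does not match."""
    want = (_net(proposed_remote), _net(proposed_local))
    for remote, local in allowed_pairs:
        if (_net(remote), _net(local)) == want:
            return (remote, local)
    return None


def dynamic_rule_term(index, remote_gateway, matched_pair, inside_interface):
    """Build the implicit rule term installed for an accepted peer: the local
    proxy becomes source-address and the remote proxy destination-address,
    the layout shown in the results sections above (assumed)."""
    remote, local = matched_pair
    return {
        "term": f"term-{index}",
        "local-gateway-address": LOCAL_GATEWAY,
        "remote-gateway-address": remote_gateway,
        "source-address": local,
        "destination-address": remote,
        "ipsec-inside-interface": inside_interface,
    }


def negotiate(allowed_pairs, remote_gateway, proposed_remote, proposed_local,
              inside_interface, index=0):
    """Simulate admission of a dynamic peer; None means Phase 2 is refused."""
    matched = match_proxy_pair(allowed_pairs, proposed_remote, proposed_local)
    if matched is None:
        return None
    return dynamic_rule_term(index, remote_gateway, matched, inside_interface)
```

With the ANY-to-ANY pair, every peer that holds the group pre-shared key ends up with a 0.0.0.0/0 rule, so in the link-type example nothing but the key limits what a peer may tunnel, whereas the policy-based pairs confine each peer to its own network.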

Published: 2010-04-28