Host IPSec on Junos OS Evolved
Junos OS Evolved supports control plane IPSec, also called host IPSec. Host IPSec protects traffic that originates from or terminates on the Routing Engine: an IPSec security association is established between the Routing Engine and an external device, so that routing protocol sessions (for example, BGP) or management sessions (for example, Telnet) are carried in ESP. Transit subscriber traffic forwarded through the router is not affected.
You configure host IPSec for Junos OS Evolved using the host-vpn configuration statement at the [edit security] hierarchy level.
The following is an example host IPSec configuration for a connection between a router at 10.92.240.158 and a peer at 10.92.243.153. The traffic selectors are the two host addresses (/32 prefixes), so all traffic between the two hosts is protected. The IKE secret shown (sample_15671_Mn22) is a placeholder; use a long random pre-shared key on both sides. Note that the IKE proposal in this example, 3des-sha1-modp1536, uses 3DES and SHA-1, which are legacy algorithms, and a 1536-bit DH group; if your peer supports it, prefer an AES and SHA-2 based proposal with a 2048-bit or larger DH group, as the ESP proposal in the example (AES-256-GCM with ECP-384) already does.

# IKE details
set security host-vpn connections toMyServer local-address ipv4 10.92.240.158
set security host-vpn connections toMyServer remote-address ipv4 10.92.243.153
set security host-vpn connections toMyServer rekey-time 3600
set security host-vpn connections toMyServer ike-proposal 3des-sha1-modp1536
set security host-vpn connections toMyServer local id "vm1"
# Child details - any traffic between the hosts
set security host-vpn connections toMyServer children aes_all rekey-time 3600
set security host-vpn connections toMyServer children aes_all local-traffic-selector ipv4-prefix 10.92.240.158/32
set security host-vpn connections toMyServer children aes_all remote-traffic-selector ipv4-prefix 10.92.243.153/32
set security host-vpn connections toMyServer children aes_all esp-proposal aes256gcm128-ecp384
# IKE shared secret
set security host-vpn ike-secrets ike-me id "vm1"
set security host-vpn ike-secrets ike-me secret ascii-text sample_15671_Mn22
set security host-vpn ike-secrets ike-peer id "myserver"
set security host-vpn ike-secrets ike-peer secret ascii-text sample_15671_Mn22
The resulting configuration, as displayed with show host-vpn at the [edit security] hierarchy level:

user@device# show host-vpn
connections {
    toMyServer {
        local-address {
            ipv4 10.92.240.158;
        }
        remote-address {
            ipv4 10.92.243.153;
        }
        rekey-time 3600;
        ike-proposal 3des-sha1-modp1536;
        local {
            id vm1;
        }
        children {
            aes_all {
                rekey-time 3600;
                esp-proposal aes256gcm128-ecp384;
                local-traffic-selector {
                    ipv4-prefix 10.92.240.158/32;
                }
                remote-traffic-selector {
                    ipv4-prefix 10.92.243.153/32;
                }
            }
        }
    }
}
ike-secrets {
    ike-me {
        id vm1;
        secret ascii-text "$9$opGHmf5FCtO5Q0IEcvMPfTz/CO1RlvWcSbs4ZHk/9Au1hylKWX7"; ## SECRET-DATA
    }
    ike-peer {
        id myserver;
        secret ascii-text "$9$U6HPQF390BE36RSreXxzFn/p0EcyWX7eKgoGiPfpuOIclvWL7db"; ## SECRET-DATA
    }
}

The secrets are stored in the $9$ format marked ## SECRET-DATA. This format is obfuscation, not encryption: anyone who can read the saved configuration can recover the pre-shared key, so restrict access to configuration files and backups accordingly.
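A host-vpn configuration can be sanity-checked before it is committed. The following Python script is an added example, not Juniper code or part of this page's original content: it parses the set commands above into dicts and applies three checks a reviewer would make, namely legacy algorithm tokens in the IKE and ESP proposals, traffic selectors that do not cover the connection's own endpoints, and a local id with no matching ike-secrets entry. The list of tokens treated as legacy is an assumption of this example, and the sample input is a constructed copy of the configuration on this page.

```python
"""Lint a Junos OS Evolved host-vpn configuration written as 'set' commands.

Added example, not Juniper code. It parses 'set security host-vpn ...'
statements into dicts and applies three pre-commit checks: legacy IKE/ESP
algorithm tokens, traffic selectors that do not cover the connection's own
endpoints, and a connection local id with no matching ike-secrets entry.
"""
import ipaddress
import shlex

# Constructed input: the set commands from this page, copied verbatim.
SAMPLE_CONFIG = """
set security host-vpn connections toMyServer local-address ipv4 10.92.240.158
set security host-vpn connections toMyServer remote-address ipv4 10.92.243.153
set security host-vpn connections toMyServer rekey-time 3600
set security host-vpn connections toMyServer ike-proposal 3des-sha1-modp1536
set security host-vpn connections toMyServer local id "vm1"
set security host-vpn connections toMyServer children aes_all rekey-time 3600
set security host-vpn connections toMyServer children aes_all local-traffic-selector ipv4-prefix 10.92.240.158/32
set security host-vpn connections toMyServer children aes_all remote-traffic-selector ipv4-prefix 10.92.243.153/32
set security host-vpn connections toMyServer children aes_all esp-proposal aes256gcm128-ecp384
set security host-vpn ike-secrets ike-me id "vm1"
set security host-vpn ike-secrets ike-me secret ascii-text sample_15671_Mn22
set security host-vpn ike-secrets ike-peer id "myserver"
set security host-vpn ike-secrets ike-peer secret ascii-text sample_15671_Mn22
"""

# Proposal tokens treated as legacy (assumption of this example: DES/3DES, MD5
# and SHA-1 are deprecated, and DH groups below 2048 bits are too small).
LEGACY_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}


def _assign(node, tokens):
    """Store 'local-address ipv4 10.0.0.1' as node['local-address/ipv4'] = '10.0.0.1'."""
    node["/".join(tokens[:-1])] = tokens[-1]


def parse_host_vpn(text):
    """Return (connections, ike_secrets) dicts built from set commands."""
    conns, secrets = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set security host-vpn "):
            continue  # ignore blank lines and unrelated statements
        tok = shlex.split(line)[3:]  # drop 'set security host-vpn'; shlex strips quotes
        if tok[0] == "connections":
            conn = conns.setdefault(tok[1], {"children": {}})
            if tok[2] == "children":
                _assign(conn["children"].setdefault(tok[3], {}), tok[4:])
            else:
                _assign(conn, tok[2:])
        elif tok[0] == "ike-secrets":
            _assign(secrets.setdefault(tok[1], {}), tok[2:])
    return conns, secrets


def _legacy(proposal):
    """Legacy tokens in a dash-separated proposal string such as 3des-sha1-modp1536."""
    return [t for t in proposal.split("-") if t in LEGACY_TOKENS]


def _covers(prefix, address):
    return ipaddress.ip_address(address) in ipaddress.ip_network(prefix, strict=False)


def lint(conns, secrets):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    for name, conn in conns.items():
        for t in _legacy(conn.get("ike-proposal", "")):
            findings.append(f"{name}: ike-proposal uses legacy algorithm {t}")
        local = conn.get("local-address/ipv4")
        remote = conn.get("remote-address/ipv4")
        for cname, child in conn["children"].items():
            for t in _legacy(child.get("esp-proposal", "")):
                findings.append(f"{name}/{cname}: esp-proposal uses legacy algorithm {t}")
            lts = child.get("local-traffic-selector/ipv4-prefix")
            rts = child.get("remote-traffic-selector/ipv4-prefix")
            # A selector that excludes the endpoint itself means the child SA never matches.
            if local and lts and not _covers(lts, local):
                findings.append(f"{name}/{cname}: local-traffic-selector {lts} does not cover {local}")
            if remote and rts and not _covers(rts, remote):
                findings.append(f"{name}/{cname}: remote-traffic-selector {rts} does not cover {remote}")
        local_id = conn.get("local/id")
        if local_id and not any(s.get("id") == local_id and "secret/ascii-text" in s
                                for s in secrets.values()):
            findings.append(f"{name}: no ike-secrets entry with id {local_id} and a secret")
    return findings


def lint_text(text):
    """Convenience wrapper: parse and lint a block of set commands."""
    return lint(*parse_host_vpn(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_CONFIG):
        print(finding)
```

Run against the page's own configuration, the script reports the three legacy tokens in the IKE proposal (3des, sha1, modp1536) and nothing else; the ESP proposal, the /32 traffic selectors and the vm1 secret all pass. The checks are deliberately simple string and prefix comparisons so that the script can run wherever the candidate configuration is kept, with no access to the router.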