Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Example: ES PIC Manual SA Configuration

Figure 1: ES PIC Manual SA Topology DiagramES PIC Manual SA Topology Diagram

Figure 1 shows an IPSec topology containing a group of four routers. Routers 2 and 3 establish an IPSec tunnel using an ES PIC and manual SA settings. Routers 1 and 4 provide basic connectivity and are used to verify that the IPSec tunnel is operational.

On Router 1, provide basic OSPF connectivity to Router 2.

Router 1

On Router 2, enable OSPF as the underlying routing protocol to connect to Routers 1 and 3. Configure a bidirectional manual SA called sa-manual at the [edit security ipsec security-association] hierarchy level. Use AH for the protocol, 400 for the SPI, HMAC-MD5-96 for authentication, and a 32-bit hexadecimal authentication key for the MD5 authentication key. (For more information about key length, see Authentication and Encryption Key Lengths.) Because you are using AH, there is no need to configure encryption.

To direct traffic into the ES PIC and the IPSec tunnel, create two firewall filters. The es-traffic filter matches inbound traffic from Router 1 destined for Router 4, whereas the es-return filter matches the return path from Router 4 to Router 1. Apply the es-traffic filter to the so-0/0/0 interface; then apply both the es-return filter and the sa-manual SA to the es-0/3/0 interface.

Router 2

On Router 3, enable OSPF as the underlying routing protocol to connect to Routers 2 and 4. Configure a bidirectional manual SA called sa-manual at the [edit security ipsec security-association] hierarchy level. Use the exact same specifications that you used for the SA on Router 2: AH for the protocol, 400 for the SPI, HMAC-MD5-96 for authentication, and a 32-bit hexadecimal authentication key of abcdef01abcdef01abcdef01abcdef01 for the MD5 authentication key. (For more information about authentication key length, see Authentication and Encryption Key Lengths.) Because you are using AH, there is no need to configure an encryption algorithm.

To direct traffic into the ES PIC and the IPSec tunnel, create two firewall filters. The es-traffic filter matches inbound traffic from Router 4 destined for Router 1, whereas the es-return filter matches the return path from Router 1 to Router 4. Apply the es-traffic filter to the so-0/0/0 interface; then apply both the es-return filter and the sa-manual SA to the es-0/3/0 interface.

Router 3

 

On Router 4, provide basic OSPF connectivity to Router 3.

Router 4

Verifying Your Work

To verify proper operation of a manual IPSec SA on the ES PIC, use the following commands:

  • ping

  • show ipsec security-associations (detail)

  • traceroute

The following sections show the output of these commands used with the configuration example:

Router 1

On Router 1, issue a ping command to the so-0/0/0 interface of Router 4 to send traffic across the IPsec tunnel.

You can also issue the traceroute command to verify that traffic to 10.1.56.2 travels over the IPsec tunnel between Router 2 and Router 3. Notice that the second hop does not reference 10.1.15.2—the physical interface on Router 3. Instead, the loopback address of 10.0.0.3 on Router 3 appears as the second hop. This indicates that the IPSec tunnel is operating correctly.

Router 2

Another way to verify that matched traffic is being diverted to the bidirectional IPsec tunnel is to view the firewall filter counter. After you issue the ping command from Router 1 (three packets), the es-traffic firewall filter counter looks like this:

After you issue the ping command from both Router 1 (three packets) and Router 4 (two packets), the es-traffic firewall filter counter looks like this:

To verify that the IPsec security association is active, issue the show ipsec security-associations detail command. Notice that the SA contains the settings you specified, such as AH for the protocol and HMAC-MD5-96 for the authentication algorithm.

Router 3

View the firewall filter counter to continue verifying that matched traffic is being diverted to the bidirectional IPsec tunnel. After you issue the ping command from Router 1 (three packets), the es-traffic firewall filter counter looks like this:

After you issue the ping command from both Router 1 (three packets) and Router 4 (two packets), the es-traffic firewall filter counter looks like this:

To verify that the IPsec security association is active, issue the show ipsec security-associations detail command. Notice that the SA on Router 3 contains the same settings you specified on Router 2.

Router 4

On Router 4, issue a ping command to the so-0/0/0 interface of Router 1 to send traffic across the IPsec tunnel.

You can also issue the traceroute command to verify that traffic to 10.1.12.2 travels over the IPsec tunnel between Router 3 and Router 2. Notice that the second hop does not reference 10.1.15.1—the physical interface on Router 2. Instead, the loopback address of 10.0.0.2 on Router 2 appears as the second hop. This indicates that the IPSec tunnel is operating correctly.