Using IPsec with a Layer 3 VPN
Some key concepts to keep in mind when configuring IPsec within a VPN include the following:
Add the inside services interface for a next-hop style service set into the routing instance by including the
interface sp-fpc/pic/port
statement at the[edit routing-instances instance-name]
hierarchy level.For interface style service sets, add the interface on which you apply the service set and the services interface by including both interfaces at the
[edit routing-instances instance-name]
hierarchy level.To define a routing instance for the local gateway within the service set, include the routing-instance instance-name option at the
[edit services service-set service-set-name ipsec-vpn-options local-gateway address]
hierarchy level.
The following configuration for an AS PIC on a provider edge (PE) router demonstrates the use of next-hop service sets with an IKE dynamic SA in a VPN routing and forwarding (VRF) routing instance.
[edit] interfaces { so-0/0/0 { description "Interface connected to the customer edge (CE) router"; unit 0 { family inet { address 10.6.6.6/32; } } } so-2/2/0 { description "Source IPsec tunnel interface to the network core"; unit 0 { family inet { address 10.10.1.1/30; } } } sp-3/1/0 { description "AS PIC interface"; unit 0 { family inet { address 10.7.7.7/32; } } unit 1 { family inet; service-domain inside; } unit 2 { family inet; service-domain outside; } } } policy-options { policy-statement vpn-export-policy { then { community add community-name; accept; } } policy-statement vpn-import-policy { term term-name { from community community-name; then accept; } } community community-name members target:100:20; } routing-instances { vrf { instance-type vrf; interface sp-3/1/0.1; # Inside sp interface. interface so-0/0/0.0; # Interface that connects to the CE router. route-distinguisher route-distinguisher; vrf-import vpn-import-policy; vrf-export vpn-export-policy; routing-options { static { route ip-address/prefix next-hop so-0/0/0.0; # Routes for the CE router. route ip-address/prefix next-hop sp-3/1/0.1; # Routes for IPsec. } } } } services { service-set service-set-name { next-hop-service { inside-service-interface sp-3/1/0.1; outside-service-interface sp-3/1/0.2; } ipsec-vpn-options { local-gateway 10.10.1.1; } ipsec-vpn-rules rule-name; } ipsec-vpn { rule rule-name { term term-name { from { source-address { source-ip-address; } } then { remote-gateway 10.10.1.2; dynamic { ike-policy ike-policy-name; } } } match-direction direction; } ike { policy ike-policy-name { pre-shared-key ascii-text preshared-key; } } } }
For more information on VRF routing instances, see the Junos VPNs Configuration Guide. For more information on next-hop service sets, see the Junos Services Interfaces Configuration Guide.