Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation

Example: Using IPsec to Protect BGP Traffic

IPsec is a suite of protocols used to provide secure network connections at the IP layer. It is used to provide data source authentication, data integrity, confidentiality and packet replay protection. This example shows how to configure IPsec functionality to protect Routing Engine-to-Routing Engine BGP sessions. Junos OS supports IPsec Authentication Header (AH) and Encapsulating Security Payload (ESP) in transport and tunnel mode, as well as a utility for creating policies and manually configuring keys.

Requirements

Before you begin:

  • Configure the router interfaces.
  • Configure an interior gateway protocol (IGP).
  • Configure BGP.

For transport mode, no PIC is necessary.

Overview

The SA is configured at the [edit security ipsec security-association name] hierarchy level with the mode statement set to transport. In transport mode, Junos OS does not support authentication header (AH) or encapsulating security payload (ESP) header bundles. Junos OS supports only the BGP protocol in transport mode.

This example specifies bidirectional IPsec to decrypt and authenticate the incoming and outgoing traffic using the same algorithm, keys, and SPI in both directions, unlike inbound and outbound SAs that use different attributes in both directions.

A more specific SA overrides a more general SA. For example, if a specific SA is applied to a specific peer, that SA overrides the SA applied to the whole peer group.

Topology Diagram

Figure 1 shows the topology used in this example.

Figure 1: IPsec for BGP

IPsec for BGP

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

[edit]set security ipsec security-association test-sa mode transport set security ipsec security-association test-sa manual direction bidirectional protocol esp set security ipsec security-association test-sa manual direction bidirectional spi 1000 set security ipsec security-association test-sa manual direction bidirectional encryption algorithm 3des-cbc set security ipsec security-association test-sa manual direction bidirectional encryption key ascii-text "$9$kPT3AtO1hr6/u1IhvM8X7Vb2JGimfz.PtuB1hcs2goGDkqf5Qndb.5QzCA0BIRrvx7VsgJ"set protocols bgp group 1 neighbor 1.1.1.1 ipsec-sa test-sa

Step-by-Step Procedure

The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure Router R1:

  1. Configure the SA mode.
    [edit security ipsec security-association test-sa]user@R1# set mode transport
  2. Configure the IPsec protocol to be used.
    [edit security ipsec security-association test-sa]user@R1# set manual direction bidirectional protocol esp
  3. Configure to security parameter index to uniquely identify the SA.
    [edit security ipsec security-association test-sa]user@R1# set manual direction bidirectional spi 1000
  4. Configure the encryption algorithm.
    [edit security ipsec security-association test-sa]user@R1# set manual direction bidirectional encryption algorithm 3des-cbc
  5. Configure the encryption key.
    [edit security ipsec security-association test-sa]user@R1# set manual direction bidirectional encryption key ascii-text "$9$kPT3AtO1hr6/u1IhvM8X7Vb2JGimfz.PtuB1hcs2goGDkqf5Qndb.5QzCA0BIRrvx7VsgJ"

    When you use an ASCII text key, the key must contain exactly 24 characters.

  6. Apply the SA to the BGP peer.
    [edit protocols bgp group 1 neighbor 1.1.1.1]user@R1# set ipsec-sa test-sa

Results

From configuration mode, confirm your configuration by entering the show protocols and show security commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@R1# show protocolsbgp {group 1 {neighbor 1.1.1.1 {ipsec-sa test-sa;}}}
user@R1# show securityipsec {security-association test-sa {mode transport;manual {direction bidirectional {protocol esp;spi 1000;encryption {algorithm 3des-cbc;key ascii-text "$9$kPT3AtO1hr6/u1IhvM8X7Vb2JGimfz.PtuB1hcs2goGDkqf5Qndb.5QzCA0BIRrvx7VsgJ"; ## SECRET-DATA}}}}}

If you are done configuring the device, enter commit from configuration mode. Repeat the configuration on Router R0, changing only the neighbor address.

Verification

Confirm that the configuration is working properly.

Verifying the Security Associaton

Purpose

Make sure that the correct settings appear in the output of the show ipsec security-associations command.

Action

From operational mode, enter the show ipsec security-associations command.

user@R1> show ipsec security-associations
Security association: test-sa
    Direction SPI         AUX-SPI     Mode       Type     Protocol
    inbound   1000        0           transport  manual   ESP       
    outbound  1000        0           transport  manual   ESP

Meaning

The output is straighforward for most fields except the AUX-SPI field. The AUX-SPI is the value of the auxiliary security parameter index. When the value is AH or ESP, AUX-SPI is always 0. When the value is AH+ESP, AUX-SPI is always a positive integer.

 

Related Documentation

 

Published: 2012-12-08

Supported Platforms

 

Related Documentation

 

Published: 2012-12-08

Previous Page Next Page