Configuring IPsec Service Sets
IPsec service sets require additional specifications that you configure at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level:
Configuration of these statements is described in the following sections:
- Configuring the Local Gateway Address for IPsec Service Sets
- Configuring IKE Access Profiles for IPsec Service Sets
- Configuring Certification Authorities for IPsec Service Sets
- Configuring or Disabling Antireplay Service
- Clearing the Don’t-Fragment Bit
- Configuring Passive-Mode Tunneling
- Configuring the Tunnel MTU Value
Configuring the Local Gateway Address for IPsec Service Sets
If you configure an IPsec service set, you must also configure a local IPv4 or IPv6 address by including the local-gateway statement:
- If the Internet Key Exchange (IKE) gateway IP address is in inet.0 (the default situation), you configure the following statement: local-gateway address;
- If the IKE gateway IP address is in a VPN routing and forwarding (VRF) instance, you configure the following statement: local-gateway address routing-instance instance-name;
You can configure all the link-type tunnels that share the same local gateway address in a single next-hop-style service set. The value you specify for the inside-service-interface statement at the [edit services service-set service-set-name] hierarchy level should match the ipsec-inside-interface value, which you configure at the [edit services ipsec-vpn rule rule-name term term-name from] hierarchy level. For more information about IPsec configuration, see Configuring IPsec Rules.
IKE Addresses in VRF Instances
You can configure Internet Key Exchange (IKE) gateway IP addresses that are present in a VPN routing and forwarding (VRF) instance as long as the peer is reachable through the VRF instance.
For next-hop service sets, the key management process (kmd) places the IKE packets in the routing instance that contains the outside-service-interface value you specify, as in this example:
For interface service sets, the service-interface statement determines the VRF, as in this example:
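As an added illustration (not configuration from the original documentation), the fragment below shows a next-hop-style service set whose local gateway sits in a VRF next to an interface-style service set whose gateway is in inet.0. Interface names, addresses, policy names and the instance name vrf-a are assumed; the interfaces and IKE/IPsec policy stanzas are omitted.

```junos
services {
    service-set vpn-vrf-a {
        /* next-hop-style set: kmd places IKE packets in the routing instance */
        /* that contains the outside-service-interface, here vrf-a */
        next-hop-service {
            inside-service-interface ms-1/2/0.1;
            outside-service-interface ms-1/2/0.2;
        }
        ipsec-vpn-options {
            local-gateway 10.10.10.1 routing-instance vrf-a;
        }
        ipsec-vpn-rules vpn-rule-vrf-a;
    }
    service-set vpn-inet0 {
        /* interface-style set: service-interface decides the VRF; it is in */
        /* inet.0 here, so local-gateway takes no routing-instance option */
        interface-service {
            service-interface ms-1/3/0;
        }
        ipsec-vpn-options {
            local-gateway 192.0.2.1;
        }
        ipsec-vpn-rules vpn-rule-inet0;
    }
    ipsec-vpn {
        rule vpn-rule-vrf-a {
            term t1 {
                from {
                    /* must match inside-service-interface of vpn-vrf-a */
                    ipsec-inside-interface ms-1/2/0.1;
                }
                then {
                    /* peer is reachable through vrf-a */
                    remote-gateway 10.10.20.1;
                    dynamic {
                        ike-policy ike-pol-1;
                        ipsec-policy ipsec-pol-1;
                    }
                }
            }
            match-direction input;
        }
    }
}
routing-instances {
    vrf-a {
        instance-type vrf;
        interface ms-1/2/0.2;
    }
}
```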
Configuring IKE Access Profiles for IPsec Service Sets
For dynamic endpoint tunneling only, you need to reference the IKE access profile configured at the [edit access] hierarchy level. To do this, include the ike-access-profile statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level:
The ike-access-profile statement must reference the same name as the profile statement you configured for IKE access at the [edit access] hierarchy level. You can reference only one access profile in each service set. This profile is used to negotiate IKE and IPsec security associations with dynamic peers only.
Note: If you configure an IKE access profile in a service set, no other service set can share the same local-gateway address. Also, you must configure a separate service set for each VRF. All interfaces referenced by the ipsec-inside-interface statement within a service set must belong to the same VRF.
Configuring Certification Authorities for IPsec Service Sets
You can specify one or more trusted certification authorities by including the trusted-ca statement:
When you configure public key infrastructure (PKI) digital certificates in the IPsec configuration, each service set can have its own set of trusted certification authorities. The names you specify for the trusted-ca statement must match profiles configured at the [edit security pki] hierarchy level; for more information, see the Junos OS System Basics Configuration Guide. For more information about IPsec digital certificate configuration, see Configuring IPsec Rules.
Configuring or Disabling Antireplay Service
You can include the anti-replay-window-size statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level to specify the size of the antireplay window.
This statement is useful for dynamic endpoint tunnels for which you cannot configure the anti-replay-window-size statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.
For static IPsec tunnels, this statement sets the antireplay window size for all the static tunnels within this service set. If a particular tunnel needs a specific value for antireplay window size, set the anti-replay-window-size statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level. If antireplay check has to be disabled for a particular tunnel in this service set, set the no-anti-replay statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.
Note: The anti-replay-window-size and no-anti-replay settings at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level override the settings specified at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level.
You can also include the no-anti-replay statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level to disable IPsec antireplay service. Antireplay checking occasionally causes interoperability issues for security associations.
This statement is useful for dynamic endpoint tunnels, for which you cannot configure the no-anti-replay statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.
For static IPsec tunnels, this statement disables the antireplay check for all the tunnels within this service set. If antireplay check has to be enabled for a particular tunnel, then set the anti-replay-window-size statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.
Note: Setting the anti-replay-window-size and no-anti-replay statements at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level overrides the settings specified at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level.
Clearing the Don’t-Fragment Bit
You can include the clear-dont-fragment-bit statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level to clear the Don’t Fragment (DF) bit on all IP version 4 (IPv4) packets entering the IPsec tunnel. If the encapsulated packet size exceeds the tunnel maximum transmission unit (MTU), the packet is fragmented before encapsulation.
This statement is useful for dynamic endpoint tunnels, for which you cannot configure the clear-dont-fragment-bit statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.
For static IPsec tunnels, setting this statement clears the DF bit on packets entering all the static tunnels within this service set. If you want to clear the DF bit on packets entering a specific tunnel, set the clear-dont-fragment-bit statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.
Configuring Passive-Mode Tunneling
You can include the passive-mode-tunneling statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level to enable the service set to tunnel malformed packets.
This functionality bypasses the active IP checks, such as the version, TTL, protocol, options, and address checks and other LAND attack checks, and tunnels the packets as is. If this statement is not configured, packets failing the IP checks are dropped in the PIC. In passive mode, the inner packet is not touched; hence, no ICMP error is generated if the packet size exceeds the tunnel MTU value.
The IPsec tunnel is not treated as a next hop, and the TTL is not decremented. Because no ICMP error is generated when the packet size exceeds the tunnel MTU value, the packet is tunneled even if it crosses the tunnel MTU threshold.
Note: This functionality is similar to that provided by the no-ipsec-tunnel-in-traceroute statement, described in Disabling IPsec Tunnel Endpoint in Traceroute.
Configuring the Tunnel MTU Value
You can include the tunnel-mtu statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level to set the maximum transmission unit (MTU) value for IPsec tunnels.
This statement is useful for dynamic endpoint tunnels for which you cannot configure the tunnel-mtu statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.
For static IPsec tunnels, this statement sets the tunnel MTU value for all the tunnels within this service set. If you need a specific value for a particular tunnel, then set the tunnel-mtu statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.
Note: The tunnel-mtu setting at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level overrides the value specified at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level.
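The following added configuration (not from the original documentation) ties together the antireplay, DF-bit and tunnel MTU sections above: service-set-level values act as defaults for every static tunnel, and a second rule term overrides them for one tunnel only. Interface units, addresses and policy names are assumed.

```junos
services {
    service-set vpn-static {
        next-hop-service {
            inside-service-interface ms-1/2/0.1;
            outside-service-interface ms-1/2/0.2;
        }
        ipsec-vpn-options {
            local-gateway 192.0.2.1;
            /* defaults applied to every static tunnel in this service set */
            anti-replay-window-size 1024;
            clear-dont-fragment-bit;
            tunnel-mtu 1400;
        }
        ipsec-vpn-rules vpn-rule-static;
    }
    ipsec-vpn {
        rule vpn-rule-static {
            /* tunnel to site A inherits window 1024, DF clearing, MTU 1400 */
            term site-a {
                from {
                    ipsec-inside-interface ms-1/2/0.1;
                }
                then {
                    remote-gateway 198.51.100.10;
                    dynamic {
                        ike-policy ike-pol-1;
                        ipsec-policy ipsec-pol-1;
                    }
                }
            }
            /* tunnel to site B: term-level statements take precedence here */
            term site-b {
                from {
                    ipsec-inside-interface ms-1/2/0.3;
                }
                then {
                    remote-gateway 198.51.100.20;
                    dynamic {
                        ike-policy ike-pol-1;
                        ipsec-policy ipsec-pol-1;
                    }
                    no-anti-replay;
                    tunnel-mtu 1300;
                }
            }
            match-direction input;
        }
    }
}
```

The site-b tunnel runs without the antireplay check and with a 1300-byte MTU, while the DF bit is still cleared for it because clear-dont-fragment-bit is not overridden at the term level.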