Example: Configuring IKE Dynamic SAs

This example shows how to configure IKE dynamic SAs and contains the following sections.

Requirements

This example uses the following hardware and software components:

  • Four M Series, MX Series, or T Series routers with multiservices interfaces installed in them.
  • Junos OS Release 9.4 or later.

No special configuration beyond device initiation is required before you can configure this feature.

Overview and Topology

A security association (SA) is a simplex connection that enables two hosts to securely communicate with each other by means of IPsec.

Dynamic SAs are best suited for large-scale, geographically distributed networks where manual distribution, maintenance, and tracking of keys are difficult tasks. Dynamic SAs are configured with a set of proposals that are negotiated by the security gateways. The keys are generated as part of the negotiation and do not need to be specified in the configuration. A dynamic SA includes one or more proposals that allow you to prioritize a list of protocols and algorithms to be negotiated with the peer.
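As an added illustration (not code from the Juniper page), the following Python models how an ordered proposal list expresses priority during negotiation. The model assumes the responder accepts the first proposal in the initiator's list that it also supports; that is a simplification of the IKE exchange, not an implementation of it. The proposal values are constructed; LEGACY mirrors the MultiServices PIC defaults the page describes (ESP, HMAC-SHA1-96, 3DES-CBC, DH group2), and FLOOR is an example local policy.

```python
"""Added example, not from the Juniper page: priority-ordered proposal
negotiation and a local floor check on the agreed parameters."""
from typing import NamedTuple, Optional


class Proposal(NamedTuple):
    protocol: str   # esp or ah
    auth: str       # authentication algorithm
    enc: str        # encryption algorithm
    dh: str         # Diffie-Hellman group used for the key exchange / PFS


# Constructed proposals; LEGACY matches the defaults described on the page.
LEGACY = Proposal("esp", "hmac-sha1-96", "3des-cbc", "group2")
AES128 = Proposal("esp", "hmac-sha1-96", "aes-128-cbc", "group2")
AES256 = Proposal("esp", "hmac-sha256-128", "aes-256-cbc", "group14")

# Example local floor: the parameter values an operator is willing to accept.
FLOOR = {"enc": {"aes-128-cbc", "aes-256-cbc"},
         "auth": {"hmac-sha1-96", "hmac-sha256-128"},
         "dh": {"group14"}}


def negotiate(initiator, responder) -> Optional[Proposal]:
    """First proposal in the initiator's priority order that the responder
    also lists, or None when the peers share no proposal (negotiation fails)."""
    supported = set(responder)
    return next((p for p in initiator if p in supported), None)


def below_floor(proposal: Proposal, floor: dict) -> list:
    """Parameters of an agreed proposal that fall outside the local floor, so a
    weak agreement is visible even though negotiation itself succeeded."""
    return [f"{name}={getattr(proposal, name)}" for name, allowed in floor.items()
            if getattr(proposal, name) not in allowed]


if __name__ == "__main__":
    chosen = negotiate([AES256, AES128, LEGACY], [LEGACY, AES128])
    print("negotiated:", chosen)                     # AES128: first initiator entry the peer supports
    print("below floor:", below_floor(chosen, FLOOR))  # ['dh=group2']
    print("no common proposal:", negotiate([AES256], [LEGACY]))
```

Ordering matters on both sides: listing LEGACY first on the initiator would make it the agreed proposal whenever the peer still supports it, which is why the floor check is run on the result rather than on the list.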

Figure 1 shows an IPsec topology that contains a group of four routers. This configuration requires Routers 2 and 3 to establish an IPsec tunnel by using an IKE dynamic SA, enhanced authentication, and encryption. Routers 1 and 4 provide basic connectivity and are used to verify that the IPsec tunnel is operational.

Figure 1: IKE Dynamic SAs

Note: When you do not specify an IKE proposal, an IPsec proposal, and an IPsec policy on a MultiServices PIC, the Junos OS defaults to the highest level of encryption and authentication. As a result, the default protocol is ESP, the default authentication algorithm is HMAC-SHA1-96, and the default encryption algorithm is 3DES-CBC.

Configuration

To configure an IKE dynamic SA, perform these tasks:

Note: The interface types shown in this example are for illustration only. For example, you can use so- interfaces instead of ge-, and sp- instead of ms-.

Configuring Router 1

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI, at the [edit] hierarchy level, of Router 1.

set interfaces ge-0/0/0 description "to R2 ge-0/0/0"
set interfaces ge-0/0/0 unit 0 family inet address 10.1.12.2/30
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
set routing-options router-id 10.0.0.1
set protocols ospf area 0.0.0.0 interface ge-0/0/0
set protocols ospf area 0.0.0.0 interface lo0.0

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure Router 1 for OSPF connectivity with Router 2:

  1. Configure an Ethernet interface and a loopback interface.
    [edit interfaces]
    user@router1# set ge-0/0/0 description "to R2 ge-0/0/0"
    user@router1# set ge-0/0/0 unit 0 family inet address 10.1.12.2/30
    user@router1# set lo0 unit 0 family inet address 10.0.0.1/32
  2. Specify the OSPF area and associate the interfaces with the OSPF area.
    [edit protocols]
    user@router1# set ospf area 0.0.0.0 interface ge-0/0/0.0
    user@router1# set ospf area 0.0.0.0 interface lo0.0
  3. Configure the router ID.
    [edit routing-options]
    user@router1# set router-id 10.0.0.1
  4. Commit the configuration.
    [edit]
    user@router1# commit

Results

From configuration mode, confirm your configuration by entering the show interfaces, show protocols ospf, and show routing-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@router1# show interfaces
interfaces {
    ge-0/0/0 {
        description "To R2 ge-0/0/0";
        unit 0 {
            family inet {
                address 10.1.12.2/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.0.0.1/32;
            }
        }
    }
}
user@router1# show protocols ospf
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/0.0;
            interface lo0.0;
        }
    }
}
user@router1# show routing-options
routing-options {
    router-id 10.0.0.1;
}

Configuring Router 2

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI, at the [edit] hierarchy level, of Router 2.

set interfaces ge-0/0/0 description "to R1 ge-0/0/0"
set interfaces ge-0/0/0 unit 0 family inet address 10.1.12.1/30
set interfaces ge-0/0/1 description "to R3 ge-0/0/1"
set interfaces ge-0/0/1 unit 0 family inet address 10.1.15.1/30
set interfaces ms-1/2/0 services-options syslog host local services info
set interfaces ms-1/2/0 unit 0 family inet
set interfaces ms-1/2/0 unit 1 family inet
set interfaces ms-1/2/0 unit 1 service-domain inside
set interfaces ms-1/2/0 unit 2 family inet
set interfaces ms-1/2/0 unit 2 service-domain outside
set interfaces lo0 unit 0 family inet address 10.0.0.2/32
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols ospf area 0.0.0.0 interface ms-1/2/0.1
set routing-options router-id 10.0.0.2
set services ipsec-vpn rule rule-ike term term-ike then remote-gateway 10.1.15.2
set services ipsec-vpn rule rule-ike term term-ike then dynamic ike-policy ike-demo-policy
set services ipsec-vpn rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy
set services ipsec-vpn rule rule-ike match-direction input
set services ipsec-vpn ike proposal ike-demo-proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike-demo-proposal dh-group group2
set services ipsec-vpn ike policy ike-demo-policy pre-shared proposals ike-demo-proposal
set services ipsec-vpn ike policy ike-demo-policy pre-shared pre-shared-key ascii-text keyfordemo
set services ipsec-vpn ipsec proposal ipsec-demo-proposal protocol esp
set services ipsec-vpn ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2
set services ipsec-vpn ipsec policy ipsec-demo-policy proposals ipsec-demo-proposal
set services service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1
set services service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2
set services service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.1
set services service-set demo-service-set ipsec-vpn-rules rule-ike

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure OSPF connectivity and IPsec tunnel parameters on Router 2:

  1. Configure interface properties. In this step, you configure two Ethernet interfaces (ge-0/0/0 and ge-0/0/1), a loopback interface, and a multiservices interface (ms-1/2/0).
    [edit interfaces]
    user@router2# set ge-0/0/0 description "to R1 ge-0/0/0"
    user@router2# set ge-0/0/0 unit 0 family inet address 10.1.12.1/30
    user@router2# set ge-0/0/1 description "to R3 ge-0/0/1"
    user@router2# set ge-0/0/1 unit 0 family inet address 10.1.15.1/30
    user@router2# set ms-1/2/0 services-options syslog host local services info
    user@router2# set ms-1/2/0 unit 0 family inet
    user@router2# set ms-1/2/0 unit 1 family inet
    user@router2# set ms-1/2/0 unit 1 service-domain inside
    user@router2# set ms-1/2/0 unit 2 family inet
    user@router2# set ms-1/2/0 unit 2 service-domain outside
    user@router2# set lo0 unit 0 family inet address 10.0.0.2/32
  2. Specify the OSPF area and associate the interfaces with the OSPF area.
    [edit protocols]
    user@router2# set ospf area 0.0.0.0 interface ge-0/0/0.0
    user@router2# set ospf area 0.0.0.0 interface lo0.0
    user@router2# set ospf area 0.0.0.0 interface ms-1/2/0.1
  3. Configure the router ID.
    [edit routing-options]
    user@router2# set router-id 10.0.0.2
  4. Configure an IPsec rule. In this step, you configure an IPsec rule and specify the dynamic SA parameters, such as the remote gateway address, authentication and encryption properties, and so on.

    Note: By default, Junos OS uses IKE policy version 1.0. Junos OS Release 11.4 and later also support IKE policy version 2.0, which you must configure at [edit services ipsec-vpn ike policy policy-name pre-shared].

    [edit services ipsec-vpn]
    user@router2# set rule rule-ike term term-ike then remote-gateway 10.1.15.2
    user@router2# set rule rule-ike term term-ike then dynamic ike-policy ike-demo-policy
    user@router2# set rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy
    user@router2# set rule rule-ike match-direction input
    user@router2# set ike proposal ike-demo-proposal authentication-method pre-shared-keys
    user@router2# set ike proposal ike-demo-proposal dh-group group2
    user@router2# set ike policy ike-demo-policy pre-shared proposals ike-demo-proposal
    user@router2# set ike policy ike-demo-policy pre-shared pre-shared-key ascii-text keyfordemo
    user@router2# set ipsec proposal ipsec-demo-proposal protocol esp
    user@router2# set ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96
    user@router2# set ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc
    user@router2# set ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2
    user@router2# set ipsec policy ipsec-demo-policy proposals ipsec-demo-proposal
  5. Configure a next-hop style service set, specify the local-gateway address, and associate the IPsec VPN rule with the service set.
    [edit services]
    user@router2# set service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1
    user@router2# set service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2
    user@router2# set service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.1
    user@router2# set service-set demo-service-set ipsec-vpn-rules rule-ike
  6. Commit the configuration.
    [edit]
    user@router2# commit

Results

From configuration mode, confirm your configuration by entering the show interfaces, show protocols ospf, show routing-options, and show services commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@router2# show interfaces
interfaces {
    ge-0/0/0 {
        description "To R1 ge-0/0/0";
        unit 0 {
            family inet {
                address 10.1.12.1/30;
            }
        }
    }
    ge-0/0/1 {
        description "To R3 ge-0/0/1";
        unit 0 {
            family inet {
                address 10.1.15.1/30;
            }
        }
    }
    ms-1/2/0 {
        services-options {
            syslog {
                host local {
                    services info;
                }
            }
        }
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.0.0.2/32;
            }
        }
    }
}
user@router2# show protocols ospf
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/0.0;
            interface lo0.0;
            interface ms-1/2/0.1;
        }
    }
}
user@router2# show routing-options
routing-options {
    router-id 10.0.0.2;
}
user@router2# show services
services {
    ipsec-vpn {
        rule rule-ike {
            term term-ike {
                then {
                    remote-gateway 10.1.15.2;
                    dynamic {
                        ike-policy ike-demo-policy;
                        ipsec-policy ipsec-demo-policy;
                    }
                }
            }
            match-direction input;
        }
        ike {
            proposal ike-demo-proposal {
                authentication-method pre-shared-keys;
                dh-group group2;
            }
            policy ike-demo-policy {
                proposals ike-demo-proposal;
                pre-shared-key ascii-text "$9$jokmT69pRhrz3hrev7Nik"; ## SECRET-DATA
            }
        }
        ipsec {
            proposal ipsec-demo-proposal {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
            }
            policy ipsec-demo-policy {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals ipsec-demo-proposal;
            }
        }
    }
    service-set demo-service-set {
        next-hop-service {
            inside-service-interface ms-1/2/0.1;
            outside-service-interface ms-1/2/0.2;
        }
        ipsec-vpn-options {
            local-gateway 10.1.15.1;
        }
        ipsec-vpn-rules rule-ike;
    }
}

Configuring Router 3

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI, at the [edit] hierarchy level, of Router 3.

set interfaces ge-0/0/0 description "to R4 ge-0/0/0"
set interfaces ge-0/0/0 unit 0 family inet address 10.1.56.1/30
set interfaces ge-0/0/1 description "to R2 ge-0/0/1"
set interfaces ge-0/0/1 unit 0 family inet address 10.1.15.2/30
set interfaces ms-1/2/0 services-options syslog host local services info
set interfaces ms-1/2/0 unit 0 family inet
set interfaces ms-1/2/0 unit 1 family inet
set interfaces ms-1/2/0 unit 1 service-domain inside
set interfaces ms-1/2/0 unit 2 family inet
set interfaces ms-1/2/0 unit 2 service-domain outside
set interfaces lo0 unit 0 family inet address 10.0.0.3/32
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols ospf area 0.0.0.0 interface ms-1/2/0.1
set routing-options router-id 10.0.0.3
set services ipsec-vpn rule rule-ike term term-ike then remote-gateway 10.1.15.1
set services ipsec-vpn rule rule-ike term term-ike then dynamic ike-policy ike-demo-policy
set services ipsec-vpn rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy
set services ipsec-vpn rule rule-ike match-direction input
set services ipsec-vpn ike proposal ike-demo-proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike-demo-proposal dh-group group2
set services ipsec-vpn ike policy ike-demo-policy pre-shared proposals ike-demo-proposal
set services ipsec-vpn ike policy ike-demo-policy pre-shared pre-shared-key ascii-text keyfordemo
set services ipsec-vpn ipsec proposal ipsec-demo-proposal protocol esp
set services ipsec-vpn ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2
set services ipsec-vpn ipsec policy ipsec-demo-policy proposals ipsec-demo-proposal
set services service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1
set services service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2
set services service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.2
set services service-set demo-service-set ipsec-vpn-rules rule-ike

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure OSPF connectivity and IPsec tunnel parameters on Router 3:

  1. Configure interface properties. In this step, you configure two Ethernet interfaces (ge-0/0/0 and ge-0/0/1), a loopback interface, and a multiservices interface (ms-1/2/0).
    [edit interfaces]
    user@router3# set ge-0/0/0 description "to R4 ge-0/0/0"
    user@router3# set ge-0/0/0 unit 0 family inet address 10.1.56.1/30
    user@router3# set ge-0/0/1 description "to R2 ge-0/0/1"
    user@router3# set ge-0/0/1 unit 0 family inet address 10.1.15.2/30
    user@router3# set ms-1/2/0 services-options syslog host local services info
    user@router3# set ms-1/2/0 unit 0 family inet
    user@router3# set ms-1/2/0 unit 1 family inet
    user@router3# set ms-1/2/0 unit 1 service-domain inside
    user@router3# set ms-1/2/0 unit 2 family inet
    user@router3# set ms-1/2/0 unit 2 service-domain outside
    user@router3# set lo0 unit 0 family inet address 10.0.0.3/32
  2. Specify the OSPF area and associate the interfaces with the OSPF area.
    [edit protocols]
    user@router3# set ospf area 0.0.0.0 interface ge-0/0/0.0
    user@router3# set ospf area 0.0.0.0 interface lo0.0
    user@router3# set ospf area 0.0.0.0 interface ms-1/2/0.1
  3. Configure the router ID.
    [edit routing-options]
    user@router3# set router-id 10.0.0.3
  4. Configure an IPsec rule. In this step, you configure an IPsec rule and specify the dynamic SA parameters, such as the remote gateway address, authentication and encryption properties, and so on.
    [edit services ipsec-vpn]
    user@router3# set rule rule-ike term term-ike then remote-gateway 10.1.15.1
    user@router3# set rule rule-ike term term-ike then dynamic ike-policy ike-demo-policy
    user@router3# set rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy
    user@router3# set rule rule-ike match-direction input
    user@router3# set ike proposal ike-demo-proposal authentication-method pre-shared-keys
    user@router3# set ike proposal ike-demo-proposal dh-group group2
    user@router3# set ike policy ike-demo-policy pre-shared proposals ike-demo-proposal
    user@router3# set ike policy ike-demo-policy pre-shared pre-shared-key ascii-text keyfordemo
    user@router3# set ipsec proposal ipsec-demo-proposal protocol esp
    user@router3# set ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96
    user@router3# set ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc
    user@router3# set ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2
    user@router3# set ipsec policy ipsec-demo-policy proposals ipsec-demo-proposal
  5. Configure a next-hop style service set, specify the local-gateway address, and associate the IPsec VPN rule with the service set.
    [edit services]
    user@router3# set service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1
    user@router3# set service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2
    user@router3# set service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.2
    user@router3# set service-set demo-service-set ipsec-vpn-rules rule-ike
  6. Commit the configuration.
    [edit]
    user@router3# commit
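The IPsec and service-set steps on Router 2 and Router 3 must agree with each other in several places, and a name typed once in a policy must match the proposal it refers to. The Python below is an added checker, not code from the Juniper page or from Junos OS: it tokenises the set commands, verifies that every referenced IKE policy, IPsec policy, proposal and rule is defined, confirms that the two gateways mirror each other (local and remote gateway, pre-shared key, algorithms, PFS group), and lists which agreed parameters are legacy choices. The configuration text is constructed from the page's commands through a template in which only the gateway addresses differ; BROKEN is a constructed variant whose IKE policy names a proposal that is never defined, and LEGACY is an example set to adjust to local policy.

```python
"""Added example, not code from the Juniper page or from Junos OS: static
checks over the `set services ...` lines of the two IPsec gateways."""
from __future__ import annotations

# Constructed from the page's Router 2 and Router 3 commands: only the two
# gateway addresses differ between the peers, so one template serves both.
TEMPLATE = """
set services ipsec-vpn rule rule-ike term term-ike then remote-gateway {remote}
set services ipsec-vpn rule rule-ike term term-ike then dynamic ike-policy ike-demo-policy
set services ipsec-vpn rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy
set services ipsec-vpn rule rule-ike match-direction input
set services ipsec-vpn ike proposal ike-demo-proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike-demo-proposal dh-group group2
set services ipsec-vpn ike policy ike-demo-policy pre-shared proposals ike-demo-proposal
set services ipsec-vpn ike policy ike-demo-policy pre-shared pre-shared-key ascii-text keyfordemo
set services ipsec-vpn ipsec proposal ipsec-demo-proposal protocol esp
set services ipsec-vpn ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2
set services ipsec-vpn ipsec policy ipsec-demo-policy proposals ipsec-demo-proposal
set services service-set demo-service-set ipsec-vpn-options local-gateway {local}
set services service-set demo-service-set ipsec-vpn-rules rule-ike
"""
ROUTER2 = TEMPLATE.format(local="10.1.15.1", remote="10.1.15.2")
ROUTER3 = TEMPLATE.format(local="10.1.15.2", remote="10.1.15.1")
# Constructed faulty variant: the IKE policy names a proposal never defined.
BROKEN = ROUTER2.replace("proposals ike-demo-proposal", "proposals demo-proposal")
# Parameters widely treated as legacy today; adjust the set to local policy.
LEGACY = {"des-cbc", "3des-cbc", "hmac-md5-96", "hmac-sha1-96", "group1", "group2"}


def parse_set_lines(text: str) -> list[list[str]]:
    """Each `set ...` line as its token list, without the leading `set`."""
    return [line.split()[1:] for line in text.strip().splitlines()
            if line.startswith("set ")]


def names(cfg, *prefix):
    """Names defined directly under a hierarchy prefix."""
    n = len(prefix)
    return {t[n] for t in cfg if tuple(t[:n]) == prefix and len(t) > n}


def value_after(toks, key):
    """Token following `key` in one set line, or None when absent."""
    if key in toks and toks.index(key) + 1 < len(toks):
        return toks[toks.index(key) + 1]
    return None


def check_references(cfg):
    """Dangling-reference errors; empty when every reference resolves."""
    defined = {
        "ike-policy": names(cfg, "services", "ipsec-vpn", "ike", "policy"),
        "ipsec-policy": names(cfg, "services", "ipsec-vpn", "ipsec", "policy"),
        "ipsec-vpn-rules": names(cfg, "services", "ipsec-vpn", "rule"),
        "ike": names(cfg, "services", "ipsec-vpn", "ike", "proposal"),
        "ipsec": names(cfg, "services", "ipsec-vpn", "ipsec", "proposal"),
    }
    errors = []
    for toks in cfg:
        for key in ("ike-policy", "ipsec-policy", "ipsec-vpn-rules"):
            ref = value_after(toks, key)
            if ref is not None and ref not in defined[key]:
                errors.append(f"{key} {ref} is referenced but not defined")
        ref = value_after(toks, "proposals")  # toks[2] is 'ike' or 'ipsec'
        if ref is not None and ref not in defined[toks[2]]:
            errors.append(f"{toks[2]} proposals {ref} is referenced but not defined")
    return errors


def single(cfg, key):
    """The one value configured for `key`, or None if absent or ambiguous."""
    values = {v for v in (value_after(t, key) for t in cfg) if v is not None}
    return values.pop() if len(values) == 1 else None


def check_peers(a, b):
    """Mismatches between two gateways whose settings must mirror each other."""
    errors = []
    if single(a, "remote-gateway") != single(b, "local-gateway"):
        errors.append("remote-gateway of A is not the local-gateway of B")
    if single(b, "remote-gateway") != single(a, "local-gateway"):
        errors.append("remote-gateway of B is not the local-gateway of A")
    for key in ("ascii-text", "dh-group", "protocol", "encryption-algorithm",
                "authentication-algorithm", "keys"):
        if single(a, key) != single(b, key):
            errors.append(f"{key} differs between the peers")
    return errors


def weak_algorithms(cfg):
    """Sorted legacy parameters present anywhere in the configuration."""
    return sorted({tok for toks in cfg for tok in toks if tok in LEGACY})


if __name__ == "__main__":
    r2, r3 = parse_set_lines(ROUTER2), parse_set_lines(ROUTER3)
    print("references:", check_references(r2) or "ok")
    print("broken copy:", check_references(parse_set_lines(BROKEN)))
    print("peer symmetry:", check_peers(r2, r3) or "ok")
    print("legacy parameters:", weak_algorithms(r2))
```

The checker works on the flat set-command form, so it can be run on the CLI Quick Configuration text before anything is pasted into either router; the pre-shared key is compared only as the literal typed in the commands, not as the encrypted form the router later displays.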

Results

From configuration mode, confirm your configuration by entering the show interfaces, show protocols ospf, show routing-options, and show services commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@router3# show interfaces
interfaces {
    ge-0/0/0 {
        description "To R4 ge-0/0/0";
        unit 0 {
            family inet {
                address 10.1.56.1/30;
            }
        }
    }
    ge-0/0/1 {
        description "To R2 ge-0/0/1";
        unit 0 {
            family inet {
                address 10.1.15.2/30;
            }
        }
    }
    ms-1/2/0 {
        services-options {
            syslog {
                host local {
                    services info;
                }
            }
        }
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.0.0.3/32;
            }
        }
    }
}
user@router3# show protocols ospf
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/0.0;
            interface lo0.0;
            interface ms-1/2/0.1;
        }
    }
}
user@router3# show routing-options
routing-options {
    router-id 10.0.0.3;
}
user@router3# show services
services {
    ipsec-vpn {
        rule rule-ike {
            term term-ike {
                then {
                    remote-gateway 10.1.15.1;
                    dynamic {
                        ike-policy ike-demo-policy;
                        ipsec-policy ipsec-demo-policy;
                    }
                }
            }
            match-direction input;
        }
        ike {
            proposal ike-demo-proposal {
                authentication-method pre-shared-keys;
                dh-group group2;
            }
            policy ike-demo-policy {
                proposals ike-demo-proposal;
                pre-shared-key ascii-text "$9$jokmT69pRhrz3hrev7Nik"; ## SECRET-DATA
            }
        }
        ipsec {
            proposal ipsec-demo-proposal {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
            }
            policy ipsec-demo-policy {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals ipsec-demo-proposal;
            }
        }
    }
    service-set demo-service-set {
        next-hop-service {
            inside-service-interface ms-1/2/0.1;
            outside-service-interface ms-1/2/0.2;
        }
        ipsec-vpn-options {
            local-gateway 10.1.15.2;
        }
        ipsec-vpn-rules rule-ike;
    }
}

Configuring Router 4

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI, at the [edit] hierarchy level, of Router 4.

set interfaces ge-0/0/0 description "to R3 ge-0/0/0"
set interfaces ge-0/0/0 unit 0 family inet address 10.1.56.2/30
set interfaces lo0 unit 0 family inet address 10.0.0.4/32
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0
set routing-options router-id 10.0.0.4

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure OSPF connectivity on Router 4:

  1. Configure the interfaces. In this step, you configure an Ethernet interface (ge-0/0/0) and a loopback interface.
    [edit]
    user@router4# set interfaces ge-0/0/0 description "to R3 ge-0/0/0"
    user@router4# set interfaces ge-0/0/0 unit 0 family inet address 10.1.56.2/30
    user@router4# set interfaces lo0 unit 0 family inet address 10.0.0.4/32
  2. Specify the OSPF area and associate the interfaces with the OSPF area.
    [edit]
    user@router4# set protocols ospf area 0.0.0.0 interface ge-0/0/0
    user@router4# set protocols ospf area 0.0.0.0 interface lo0.0
  3. Configure the router ID.
    [edit routing-options]
    user@router4# set router-id 10.0.0.4

Results

From configuration mode, confirm your configuration by entering the show interfaces, show protocols ospf, and show routing-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@router4# show interfaces
interfaces {
    ge-0/0/0 {
        description "To R3 ge-0/0/0";
        unit 0 {
            family inet {
                address 10.1.56.2/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.0.0.4/32;
            }
        }
    }
}
user@router4# show protocols ospf
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/0.0;
            interface lo0.0;
        }
    }
}
user@router4# show routing-options
routing-options {
    router-id 10.0.0.4;
}

Verification

Verifying Your Work on Router 1

Purpose

Verify proper operation of Router 1.

Action

From operational mode, enter the ping 10.1.56.2 command to send traffic across the IPsec tunnel to the ge-0/0/0 interface on Router 4.

user@router1> ping 10.1.56.2
PING 10.1.56.2 (10.1.56.2): 56 data bytes
64 bytes from 10.1.56.2: icmp_seq=0 ttl=254 time=1.351 ms
64 bytes from 10.1.56.2: icmp_seq=1 ttl=254 time=1.187 ms
64 bytes from 10.1.56.2: icmp_seq=2 ttl=254 time=1.172 ms
64 bytes from 10.1.56.2: icmp_seq=3 ttl=254 time=1.154 ms
64 bytes from 10.1.56.2: icmp_seq=4 ttl=254 time=1.156 ms
^C
--- 10.1.56.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.154/1.204/1.351/0.074 ms

Meaning

The output shows that Router 1 is able to reach Router 4 over the IPsec tunnel.

Verifying Your Work on Router 2

Purpose

Verify that the IKE SA negotiation is successful.

Action

From operational mode, enter the show services ipsec-vpn ike security-associations command.

user@router2> show services ipsec-vpn ike security-associations
Remote Address   State     Initiator cookie   Responder cookie   Exchange type
10.1.15.2        Matured   03075bd3a0000003   4bff26a5c7000003   Main

To verify that the IPsec security association is active, issue the show services ipsec-vpn ipsec security-associations detail command. Notice that the SA contains the default settings inherent in the MultiServices PIC, such as ESP for the protocol and HMAC-SHA1-96 for the authentication algorithm.

From operational mode, enter the show services ipsec-vpn ipsec security-associations detail command.

user@router2> show services ipsec-vpn ipsec security-associations detail
Service set: demo-service-set
Rule: rule-ike, Term: term-ike, Tunnel index: 1
Local gateway: 10.1.15.1, Remote gateway: 10.1.15.2
Local identity: ipv4_subnet(any:0,[0..7]=10.1.12.0/24)
Remote identity: ipv4_subnet(any:0,[0..7]=10.1.56.0/24)
Direction: inbound, SPI: 2666326758, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Soft lifetime: Expires in 26863 seconds
Hard lifetime: Expires in 26998 seconds
Anti-replay service: Enabled, Replay window size: 64
Direction: outbound, SPI: 684772754, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Soft lifetime: Expires in 26863 seconds
Hard lifetime: Expires in 26998 seconds
Anti-replay service: Enabled, Replay window size: 64

To verify that traffic is traveling through the bidirectional IPsec tunnel, issue the show services ipsec-vpn ipsec statistics command:

From operational mode, enter the show services ipsec-vpn ipsec statistics command.

user@router2> show services ipsec-vpn ipsec statistics
PIC: ms-1/2/0, Service set: demo-service-set
ESP Statistics:
Encrypted bytes: 2248
Decrypted bytes: 2120
Encrypted packets: 27
Decrypted packets: 25
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0

Meaning

The show services ipsec-vpn ipsec security-associations detail command output shows the SA properties that you configured.

The show services ipsec-vpn ipsec statistics command output shows the traffic flow over the IPsec tunnel.

Verifying Your Work on Router 3

Purpose

Verify that the IKE SA negotiation is successful on Router 3.

Action

From operational mode, enter the show services ipsec-vpn ike security-associations command. To be successful, the SA on Router 3 must contain the same settings you specified on Router 2.

user@router3> show services ipsec-vpn ike security-associations
Remote Address   State     Initiator cookie   Responder cookie   Exchange type
10.1.15.1        Matured   03075bd3a0000003   4bff26a5c7000003   Main

To verify that the IPsec SA is active, issue the show services ipsec-vpn ipsec security-associations detail command. To be successful, the SA on Router 3 must contain the same settings you specified on Router 2.

From operational mode, enter the show services ipsec-vpn ipsec security-associations detail command.

user@router3> show services ipsec-vpn ipsec security-associations detail
Service set: demo-service-set
Rule: rule-ike, Term: term-ike, Tunnel index: 1
Local gateway: 10.1.15.2, Remote gateway: 10.1.15.1
Local identity: ipv4_subnet(any:0,[0..7]=10.1.56.0/24)
Remote identity: ipv4_subnet(any:0,[0..7]=10.1.12.0/24)
Direction: inbound, SPI: 684772754, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Soft lifetime: Expires in 26598 seconds
Hard lifetime: Expires in 26688 seconds
Anti-replay service: Enabled, Replay window size: 64
Direction: outbound, SPI: 2666326758, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Soft lifetime: Expires in 26598 seconds
Hard lifetime: Expires in 26688 seconds
Anti-replay service: Enabled, Replay window size: 64
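The two SA detail outputs above (Router 2 and Router 3) describe the same tunnel from opposite ends, so they must agree in a precise way: each router's inbound SPI is the peer's outbound SPI, the gateway addresses and protected subnets are swapped, both directions are Installed with the configured ESP parameters, anti-replay is on, and soft lifetime does not exceed hard lifetime. The following Python is an added example, not code from the Juniper page or from Junos OS; it parses both outputs (copied from the page as sample input) and reports every disagreement, which is the check an operator would script rather than read by eye.

```python
"""Added example, not from the Juniper page: parse the SA detail output of both
gateways and confirm that the two sides describe one consistent tunnel."""
import re

# Sample output taken from the page (Router 2 first, then Router 3).
ROUTER2_SA = """\
Service set: demo-service-set
Rule: rule-ike, Term: term-ike, Tunnel index: 1
Local gateway: 10.1.15.1, Remote gateway: 10.1.15.2
Local identity: ipv4_subnet(any:0,[0..7]=10.1.12.0/24)
Remote identity: ipv4_subnet(any:0,[0..7]=10.1.56.0/24)
Direction: inbound, SPI: 2666326758, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Soft lifetime: Expires in 26863 seconds
Hard lifetime: Expires in 26998 seconds
Anti-replay service: Enabled, Replay window size: 64
Direction: outbound, SPI: 684772754, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Soft lifetime: Expires in 26863 seconds
Hard lifetime: Expires in 26998 seconds
Anti-replay service: Enabled, Replay window size: 64
"""
ROUTER3_SA = """\
Service set: demo-service-set
Rule: rule-ike, Term: term-ike, Tunnel index: 1
Local gateway: 10.1.15.2, Remote gateway: 10.1.15.1
Local identity: ipv4_subnet(any:0,[0..7]=10.1.56.0/24)
Remote identity: ipv4_subnet(any:0,[0..7]=10.1.12.0/24)
Direction: inbound, SPI: 684772754, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Soft lifetime: Expires in 26598 seconds
Hard lifetime: Expires in 26688 seconds
Anti-replay service: Enabled, Replay window size: 64
Direction: outbound, SPI: 2666326758, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Soft lifetime: Expires in 26598 seconds
Hard lifetime: Expires in 26688 seconds
Anti-replay service: Enabled, Replay window size: 64
"""
# Parameters the page's IPsec proposal configures on both gateways.
EXPECTED = {"Protocol": "ESP", "Authentication": "hmac-sha1-96", "Encryption": "3des-cbc"}


def parse_sa_detail(text):
    """Return (header fields, {direction: fields}) from the show output."""
    header, per_direction, current = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        # Each line is a comma-separated list of 'Key: value' pairs.
        fields = dict(part.partition(": ")[::2] for part in line.strip().split(", "))
        if "Direction" in fields:
            current = fields["Direction"]
            per_direction[current] = fields
        elif current is None:
            header.update(fields)
        else:
            per_direction[current].update(fields)
    return header, per_direction


def seconds(value):
    """Integer seconds from a lifetime field such as 'Expires in 26863 seconds'."""
    return int(re.search(r"\d+", value).group())


def cross_check(local_text, peer_text, expected):
    """Problems found when the local SA pair is compared with the peer's view."""
    lh, ld = parse_sa_detail(local_text)
    ph, pd = parse_sa_detail(peer_text)
    problems = []
    if (lh["Local gateway"], lh["Remote gateway"]) != (ph["Remote gateway"], ph["Local gateway"]):
        problems.append("gateway addresses are not mirrored on the peer")
    if (lh["Local identity"], lh["Remote identity"]) != (ph["Remote identity"], ph["Local identity"]):
        problems.append("protected subnets are not mirrored on the peer")
    # The local inbound SA must be the peer's outbound SA and vice versa.
    for direction, opposite in (("inbound", "outbound"), ("outbound", "inbound")):
        mine, theirs = ld.get(direction), pd.get(opposite)
        if mine is None or theirs is None:
            problems.append(f"{direction} SA is missing on one side")
            continue
        if mine["SPI"] != theirs["SPI"]:
            problems.append(f"{direction} SPI {mine['SPI']} is not the peer's {opposite} SPI {theirs['SPI']}")
        if mine["State"] != "Installed":
            problems.append(f"{direction} SA state is {mine['State']}")
        for key, want in expected.items():
            if mine.get(key) != want:
                problems.append(f"{direction} {key} is {mine.get(key)}, expected {want}")
        if mine.get("Anti-replay service") != "Enabled":
            problems.append(f"{direction} anti-replay is not enabled")
        if not 0 < seconds(mine["Soft lifetime"]) <= seconds(mine["Hard lifetime"]):
            problems.append(f"{direction} soft lifetime exceeds hard lifetime")
    return problems


if __name__ == "__main__":
    print(cross_check(ROUTER2_SA, ROUTER3_SA, EXPECTED) or "tunnel consistent")
```

The lifetimes are deliberately not compared across peers: the page's own outputs show different remaining seconds on the two routers because the commands were run at different moments, and only the ordering of soft and hard lifetime on each side is a correctness property.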

To verify that traffic is traveling through the bidirectional IPsec tunnel, issue the show services ipsec-vpn ipsec statistics command:

From operational mode, enter the show services ipsec-vpn ipsec statistics command.

user@router3> show services ipsec-vpn ipsec statistics
PIC: ms-1/2/0, Service set: demo-service-set
ESP Statistics:
Encrypted bytes: 2120
Decrypted bytes: 2248
Encrypted packets: 25
Decrypted packets: 27
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
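The statistics on the two routers are mirror images: what Router 2 encrypted (27 packets, 2248 bytes) is what Router 3 decrypted, and vice versa, and every error counter is zero. The following Python is an added example, not code from the Juniper page or from Junos OS; it parses both statistics outputs (copied from the page as sample input), flags any non-zero error counter, and checks that each side's encrypted counters match the peer's decrypted counters within a tolerance for packets still in flight between the two snapshots.

```python
"""Added example, not from the Juniper page: compare the ESP statistics of the
two gateways and flag error counters or a one-sided traffic count."""

# Sample output taken from the page (Router 2 first, then Router 3).
ROUTER2_STATS = """\
PIC: ms-1/2/0, Service set: demo-service-set
ESP Statistics:
Encrypted bytes: 2248
Decrypted bytes: 2120
Encrypted packets: 27
Decrypted packets: 25
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
"""
ROUTER3_STATS = """\
PIC: ms-1/2/0, Service set: demo-service-set
ESP Statistics:
Encrypted bytes: 2120
Decrypted bytes: 2248
Encrypted packets: 25
Decrypted packets: 27
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
"""

ERROR_COUNTERS = ("AH authentication failures", "Replay errors",
                  "ESP authentication failures", "ESP decryption failures",
                  "Bad headers", "Bad trailers")


def parse_stats(text):
    """Map every 'name: number' pair in the output to an int, including the
    comma-separated pairs on the Errors lines; non-numeric pairs are skipped."""
    counters = {}
    for line in text.splitlines():
        for part in line.strip().split(", "):
            key, _, value = part.partition(": ")
            if value.strip().isdigit():
                counters[key.strip()] = int(value)
    return counters


def check_tunnel(local, peer, tolerance=0):
    """Problems with one gateway's counters, cross-checked against its peer.
    `tolerance` (in counter units) allows for packets in flight when the two
    snapshots are not taken at the same instant."""
    problems = [f"{k} = {local[k]}" for k in ERROR_COUNTERS if local.get(k, 0)]
    if local.get("Encrypted packets", 0) == 0:
        problems.append("no packets have been encrypted yet")
    # What this side encrypted, the peer must have decrypted, and vice versa.
    for mine, theirs in (("Encrypted", "Decrypted"), ("Decrypted", "Encrypted")):
        for unit in ("packets", "bytes"):
            a, b = local.get(f"{mine} {unit}", 0), peer.get(f"{theirs} {unit}", 0)
            if abs(a - b) > tolerance:
                problems.append(f"{mine} {unit} {a} vs peer {theirs} {unit} {b}")
    return problems


if __name__ == "__main__":
    r2, r3 = parse_stats(ROUTER2_STATS), parse_stats(ROUTER3_STATS)
    print(check_tunnel(r2, r3) or "counters consistent, no errors")
```

A rising ESP authentication or decryption failure count on one side while the peer's encrypted count keeps climbing is the pattern to watch for; it points at a key or proposal mismatch after a rekey rather than at a routing problem.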

Meaning

The show services ipsec-vpn ipsec security-associations detail command output shows the SA properties that you configured.

The show services ipsec-vpn ipsec statistics command output shows the traffic flow over the IPsec tunnel.

Verifying Your Work on Router 4

Purpose

Verify proper operation of Router 4.

Action

From operational mode, enter the ping 10.1.12.2 command to send traffic across the IPsec tunnel to the ge-0/0/0 interface on Router 1.

user@router4> ping 10.1.12.2
PING 10.1.12.2 (10.1.12.2): 56 data bytes
64 bytes from 10.1.12.2: icmp_seq=0 ttl=254 time=1.350 ms
64 bytes from 10.1.12.2: icmp_seq=1 ttl=254 time=1.161 ms
64 bytes from 10.1.12.2: icmp_seq=2 ttl=254 time=1.124 ms
64 bytes from 10.1.12.2: icmp_seq=3 ttl=254 time=1.142 ms
64 bytes from 10.1.12.2: icmp_seq=4 ttl=254 time=1.139 ms
64 bytes from 10.1.12.2: icmp_seq=5 ttl=254 time=1.116 ms
^C
--- 10.1.12.2 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.116/1.172/1.350/0.081 ms

To confirm that traffic travels through the IPsec tunnel, issue the traceroute command to the ge-0/0/0 interface on Router 1. Notice that the physical interface between Routers 2 and 3 is not referenced in the path; traffic enters the IPsec tunnel through the adaptive services IPsec inside interface on Router 3, passes through the loopback interface on Router 2, and ends at the ge-0/0/0 interface on Router 1.

From operational mode, enter the traceroute 10.1.12.2 command.

user@router4> traceroute 10.1.12.2
traceroute to 10.1.12.2 (10.1.12.2), 30 hops max, 40 byte packets
1 10.1.15.2 (10.1.15.2) 0.987 ms 0.630 ms 0.563 ms
2 10.0.0.2 (10.0.0.2) 1.194 ms 1.058 ms 1.033 ms
3 10.1.12.2 (10.1.12.2) 1.073 ms 0.949 ms 0.932 ms

Meaning

The ping 10.1.12.2 output shows that Router 4 is able to reach Router 1 over the IPsec tunnel.

The traceroute 10.1.12.2 output shows that traffic travels through the IPsec tunnel.

Published: 2013-08-29