
Configuring Encryption Interfaces

When you configure the encryption interface, you associate the configured SA with a logical interface. This configuration defines the tunnel, including the logical unit, tunnel addresses, maximum transmission unit (MTU), optional interface addresses, and the name of the IPsec SA to apply to traffic. To configure an encryption interface, include the following statements at the [edit interfaces es-fpc/pic/port unit logical-unit-number] hierarchy level:

family inet {
    ipsec-sa ipsec-sa;                  # name of security association to apply to packet
    address address;                    # local interface address inside local VPN
    destination address;                # destination address inside remote VPN
}
tunnel {
    source source-address;
    destination destination-address;
}

The addresses configured as the tunnel source and destination are the addresses in the outer IP header of the tunnel.

Note: You must configure the tunnel source address locally on the router, and the tunnel destination address must be a valid address for the security gateway terminating the tunnel.

The ES Physical Interface Card (PIC) is supported on M Series and T Series routers.

The SA must be a valid tunnel-mode SA. The interface address and destination address listed are optional. The destination address allows the user to configure a static route to encrypt traffic. If a static route uses that destination address as the next hop, traffic is forwarded through the portion of the tunnel in which encryption occurs.

Specifying the Security Association Name for Encryption Interfaces

The security association is the set of properties that defines the protocols for encrypting Internet traffic. To configure encryption interfaces, you specify the SA name associated with the interface by including the ipsec-sa statement at the [edit interfaces es-fpc/pic/port unit logical-unit-number family inet] hierarchy level:

ipsec-sa sa-name;

For information about configuring the security association, see Configuring Filters for Traffic Transiting the ES PIC.

Configuring the MTU for Encryption Interfaces

The protocol MTU value for encryption interfaces must always be less than the default interface MTU value of 3900 bytes; the configuration fails to commit if you select a greater value. To set the MTU value, include the mtu statement at the [edit interfaces interface-name unit logical-unit-number family inet] hierarchy level:

mtu bytes;

For more information, see the Junos OS Network Interfaces Library for Routing Devices.

Example: Configuring an Encryption Interface

Configure an IPsec tunnel as a logical interface on the ES PIC. The logical interface specifies the tunnel through which the encrypted traffic travels. The ipsec-sa statement associates the security profile with the interface.

[edit interfaces]
es-0/0/0 {
    unit 0 {
        tunnel {
            source 10.5.5.5;            # tunnel source address
            destination 10.6.6.6;       # tunnel destination address
        }
        family inet {
            ipsec-sa manual-sa1;        # name of security association to apply to packet
            mtu 3800;
            address 10.1.1.8/32 {       # local interface address inside local VPN
                destination 10.2.2.254; # destination address inside remote VPN
            }
        }
    }
}
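The following is an added pre-commit check, not code from Juniper or from this page: it parses an es- interface configuration fragment written in Junos brace syntax and reports the conditions this page states (tunnel source and destination present and valid, an ipsec-sa named under family inet, MTU below the 3900-byte default). The sample configuration is constructed from the example above; parse and check_es_unit are assumed helper names.

```python
import ipaddress
import re

# Constructed sample, written out from the page's example in Junos brace syntax.
SAMPLE_CONFIG = """
es-0/0/0 { unit 0 {
    tunnel { source 10.5.5.5; destination 10.6.6.6; }   # outer IP header addresses
    family inet { ipsec-sa manual-sa1; mtu 3800;
        address 10.1.1.8/32 { destination 10.2.2.254; } } } }
"""
DEFAULT_INTERFACE_MTU = 3900  # the protocol MTU must stay strictly below this


def parse(text):
    """Turn brace-delimited Junos config into nested dicts ('key value;' -> key: value)."""
    stack, node, words = [], {}, []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", text)):
        if tok == ";":                      # leaf statement
            node[words[0]] = " ".join(words[1:]) or True
            words = []
        elif tok == "{":                    # descend into a container
            node[" ".join(words)] = child = {}
            stack.append(node)
            node, words = child, []
        elif tok == "}":
            node = stack.pop()
        else:
            words.append(tok)
    return node


def check_es_unit(unit):
    """List problems that would block a commit or leave the tunnel undefined."""
    problems = []
    tunnel, inet = unit.get("tunnel", {}), unit.get("family inet", {})
    for end in ("source", "destination"):   # both outer-header addresses are required
        try:
            ipaddress.ip_address(tunnel.get(end, ""))
        except ValueError:
            problems.append(f"tunnel {end} missing or not a valid IP address")
    if "ipsec-sa" not in inet:
        problems.append("family inet needs an ipsec-sa statement naming a tunnel-mode SA")
    mtu = inet.get("mtu")
    if mtu is not None and not (mtu.isdigit() and int(mtu) < DEFAULT_INTERFACE_MTU):
        problems.append(f"mtu {mtu} is not a number below {DEFAULT_INTERFACE_MTU}")
    return problems


def check_config(text):
    """Run check_es_unit over every logical unit of every es- interface in the fragment."""
    return {f"{ifn} {uk}": check_es_unit(u)
            for ifn, iface in parse(text).items() if ifn.startswith("es-")
            for uk, u in iface.items() if uk.startswith("unit ")}
```

The inner VPN address and its destination are optional on the page, so the check does not require them.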

Published: 2013-08-29