Configuring IPsec Tunnels Instead of MPLS LSPs Between PE Routers in Layer 3 VPNs

A conventional Layer 3 BGP/MPLS VPN requires the configuration of MPLS label-switched paths (LSPs) between the PE routers. When a PE router receives a packet from a CE router, it performs a lookup in a specific VRF table for the IP destination address and obtains a corresponding MPLS label stack. The label stack is used to forward the packet to the egress PE router, where the bottom label is removed and the packet is forwarded to the specified CE router.

You can provide Layer 3 BGP/MPLS VPN service without an MPLS backbone. Instead of configuring MPLS LSPs between the PE routers, you configure GRE and IPsec tunnels between the PE routers. The MPLS information for the VPN (the VPN label) is carried inside a GRE/IP header, and that packet in turn is protected by an IPsec header. The source address of the IP header is the address of the ingress PE router. The destination address is the BGP next hop, that is, the address of the egress PE router.

Note: The IPsec tunnel requires the use of an ES PIC. The GRE tunnel requires the use of a Tunnel Services PIC.

To configure IPsec between PE routers, follow these steps:

  1. Configure an IPsec tunnel between the PE routers. On each PE router, the source address is that of the local (ingress) PE router and the destination address is that of the remote (egress) PE router:
    es-interface-name {
        unit unit-number {
            tunnel {
                source source-address;
                destination destination-address;
            }
            family inet {
                ipsec-sa sa-esp-dynamic;
                address address;
            }
            family mpls;
        }
    }

    You can include these statements at the following hierarchy levels:

    • [edit interfaces]
    • [edit logical-systems logical-system-name interfaces]
  2. Configure IPsec on the PE router. For information about how to configure IPsec, see the Junos OS Administration Library for Routing Devices.
  3. Configure a GRE tunnel between the PE routers. Again, the source address is that of the local (ingress) PE router, and the destination address is that of the remote (egress) PE router:
    gr-interface-name {
        unit unit-number {
            family inet {
                address address;
            }
            family mpls;
            tunnel {
                source source-address;
                destination destination-address;
            }
        }
    }

    You can include these statements at the following hierarchy levels:

    • [edit interfaces]
    • [edit logical-systems logical-system-name interfaces]
  4. Configure BGP between the PE routers:
    bgp {
        group pe {
            type internal;
            local-address local-address;
            family inet {
                unicast;
            }
            family inet-vpn {
                unicast;
            }
            peer-as as-number;
            neighbor address;
        }
    }

    You can include these statements at the following hierarchy levels:

    • [edit protocols]
    • [edit logical-systems logical-system-name protocols]
  5. Configure the routing instance:
    instance-type vrf;
    interface interface-name;
    route-distinguisher (as-number:number | ip-address:number);
    vrf-import import-policy-name;
    vrf-export export-policy-name;
    protocols {
        bgp {
            group routing-instance-name {
                type external;
                peer-as as-number;
                as-override;
                neighbor address;
            }
        }
    }

    You can include these statements at the following hierarchy levels:

    • [edit routing-instances routing-instance-name]
    • [edit logical-systems logical-system-name routing-instances routing-instance-name]
  6. Configure the policy options:
    policy-statement import-policy-name {
        term 1 {
            from {
                protocol bgp;
                community community-name;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
    policy-statement export-policy-name {
        term 1 {
            from protocol [ bgp direct ];
            then {
                community add community-name;
                accept;
            }
        }
        term 2 {
            then reject;
        }
    }
    community community-name members target:as-number:number;

    You can include these statements at the following hierarchy levels:

    • [edit policy-options]
    • [edit logical-systems logical-system-name policy-options]
  7. Configure a routing table group that copies the interface routes into both inet.0 and inet.3, and add a static route in inet.3 to the remote PE router's BGP address through the GRE interface. VPN routes learned from that PE router resolve their BGP next hop in inet.3, so without this route they remain unusable:
    interface-routes {
        rib-group inet if-rib;
    }
    rib inet.3 {
        static {
            route BGP-address-for-remote-PE next-hop gre-interface-name;
        }
    }
    rib-groups {
        if-rib {
            import-rib [ inet.0 inet.3 ];
        }
    }

    You can include these statements at the following hierarchy levels:

    • [edit routing-options]
    • [edit logical-systems logical-system-name routing-options]
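
The following configuration, in set format, ties the seven steps above together for one PE router (PE1). It is an added example written for this page, not configuration from the original document or from Juniper. Every address, interface name, AS number, policy and community name in it is a constructed assumption: PE1 lo0 192.0.2.1 and PE2 lo0 192.0.2.2 are the BGP peering addresses and GRE endpoints; PE1 ge-0/0/0 (198.51.100.1/30, assumed already configured) faces PE2's 198.51.100.2 and those two addresses are the IPsec endpoints; CE1 (172.16.1.2, AS 65001) attaches on ge-0/0/1; the provider AS is 65000. The [edit security ike] and [edit security ipsec] statements follow the ES PIC IPsec hierarchy that step 2 defers to the Administration Library, and the inet.0 static route at the end is an addition that the page does not show; both are assumptions and are marked as such in the comments. PE2 is the mirror image.

```junos
# PE1 side of an IPsec+GRE Layer 3 VPN transport, set format (constructed example).
# Assumed addressing (not from the original page):
#   PE1 lo0 192.0.2.1, PE2 lo0 192.0.2.2  (IBGP peering addresses and GRE endpoints)
#   PE1 ge-0/0/0 198.51.100.1/30 faces PE2 198.51.100.2  (IPsec endpoints)
#   CE1 on ge-0/0/1, CE address 172.16.1.2, CE AS 65001; provider AS 65000

# Step 1: IPsec tunnel interface on the ES PIC. The ipsec-sa name must match the
# security-association configured under [edit security ipsec] in step 2.
set interfaces es-0/1/0 unit 0 tunnel source 198.51.100.1
set interfaces es-0/1/0 unit 0 tunnel destination 198.51.100.2
set interfaces es-0/1/0 unit 0 family inet ipsec-sa sa-esp-dynamic
set interfaces es-0/1/0 unit 0 family inet address 10.255.1.1/30
set interfaces es-0/1/0 unit 0 family mpls

# Step 2: IKE-negotiated (dynamic) ESP SA with perfect forward secrecy. Hierarchy
# assumed from the ES PIC IPsec documentation; use the strongest algorithms and
# Diffie-Hellman group your release and PIC accept, and never a manual-keyed SA.
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group2
set security ike proposal ike-prop authentication-algorithm sha1
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike policy 198.51.100.2 mode main
set security ike policy 198.51.100.2 proposals ike-prop
set security ike policy 198.51.100.2 pre-shared-key ascii-text "REPLACE-WITH-A-LONG-RANDOM-SECRET"
set security ipsec proposal esp-prop protocol esp
set security ipsec proposal esp-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal esp-prop encryption-algorithm aes-256-cbc
set security ipsec policy esp-policy perfect-forward-secrecy keys group2
set security ipsec policy esp-policy proposals esp-prop
set security ipsec security-association sa-esp-dynamic mode tunnel
set security ipsec security-association sa-esp-dynamic dynamic ipsec-policy esp-policy

# Step 3: GRE tunnel between the loopbacks; it carries the MPLS (VPN-labeled) packets.
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
set interfaces gr-0/2/0 unit 0 tunnel source 192.0.2.1
set interfaces gr-0/2/0 unit 0 tunnel destination 192.0.2.2
set interfaces gr-0/2/0 unit 0 family inet address 10.255.2.1/30
set interfaces gr-0/2/0 unit 0 family mpls

# Step 4: IBGP between the PE routers carrying inet-vpn (VPN-IPv4) routes.
set routing-options autonomous-system 65000
set protocols bgp group pe type internal
set protocols bgp group pe local-address 192.0.2.1
set protocols bgp group pe family inet unicast
set protocols bgp group pe family inet-vpn unicast
set protocols bgp group pe peer-as 65000
set protocols bgp group pe neighbor 192.0.2.2

# Step 5: the VRF for customer vpn-a, with EBGP to the CE router.
set routing-instances vpn-a instance-type vrf
set routing-instances vpn-a interface ge-0/0/1.0
set routing-instances vpn-a route-distinguisher 192.0.2.1:100
set routing-instances vpn-a vrf-import vpn-a-import
set routing-instances vpn-a vrf-export vpn-a-export
set routing-instances vpn-a protocols bgp group ce type external
set routing-instances vpn-a protocols bgp group ce peer-as 65001
set routing-instances vpn-a protocols bgp group ce as-override
set routing-instances vpn-a protocols bgp group ce neighbor 172.16.1.2

# Step 6: route-target policies. Only BGP routes tagged target:65000:100 enter the
# VRF; everything exported from it is tagged the same way and all else is rejected.
set policy-options community vpn-a members target:65000:100
set policy-options policy-statement vpn-a-import term 1 from protocol bgp
set policy-options policy-statement vpn-a-import term 1 from community vpn-a
set policy-options policy-statement vpn-a-import term 1 then accept
set policy-options policy-statement vpn-a-import term 2 then reject
set policy-options policy-statement vpn-a-export term 1 from protocol [ bgp direct ]
set policy-options policy-statement vpn-a-export term 1 then community add vpn-a
set policy-options policy-statement vpn-a-export term 1 then accept
set policy-options policy-statement vpn-a-export term 2 then reject

# Step 7: copy interface routes into inet.0 and inet.3, and resolve the VPN next hop
# (PE2's loopback) over the GRE tunnel in inet.3.
set routing-options interface-routes rib-group inet if-rib
set routing-options rib-groups if-rib import-rib [ inet.0 inet.3 ]
set routing-options rib inet.3 static route 192.0.2.2/32 next-hop gr-0/2/0.0
# Added assumption (not on the page): force the GRE packets addressed to PE2's
# loopback, and the IBGP session itself, through the IPsec tunnel via inet.0.
set routing-options static route 192.0.2.2/32 next-hop es-0/1/0.0
```

The last statement is the one that makes the design secure rather than merely reachable: GRE adds no confidentiality or authentication, so VPN traffic is protected only because the GRE outer destination (192.0.2.2) is reachable in inet.0 exclusively through es-0/1/0.0. If an IGP or another static route later offered a shorter path to 192.0.2.2, the labeled GRE packets would silently bypass IPsec; check with show route 192.0.2.2 table inet.0 after any change to the core routing. To confirm the control plane, show bgp summary should show the inet-vpn session to 192.0.2.2 established, show route table inet.3 should list 192.0.2.2/32 via gr-0/2/0.0, and show route table vpn-a.inet.0 should show the remote CE prefixes with that next hop. The # lines are explanatory; strip them before pasting if your release's load set terminal does not ignore them.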

Published: 2013-07-31