[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Examples: Configuring IPsec Services

See the following sections:

Example: Configuring Statically Assigned Tunnels

Following is the configuration of the provider edge (PE) router, demonstrating the usage of next-hop service sets and dynamic SA configuration:

[edit interfaces]
so-0/0/0 {
no-keepalives;
encapsulation cisco-hdlc;
unit 0 {
family inet {
address 10.6.6.6/32;
}
}
}
so-2/2/0 {
description "teller so-0/2/0";
no-keepalives;
encapsulation cisco-hdlc;
unit 0 {
family inet {
address 10.21.1.1/16;
}
}
}
sp-3/1/0 {
unit 0 {
family inet {
address 10.7.7.7/32;
}
}
unit 1 {
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
}
[edit policy-options]
policy-statement vpn-export {
then {
community add vpn-comm;
accept;
}
}
policy-statement vpn-import {
term a {
from community vpn-comm;
then accept;
}
}
community vpn-comm members target:100:20;
[edit routing-instances]
vrf {
instance-type vrf;
interface sp-3/1/0.1; # Inside sp interface
interface so-0/0/0.0;
route-distinguisher 192.168.0.1:1;
vrf-import vpn-import;
vrf-export vpn-export;
routing-options {
static {
route 10.0.0.0/0 next-hop so-0/0/0.0;
route 10.11.11.1/32 next-hop so-0/0/0.0;
route 10.8.8.1/32 next-hop sp-3/1/0.1;
}
}
}
[edit services]
ipsec-vpn {
rule rule-1 {
term term-1 {
then {
remote-gateway 10.21.2.1;
dynamic {
ike-policy ike-policy;
}
}
}
match-direction input;
}
ike {
policy ike-policy {
pre-shared-key ascii-text "$9$ExmcSeMWxdVYBI";
}
}
}
service-set service-set-1 {
ipsec-vpn {
local-gateway 10.21.1.1;
}
ipsec-vpn-rules rule-1;
next-hop-service {
inside-service-interface sp-3/1/0.1;
outside-service-interface sp-3/1/0.2;
}
}

Following is an example for configuring multiple link-type tunnels to static peers using a single next-hop style service set:

services ipsec-vpn {
rule demo-rule {
term term-0 {
from {
ipsec-inside-interface sp-0/0/0.1;
}
then {
remote-gateway 10.2.2.2;
dynamic {
ike-policy demo-ike-policy;
}
}
}
term term-1 {
from {
ipsec-inside-interface sp-0/0/0.3;
}
then {
remote-gateway 10.3.3.3;
dynamic {
ike-policy demo-ike-policy;
}
}
}
}
match-direction input;
}
services {
service-set demo-service-set {
next-hop-service {
inside-service-interface sp-0/0/0.1;
outside-service-interface sp-0/0/0.2;
}
ipsec-vpn-options {
local-gateway 10.1.1.1;
}
ipsec-rules demo-rule;
}
}
interfaces sp-0/0/0 {
unit 0 {
family inet;
}
unit 1 {
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
unit 3 {
family inet;
service-domain inside;
}
unit 4 {
family inet;
service-domain inside;
}
}

Example: Configuring Dynamically Assigned Tunnels

The following examples are based on this network configuration (see Figure 3):

Figure 3: IPsec Dynamic Endpoint Tunneling Topology

Image g017076.gif

The examples in this section show the following configurations:

Note: All the configurations are given for the Juniper Networks router terminating dynamic endpoint connections.

Configuring a Next-Hop Style Service Set with Link-Type Tunnels

access {
profile demo-access-profile client * {
ike {
allowed-proxy-pair {
remote 0.0.0.0/0 local 0.0.0.0/0; # ANY to ANY
}
pre-shared-key {
ascii-text keyfordynamicpeers;
}
interface-id demo-ipsec-interface-id;
}
}
services {
service-set demo-service-set {
next-hop-service {
inside-service-interface sp-1/0/0.1;
outside-service-interface sp-1/0/0.2;
}
ipsec-vpn-options {
local-gateway 10.1.1.1;
ike-access-profile demo-ike-access-profile;
}
}
}
}

Note: Including the ike-access-profile statement enables the software to incorporate implicit proposals for dynamic endpoint authentication. You do not need to configure IKE or IPsec proposals explicitly.

interfaces {
sp-0/0/0 {
unit 0 {
family inet;
}
unit 1 {
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
unit 3 {
family inet;
service-domain inside;
dial-options {
ipsec-interface-id demo-ipsec-interface-id;
dedicated;
}
}
unit 4 {
family inet;
service-domain inside;
dial-options {
ipsec-interface-id demo-ipsec-interface-id;
dedicated;
}
}
}
}

The following results are obtained:

Configuring a Next-Hop Style Service-Set with Policy-Based Tunnels

access {
profile demo-access-profile client * {
ike {
allowed-proxy-pair {
remote 172.16.2.0/24 local 172.16.1.0/24; #N-2 <==> #N-1
remote 172.16.3.0/24 local 172.16.1.0/24; #N-3 <==> #N-1
}
pre-shared-key {
ascii-text keyfordynamicpeers;
}
interface-id demo-ipsec-interface-id;
}
}
}
services {
service-set demo-service-set {
next-hop-service {
inside-service-interface sp-1/0/0.1;
outside-service-interface sp-1/0/0.2;
}
ipsec-vpn-options {
local-gateway 10.1.1.1;
}
ike-access-profile demo-ike-access-profile;
}
}

Note: Including the ike-access-profile statement enables the software to incorporate implicit proposals for dynamic endpoint authentication. You do not need to configure IKE or IPsec proposals explicitly.

interfaces {
sp-0/0/0 {
unit 0 {
family inet;
}
unit 1 {
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
unit 3 {
family inet;
service-domain inside;
dial-options {
ipsec-interface-id demo-ipsec-interface-id;
mode shared;
}
}
}
}
# VRF configuration, if not inet.0
routing-instances {
demo-vrf {
instance-type vrf;
interface sp-0/0/0.1;
interface sp-0/0/0.3;
.....
}
}

The following results are obtained:

[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

[an error occurred while processing this directive]