Using IPsec with a Layer 3 VPN
Some key concepts to keep in mind when configuring IPsec within a VPN include the following:
- Add the inside services interface for a next-hop style service set into the routing instance by including the interface sp-fpc/pic/port statement at the [edit routing-instances instance-name] hierarchy level.
- For interface style service sets, add the interface on which you apply the service set and the services interface by including both interfaces at the [edit routing-instances instance-name] hierarchy level.
- To define a routing instance for the local gateway within the service set, include the routing-instance instance-name option at the [edit services service-set service-set-name ipsec-vpn-options local-gateway address] hierarchy level.
The following configuration for an AS PIC on a provider edge (PE) router demonstrates the use of next-hop service sets with an IKE dynamic SA in a VPN routing and forwarding (VRF) routing instance.
[edit]
interfaces {
    so-0/0/0 {
        description "Interface connected to the customer edge (CE) router";
        unit 0 {
            family inet {
                address 10.6.6.6/32;
            }
        }
    }
    so-2/2/0 {
        description "Source IPsec tunnel interface to the network core";
        unit 0 {
            family inet {
                address 10.10.1.1/30;
            }
        }
    }
    sp-3/1/0 {
        description "AS PIC interface";
        unit 0 {
            family inet {
                address 10.7.7.7/32;
            }
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
}
policy-options {
    policy-statement vpn-export-policy {
        then {
            community add community-name;
            accept;
        }
    }
    policy-statement vpn-import-policy {
        term term-name {
            from community community-name;
            then accept;
        }
    }
    community community-name members target:100:20;
}
routing-instances {
    vrf {
        instance-type vrf;
        interface sp-3/1/0.1; # Inside sp interface.
        interface so-0/0/0.0; # Interface that connects to the CE router.
        route-distinguisher route-distinguisher;
        vrf-import vpn-import-policy;
        vrf-export vpn-export-policy;
        routing-options {
            static {
                route ip-address/prefix next-hop so-0/0/0.0; # Routes for the CE router.
                route ip-address/prefix next-hop sp-3/1/0.1; # Routes for IPsec.
            }
        }
    }
}
services {
    service-set service-set-name {
        next-hop-service {
            inside-service-interface sp-3/1/0.1;
            outside-service-interface sp-3/1/0.2;
        }
        ipsec-vpn-options {
            local-gateway 10.10.1.1;
        }
        ipsec-vpn-rules rule-name;
    }
    ipsec-vpn {
        rule rule-name {
            term term-name {
                from {
                    source-address {
                        source-ip-address;
                    }
                }
                then {
                    remote-gateway 10.10.1.2;
                    dynamic {
                        ike-policy ike-policy-name;
                    }
                }
            }
            match-direction direction;
        }
        ike {
            policy ike-policy-name {
                pre-shared-key ascii-text preshared-key;
            }
        }
    }
}
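The configuration above covers the next-hop style service set (the first key concept). The following constructed fragment, added here and not taken from the Junos guide, shows the other two concepts on the same topology: an interface style service set whose applied interface and services interface are both placed in the VRF, and a local gateway resolved in that VRF via the routing-instance option. The service-set name vpn-if-set, the placement of so-2/2/0.0 inside the VRF, and the one-line rendering of the local-gateway statement are assumptions; policy-options and the ipsec-vpn rules are unchanged from the example above and omitted.

```junos
interfaces {
    so-0/0/0 {
        unit 0 {
            family inet {
                service {
                    input {
                        service-set vpn-if-set;   # interface style: service set applied here
                    }
                    output {
                        service-set vpn-if-set;
                    }
                }
                address 10.6.6.6/32;
            }
        }
    }
    so-2/2/0 {
        unit 0 {
            family inet {
                address 10.10.1.1/30;             # tunnel endpoint, placed in the VRF (constructed)
            }
        }
    }
    sp-3/1/0 {
        unit 0 {
            family inet;                          # services interface; no service-domain for interface style
        }
    }
}
routing-instances {
    vrf {
        instance-type vrf;
        interface so-0/0/0.0;   # interface on which the service set is applied
        interface sp-3/1/0.0;   # services interface, added alongside it
        interface so-2/2/0.0;   # core-facing interface so the local gateway lives in this instance
        route-distinguisher route-distinguisher;
        vrf-import vpn-import-policy;
        vrf-export vpn-export-policy;
    }
}
services {
    service-set vpn-if-set {
        interface-service {
            service-interface sp-3/1/0;           # unit 0 assumed
        }
        ipsec-vpn-options {
            local-gateway 10.10.1.1 routing-instance vrf;   # routing-instance option under local-gateway address
        }
        ipsec-vpn-rules rule-name;
    }
}
```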
For more information on VRF routing instances, see the Junos VPNs Configuration Guide. For more information on next-hop service sets, see the Junos Services Interfaces Configuration Guide.