> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:juniper-nsp-[EMAIL PROTECTED] On Behalf Of Jonathan Looney
> Sent: 30 October 2007 06:06 PM
> To: Roman Shibrick
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] GRE over IPsec on J-series
>
> Roman,
>
> On newer versions of IOS (12.3(14)T or 12.4(2)T, for example), I
> understand that IOS supports treating IPSec tunnels as interfaces.
> That makes all of this a lot easier, since you can just configure
> IPSec tunnels (without configuring an additional GRE interface).
> However, I can not help you with the Cisco configuration syntax for
> that feature, as I've never configured it.
Hi,

Sample Cisco config:

RTRA(config)# crypto isakmp policy 10
RTRA(config-isakmp)# encryption aes 128
RTRA(config-isakmp)# hash sha
RTRA(config-isakmp)# authentication pre-share
RTRA(config-isakmp)# group 2
RTRA(config-isakmp)# exit
RTRA(config)# crypto isakmp key cisco123 address 192.168.37.1 255.255.255.255 no-xauth
RTRA(config)# crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
RTRA(cfg-crypto-trans)# exit
RTRA(config)# crypto ipsec profile VTI
RTRA(ipsec-profile)# set transform-set RTRtran
RTRA(ipsec-profile)# exit
RTRA(config)# interface tunnel 0
RTRA(config-if)# ip address 10.1.1.1 255.255.255.252
RTRA(config-if)# tunnel source 172.17.38.4
RTRA(config-if)# tunnel destination 192.168.37.1
RTRA(config-if)# tunnel mode ipsec ipv4
RTRA(config-if)# tunnel protection ipsec VTI
RTRA(config-if)# exit
RTRA(config)# interface Fa0/0
RTRA(config-if)# ip address 172.17.38.4 255.255.255.0
RTRA(config-if)# description Connection to ISP
RTRA(config-if)# exit
RTRA(config)# ip route x.x.x.x x.x.x.x tunnel0

Cheers,
---------------------------------------------------------
Peter Nyamukusa
MCSE, MCSA:Messaging, CCIP, CCNA, A+, JNCIA-ER, JNCIS-ER
Technical Manager
Africa Online Swaziland

> To configure a GRE tunnel, which will be encapsulated within IPSec,
> you configure an IPSec tunnel and then a GRE tunnel. The exact
> details depend on whether you will be using the same IP address for
> both the GRE and IPSec tunnel endpoints. It is slightly more
> straightforward if you use different addresses, so I will use that as
> an example.
>
> In this case, we have two routers (aptly named juniper and cisco),
> configured with the following addresses:
>
> juniper
>   ISP interface: 172.17.37.4
>   lo0.0: 192.168.37.1
>
> cisco
>   ISP interface: 172.17.38.4
>   loopback0: 192.168.38.1
>
> We will use the ISP interfaces as the endpoints for the IPSec tunnel
> and use the loopback interfaces as the endpoints for the GRE tunnel.
> On the Juniper side, we'll start by configuring the IPSec tunnel, as
> follows:
>
> [edit interfaces]
> [EMAIL PROTECTED] show sp-0/0/0
> unit 0 {
>     family inet;
> }
> unit 1 {
>     family inet;
>     service-domain outside;
> }
> unit 2 {
>     family inet;
>     service-domain inside;
> }
>
> [edit security]
> [EMAIL PROTECTED] show
> service-set gre-vpn {
>     next-hop-service {
>         inside-service-interface sp-0/0/0.2;
>         outside-service-interface sp-0/0/0.1;
>     }
>     ipsec-vpn-options {
>         local-gateway 172.17.37.4;
>     }
>     ipsec-vpn-rules vpn-to-cisco;
> }
> ipsec-vpn {
>     rule vpn-to-cisco {
>         term gre-tunnel {
>             from {
>                 source-address {
>                     192.168.37.1/32;
>                 }
>                 destination-address {
>                     192.168.38.1/32;
>                 }
>             }
>             then {
>                 remote-gateway 172.17.38.4;
>                 dynamic {
>                     ike-policy main_mode_ike_policy;
>                     ipsec-policy dynamic_ipsec_policy;
>                 }
>             }
>         }
>         match-direction output;
>     }
>     ipsec {
>         proposal cisco_compat {
>             protocol esp;
>             authentication-algorithm hmac-md5-96;
>             encryption-algorithm des-cbc;
>         }
>         policy dynamic_ipsec_policy {
>             perfect-forward-secrecy {
>                 keys group1;
>             }
>             proposals cisco_compat;
>         }
>     }
>     ike {
>         proposal cisco-compat {
>             authentication-method pre-shared-keys;
>             authentication-algorithm md5;
>             dh-group group1;
>             encryption-algorithm des-cbc;
>         }
>         policy main_mode_ike_policy {
>             proposals cisco-compat;
>             pre-shared-key ascii-text use-a-really-secure-key;
>         }
>     }
>     establish-tunnels immediately;
> }
>
> You should customize the above to fit your environment. In particular:
> A) change the IKE/IPSec policies/proposals to use security parameters
> acceptable to your situation.
> B) change the local IKE/IPSec endpoint defined in the [edit security
> service-set gre-vpn ipsec-vpn-options] section.
> C) change the remote IKE/IPSec endpoint defined in the [edit security
> rule vpn-to-gre term gre-tunnel then] section.
> D) change the GRE endpoints defined in the [edit security rule
> vpn-to-gre term gre-tunnel from] section.
> Like the IOS configuration,
> you only define the outbound matching parameters and the inbound
> traffic will be automatically allowed. The source/destination address
> here must exactly match the source/destination allowed by the
> access-list you use in your crypto-map on the IOS side.
> E) change the services interface unit #s, if necessary.
>
> Now, we can configure the GRE tunnel:
>
> [edit]
> [EMAIL PROTECTED] show interfaces gr-0/0/0
> unit 0 {
>     tunnel {
>         source 192.168.37.1;
>         destination 192.168.38.1;
>     }
>     family inet {
>         address 192.168.25.129/30;
>     }
> }
>
> Again, you should customize this:
> A) Use the correct tunnel endpoints.
> B) Use an appropriate IP address. If you want to do the equivalent of
> "ip unnumbered" from the Cisco router, simply configure "family inet"
> with no address.
> C) Change the GRE tunnel interface unit # if necessary.
>
> Now, we configure a route to ensure the traffic to the remote GRE
> endpoint will be encrypted:
>
> [edit routing-options]
> [EMAIL PROTECTED] show static
> route 192.168.38.1/32 next-hop sp-0/0/0.2;
>
> Again, you should customize this:
> A) Use the correct tunnel endpoint.
> B) Use the 'inside' services interface used for the IPSec service set.
>
> At this point, your GRE and IPSec tunnels should come up (assuming a
> compatible configuration on the Cisco side). Once you've confirmed IP
> connectivity, you can configure OSPF to run over the GRE interface by
> simply including the GRE interface in an OSPF area configuration. For
> example:
>
> [edit]
> [EMAIL PROTECTED] show protocols ospf
> area 0.0.0.0 {
>     interface gr-0/0/0.0;
> }
>
> For reference, I believe a compatible Cisco configuration would be:
>
> crypto isakmp policy 1
>  hash md5
>  authentication pre-share
> crypto isakmp key test address 172.17.37.4
> crypto isakmp keepalive 10 2 periodic
> !
> !
> crypto ipsec transform-set esp_des_set esp-des esp-md5-hmac
> !
> !
> crypto map gre-to-juniper 1 ipsec-isakmp
>  set peer 172.17.37.4
>  set transform-set esp_des_set
>  set pfs group1
>  match address 110
>
> access-list 110 permit ip host 192.168.38.1 host 192.168.37.1
>
> interface tunnel1
>  ip address 192.168.25.130 255.255.255.252
>  tunnel mode gre ip
>  tunnel destination 192.168.37.1
>  tunnel source 192.168.38.1
>
> interface <to provider>
>  crypto map gre-to-juniper
>
> router ospf 1
>  network 192.168.25.128 0.0.0.3 area 0
>
> Of course, I provide no guarantees for the Cisco side of the config. :-)
>
> I hope this helps.
>
> -Jon
>
> On 10/30/07, Roman Shibrick <[EMAIL PROTECTED]> wrote:
> > Ok. I understand.
> > Then I shall formulate the question differently.
> >
> > Is there a way to make an IPsec tunnel between a Juniper J-series and a
> > Cisco router with the possibility of routing over the given tunnel, for
> > example OSPF?
> > If somebody has seen examples of a configuration, please give the
> > reference.
> >
> > -----Original Message-----
> > From: Sabri Berisha <[EMAIL PROTECTED]>
> > To: Roman Shibrick <[EMAIL PROTECTED]>
> > Date: Tue, 30 Oct 2007 10:13:53 +0100
> > Subject: Re: [j-nsp] GRE over IPsec on J-series
> >
> > > On Tue, Oct 30, 2007 at 11:36:35AM +0300, Roman Shibrick wrote:
> > >
> > > > Hi,
> > > >
> > > > Is there such a feature on the J-series routers? I have found the
> > > > documentation only for an E-series:
> > > >
> > > > http://www.juniper.net/techpubs/software/erx/junose82/swconfig-ip-services/html/l2tp-over-ipsec-config6.html
> > > >
> > > > Does this mean that the J-series does not support this feature?
> > >
> > > The E-series and the J-series are completely different products.
> > > The documentation for the J-series is at
> > > http://www.juniper.net/techpubs/software/jseries/junos84/index.html
> > >
> > > Thanks,
> > >
> > > --
> > > Sabri
> >
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
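The checker below is an added example; it is not part of the thread and not a Juniper or Cisco tool. It reads a trimmed Junos `ipsec-vpn` fragment and a trimmed IOS crypto-map fragment (both constructed from the configurations Jon quotes above) and reports the mismatches his notes warn about: the Junos `from` selectors must be the mirror image of the IOS crypto ACL, the IOS `set peer` must be the Junos `local-gateway`, and the ESP cipher, HMAC and PFS group must agree. The table that maps IOS transform names onto Junos algorithm names is my own assumption and covers only the DES/3DES/AES and MD5/SHA-1 transforms; the ACL parser also accepts `any` and address/wildcard entries, which goes beyond the host-only ACL in the thread.

```python
"""Cross-check the IPsec selectors and ESP proposals of a Junos ipsec-vpn
configuration against a Cisco IOS crypto-map configuration. Added example,
not from the thread; both samples are constructed from the quoted configs."""
import re

# Constructed sample: the Junos side, trimmed to the statements checked here.
JUNOS_CFG = """
service-set gre-vpn { ipsec-vpn-options { local-gateway 172.17.37.4; } }
ipsec-vpn {
    rule vpn-to-cisco { term gre-tunnel {
        from { source-address { 192.168.37.1/32; } destination-address { 192.168.38.1/32; } }
        then { remote-gateway 172.17.38.4; }
    } }
    ipsec {
        proposal cisco_compat { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm des-cbc; }
        policy dynamic_ipsec_policy { perfect-forward-secrecy { keys group1; } proposals cisco_compat; }
    }
}
"""

# Constructed sample: the IOS crypto-map side.
IOS_CFG = """
crypto ipsec transform-set esp_des_set esp-des esp-md5-hmac
crypto map gre-to-juniper 1 ipsec-isakmp
 set peer 172.17.37.4
 set transform-set esp_des_set
 set pfs group1
 match address 110
access-list 110 permit ip host 192.168.38.1 host 192.168.37.1
"""

# Assumed mapping of IOS transform names onto Junos proposal algorithm names.
IOS_ENC = {"esp-des": "des-cbc", "esp-3des": "3des-cbc", "esp-aes": "aes-128-cbc",
           "esp-aes 128": "aes-128-cbc", "esp-aes 192": "aes-192-cbc", "esp-aes 256": "aes-256-cbc"}
IOS_AUTH = {"esp-md5-hmac": "hmac-md5-96", "esp-sha-hmac": "hmac-sha1-96"}

def _first(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def _block(cfg, name):
    """Body of the first `name { ... }` block in a Junos config, honouring nesting."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{", cfg)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(cfg)):
        depth += {"{": 1, "}": -1}.get(cfg[i], 0)
        if depth == 0:
            return cfg[start:i]
    return cfg[start:]

def parse_junos(cfg):
    """Selector, local gateway and the ESP proposal parameters of the Junos side."""
    frm, ipsec = _block(cfg, "from"), _block(cfg, "ipsec")
    return {
        "local_gw": _first(r"local-gateway\s+([\d.]+);", cfg),
        "src": _first(r"([\d.]+/\d+);", _block(frm, "source-address")),
        "dst": _first(r"([\d.]+/\d+);", _block(frm, "destination-address")),
        "enc": _first(r"encryption-algorithm\s+(\S+);", ipsec),
        "auth": _first(r"authentication-algorithm\s+(\S+);", ipsec),
        "pfs": _first(r"keys\s+(\S+);", ipsec) or "none",
    }

def _acl_endpoint(tokens):
    """Consume one ACL endpoint (host A | any | A wildcard) and return it as a prefix."""
    if tokens[0] == "any":
        return "0.0.0.0/0", tokens[1:]
    addr, wild = (tokens[1], "0.0.0.0") if tokens[0] == "host" else (tokens[0], tokens[1])
    ones = sum(bin(int(o)).count("1") for o in wild.split("."))  # wildcard bits set
    return f"{addr}/{32 - ones}", tokens[2:]

def parse_ios(cfg):
    """Peer, PFS, the referenced transform set and the crypto ACL of the IOS side."""
    ts = _first(r"^\s*set transform-set\s+(\S+)", cfg) or ""
    transforms = (_first(r"^crypto ipsec transform-set\s+%s\s+(.+)$" % re.escape(ts), cfg) or "").split()
    enc = auth = None
    for i, tok in enumerate(transforms):
        if tok.endswith("-hmac"):
            auth = IOS_AUTH.get(tok)
        elif tok in IOS_ENC:  # AES carries an optional key-length token, e.g. "esp-aes 256"
            nxt = transforms[i + 1] if i + 1 < len(transforms) else ""
            enc = IOS_ENC.get(tok + " " + nxt if nxt.isdigit() else tok)
    acl = _first(r"^\s*match address\s+(\d+)", cfg) or ""
    rule = (_first(r"^access-list\s+%s\s+permit ip\s+(.+)$" % re.escape(acl), cfg) or "").split()
    src = dst = None
    if rule:
        src, rest = _acl_endpoint(rule)
        dst, _ = _acl_endpoint(rest)
    return {"peer": _first(r"^\s*set peer\s+([\d.]+)", cfg), "acl_src": src, "acl_dst": dst,
            "enc": enc, "auth": auth, "pfs": _first(r"^\s*set pfs\s+(\S+)", cfg) or "none"}

def compare(j, c):
    """List every mismatch between the two sides; an empty list means they agree."""
    findings = []
    # Junos 'from' selectors describe outbound traffic, so the IOS crypto ACL must mirror them.
    if (j["src"], j["dst"]) != (c["acl_dst"], c["acl_src"]):
        findings.append(f"selector: Junos {j['src']}->{j['dst']} does not mirror IOS ACL {c['acl_src']}->{c['acl_dst']}")
    if j["local_gw"] != c["peer"]:
        findings.append(f"peer: IOS set peer {c['peer']} is not the Junos local-gateway {j['local_gw']}")
    for key in ("enc", "auth", "pfs"):
        if j[key] != c[key]:
            findings.append(f"{key}: Junos {j[key]} vs IOS {c[key]}")
    return findings

if __name__ == "__main__":
    for line in compare(parse_junos(JUNOS_CFG), parse_ios(IOS_CFG)) or ["both sides agree"]:
        print(line)
```

Run it as a script, or import it and feed `compare()` the parsed output of your own two configurations; an empty list means the selectors, peer addresses and proposal parameters line up, and each string in a non-empty list names the side and value that disagree.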