Just to help you out too, here is a sample config from the chapter.

1) Create GRE Interface

[EMAIL PROTECTED] show interfaces gr-0/0/0
unit 0 {
    tunnel {
        source 172.16.1.2;
        destination 128.3.3.4;
    }
    family inet;
}

2) Map Traffic to the GRE tunnel

[EMAIL PROTECTED] show routing-options static
route 128.3.3.0/24 next-hop gr-0/0/0.0;

3) Create Unique proposals

ipsec {
    proposal cisco-interop {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm des-cbc;
    }
    policy ipsecgre {
        perfect-forward-secrecy {
            keys group1;
        }
        proposals cisco-interop;
    }
}
ike {
    proposal cisco-interop-ike {
        authentication-method pre-shared-keys;
        dh-group group1;
        authentication-algorithm md5;
        encryption-algorithm des-cbc;
    }
    policy main_ike {
        proposals cisco-interop-ike;
        pre-shared-key ascii-text "$9$JhUi.QF/0BEP5BEcyW8ZUjHP5z36AuO"; ## SECRET-DATA
    }
}

4) Create IPsec Rule

[EMAIL PROTECTED] show services | find ipsec-vpn
ipsec-vpn {
    rule map-gre {
        term 1 {
            from {
                source-address {
                    172.16.1.2/32;
                }
                destination-address {
                    128.3.3.4/32;
                }
            }
            then {
                remote-gateway 128.3.3.4;
                dynamic {
                    ike-policy main_ike;
                    ipsec-policy ipsecgre;
                }
            }
        }
        match-direction output;
    }
}

5) Create Service Set

[EMAIL PROTECTED] show services service-set
ipsec-gre {
    interface-service {
        service-interface sp-0/0/0.0;
    }
    ipsec-vpn-options {
        local-gateway 172.16.1.2;
    }
    ipsec-vpn-rules map-gre;
}

6) Apply to interfaces

[EMAIL PROTECTED] show interfaces
fe-0/0/0 {
    vlan-tagging;
    unit 412 {
        description PBR-to-Wheat;
        vlan-id 412;
        family inet {
            service {
                input {
                    service-set ipsec-gre;
                }
                output {
                    service-set ipsec-gre;
                }
            }
            address 172.16.1.2/24;
        }
    }
}

7) Create Service Filters

[EMAIL PROTECTED]> show configuration firewall
family inet {
    service-filter match-vpn-input {
        term service {
            from {
                source-address {
                    128.3.3.4/32;
                }
                destination-address {
                    172.16.1.2/32;
                }
            }
            then service;
        }
        term skip {
            then skip;
        }
    }
    service-filter match-vpn-output {
        term service {
            from {
                source-address {
                    172.16.1.2/32;
                }
                destination-address {
                    128.3.3.4/32;
                }
            }
            then service;
        }
        term skip {
            then skip;
        }
    }
}

8) Apply Service Filters

[EMAIL PROTECTED]> show configuration interfaces fe-0/0/0 unit 412
description PBR-to-Wheat;
vlan-id 412;
family inet {
    service {
        input {
            service-set ipsec-gre service-filter match-vpn-input;
        }
        output {
            service-set ipsec-gre service-filter match-vpn-output;
        }
    }
    address 172.16.1.2/24;
}

9) Verify it all works

[EMAIL PROTECTED] run show services ipsec-vpn ipsec statistics
PIC: sp-0/0/0, Service set: ipsec-gre
ESP Statistics:
  Encrypted bytes:      11200
  Decrypted bytes:      11200
  Encrypted packets:      100
  Decrypted packets:      100
AH Statistics:
  Input bytes:              0
  Output bytes:             0
  Input packets:            0
  Output packets:           0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

For reference purposes only, here is an example of what the configuration may look like on the Cisco side in the extranet:

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key test address 172.16.1.2
crypto isakmp keepalive 10 2 periodic
!
!
crypto ipsec transform-set esp_des_set esp-des esp-md5-hmac
!
!
crypto map gre-to-ipsec 1 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set esp_des_set
 set pfs group1
 match address 110

access-list 110 permit ip host 128.3.3.4 host 172.16.1.2

interface tunnel1
 tunnel mode gre ip
 tunnel destination 172.16.1.2
 tunnel source 128.3.3.4

interface fast0
 crypto map gre-to-ipsec

Doug Marschke
Principal Technologist
Strategic Networks Training
JNCIE-ER #3, JNCIE-M/T #41, JNCIS-FW, JNAT
www.ietraining.net
(415)902-5702

-----Original Message-----
From: Doug Marschke
Sent: Wednesday, February 06, 2008 9:57 AM
To: 'Jonathan Looney'; Massimiliano Galizia
Cc: juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] Encrypt a GRE tunnels between CSCO and JNPR M7i

I also have an example in here but you might not be able to wait that long:
http://www.amazon.com/JUNOS-Enterprise-Routing-Practical-Certification/dp/0596514425/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1202320197&sr=8-1

In general, steps are:

1) Create GRE interface
2) Map Traffic to GRE tunnel
3) Create IPSec Tunnel (may need to create custom proposals)
4) Create Service Filters to Map GRE packets to the IPsec tunnel
5) Optional: Create service filters if any SFW are applied to bypass traffic

Doug Marschke
Principal Technologist
Strategic Networks Training
JNCIE-ER #3, JNCIE-M/T #41, JNCIS-FW, JNAT
www.ietraining.net
(415)902-5702

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Looney
Sent: Wednesday, February 06, 2008 6:45 AM
To: Massimiliano Galizia
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Encrypt a GRE tunnels between CSCO and JNPR M7i

Juniper has an example of this in the "Advanced Juniper Networks Routing in the Enterprise" course. This is an instructor-led class, which I would recommend. However, if you cannot attend the class, you can download the class materials for free as part of the Fast Track program. There is a link to this program on Juniper's "Education" webpage.

-Jon

On Feb 6, 2008 6:29 AM, Massimiliano Galizia <[EMAIL PROTECTED]> wrote:
> Hello all,
> I've been requested to bring up a test plant with two CSCOs and two M7i
> in this fashion:
>
>          ______          _____
> PCs |-----|CSCO|--|---|JNPR|-----|PCs
>                   |
>          ______   |      _____
> PCs |-----|CSCO|--|---|JNPR|-----|PCs
>
> My customer wants to encrypt with IPSEC the GRE tunnels between the
> boxes. I don't find anything related in KB or doc sites.
> Any suggestion?
> Many thanks in advance
>
> Regards
>
> Max
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
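Added example, not from the thread or from Juniper: a small Python check that parses the output of the `show services ipsec-vpn ipsec statistics` command used in step 9 and flags a tunnel that is not passing traffic or is accumulating replay/authentication/decryption errors. The sample output is constructed from the numbers in the thread; the exact column spacing of the real CLI is an assumption, which is why the parser matches on "name: number" pairs rather than positions.

```python
import re

# Sample CLI output constructed from the "Verify it all works" step in the thread
# (values as posted); the second sample is constructed to show a failing check.
HEALTHY = """\
PIC: sp-0/0/0, Service set: ipsec-gre
ESP Statistics:
  Encrypted bytes: 11200    Decrypted bytes: 11200
  Encrypted packets: 100    Decrypted packets: 100
AH Statistics:
  Input bytes: 0    Output bytes: 0
  Input packets: 0    Output packets: 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""
DEGRADED = (HEALTHY.replace("Decrypted packets: 100", "Decrypted packets: 0")
            .replace("Replay errors: 0", "Replay errors: 7")
            .replace("ESP authentication failures: 0", "ESP authentication failures: 3"))

def parse_ipsec_stats(text):
    """Return {section: {counter: int}} for the ESP, AH and Errors sections."""
    stats, section = {}, None
    for line in text.splitlines():
        head = re.match(r"(ESP Statistics|AH Statistics|Errors):\s*$", line.strip())
        if head:
            section = head.group(1)
            stats[section] = {}
            continue
        if section is None:  # skip the "PIC: ..., Service set: ..." header line
            continue
        # Several counters may share one line, e.g. "Bad headers: 0, Bad trailers: 0"
        for name, value in re.findall(r"([A-Za-z][A-Za-z ]*?):\s*(\d+)", line):
            stats[section][name.strip()] = int(value)
    return stats

def check_tunnel(stats):
    """Return findings as strings; an empty list means the tunnel looks healthy."""
    findings = []
    esp = stats.get("ESP Statistics", {})
    if esp.get("Encrypted packets", 0) == 0:
        findings.append("no packets encrypted: GRE traffic is not hitting the service set")
    if esp.get("Decrypted packets", 0) == 0:
        findings.append("no packets decrypted: nothing is arriving from the peer")
    # Any non-zero error counter (replay, auth, decryption, malformed) is a finding
    for name, count in stats.get("Errors", {}).items():
        if count:
            findings.append(f"{name}: {count}")
    return findings
```

Run it against the output of the command on your own box: `check_tunnel(parse_ipsec_stats(output))` returns `[]` for the healthy sample and three findings for the degraded one.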