Mindsafe Wordpress Com 2014-02-01 Juniper Cisco GRE Ipsec Wi


    JUNIPER CISCO GRE IPSEC WITH OSPF

    I had the privilege of introducing Cisco and Juniper into a new relationship. They were happy, holding hands and exchanging routes, but the relationship was taboo, so they wanted to keep it private. Solution? OSPF over GRE/IPSec.

    Here is the topology:


    This diagram is helpful when mapping out the configuration:

    Here are my notes on how to set this up:

    Cisco 3845 HQ

    Configure Phase 1

    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key 123456789 address 33.33.33.33

    Configure Phase 2

    ip access-list extended LOOPBACK1-TO-SRX-LOOPBACK
     permit ip host 10.255.0.1 host 10.255.0.3
    crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha-hmac
    crypto map CRYPTO-MAP 1 ipsec-isakmp
     set peer 33.33.33.33
     set transform-set TRANSFORM
     set pfs group2
     match address LOOPBACK1-TO-SRX-LOOPBACK

    Configure the Loopback (Used as the tunnel source)

    interface Loopback1
     ip address 10.255.0.1 255.255.255.255

    Configure the Virtual Tunnel Interface

    interface Tunnel1
     description *** GRE to SRX ***
     ip address 10.0.0.1 255.255.255.252
     ip mtu 1400
     ip tcp adjust-mss 1360
     ip ospf flood-reduction
     ip ospf 10 area 990
     keepalive 10 3
     tunnel source Loopback1
     tunnel destination 10.255.0.3

    Configure OSPF

    router ospf 10
     area 990 stub

    Prevent Recursive Routing

    ip route 10.255.0.3 255.255.255.255 11.11.11.1

    Apply the crypto map

    interface GigabitEthernet0/0
     crypto map CRYPTO-MAP

    Juniper SRX Remote Site

    Configure Phase 1 IKE

    set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
    set security ike proposal IKE-PROPOSAL dh-group group2
    set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
    set security ike proposal IKE-PROPOSAL encryption-algorithm aes-256-cbc
    set security ike proposal IKE-PROPOSAL lifetime-seconds 28800
    set security ike policy IKE-POLICY mode main
    set security ike policy IKE-POLICY proposals IKE-PROPOSAL
    set security ike policy IKE-POLICY pre-shared-key ascii-text 123456789

    Configure Phase 1 IKE Gateways

    set security ike gateway HQ-1 ike-policy IKE-POLICY
    set security ike gateway HQ-1 address 11.11.11.11
    set security ike gateway HQ-1 local-identity inet 33.33.33.33
    set security ike gateway HQ-1 external-interface ge-0/0/0.0

    Configure Phase 2 IPSec

    set security ipsec proposal IPSEC-PROPOSAL protocol esp
    set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
    set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
    set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 3600
    set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group2
    set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL

    Configure Phase 2 IPSec Peers

    set security ipsec vpn HQ-1 bind-interface st0.0
    set security ipsec vpn HQ-1 ike gateway HQ-1
    set security ipsec vpn HQ-1 ike proxy-identity local 10.255.0.3/32
    set security ipsec vpn HQ-1 ike proxy-identity remote 10.255.0.1/32
    set security ipsec vpn HQ-1 ike proxy-identity service junos-gre
    set security ipsec vpn HQ-1 ike ipsec-policy IPSEC-POLICY
    set security ipsec vpn HQ-1 establish-tunnels immediately
    set security flow tcp-mss ipsec-vpn mss 1350
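    Most tunnels that refuse to come up between two vendors fail on a phase 1 or phase 2 parameter that is spelled differently on each side, so here is an added example (not code from the original post) that reads the Cisco ISAKMP policy, key, crypto ACL and transform-set lines and the Junos proposal, policy and proxy-identity lines shown above, normalises both to the Junos vocabulary, and reports any parameter that differs and any proxy identity that does not mirror its counterpart. It also lists settings that fall below a current baseline (DH group 2, SHA-1 and a short all-digit pre-shared key, all of which this configuration uses). The vocabulary mapping, the baseline and the parse_cisco/parse_junos/compare helpers are this example's own assumptions; SHA-1 is taken as the Cisco IKE hash because the policy above has no hash line and IOS defaults to SHA.

```python
"""Cross-check the Cisco IOS and Junos halves of the HQ-1 tunnel definition.
Added example, not code from the original post: the snippets are copied from
the post; the vocabulary mapping and weak-setting baseline are assumptions."""

# Constructed from the post's Cisco 3845 HQ configuration (phase 1 and 2 only).
CISCO_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 123456789 address 33.33.33.33
ip access-list extended LOOPBACK1-TO-SRX-LOOPBACK
 permit ip host 10.255.0.1 host 10.255.0.3
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha-hmac
crypto map CRYPTO-MAP 1 ipsec-isakmp
 set pfs group2
"""
# Constructed from the post's SRX configuration for gateway HQ-1.
JUNOS_CONFIG = """\
set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL dh-group group2
set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PROPOSAL encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROPOSAL lifetime-seconds 28800
set security ike policy IKE-POLICY pre-shared-key ascii-text 123456789
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group2
set security ipsec vpn HQ-1 ike proxy-identity local 10.255.0.3/32
set security ipsec vpn HQ-1 ike proxy-identity remote 10.255.0.1/32
"""

CISCO_AUTH = {"esp-sha-hmac": "hmac-sha1-96", "esp-md5-hmac": "hmac-md5-96"}  # assumed mapping to Junos names
JUNOS_LEAF = {("ike", "authentication-method"): "ike_auth", ("ike", "dh-group"): "ike_dh",
              ("ike", "authentication-algorithm"): "ike_hash", ("ike", "encryption-algorithm"): "ike_enc",
              ("ike", "lifetime-seconds"): "ike_life", ("ipsec", "encryption-algorithm"): "ipsec_enc",
              ("ipsec", "authentication-algorithm"): "ipsec_auth"}
COMPARED = ("ike_enc", "ike_hash", "ike_auth", "ike_dh", "ike_life", "ipsec_enc", "ipsec_auth", "pfs", "psk")
WEAK = {"ike_dh": {"group1", "group2", "group5"}, "pfs": {"group1", "group2", "group5"},
        "ike_hash": {"md5", "sha1"}, "ipsec_auth": {"hmac-md5-96", "hmac-sha1-96"}}

def parse_cisco(text):
    """Pull the negotiated parameters out of IOS isakmp policy/key, crypto ACL and transform-set lines."""
    p = {"ike_hash": "sha1"}  # IOS default when the isakmp policy has no 'hash' line
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "encr":
            p["ike_enc"] = f"aes-{t[2] if len(t) > 2 else 128}-cbc" if t[1] == "aes" else t[1]
        elif t[0] == "authentication":
            p["ike_auth"] = "pre-shared-keys" if t[1] == "pre-share" else t[1]
        elif t[0] == "group":
            p["ike_dh"] = "group" + t[1]
        elif t[0] == "lifetime":
            p["ike_life"] = int(t[1])
        elif t[:3] == ["crypto", "isakmp", "key"]:
            p["psk"] = t[3]
        elif t[0] == "permit":  # 'permit ip host A host B': A is our proxy ID, B the peer's
            p["proxy_local"], p["proxy_remote"] = t[3] + "/32", t[5] + "/32"
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:  # 'esp-aes [bits] esp-<hash>-hmac'
            p["ipsec_enc"] = f"aes-{t[5] if t[5].isdigit() else 128}-cbc"
            p["ipsec_auth"] = CISCO_AUTH[t[-1]]
        elif t[:2] == ["set", "pfs"]:
            p["pfs"] = t[2]
    return p

def parse_junos(text):
    """Pull the same parameters out of Junos 'set security ...' lines."""
    p = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[:2] != ["set", "security"]:
            continue
        family, leaf, val = t[2], t[-2], t[-1]
        if t[3] == "proposal" and (family, leaf) in JUNOS_LEAF:
            p[JUNOS_LEAF[(family, leaf)]] = int(val) if leaf == "lifetime-seconds" else val
        elif "perfect-forward-secrecy" in t:
            p["pfs"] = val
        elif "pre-shared-key" in t:
            p["psk"] = val
        elif "proxy-identity" in t:
            p["proxy_" + leaf] = val  # leaf is 'local' or 'remote'
    return p

def compare(cisco, junos):
    """Return (mismatches, weak_settings); proxy IDs must mirror, i.e. Cisco source == SRX remote."""
    mismatches = []
    for key in COMPARED:
        if cisco.get(key) != junos.get(key):
            detail = "values differ" if key == "psk" else f"cisco={cisco.get(key)} junos={junos.get(key)}"
            mismatches.append(f"{key}: {detail}")
    if (cisco.get("proxy_local"), cisco.get("proxy_remote")) != (junos.get("proxy_remote"), junos.get("proxy_local")):
        mismatches.append("proxy identities do not mirror each other")
    weak = [f"{k}={v}" for k, v in junos.items() if v in WEAK.get(k, ())]
    psk = junos.get("psk", "")
    if len(psk) < 20 or psk.isdigit():
        weak.append("psk: shorter than 20 characters or digits only")
    return mismatches, weak
```

    For the configuration above, compare() returns no mismatches and five weak-setting findings (DH group 2 for both IKE and PFS, SHA-1 for both IKE and ESP integrity, and the nine-digit pre-shared key); changing a single value on one side, for example the Junos dh-group, comes back as one named mismatch.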

    Configure the Loopback (Used as the tunnel source)

    set interfaces lo0 unit 0 family inet address 10.255.0.3/32
    set security zones security-zone signaling interfaces lo0.0

    Configure the Virtual Tunnel Interface

    set interfaces st0 unit 0 family inet
    set interfaces gr-0/0/0 unit 0 clear-dont-fragment-bit
    set interfaces gr-0/0/0 unit 0 tunnel source 10.255.0.3
    set interfaces gr-0/0/0 unit 0 tunnel destination 10.255.0.1
    set interfaces gr-0/0/0 unit 0 tunnel allow-fragmentation
    set interfaces gr-0/0/0 unit 0 family inet mtu 1400
    set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.2/30
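    The MTU and MSS values on both tunnel interfaces are there to keep the encrypted packet from outgrowing a 1500-byte path, and the following added example (not code from the post) makes that arithmetic explicit for GRE inside ESP tunnel mode with aes-256-cbc and hmac-sha1-96: outer IP, ESP header, IV, block padding, trailer and ICV on top of the GRE and inner IP headers. The header sizes are standard; the 1500-byte path MTU and a GRE header with no key or sequence options are this example's own assumptions. It shows that a 1400-byte tunnel packet becomes 1496 bytes on the wire, but that once NAT traversal adds its UDP header (the verification output later on the page lists the SA on port 4500) the same packet computes to 1504 bytes, which is where the SRX's allow-fragmentation and clear-dont-fragment-bit settings come into play, and why the SRX's 1350-byte MSS clamp fits where the Cisco 1360 is 4 bytes over.

```python
"""Check that the tunnel MTU/MSS values chosen above fit a 1500-byte path.
Added example, not from the original post. Header sizes are standard; the
1500-byte path MTU and a GRE header without key/sequence options are assumed."""
import math

IP_HDR = 20       # IPv4 header without options
TCP_HDR = 20      # TCP header without options
GRE_HDR = 4       # GRE with no key/checksum/sequence (as in the configs above)
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header
NATT_UDP = 8      # UDP encapsulation when NAT-T is in use (UDP/4500)


def esp_tunnel_size(inner_len, block=16, iv=16, icv=12, nat_t=False):
    """Bytes on the wire for an inner packet protected by ESP in tunnel mode.

    Defaults model aes-256-cbc / hmac-sha1-96: 16-byte IV, 16-byte cipher
    block, 96-bit ICV. Padding brings payload + trailer up to a block multiple.
    """
    encrypted = math.ceil((inner_len + ESP_TRAILER) / block) * block
    size = IP_HDR + ESP_HDR + iv + encrypted + icv
    return size + NATT_UDP if nat_t else size


def gre_over_ipsec_size(packet_len, nat_t=False):
    """Wire size of a packet that first gets a GRE + IP header, then ESP tunnel mode."""
    return esp_tunnel_size(packet_len + GRE_HDR + IP_HDR, nat_t=nat_t)


def max_inner_mtu(path_mtu=1500, nat_t=False):
    """Largest tunnel-interface MTU that never forces fragmentation of the outer packet."""
    mtu = path_mtu
    while gre_over_ipsec_size(mtu, nat_t) > path_mtu:
        mtu -= 1
    return mtu


def tcp_mss_for(inner_mtu):
    """MSS to clamp so that a full-size TCP segment exactly fills the tunnel MTU."""
    return inner_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for nat_t in (False, True):
        best = max_inner_mtu(nat_t=nat_t)
        print(f"NAT-T={nat_t}: 1400-byte tunnel packet -> {gre_over_ipsec_size(1400, nat_t)} bytes on the wire; "
              f"largest non-fragmenting tunnel MTU {best}, matching MSS {tcp_mss_for(best)}")
```

    The loop in max_inner_mtu walks down from the path MTU rather than solving for the block boundary in closed form, so the same function works unchanged for a different cipher block size, IV length or ICV length passed through esp_tunnel_size.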

    Configure OSPF

    set protocols ospf area 0.0.3.222 stub
    set protocols ospf area 0.0.3.222 interface gr-0/0/0.0 flood-reduction
    set protocols ospf area 0.0.3.222 interface gr-0/0/0.1 flood-reduction
    set protocols ospf area 0.0.3.222 interface vlan.1 passive
    set protocols ospf area 0.0.3.222 interface vlan.1 flood-reduction
    set security zones security-zone vpn host-inbound-traffic protocols ospf

    Configure Security Zones and Policies

    For troubleshooting purposes, you might want to use permit-all in the default policy and apply more granular control afterwards:

    set security policies default-policy permit-all

    Sample security zones:

    set security zones security-zone public host-inbound-traffic system-services ike
    set security zones security-zone signaling host-inbound-traffic system-services ike
    set security zones security-zone vpn host-inbound-traffic protocols ospf
    set security zones security-zone public interfaces ge-0/0/0.0 host-inbound-traffic system-services any-service
    set security zones security-zone vpn interfaces st0.0
    set security zones security-zone vpn interfaces gr-0/0/0.0
    set security zones security-zone signaling interfaces lo0.0
    set security policies from-zone vpn to-zone signaling policy vpn match source-address any
    set security policies from-zone vpn to-zone signaling policy vpn match destination-address any
    set security policies from-zone vpn to-zone signaling policy vpn match application any
    set security policies from-zone vpn to-zone signaling policy vpn then permit
    set policy-options prefix-list concentrators 11.11.11.11/32
    set firewall family inet filter ingress-from-inet term ipsec-allow from prefix-list concentrators

    Configure Routing

    set routing-options static route 10.255.0.1/32 next-hop st0.0


    Verify

    admin@SRX240# run show security ike security-associations
    Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
    7251638  UP     47ffe2c472e10db5  c14aab1a09ec22b3  Main  11.11.11.11

    admin@SRX240# run show security ipsec security-associations
    Total active tunnels: 2
    ID      Algorithm         SPI       Life:sec/kb    Mon  vsys  Port  Gateway
    131073  ESP:aes-256/sha1  4d1c403b  876/ 4608000   -    root  4500  11.11.11.11

    admin@SRX240# run show ospf neighbor
    Address   Interface   State  ID       Pri  Dead
    10.0.0.1  gr-0/0/0.0  Full   1.1.1.7  1    38
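    The three outputs above are what you check by eye; the following added example (not from the original post) parses them into structured records and turns the check into a function that returns a list of problems, which is the shape you want if this is going to run from a monitoring job or a change-validation script. The sample outputs are the ones shown above (Junos normally prefixes the IPsec SA ID with a < or > direction marker, which the parser accepts but does not require); the expected peer, algorithm and interface are the post's values, and the helper names and the 60-second remaining-lifetime threshold are this example's own. Port 4500 in the IPsec SA row is recorded as NAT traversal being in use. The same function covers the second tunnel added further down by passing 22.22.22.22 and gr-0/0/0.1.

```python
"""Turn the three Junos 'show' outputs above into a pass/fail health check.
Added example, not from the original post; sample outputs are copied from
the post, helper names and thresholds are this example's own."""
import re

# Constructed from the post's 'show security ike security-associations' output.
IKE_SA = """\
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
7251638  UP     47ffe2c472e10db5  c14aab1a09ec22b3  Main  11.11.11.11
"""
# Constructed from the post's 'show security ipsec security-associations' output.
IPSEC_SA = """\
Total active tunnels: 2
ID      Algorithm         SPI       Life:sec/kb    Mon  vsys  Port  Gateway
131073  ESP:aes-256/sha1  4d1c403b  876/ 4608000   -    root  4500  11.11.11.11
"""
# Constructed from the post's 'show ospf neighbor' output.
OSPF_NBR = """\
Address   Interface   State  ID       Pri  Dead
10.0.0.1  gr-0/0/0.0  Full   1.1.1.7  1    38
"""

# Optional '<'/'>' direction marker, then the columns in the order Junos prints them.
IPSEC_RE = re.compile(
    r"^\s*[<>]?(?P<id>\d+)\s+ESP:(?P<alg>\S+)\s+(?P<spi>[0-9a-f]+)\s+"
    r"(?P<sec>\d+)/\s*(?P<kb>\d+|unlim)\s+(?P<mon>\S+)\s+(?P<vsys>\S+)\s+(?P<port>\d+)\s+(?P<gw>\S+)")


def parse_ike(text):
    """One dict per IKE SA row: index, state, mode and remote address."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0].isdigit():
            rows.append({"index": int(t[0]), "state": t[1], "mode": t[4], "peer": t[5]})
    return rows


def parse_ipsec(text):
    """One dict per IPsec SA row; remote port 4500 means NAT traversal is in use."""
    rows = []
    for line in text.splitlines():
        m = IPSEC_RE.match(line)
        if m:
            rows.append({"id": int(m["id"]), "algorithm": m["alg"], "spi": m["spi"],
                         "life_sec": int(m["sec"]), "nat_t": m["port"] == "4500", "gateway": m["gw"]})
    return rows


def parse_ospf(text):
    """One dict per OSPF neighbour row."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 6 and t[5].isdigit():
            rows.append({"address": t[0], "interface": t[1], "state": t[2],
                         "router_id": t[3], "dead": int(t[5])})
    return rows


def health_check(peer, expected_alg, tunnel_if, ike_out, ipsec_out, ospf_out, min_life=60):
    """Return a list of problems; an empty list means IKE, IPsec and OSPF all look healthy."""
    problems = []
    if not any(s["state"] == "UP" and s["peer"] == peer for s in parse_ike(ike_out)):
        problems.append(f"no UP IKE SA with {peer}")
    sas = [s for s in parse_ipsec(ipsec_out) if s["gateway"] == peer]
    if not sas:
        problems.append(f"no IPsec SA with {peer}")
    for s in sas:
        if s["algorithm"] != expected_alg:
            problems.append(f"SA {s['id']} negotiated {s['algorithm']}, expected {expected_alg}")
        if s["life_sec"] < min_life:
            problems.append(f"SA {s['id']} has only {s['life_sec']}s of lifetime left")
    if not any(n["interface"] == tunnel_if and n["state"] == "Full" for n in parse_ospf(ospf_out)):
        problems.append(f"no Full OSPF neighbour on {tunnel_if}")
    return problems


if __name__ == "__main__":
    found = health_check("11.11.11.11", "aes-256/sha1", "gr-0/0/0.0", IKE_SA, IPSEC_SA, OSPF_NBR)
    print("OK" if not found else "\n".join(found))
```

    Checking the negotiated algorithm against the one you configured is the part most people skip: an SA that is UP but running a weaker transform than intended (because a proposal list was wider than it needed to be) looks healthy in the raw output.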

    Add a redundant tunnel? Sure!

    New topology would look like this:

    Cisco 3845 Secondary

    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key 123456789 address 33.33.33.33
    ip access-list extended LOOPBACK1-TO-SRX-LOOPBACK
     permit ip host 10.255.0.2 host 10.255.0.3
    crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha-hmac
    crypto map CRYPTO-MAP 1 ipsec-isakmp
     set peer 33.33.33.33
     set transform-set TRANSFORM
     set pfs group2
     match address LOOPBACK1-TO-SRX-LOOPBACK
    interface Loopback1
     ip address 10.255.0.2 255.255.255.255
    interface Tunnel1
     description *** GRE to SRX ***
     ip address 10.0.0.5 255.255.255.252
     ip mtu 1400
     ip tcp adjust-mss 1360
     ip ospf flood-reduction
     ip ospf 10 area 990
     keepalive 10 3
     tunnel source Loopback1
     tunnel destination 10.255.0.3
    router ospf 10
     area 990 stub
    ip route 10.255.0.3 255.255.255.255 22.22.22.1
    interface GigabitEthernet0/0
     crypto map CRYPTO-MAP

    Juniper SRX

    set security ike gateway HQ-2 ike-policy IKE-POLICY
    set security ike gateway HQ-2 address 22.22.22.22
    set security ike gateway HQ-2 local-identity inet 33.33.33.33
    set security ike gateway HQ-2 external-interface ge-0/0/0.0
    set security ipsec vpn HQ-2 bind-interface st0.1
    set security ipsec vpn HQ-2 ike gateway HQ-2
    set security ipsec vpn HQ-2 ike proxy-identity local 10.255.0.3/32
    set security ipsec vpn HQ-2 ike proxy-identity remote 10.255.0.2/32
    set security ipsec vpn HQ-2 ike proxy-identity service junos-gre
    set security ipsec vpn HQ-2 ike ipsec-policy IPSEC-POLICY
    set security ipsec vpn HQ-2 establish-tunnels immediately
    set interfaces gr-0/0/0 unit 1 clear-dont-fragment-bit
    set interfaces gr-0/0/0 unit 1 tunnel source 10.255.0.3
    set interfaces gr-0/0/0 unit 1 tunnel destination 10.255.0.2
    set interfaces gr-0/0/0 unit 1 tunnel allow-fragmentation
    set interfaces gr-0/0/0 unit 1 family inet mtu 1400
    set interfaces gr-0/0/0 unit 1 family inet address 10.0.0.6/30
    set interfaces st0 unit 1 family inet
    set security zones security-zone vpn interfaces st0.1
    set security zones security-zone vpn interfaces gr-0/0/0.1

    Helpful references:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB19372

    http://myitnotes.info/doku.php?id=en:jobs:vpn_gre_over_ipsec_1

    http://expert-mode.blogspot.ca/2013/05/juniper-srx-route-based-vpn-howto.html

    http://expert-mode.blogspot.com/2013/05/juniper-srx-ospf-over-gre-over-ipsec.html


    Posted in Cisco, Juniper and tagged cisco, gre, ipsec, juniper, vpn on February 1, 2014. 3 Comments

    3 COMMENTS


    bilunov77, February 26, 2014 at 4:41 pm

    Reblogged this on 49514262200010.

    Alex, August 5, 2014 at 8:48 am

    Wow that was really helpful as I'm new to JUNOS. Thanks, David!

    varnumd, August 5, 2014 at 7:12 pm

    Thanks for reading!
