Junos OS


VRF Aware IPSec VPN on Junos possible?

  • 1.  VRF Aware IPSec VPN on Junos possible?

    Posted 06-27-2020 07:46

    Hello

    I have stolen the name "VRF Aware IPSec VPN" from a Cisco document. Is it possible to achieve the same effect on Junos devices? The concept is best described by the sketch below: essentially you have remote sites, reachable via IPsec site-to-site VPN, integrated into an L3 MPLS VPN.

    (sketch: vpn_ipsec_vrfaware.gif)



  • 2.  RE: VRF Aware IPSec VPN on Junos possible?

    Posted 06-27-2020 10:48

    If I have understood it correctly, you need to aggregate and terminate IPsec tunnels from different customers on an MPLS PE in their respective VRFs. Below is an example of the same:

    https://www.juniper.net/documentation/en_US/junos/topics/example/ipsec-statically-assigned-tunnels-over-vrf-configuring.html




  • 3.  RE: VRF Aware IPSec VPN on Junos possible?

    Posted 06-27-2020 13:37

    Thanks,

    I struggle to understand it, however. The example only shows one VRF; it's kind of hard to correlate the mapping of the 3 units being used for the ms-1/2/0 interface like that. How do you add another VRF to this scheme? Do you need 3 additional units or another ms interface, if you are well versed with this?



  • 4.  RE: VRF Aware IPSec VPN on Junos possible?

    Posted 06-27-2020 14:30

    You can ignore ms-1/2/0.0. For every IPsec tunnel you need one interface unit for the inside domain and another one for the outside domain. Simply put, you need to create 2 more units under the same ms-* interface for the next IPsec tunnel. The ms-* interface fpc/pic/port mapping depends on the multiservices MIC placement in your chassis. There is no need to use another MIC slot for another ms-* interface for IPsec. Depending on the scaling number (which would be quite high), you can create multiple IPsec tunnels using the same ms-* interface.



  • 5.  RE: VRF Aware IPSec VPN on Junos possible?
    Best Answer

    Posted 06-28-2020 10:57

    I have tried the config from the link shared above, but it didn't work as is; upon troubleshooting I noticed the config is missing the line


    set services ipsec-vpn rule demo-rule term demo-term then dynamic ipsec-policy demo_ipsec_policy 


    Also, I had to use the inline services interface si-* in place of ms-*, since I was trying it out on vMX 18.


    Here is my full config in case someone needs a reference


    set chassis fpc 0 pic 0 tunnel-services bandwidth 10g
    set chassis fpc 0 pic 0 inline-services bandwidth 10g
    
    set groups IPVPN-PARAMEMTERS services ipsec-vpn ipsec proposal IPVPN-IPSEC-PROPOSAL protocol esp
    set groups IPVPN-PARAMEMTERS services ipsec-vpn ipsec proposal IPVPN-IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
    set groups IPVPN-PARAMEMTERS services ipsec-vpn ipsec proposal IPVPN-IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
    set groups IPVPN-PARAMEMTERS services ipsec-vpn ipsec proposal IPVPN-IPSEC-PROPOSAL lifetime-seconds 3600
    set groups IPVPN-PARAMEMTERS services ipsec-vpn ipsec policy IPVPN-IPSEC-POLICY perfect-forward-secrecy keys group14
    set groups IPVPN-PARAMEMTERS services ipsec-vpn ipsec policy IPVPN-IPSEC-POLICY proposals IPVPN-IPSEC-PROPOSAL
    set groups IPVPN-PARAMEMTERS services ipsec-vpn ike proposal IPVPN-IKE-PROPOSAL authentication-method pre-shared-keys
    set groups IPVPN-PARAMEMTERS services ipsec-vpn ike proposal IPVPN-IKE-PROPOSAL dh-group group2
    set groups IPVPN-PARAMEMTERS services ipsec-vpn ike proposal IPVPN-IKE-PROPOSAL authentication-algorithm sha1
    set groups IPVPN-PARAMEMTERS services ipsec-vpn ike proposal IPVPN-IKE-PROPOSAL encryption-algorithm 3des-cbc
    set groups IPVPN-PARAMEMTERS services ipsec-vpn ike proposal IPVPN-IKE-PROPOSAL lifetime-seconds 28800
    set groups IPVPN-PARAMEMTERS services ipsec-vpn ike policy IPVPN-IKE-POLICY version 2
    set groups IPVPN-PARAMEMTERS services ipsec-vpn ike policy IPVPN-IKE-POLICY proposals IPVPN-IKE-PROPOSAL
    set groups IPVPN-PARAMEMTERS services ipsec-vpn ike policy IPVPN-IKE-POLICY local-id ipv4_addr 172.16.0.1
    set groups IPVPN-PARAMEMTERS services ipsec-vpn ike policy IPVPN-IKE-POLICY remote-id ipv4_addr 172.17.0.1
    set groups IPVPN-PARAMEMTERS services ipsec-vpn ike policy IPVPN-IKE-POLICY remote-id ipv4_addr 172.19.0.1
    set groups IPVPN-PARAMEMTERS services ipsec-vpn ike policy IPVPN-IKE-POLICY pre-shared-key ascii-text "$9$acUDHzF6AuBEc-bY4Djp0BRSeN-wsgJSrYo"
    
    set groups IPVPN-SITE1 services ipsec-vpn rule SITE1-RULE term 1 then remote-gateway 172.17.0.1
    set groups IPVPN-SITE1 services ipsec-vpn rule SITE1-RULE term 1 then dynamic ike-policy IPVPN-IKE-POLICY
    set groups IPVPN-SITE1 services ipsec-vpn rule SITE1-RULE term 1 then dynamic ipsec-policy IPVPN-IPSEC-POLICY
    set groups IPVPN-SITE1 services ipsec-vpn rule SITE1-RULE match-direction input
    set groups IPVPN-SITE1 services service-set SERVICESET-SITE1 next-hop-service inside-service-interface si-0/0/0.1
    set groups IPVPN-SITE1 services service-set SERVICESET-SITE1 next-hop-service outside-service-interface si-0/0/0.2
    set groups IPVPN-SITE1 services service-set SERVICESET-SITE1 ipsec-vpn-options local-gateway 172.16.0.1
    set groups IPVPN-SITE1 services service-set SERVICESET-SITE1 ipsec-vpn-rules SITE1-RULE 
    set groups IPVPN-SITE1 interfaces si-0/0/0 unit 1 description "to remote internet site 1 via IPSec"
    set groups IPVPN-SITE1 interfaces si-0/0/0 unit 1 family inet address 172.18.0.1/30
    set groups IPVPN-SITE1 interfaces si-0/0/0 unit 1 service-domain inside
    set groups IPVPN-SITE1 interfaces si-0/0/0 unit 2 description "to remote internet site 1 via IPSec"
    set groups IPVPN-SITE1 interfaces si-0/0/0 unit 2 family inet
    set groups IPVPN-SITE1 interfaces si-0/0/0 unit 2 service-domain outside
    set groups IPVPN-SITE1 routing-instances IPVPN interface si-0/0/0.1
    set groups IPVPN-SITE1 routing-instances IPVPN routing-options static route 10.10.2.0/30 next-hop si-0/0/0.1
    
    set groups IPVPN-SITE2 services ipsec-vpn rule SITE2-RULE term 1 then remote-gateway 172.19.0.1
    set groups IPVPN-SITE2 services ipsec-vpn rule SITE2-RULE term 1 then dynamic ike-policy IPVPN-IKE-POLICY
    set groups IPVPN-SITE2 services ipsec-vpn rule SITE2-RULE term 1 then dynamic ipsec-policy IPVPN-IPSEC-POLICY
    set groups IPVPN-SITE2 services ipsec-vpn rule SITE2-RULE match-direction input
    set groups IPVPN-SITE2 services service-set SERVICESET-SITE2 next-hop-service inside-service-interface si-0/0/0.3
    set groups IPVPN-SITE2 services service-set SERVICESET-SITE2 next-hop-service outside-service-interface si-0/0/0.4
    set groups IPVPN-SITE2 services service-set SERVICESET-SITE2 ipsec-vpn-options local-gateway 172.16.0.1
    set groups IPVPN-SITE2 services service-set SERVICESET-SITE2 ipsec-vpn-rules SITE2-RULE
    set groups IPVPN-SITE2 interfaces si-0/0/0 unit 3 description "to remote internet site 2 via IPSec"
    set groups IPVPN-SITE2 interfaces si-0/0/0 unit 3 family inet address 172.20.0.1/30
    set groups IPVPN-SITE2 interfaces si-0/0/0 unit 3 service-domain inside
    set groups IPVPN-SITE2 interfaces si-0/0/0 unit 4 description "to remote internet site 2 via IPSec"
    set groups IPVPN-SITE2 interfaces si-0/0/0 unit 4 family inet
    set groups IPVPN-SITE2 interfaces si-0/0/0 unit 4 service-domain outside
    set groups IPVPN-SITE2 routing-instances IPVPN interface si-0/0/0.3
    set groups IPVPN-SITE2 routing-instances IPVPN routing-options static route 10.10.3.0/30 next-hop si-0/0/0.3
    
    set apply-groups IPVPN-PARAMEMTERS
    set apply-groups IPVPN-SITE1
    set apply-groups IPVPN-SITE2
    
    set interfaces ge-0/0/0 unit 0 description "to internet"
    set interfaces ge-0/0/0 unit 0 family inet address 172.16.0.1/30
    set interfaces ge-0/0/1 unit 0 description "to ce"
    set interfaces ge-0/0/1 unit 0 family inet address 10.10.1.1/30
    set routing-options static route 0.0.0.0/0 next-hop 172.16.0.2
    set routing-instances IPVPN instance-type vrf
    set routing-instances IPVPN interface ge-0/0/1.0
    set routing-instances IPVPN route-distinguisher 100:100
    set routing-instances IPVPN vrf-target target:100:100
    set routing-instances IPVPN vrf-table-label
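Two things a practitioner would want next to the configuration above, written here as an added example and not part of the poster's config or of the Juniper document linked earlier: the second VRF that post 3 asked about, built exactly by post 4's rule (one service set plus one inside unit and one outside unit per tunnel, all on the same si-0/0/0), and replacement of the IKE proposal's 3des-cbc / sha1 / dh-group group2 and the IPsec proposal's hmac-sha1-96, which are well below current practice for a PE terminating customer tunnels. The second customer gets its own IKE policy and its own pre-shared key rather than reusing IPVPN-IKE-POLICY, so a PSK leaked from customer A cannot be used to bring up a tunnel whose inside unit lands in customer B's VRF. Everything named CUSTB, the 172.21.0.0/30, 172.23.0.1 and 10.20.2.0/30 addresses, RD/RT 100:200, units 5 and 6, and the PSK placeholder are assumptions; the sha-256 / hmac-sha-256-128 keywords are the standard Junos services ipsec-vpn values but should be checked against the release in use.

```junos
# Harden the poster's proposals in place. These are single-valued leaves,
# so "set" overwrites 3des-cbc, sha1, group2 and hmac-sha1-96 respectively.
set groups IPVPN-PARAMEMTERS services ipsec-vpn ike proposal IPVPN-IKE-PROPOSAL encryption-algorithm aes-256-cbc
set groups IPVPN-PARAMEMTERS services ipsec-vpn ike proposal IPVPN-IKE-PROPOSAL authentication-algorithm sha-256
set groups IPVPN-PARAMEMTERS services ipsec-vpn ike proposal IPVPN-IKE-PROPOSAL dh-group group14
set groups IPVPN-PARAMEMTERS services ipsec-vpn ipsec proposal IPVPN-IPSEC-PROPOSAL authentication-algorithm hmac-sha-256-128

# Second customer (assumed name CUSTB): separate IKE policy and separate PSK.
# It reuses the hardened proposals but never the IPVPN policy or its key.
set groups CUSTB-PARAMETERS services ipsec-vpn ike policy CUSTB-IKE-POLICY version 2
set groups CUSTB-PARAMETERS services ipsec-vpn ike policy CUSTB-IKE-POLICY proposals IPVPN-IKE-PROPOSAL
set groups CUSTB-PARAMETERS services ipsec-vpn ike policy CUSTB-IKE-POLICY local-id ipv4_addr 172.16.0.1
set groups CUSTB-PARAMETERS services ipsec-vpn ike policy CUSTB-IKE-POLICY remote-id ipv4_addr 172.23.0.1
set groups CUSTB-PARAMETERS services ipsec-vpn ike policy CUSTB-IKE-POLICY pre-shared-key ascii-text "<customer-B-psk>"

# One tunnel = one rule + one service set + two units (inside/outside) on the same si-0/0/0.
# Units 1-4 belong to the IPVPN sites above; 5 and 6 are the next free pair (assumed).
set groups CUSTB-SITE1 services ipsec-vpn rule CUSTB-SITE1-RULE term 1 then remote-gateway 172.23.0.1
set groups CUSTB-SITE1 services ipsec-vpn rule CUSTB-SITE1-RULE term 1 then dynamic ike-policy CUSTB-IKE-POLICY
set groups CUSTB-SITE1 services ipsec-vpn rule CUSTB-SITE1-RULE term 1 then dynamic ipsec-policy IPVPN-IPSEC-POLICY
set groups CUSTB-SITE1 services ipsec-vpn rule CUSTB-SITE1-RULE match-direction input
set groups CUSTB-SITE1 services service-set SERVICESET-CUSTB-SITE1 next-hop-service inside-service-interface si-0/0/0.5
set groups CUSTB-SITE1 services service-set SERVICESET-CUSTB-SITE1 next-hop-service outside-service-interface si-0/0/0.6
set groups CUSTB-SITE1 services service-set SERVICESET-CUSTB-SITE1 ipsec-vpn-options local-gateway 172.16.0.1
set groups CUSTB-SITE1 services service-set SERVICESET-CUSTB-SITE1 ipsec-vpn-rules CUSTB-SITE1-RULE
set groups CUSTB-SITE1 interfaces si-0/0/0 unit 5 description "inside: customer B site 1, placed in VRF CUSTB"
set groups CUSTB-SITE1 interfaces si-0/0/0 unit 5 family inet address 172.21.0.1/30
set groups CUSTB-SITE1 interfaces si-0/0/0 unit 5 service-domain inside
set groups CUSTB-SITE1 interfaces si-0/0/0 unit 6 description "outside: customer B site 1, stays in the global table"
set groups CUSTB-SITE1 interfaces si-0/0/0 unit 6 family inet
set groups CUSTB-SITE1 interfaces si-0/0/0 unit 6 service-domain outside
# Only the inside unit goes into the VRF; the outside unit must stay where the
# local-gateway address (ge-0/0/0.0, global table) is reachable.
set groups CUSTB-SITE1 routing-instances CUSTB interface si-0/0/0.5
set groups CUSTB-SITE1 routing-instances CUSTB routing-options static route 10.20.2.0/30 next-hop si-0/0/0.5

# The second VRF itself, with its own RD and route target (assumed values).
set routing-instances CUSTB instance-type vrf
set routing-instances CUSTB route-distinguisher 100:200
set routing-instances CUSTB vrf-target target:100:200
set routing-instances CUSTB vrf-table-label

set apply-groups CUSTB-PARAMETERS
set apply-groups CUSTB-SITE1
```

After commit, the checks that confirm the tunnel terminated in the right place are `show services ipsec-vpn ike security-associations` (one SA per remote gateway, IKEv2), `show services ipsec-vpn ipsec security-associations detail` (the negotiated algorithms should now read AES-256 with SHA-256, not 3DES or SHA-1), `show route table CUSTB.inet.0 10.20.2.0/30` (the customer prefix resolves via si-0/0/0.5 inside the VRF, not in inet.0), and `show services service-sets summary` (each service set bound to its own inside/outside unit pair). The mapping to remember from posts 3 and 4: adding a VRF costs nothing on the si-* side beyond the next two units; what changes per customer is the routing instance the inside unit is placed in and, for isolation, the IKE policy and key.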