These are the steps to set up IPSEC on a Juniper MX with the MS-MIC-16G (multiservices MIC) – these instructions are for an MX80 but will work with any of the MX family with the multiservices MIC. These instructions will set up a route based VPN – you can then run GRE tunnels over the IPSEC connection and use BGP to control what is routed over IPSEC.
First you must add the inside and outside service interfaces. For this example I will create the logical interfaces 10 (inside) and 11 (outside).
set interfaces ms-0/2/0 unit 10 description "IPSEC (Inside)" set interfaces ms-0/2/0 unit 10 family inet set interfaces ms-0/2/0 unit 10 service-domain inside set interfaces ms-0/2/0 unit 11 description "IPSEC (Outside)" set interfaces ms-0/2/0 unit 11 family inet set interfaces ms-0/2/0 unit 11 service-domain outside
Next you need to define the service set. Ensure that the inside/outside interface units match the interfaces you created above.
set services service-set IPSEC next-hop-service inside-service-interface ms-0/2/0.10 set services service-set IPSEC next-hop-service outside-service-interface ms-0/2/0.11
You need to define a local gateway for the service set, this should be set to the IP address on the router that you will be connecting to from your IPSEC clients (replace 192.0.2.1 with your routers IP):
set services service-set IPSEC ipsec-vpn-options local-gateway 192.0.2.1
Next you can add your IPSEC and IKE proposals and the IPSEC policy. For this example I use the following settings:
- IKE Auth Type: Pre shared key
- IKE Proposal: DH Group 5 (1536 bit)
- IKE Auth Alogorithm: SHA1
- IKE Encryption: AES-256-CBC
- IPSEC Protocol: ESP
- IPSEC PFS Group: group5 (1536 bit)
- IPSEC Auth Alogorithm: hmac-sha1-96
- IPSEC Encryption: AES-256-CBC
The lifetime for both IPSEC and IKE is set to 3600 seconds (1 hour).
set services ipsec-vpn ipsec proposal IPSEC-Proposal protocol esp set services ipsec-vpn ipsec proposal IPSEC-Proposal authentication-algorithm hmac-sha1-96 set services ipsec-vpn ipsec proposal IPSEC-Proposal encryption-algorithm aes-256-cbc set services ipsec-vpn ipsec proposal IPSEC-Proposal lifetime-seconds 3600 set services ipsec-vpn ipsec policy IPSEC-Policy perfect-forward-secrecy keys group5 set services ipsec-vpn ipsec policy IPSEC-Policy proposals IPSEC-Proposal set services ipsec-vpn ike proposal IKE-Proposal authentication-method pre-shared-keys set services ipsec-vpn ike proposal IKE-Proposal dh-group group5 set services ipsec-vpn ike proposal IKE-Proposal authentication-algorithm sha1 set services ipsec-vpn ike proposal IKE-Proposal encryption-algorithm aes-256-cbc set services ipsec-vpn ike proposal IKE-Proposal lifetime-seconds 3600 set services ipsec-vpn establish-tunnels immediately
Next a rule needs to be created. The rule will contain the configurations for the IPSEC peers (each peer being one term). Optionally you can split the peers into different rules, later on the configuration a rule set can be defined and attached to the IPSEC service set. For this example we will name the rule “IPSEC-Rule-1” – you will need to change the following:
- some-peer-1: Change this to a short name for the peer.
- 198.51.100.1/32: This is the local prefix for the IPSEC policy. As an example, I set this to the loopback address of this router, GRE tunnels are sourced from this IP. This option MUST be the same IP configured on the remote end as the destination-address (or destination prefix).
- 198.51.100.2/32: This is the remote prefix for the IPSEC policy. As an example, this will be the loopback address of the destination router. GRE tunnels will go to this destination IP. This option MUST be the same IP configured on the remote end as the source-address (or source prefix).
- 192.0.2.2: This is the IP address of the remote router – IPSEC connections will be made to this IP.
- IKE-some-peer: This is the name of the IKE policy for this peer. The IKE policy contains the IKE version and PSK.
- The dead peer detection options are not required but recommended.
set services ipsec-vpn rule IPSEC-Rule-1 term some-peer-1 from source-address 198.51.100.1/32 set services ipsec-vpn rule IPSEC-Rule-1 term some-peer-1 from destination-address 198.51.100.2/32 set services ipsec-vpn rule IPSEC-Rule-1 term some-peer-1 then remote-gateway 192.0.2.2 set services ipsec-vpn rule IPSEC-Rule-1 term some-peer-1 then dynamic ike-policy IKE-some-peer set services ipsec-vpn rule IPSEC-Rule-1 term some-peer-1 then dynamic ipsec-policy IPSEC-Policy set services ipsec-vpn rule IPSEC-Rule-1 term some-peer-1 then initiate-dead-peer-detection set services ipsec-vpn rule IPSEC-Rule-1 term some-peer-1 then dead-peer-detection interval 30 set services ipsec-vpn rule IPSEC-Rule-1 term some-peer-1 then dead-peer-detection threshold 2
You can then create the IKE policy for the peer. You will need to change the following:
- MY-LONG-PSK: Set this to the PSK you would like for the IPSEC connection. This must match on both ends.
set services ipsec-vpn ike policy IKE-some-peer version 2 set services ipsec-vpn ike policy IKE-some-peer proposals IKE-Proposal set services ipsec-vpn ike policy IKE-some-peer pre-shared-key ascii-text MY-LONG-PSK
Now that you have defined an IPSEC rule it must be added to the IPSEC service set:
set service-set IPSEC ipsec-vpn-rules IPSEC-Rule-1
The last thing to do is add a route for the destination prefix set in the rule configuration (198.51.100.2/32 in this example) via the INSIDE service interface:
set routing-options static route 198.51.100.2/32 next-hop ms-0/2/0.10
The IPSEC configuration is now complete – you can set up the peer end and you should be able to reach the other end of the tunnel. You can now configure the GRE tunnel as normal, ensure that you use the correct source and destination IP’s (it should match the source-address and destination-address set in the IPSEC rule).
If you would like to enable logging to help with trouble shooting the IPSEC connections you can configute the logging under the “services ipsec-vpn traceoptions” hierarchy. As an example, to log events to the file “ipsec” I use:
set services ipsec-vpn traceoptions file ipsec set services ipsec-vpn traceoptions file size 10m set services ipsec-vpn traceoptions file files 10 set services ipsec-vpn traceoptions file world-readable set services ipsec-vpn traceoptions level info set services ipsec-vpn traceoptions flag all