Juniper MX with MS-MIC-16G – IPSEC with PSK

These are the steps to set up IPSEC on a Juniper MX with the MS-MIC-16G (multiservices MIC) – these instructions are for an MX80 but will work with any of the MX family with the multiservices MIC. These instructions will set up a route-based VPN – you can then run GRE tunnels over the IPSEC connection and use BGP to control what is routed over IPSEC.

First you must add the inside and outside service interfaces. For this example I will create the logical interfaces 10 (inside) and 11 (outside).

Next you need to define the service set. Ensure that the inside/outside interface units match the interfaces you created above.

You need to define a local gateway for the service set; this should be set to the IP address on the router that your IPSEC peers will connect to (replace 192.0.2.1 with your router's IP):

Next you can add your IPSEC and IKE proposals and the IPSEC policy. For this example I use the following settings:

  • IKE Auth Type: Pre shared key
  • IKE Proposal: DH Group 5 (1536 bit)
  • IKE Auth Algorithm: SHA1
  • IKE Encryption: AES-256-CBC
  • IPSEC Protocol: ESP
  • IPSEC PFS Group: group5 (1536 bit)
  • IPSEC Auth Algorithm: hmac-sha1-96
  • IPSEC Encryption: AES-256-CBC

The lifetime for both IPSEC and IKE is set to 3600 seconds (1 hour).

Next a rule needs to be created. The rule will contain the configurations for the IPSEC peers (each peer being one term). Optionally you can split the peers into different rules; later in the configuration a rule set can be defined and attached to the IPSEC service set. For this example we will name the rule “IPSEC-Rule-1” – you will need to change the following:

  • some-peer-1: Change this to a short name for the peer.
  • 198.51.100.1/32: This is the local prefix for the IPSEC policy. As an example, I set this to the loopback address of this router; GRE tunnels are sourced from this IP. This option MUST be the same IP configured on the remote end as the destination-address (or destination prefix).
  • 198.51.100.2/32: This is the remote prefix for the IPSEC policy. As an example, this will be the loopback address of the destination router; GRE tunnels will go to this destination IP. This option MUST be the same IP configured on the remote end as the source-address (or source prefix).
  • 192.0.2.2: This is the IP address of the remote router – IPSEC connections will be made to this IP.
  • IKE-some-peer: This is the name of the IKE policy for this peer. The IKE policy contains the IKE version and PSK.
  • The dead peer detection options are not required but recommended.

You can then create the IKE policy for the peer. You will need to change the following:

  • MY-LONG-PSK: Set this to the PSK you would like for the IPSEC connection. This must match on both ends.

Now that you have defined an IPSEC rule it must be added to the IPSEC service set:

The last thing to do is add a route for the destination prefix set in the rule configuration (198.51.100.2/32 in this example) via the INSIDE service interface:

The IPSEC configuration is now complete – you can set up the peer end and you should be able to reach the other end of the tunnel. You can now configure the GRE tunnel as normal; ensure that you use the correct source and destination IPs (they should match the source-address and destination-address set in the IPSEC rule).

If you would like to enable logging to help with troubleshooting the IPSEC connections you can configure the logging under the “services ipsec-vpn traceoptions” hierarchy. As an example, to log events to the file “ipsec” I use:
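As an added example (not the post's own configuration), here is how the steps above, from the service interfaces through to the traceoptions, map onto one set-style Junos configuration using the values from this walkthrough. Assumed: the multiservices interface is ms-1/0/0, the names IPSEC-SS, IKE-PROP, IPSEC-PROP and IPSEC-POL are placeholders, and the dead-peer-detection interval/threshold values are illustrative.

```junos
# Inside (unit 10) and outside (unit 11) service interfaces on the MS-MIC
set interfaces ms-1/0/0 unit 10 family inet
set interfaces ms-1/0/0 unit 10 service-domain inside
set interfaces ms-1/0/0 unit 11 family inet
set interfaces ms-1/0/0 unit 11 service-domain outside

# Service set: next-hop style, local gateway is this router's 192.0.2.1
set services service-set IPSEC-SS next-hop-service inside-service-interface ms-1/0/0.10
set services service-set IPSEC-SS next-hop-service outside-service-interface ms-1/0/0.11
set services service-set IPSEC-SS ipsec-vpn-options local-gateway 192.0.2.1
set services service-set IPSEC-SS ipsec-vpn-rules IPSEC-Rule-1

# IKE proposal: PSK, DH group5, SHA1, AES-256-CBC, 1 hour lifetime
# (the post's settings; newer Junos releases also accept stronger choices
#  such as dh-group group14 and authentication-algorithm sha-256)
set services ipsec-vpn ike proposal IKE-PROP authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-PROP dh-group group5
set services ipsec-vpn ike proposal IKE-PROP authentication-algorithm sha1
set services ipsec-vpn ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set services ipsec-vpn ike proposal IKE-PROP lifetime-seconds 3600

# IKE policy for the peer: carries the PSK (must match on both ends)
set services ipsec-vpn ike policy IKE-some-peer proposals IKE-PROP
set services ipsec-vpn ike policy IKE-some-peer pre-shared-key ascii-text MY-LONG-PSK

# IPSEC proposal and policy: ESP, hmac-sha1-96, AES-256-CBC, PFS group5
set services ipsec-vpn ipsec proposal IPSEC-PROP protocol esp
set services ipsec-vpn ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal IPSEC-PROP encryption-algorithm aes-256-cbc
set services ipsec-vpn ipsec proposal IPSEC-PROP lifetime-seconds 3600
set services ipsec-vpn ipsec policy IPSEC-POL perfect-forward-secrecy keys group5
set services ipsec-vpn ipsec policy IPSEC-POL proposals IPSEC-PROP

# Rule: one term per peer; local/remote loopbacks and the peer's public IP
set services ipsec-vpn rule IPSEC-Rule-1 term some-peer-1 from source-address 198.51.100.1/32
set services ipsec-vpn rule IPSEC-Rule-1 term some-peer-1 from destination-address 198.51.100.2/32
set services ipsec-vpn rule IPSEC-Rule-1 term some-peer-1 then remote-gateway 192.0.2.2
set services ipsec-vpn rule IPSEC-Rule-1 term some-peer-1 then dynamic ike-policy IKE-some-peer
set services ipsec-vpn rule IPSEC-Rule-1 term some-peer-1 then dynamic ipsec-policy IPSEC-POL
set services ipsec-vpn rule IPSEC-Rule-1 term some-peer-1 then dead-peer-detection interval 10
set services ipsec-vpn rule IPSEC-Rule-1 term some-peer-1 then dead-peer-detection threshold 5
set services ipsec-vpn rule IPSEC-Rule-1 match-direction input

# Route the remote prefix into the tunnel via the INSIDE service interface
set routing-options static route 198.51.100.2/32 next-hop ms-1/0/0.10

# Optional troubleshooting log written to the file "ipsec"
set services ipsec-vpn traceoptions file ipsec
set services ipsec-vpn traceoptions flag all
```

The `#` lines are explanatory comments for the reader; drop them before pasting into the CLI, and verify the negotiated SAs afterwards with `show services ipsec-vpn ike security-associations` and `show services ipsec-vpn ipsec security-associations`.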

Posted in Juniper.
