SRX

Hi,

I am trying to configure GRE over IPsec [SRX 240] and check iteroperability with Cisco router.

Can anyone guide me in this or mention me links/reference for this?

I am using Junos 9.6. 

Please help... 

Hi,

please find attached requested configuration. Short explanation how it works:

1) IPSec tunnel is established

2) Static route for endpoint fo GRE tunnel points towards  st0 interface (IPSec)

3) GRE tunnel is established over IPSec tunnel

4) OSPF is estabished over GRE tunnel

5) Each route installed through OSPF/GRE interface will have next-hop gr- interface. Entire traffic to such destinations would be encapsultaed first into GRE and then into IPSec

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it. 

Kind Regards

Michael Pergament 

Attachment(s)

gre-ipsec-srx240.txt   7 KB 1 version

Hi,

Thank you for the reply.

I just have more question.

Can you give me some explanation/ configration on how to configure IPsec vpn, without GRE? Do we have to use st0.0 interface fot that purpose? If so, then example will be quite helpful.

I want to check first normal IPsec vpn and then GRE over IPsec.

Thank you in advance.

Hi,

The problem is first step and that is how to establish IPsec tunnel.

I checked guide at http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/ipsec-vpn-config-overview.html#ipsec-vpn-config-overview. 

I am confused about the use of st0 interface in normal IPsec, i.e. without GRE.

I have just started working on JUNOS   , so please bear this in mind.

Thanks in advance.  

Hey swami - in terms of basic IPsec - the st0 I/F is used when you are creating a route based VPN. If you are doing route based then binding the st0 I/F to the G/W and policy will make it work. You then of couse have to tie a route to the I/F (set routing-options static route xxxx next-hop st0.x)

To get the general IPsec working are you building route or policy based? The steps are the same for buildout of phase 1 and phase 2:

Build Phase 1 proposal (auth and encypt meth)

Build Phase 1 policy (bind proposal to auth data)

Build Phase 1 G/W (bind policy to remote addess)

Build Phase 2 proposal (auth, encypt meth)

Build Phase 2 policy (PFS, keys..., bind proposal)

Then you would either:

Build VPN tunnel (bind phase G/W (ike)  and Phase 2 policy (ipsec) to tunnel) for policy based or bind to st0 for route based. And then you of course have to deal with the policy side of everything.

I am coming off a lot of time on ScreenOS and it seems that there are more steps in JUNOS even though the result is the same and the steps are the same - it just seems a lot longer 😞

If it helps I can send you some sample configs on Monday that I have built to help me get up to speed on JUNOS IPsec.

No GRE in them though 🙂

I am gone until Monday but can send them then if you like!

Thanks for the reply.

It cleared some doubts.

And the config provided is working perfectly for GRE over IPsec with cisco.

Thanks two all for help. 

Hello,

I try to establish ospf over gre over ipsec using this example, but it seems that ospf packets are not send through gre interface. I was trying to setup this connection with ssg5 6.2. This is my config which I think is correct, but it's not working:/

Regards,

pioterbrat

Attachment(s)

konfig.txt   1 KB 1 version

What JUNOS version are you running? Be sure it is latest version as there was an issue with earlier versions in which OSPF over GRE over IPSec was not working. Perhaps 9.6R3 or 10.0R2 as those versions have the fix.

-Richard

I have 10R1.8. Where to find information about this bug??

Regards,

pioterbrat

Contact JTAC for info about this. Otherwise I'd recommend upgrading to 10.0R2.

-Richard

Hi

I want to get ISIS running over the GRE tunnel.  I have essentially the same setup as your example.

my VPN is up, my GRE tunnel is up over the VPN.

I am able to get OSPF running over the GRE tunnel fine and dandy.

but I cannot get the ISIS adjencies up over when the GRE tunnel goes over the VPN.

If I disable the VPN and use the normal LAN routing for the GRE tunnel the ISIS comes up over the GRE tunnel.

When the GRE tunnel goes over the VPN the ISIS stays down.

any ideas? MTU or something?

Hello,

One thing to check is that ISIS cannot handle fragmentation.

JUNOS does "smart ISIS Hello padding" by default where first few Hellos are padded to interface MTU.

And tunnel interface MTU for GRE-in-IPsec is smaller than plain GRE tunnel MTU.

HTH

Rgds

Alex

Trying to get this to work. Im confused about the IP of the GRE tunnel itself. Based on your configuration how would the remote endpoint GRE tunnel look. Does it have an IP in the 10.11.0.0/24 network? I ask because in your config I dont see a route to the 10.11.0.0/24 network.

At this time I have an SSG320 and an SRX 210. I have the IPsec tunnel up, but on the SSG the GRE tunnel interface says "ready" on the SRX it says "up up".

I have done GRE over IPSEC configuring with cisco router. ...IPSEC has been established. But GRE tunnel destination IP

is not pinging. Please help..

Follow nice link

http://www.myitnotes.info/doku.php?id=en:jobs:vpn_gre_over_ipsec_1