Junos

VRF Aware IPSec VPN on Junos possible?

‎06-27-2020 07:45 AM

Hello

I have stolen the name "VRF Aware IPSec VPN" from Cisco documentation. Is it possible to achieve the same effect on Junos devices? The concept is best described by the sketch below: essentially you have remote sites accessible via IPSec site-to-site VPN integrated into an L3 MPLS VPN.

[Image: vpn_ipsec_vrfaware.gif]


Re: VRF Aware IPSec VPN on Junos possible?

‎06-27-2020 10:48 AM

If I have understood it correctly, you need to aggregate and terminate IPSEC tunnels from different customers on an MPLS PE in their respective VRFs. Below is an example of the same:

https://www.juniper.net/documentation/en_US/junos/topics/example/ipsec-statically-assigned-tunnels-o...
Regards,
Nupur Kanoi
Juniper Ambassador
JNCIE-ENT#520, JNCIE-SP#2824, JNCIP-DC & Juniper Ingenious Champion

Re: VRF Aware IPSec VPN on Junos possible?

‎06-27-2020 01:36 PM

Thanks,

I struggle to understand, however. The example only shows one VRF, and it's kind of hard to correlate the mapping of the 3 units being used for the ms-1/2/0 interface like that. How do you add another VRF to this scheme? Do you need 3 additional units or another ms interface, if you are well versed with this?


Re: VRF Aware IPSec VPN on Junos possible?

‎06-27-2020 02:30 PM

You can ignore ms-1/2/0.0. For every IPSEC tunnel you need one interface unit specified for the inside domain and another one for the outside domain. Simply put, you need to create 2 units under the same ms-* interface for the next IPSEC tunnel. The ms-* interface fpc/pic/port mapping depends on the multiservices MIC placement in your chassis. There is no need to use another MIC slot for another ms-* interface for IPSEC. Depending on the scaling number (which would be quite high), you can create multiple IPSEC tunnels using the same ms-*.



Regards,
Nupur Kanoi
Juniper Ambassador
JNCIE-ENT#520, JNCIE-SP#2824, JNCIP-DC & Juniper Ingenious Champion
Solution accepted by topic author basondolepaul (‎06-28-2020 10:58 AM)

Re: VRF Aware IPSec VPN on Junos possible?

‎06-28-2020 10:56 AM

I tried the config from the link shared above, but it didn't work as is; upon troubleshooting I noticed the config is missing the line


set services ipsec-vpn rule demo-rule term demo-term then dynamic ipsec-policy demo_ipsec_policy

Also, I had to use the inline service interface si-* in place of ms-*, since I was trying it out on vMX 18.


Here is my full config in case someone needs a reference.

set chassis fpc 0 pic 0 tunnel-services bandwidth 10g
set chassis fpc 0 pic 0 inline-services bandwidth 10g

set groups IPVPN-PARAMEMTERS services ipsec-vpn ipsec proposal IPVPN-IPSEC-PROPOSAL protocol esp
set groups IPVPN-PARAMEMTERS services ipsec-vpn ipsec proposal IPVPN-IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set groups IPVPN-PARAMEMTERS services ipsec-vpn ipsec proposal IPVPN-IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set groups IPVPN-PARAMEMTERS services ipsec-vpn ipsec proposal IPVPN-IPSEC-PROPOSAL lifetime-seconds 3600
set groups IPVPN-PARAMEMTERS services ipsec-vpn ipsec policy IPVPN-IPSEC-POLICY perfect-forward-secrecy keys group14
set groups IPVPN-PARAMEMTERS services ipsec-vpn ipsec policy IPVPN-IPSEC-POLICY proposals IPVPN-IPSEC-PROPOSAL
set groups IPVPN-PARAMEMTERS services ipsec-vpn ike proposal IPVPN-IKE-PROPOSAL authentication-method pre-shared-keys
set groups IPVPN-PARAMEMTERS services ipsec-vpn ike proposal IPVPN-IKE-PROPOSAL dh-group group2
set groups IPVPN-PARAMEMTERS services ipsec-vpn ike proposal IPVPN-IKE-PROPOSAL authentication-algorithm sha1
set groups IPVPN-PARAMEMTERS services ipsec-vpn ike proposal IPVPN-IKE-PROPOSAL encryption-algorithm 3des-cbc
set groups IPVPN-PARAMEMTERS services ipsec-vpn ike proposal IPVPN-IKE-PROPOSAL lifetime-seconds 28800
set groups IPVPN-PARAMEMTERS services ipsec-vpn ike policy IPVPN-IKE-POLICY version 2
set groups IPVPN-PARAMEMTERS services ipsec-vpn ike policy IPVPN-IKE-POLICY proposals IPVPN-IKE-PROPOSAL
set groups IPVPN-PARAMEMTERS services ipsec-vpn ike policy IPVPN-IKE-POLICY local-id ipv4_addr 172.16.0.1
set groups IPVPN-PARAMEMTERS services ipsec-vpn ike policy IPVPN-IKE-POLICY remote-id ipv4_addr 172.17.0.1
set groups IPVPN-PARAMEMTERS services ipsec-vpn ike policy IPVPN-IKE-POLICY remote-id ipv4_addr 172.19.0.1
set groups IPVPN-PARAMEMTERS services ipsec-vpn ike policy IPVPN-IKE-POLICY pre-shared-key ascii-text "$9$acUDHzF6AuBEc-bY4Djp0BRSeN-wsgJSrYo"

set groups IPVPN-SITE1 services ipsec-vpn rule SITE1-RULE term 1 then remote-gateway 172.17.0.1
set groups IPVPN-SITE1 services ipsec-vpn rule SITE1-RULE term 1 then dynamic ike-policy IPVPN-IKE-POLICY
set groups IPVPN-SITE1 services ipsec-vpn rule SITE1-RULE term 1 then dynamic ipsec-policy IPVPN-IPSEC-POLICY
set groups IPVPN-SITE1 services ipsec-vpn rule SITE1-RULE match-direction input
set groups IPVPN-SITE1 services service-set SERVICESET-SITE1 next-hop-service inside-service-interface si-0/0/0.1
set groups IPVPN-SITE1 services service-set SERVICESET-SITE1 next-hop-service outside-service-interface si-0/0/0.2
set groups IPVPN-SITE1 services service-set SERVICESET-SITE1 ipsec-vpn-options local-gateway 172.16.0.1
set groups IPVPN-SITE1 services service-set SERVICESET-SITE1 ipsec-vpn-rules SITE1-RULE 
set groups IPVPN-SITE1 interfaces si-0/0/0 unit 1 description "to remote internet site 1 via IPSec"
set groups IPVPN-SITE1 interfaces si-0/0/0 unit 1 family inet address 172.18.0.1/30
set groups IPVPN-SITE1 interfaces si-0/0/0 unit 1 service-domain inside
set groups IPVPN-SITE1 interfaces si-0/0/0 unit 2 description "to remote internet site 1 via IPSec"
set groups IPVPN-SITE1 interfaces si-0/0/0 unit 2 family inet
set groups IPVPN-SITE1 interfaces si-0/0/0 unit 2 service-domain outside
set groups IPVPN-SITE1 routing-instances IPVPN interface si-0/0/0.1
set groups IPVPN-SITE1 routing-instances IPVPN routing-options static route 10.10.2.0/30 next-hop si-0/0/0.1

set groups IPVPN-SITE2 services ipsec-vpn rule SITE2-RULE term 1 then remote-gateway 172.19.0.1
set groups IPVPN-SITE2 services ipsec-vpn rule SITE2-RULE term 1 then dynamic ike-policy IPVPN-IKE-POLICY
set groups IPVPN-SITE2 services ipsec-vpn rule SITE2-RULE term 1 then dynamic ipsec-policy IPVPN-IPSEC-POLICY
set groups IPVPN-SITE2 services ipsec-vpn rule SITE2-RULE match-direction input
set groups IPVPN-SITE2 services service-set SERVICESET-SITE2 next-hop-service inside-service-interface si-0/0/0.3
set groups IPVPN-SITE2 services service-set SERVICESET-SITE2 next-hop-service outside-service-interface si-0/0/0.4
set groups IPVPN-SITE2 services service-set SERVICESET-SITE2 ipsec-vpn-options local-gateway 172.16.0.1
set groups IPVPN-SITE2 services service-set SERVICESET-SITE2 ipsec-vpn-rules SITE2-RULE
set groups IPVPN-SITE2 interfaces si-0/0/0 unit 3 description "to remote internet site 2 via IPSec"
set groups IPVPN-SITE2 interfaces si-0/0/0 unit 3 family inet address 172.20.0.1/30
set groups IPVPN-SITE2 interfaces si-0/0/0 unit 3 service-domain inside
set groups IPVPN-SITE2 interfaces si-0/0/0 unit 4 description "to remote internet site 2 via IPSec"
set groups IPVPN-SITE2 interfaces si-0/0/0 unit 4 family inet
set groups IPVPN-SITE2 interfaces si-0/0/0 unit 4 service-domain outside
set groups IPVPN-SITE2 routing-instances IPVPN interface si-0/0/0.3
set groups IPVPN-SITE2 routing-instances IPVPN routing-options static route 10.10.3.0/30 next-hop si-0/0/0.3

set apply-groups IPVPN-PARAMEMTERS
set apply-groups IPVPN-SITE1
set apply-groups IPVPN-SITE2

set interfaces ge-0/0/0 unit 0 description "to internet"
set interfaces ge-0/0/0 unit 0 family inet address 172.16.0.1/30
set interfaces ge-0/0/1 unit 0 description "to ce"
set interfaces ge-0/0/1 unit 0 family inet address 10.10.1.1/30
set routing-options static route 0.0.0.0/0 next-hop 172.16.0.2
set routing-instances IPVPN instance-type vrf
set routing-instances IPVPN interface ge-0/0/1.0
set routing-instances IPVPN route-distinguisher 100:100
set routing-instances IPVPN vrf-target target:100:100
set routing-instances IPVPN vrf-table-label
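A small checker for the structure this thread settles on, written as an added example (it is not Juniper tooling and not the poster's own code). It expands apply-groups and flags the three things that went wrong or were asked about above: a rule term with a dynamic ike-policy but no dynamic ipsec-policy (the missing line the accepted answer found), a service-set unit whose service-domain disagrees with its inside/outside role, and an inside unit that is not placed in any routing instance. SAMPLE, SITE1, SS-SITE1 and IKE-POL are constructed names.

```python
from collections import defaultdict

# Constructed sample in the shape of the accepted answer's config, with two
# planted defects: no 'dynamic ipsec-policy' (the line the author had to add)
# and unit 2 marked 'inside' although the service-set uses it as outside.
SAMPLE = """\
set groups SITE1 services ipsec-vpn rule SITE1-RULE term 1 then dynamic ike-policy IKE-POL
set groups SITE1 services service-set SS-SITE1 next-hop-service inside-service-interface si-0/0/0.1
set groups SITE1 services service-set SS-SITE1 next-hop-service outside-service-interface si-0/0/0.2
set groups SITE1 interfaces si-0/0/0 unit 1 service-domain inside
set groups SITE1 interfaces si-0/0/0 unit 2 service-domain inside
set groups SITE1 routing-instances IPVPN interface si-0/0/0.1
set apply-groups SITE1
"""

def expand(text):
    """Flatten 'set' lines, inlining the statements of each applied group."""
    groups, applied, flat = defaultdict(list), [], []
    for t in (l.split() for l in text.splitlines() if l.startswith("set ")):
        if t[1] == "groups":
            groups[t[2]].append(t[3:])
        elif t[1] == "apply-groups":
            applied += t[2:]
        else:
            flat.append(t[1:])
    return flat + [s for g in applied for s in groups[g]]

def check(text):
    """Return findings; an empty list means the config passes the three checks."""
    st, findings = expand(text), []
    terms, domain, in_vrf = defaultdict(set), {}, set()
    for s in st:
        if s[:3] == ["services", "ipsec-vpn", "rule"] and "dynamic" in s:
            terms[(s[3], s[5])].add(s[s.index("dynamic") + 1])   # ike-/ipsec-policy
        elif s[0] == "interfaces" and "service-domain" in s:
            domain[f"{s[1]}.{s[3]}"] = s[-1]                   # si-0/0/0.1 -> inside
        elif s[0] == "routing-instances" and s[2:3] == ["interface"]:
            in_vrf.add(s[3])
    for (rule, term), pols in terms.items():
        if "ike-policy" in pols and "ipsec-policy" not in pols:
            findings.append(f"rule {rule} term {term}: no dynamic ipsec-policy")
    for s in st:
        if s[:2] == ["services", "service-set"] and s[3:4] == ["next-hop-service"]:
            side, ifl = s[4].split("-")[0], s[5]              # 'inside' or 'outside'
            if domain.get(ifl) != side:
                findings.append(f"{s[2]}: {ifl} used as {side} but service-domain is {domain.get(ifl)}")
            if side == "inside" and ifl not in in_vrf:
                findings.append(f"{s[2]}: inside unit {ifl} is not in any routing instance")
    return findings
```

Calling check(SAMPLE) reports both planted defects; feeding it the full set-format config above (with the 'set groups' lines and 'set apply-groups' intact) returns an empty list.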