
Route based IPsec on MX

‎01-22-2016 09:07 AM

Can anyone tell me if it is possible to configure a route based (not policy based) IPsec tunnel on the MX with MS-MIC? This is fairly straightforward on an SRX and seems to be the preferred method.

JNCIE-ENT #552, JNCIP-SEC, JNCIS-SP, JNCSP-ENT, JNCDA, CCNP, CCDA

Re: Route based IPsec on MX

‎01-22-2016 11:24 PM

Hello,

Yes it is possible. Have You tried the documentation?

http://www.juniper.net/documentation/en_US/junos15.1/topics/example/ipsec-configuring-on-ms-mic.html

The above is the top link if You google "juniper mx ipsec"

https://www.google.co.uk/search?&q=juniper+mx+ipsec

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: Route based IPsec on MX

‎01-25-2016 06:33 AM

Hi,

Yes I have seen that document and it appears to be a policy based configuration. I am looking to use an IPsec tunnel to connect an SRX210 to an MX104. I want to use a route based VPN that allows me to run a routing protocol across it. The configuration on the link uses policy to direct traffic across the tunnel rather than binding an interface that will become one end of a point to point link. On an SRX this would be the st0 interface.

Solution
Accepted by topic author Regalis
‎01-26-2016 12:11 PM

Re: Route based IPsec on MX

‎01-25-2016 06:58 AM

Hello,

@Regalis wrote:

"Yes I have seen that document and it appears to be a policy based configuration."

It is not. It is route-based IPSec and SRX-style policy-based IPSec is not supported on MX.

It is true that You have to configure a policy to populate proxy-ids BUT You HAVE to use routing to direct traffic into the MX IPSec interface.

@Regalis wrote:

"I want to use a route based VPN that allows me to run a routing protocol across it."

This config allows You to run Your chosen protocol, even multicast-based such as OSPFv2, without additional GRE encaps, unlike CSCO.

@Regalis wrote:

"The configuration on the link uses policy to direct traffic across the tunnel"

This policy is just for proxy-id creation.

@Regalis wrote:

"binding an interface that will become one end of a point to point link. On an SRX this would be the st0 interface."

The MX MS-MIC equivalent is the ms-x/y/z.w logical interface which is marked as "inside" in the config.

HTH

Thx

Alex

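Added example, not part of the thread or of Juniper's documentation: a set-style MX configuration matching what the reply above describes, with a next-hop service set whose "inside" ms- unit plays the role of st0 and carries OSPF. The interface ms-1/0/0, the unit numbers, all addresses (documentation ranges), object names, algorithm choices and the key placeholder are assumptions.

```junos
# Inside unit: the st0 equivalent. It carries the tunnel's point-to-point address.
set interfaces ms-1/0/0 unit 1 family inet address 10.255.0.1/30
set interfaces ms-1/0/0 unit 1 service-domain inside
# Outside unit: encrypted traffic leaves the service PIC through this unit.
set interfaces ms-1/0/0 unit 2 family inet
set interfaces ms-1/0/0 unit 2 service-domain outside

# Next-hop style service set: traffic reaches IPsec because a route points
# at ms-1/0/0.1, not because a policy matched it on a transit interface.
set services service-set SRX-VPN next-hop-service inside-service-interface ms-1/0/0.1
set services service-set SRX-VPN next-hop-service outside-service-interface ms-1/0/0.2
set services service-set SRX-VPN ipsec-vpn-options local-gateway 192.0.2.1
set services service-set SRX-VPN ipsec-vpn-rules SRX-RULE

# The rule names the peer and the IKE/IPsec policies. No "from" clause is
# given here; add "from source-address" / "from destination-address" if the
# SRX peer is configured with specific proxy-ids.
set services ipsec-vpn rule SRX-RULE term 1 then remote-gateway 198.51.100.1
set services ipsec-vpn rule SRX-RULE term 1 then dynamic ike-policy IKE-POL
set services ipsec-vpn rule SRX-RULE term 1 then dynamic ipsec-policy IPSEC-POL
set services ipsec-vpn rule SRX-RULE match-direction input

# Phase 1. The key below is a placeholder, not a real secret.
set services ipsec-vpn ike proposal IKE-PROP authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-PROP dh-group group14
set services ipsec-vpn ike proposal IKE-PROP authentication-algorithm sha-256
set services ipsec-vpn ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set services ipsec-vpn ike policy IKE-POL proposals IKE-PROP
set services ipsec-vpn ike policy IKE-POL pre-shared-key ascii-text "REPLACE-WITH-SHARED-SECRET"

# Phase 2.
set services ipsec-vpn ipsec proposal IPSEC-PROP protocol esp
set services ipsec-vpn ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha-256-128
set services ipsec-vpn ipsec proposal IPSEC-PROP encryption-algorithm aes-256-cbc
set services ipsec-vpn ipsec policy IPSEC-POL perfect-forward-secrecy keys group14
set services ipsec-vpn ipsec policy IPSEC-POL proposals IPSEC-PROP

# Routing protocol over the tunnel: OSPF runs on the inside unit, with the
# SRX end assumed to be st0.0 at 10.255.0.2/30 in the same area.
set protocols ospf area 0.0.0.0 interface ms-1/0/0.1
```

After commit, `show services ipsec-vpn ipsec security-associations` and `show ospf neighbor` confirm that the tunnel is up and that the adjacency formed across it.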

Re: Route based IPsec on MX

‎01-25-2016 07:11 AM

Oh, OK, so is it possible to put an address on the ms-x/y/z.a interface under family inet?


Re: Route based IPsec on MX

‎01-25-2016 09:01 AM

Hello,

Yes it is possible.

HTH

Thx

Alex


Re: Route based IPsec on MX

‎01-26-2016 12:11 PM

Excellent, thanks.


Re: Route based IPsec on MX

‎09-09-2018 05:39 PM

Hi all,

Does it work to put an IP address on interface ms-x/y/z, so that IPsec between SRX and MX can build an IP point-to-point link on interface st0 (SRX) and interface ms (MX)?


Re: Route based IPsec on MX

a week ago

Hi Rahman,

Yes, you can add an IP address on the ms interface for a p2p connection from MX to SRX, but you need to configure a rule to direct the traffic toward the tunnel.

Regards