
MIND SAFE

JUNIPER CISCO GRE IPSEC WITH OSPF


I had the privilege of introducing Cisco and Juniper into a new relationship. They were happy, holding hands and exchanging routes, but the relationship was taboo, so they wanted to keep it private. Solution? OSPF over GRE/IPsec.
Here is the topology:

This diagram is helpful when mapping out the configuration:

Here are my notes on how to set this up:

Cisco 3845 HQ
Configure Phase 1

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 123456789 address 33.33.33.33

Configure Phase 2

ip access-list extended LOOPBACK1-TO-SRX-LOOPBACK
 permit ip host 10.255.0.1 host 10.255.0.3
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha-hmac
crypto map CRYPTO-MAP 1 ipsec-isakmp
 set peer 33.33.33.33
 set transform-set TRANSFORM
 set pfs group2
 match address LOOPBACK1-TO-SRX-LOOPBACK

Configure the Loopback (Used as the tunnel source)

interface Loopback1
 ip address 10.255.0.1 255.255.255.255

Configure the Virtual Tunnel Interface

interface Tunnel1
 description *** GRE to SRX ***
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf flood-reduction
 ip ospf 10 area 990
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 10.255.0.3

Configure OSPF

router ospf 10
 area 990 stub

Prevent Recursive Routing

The SRX loopback (10.255.0.3) is the tunnel destination, so it must always be reached through the WAN next hop rather than through a route learned across the tunnel itself; otherwise the router would try to send the encapsulated packets into the very tunnel they belong to, and the tunnel would flap:

ip route 10.255.0.3 255.255.255.255 11.11.11.1

Apply crypto-map

interface GigabitEthernet0/0
 crypto map CRYPTO-MAP

Juniper SRX Remote Site


Configure Phase 1 IKE

set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL dh-group group2
set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PROPOSAL encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROPOSAL lifetime-seconds 28800
set security ike policy IKE-POLICY mode main
set security ike policy IKE-POLICY proposals IKE-PROPOSAL
set security ike policy IKE-POLICY pre-shared-key ascii-text 123456789

Configure Phase 1 IKE Gateways

set security ike gateway HQ-1 ike-policy IKE-POLICY
set security ike gateway HQ-1 address 11.11.11.11
set security ike gateway HQ-1 local-identity inet 33.33.33.33
set security ike gateway HQ-1 external-interface ge-0/0/0.0

Configure Phase 2 IPSec

set security ipsec proposal IPSEC-PROPOSAL protocol esp
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 3600
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group2
set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL

Configure Phase 2 IPSec Peers

set security ipsec vpn HQ-1 bind-interface st0.0
set security ipsec vpn HQ-1 ike gateway HQ-1
set security ipsec vpn HQ-1 ike proxy-identity local 10.255.0.3/32
set security ipsec vpn HQ-1 ike proxy-identity remote 10.255.0.1/32
set security ipsec vpn HQ-1 ike proxy-identity service junos-gre
set security ipsec vpn HQ-1 ike ipsec-policy IPSEC-POLICY
set security ipsec vpn HQ-1 establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350

Configure the Loopback (Used as the tunnel source)

set interfaces lo0 unit 0 family inet address 10.255.0.3/32
set security zones security-zone signaling interfaces lo0.0

Configure the Virtual Tunnel Interface

set interfaces st0 unit 0 family inet
set interfaces gr-0/0/0 unit 0 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 0 tunnel source 10.255.0.3
set interfaces gr-0/0/0 unit 0 tunnel destination 10.255.0.1
set interfaces gr-0/0/0 unit 0 tunnel allow-fragmentation
set interfaces gr-0/0/0 unit 0 family inet mtu 1400
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.2/30
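As an added example (not code from the original post), the Python below works out where the page's MTU and MSS values sit against the per-packet overhead of this exact stack: a 4-byte GRE header inside ESP tunnel mode with AES-256-CBC and HMAC-SHA1-96, with or without the UDP/4500 NAT-T encapsulation that the Port 4500 column in the SRX's IPsec SA output further down the page indicates. Header sizes are protocol constants; 1400 and 1360 are the page's own settings.

```python
# Added example, not from the original post: per-packet overhead of GRE inside
# ESP tunnel mode (AES-256-CBC + HMAC-SHA1-96), the suite both devices use here.
IPV4_HDR = 20     # IPv4 header without options (inner, GRE delivery and outer)
GRE_HDR = 4       # GRE header with no key or checksum, as configured on both sides
ESP_SPI_SEQ = 8   # ESP header: SPI + sequence number
AES_CBC_IV = 16   # explicit IV carried with every AES-CBC packet
AES_BLOCK = 16    # ESP pads (payload + pad_len + next_hdr) up to a block multiple
ESP_TRAILER = 2   # pad-length and next-header bytes
SHA1_96_ICV = 12  # truncated HMAC-SHA1 integrity check value
UDP_HDR = 8       # present only when NAT-T (UDP/4500) encapsulation is in use
TCP_HDR = 20      # TCP header without options

def gre_ipsec_wire_size(inner_len: int, nat_t: bool = False) -> int:
    """Bytes on the WAN for one inner IPv4 packet of inner_len bytes after
    GRE encapsulation and ESP tunnel-mode protection."""
    gre_pkt = IPV4_HDR + GRE_HDR + inner_len          # what ESP actually encrypts
    padded = -(-(gre_pkt + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    esp = ESP_SPI_SEQ + AES_CBC_IV + padded + SHA1_96_ICV
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + esp

def max_inner_mtu(outer_mtu: int = 1500, nat_t: bool = False) -> int:
    """Largest inner packet that still fits outer_mtu without fragmentation."""
    size = outer_mtu
    while gre_ipsec_wire_size(size, nat_t) > outer_mtu:
        size -= 1
    return size

def tcp_mss_for(inner_mtu: int) -> int:
    """MSS at which a full TCP segment exactly fills the tunnel MTU."""
    return inner_mtu - IPV4_HDR - TCP_HDR

def report(inner_mtu: int = 1400) -> dict:
    """The numbers behind the page's 'ip mtu 1400' and 'ip tcp adjust-mss 1360'."""
    return {
        "wire_bytes_no_nat_t": gre_ipsec_wire_size(inner_mtu),
        "wire_bytes_nat_t": gre_ipsec_wire_size(inner_mtu, nat_t=True),
        "max_inner_mtu_no_nat_t": max_inner_mtu(),
        "max_inner_mtu_nat_t": max_inner_mtu(nat_t=True),
        "tcp_mss": tcp_mss_for(inner_mtu),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Without NAT-T a 1400-byte inner packet leaves the router as 1496 bytes, comfortably inside 1500; with NAT-T it becomes 1504 bytes, which is the case the SRX's clear-dont-fragment-bit and allow-fragmentation settings exist to keep moving across a 1500-byte path.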

Configure OSPF

set protocols ospf area 0.0.3.222 stub
set protocols ospf area 0.0.3.222 interface gr-0/0/0.0 flood-reduction
set protocols ospf area 0.0.3.222 interface gr-0/0/0.1 flood-reduction
set protocols ospf area 0.0.3.222 interface vlan.1 passive
set protocols ospf area 0.0.3.222 interface vlan.1 flood-reduction
set security zones security-zone vpn host-inbound-traffic protocols ospf

Configure Security Zones and Policies


For troubleshooting purposes, you might want to permit-all in the default policy and apply more granular control afterwards:

set security policies default-policy permit-all

Sample security zones:

set security zones security-zone public host-inbound-traffic system-services ike
set security zones security-zone signaling host-inbound-traffic system-services ike
set security zones security-zone vpn host-inbound-traffic protocols ospf
set security zones security-zone public interfaces ge-0/0/0.0 host-inbound-traffic system-services any-service
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces gr-0/0/0.0
set security zones security-zone signaling interfaces lo0.0
set security policies from-zone vpn to-zone signaling policy vpn match source-address any
set security policies from-zone vpn to-zone signaling policy vpn match destination-address any
set security policies from-zone vpn to-zone signaling policy vpn match application any
set security policies from-zone vpn to-zone signaling policy vpn then permit
set policy-options prefix-list concentrators 11.11.11.11/32
set firewall family inet filter ingress-from-inet term ipsec-allow from prefix-list concentrators

Configure Routing

set routing-options static route 10.255.0.1/32 next-hop st0.0

Verify

admin@SRX240# run show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
7251638  UP     47ffe2c472e10db5  c14aab1a09ec22b3  Main  11.11.11.11

admin@SRX240# run show security ipsec security-associations
Total active tunnels: 2
ID      Algorithm         SPI       Life:sec/kb    Mon  vsys  Port  Gateway
131073  ESP:aes-256/sha1  4d1c403b  876/ 4608000   -    root  4500  11.11.11.11

admin@SRX240# run show ospf neighbor
Address   Interface   State  ID       Pri  Dead
10.0.0.1  gr-0/0/0.0  Full   1.1.1.7  1    38

Add a redundant tunnel? Sure!

New topology would look like this:

Cisco 3845 Secondary

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 123456789 address 33.33.33.33
ip access-list extended LOOPBACK1-TO-SRX-LOOPBACK
 permit ip host 10.255.0.2 host 10.255.0.3
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha-hmac
crypto map CRYPTO-MAP 1 ipsec-isakmp
 set peer 33.33.33.33
 set transform-set TRANSFORM
 set pfs group2
 match address LOOPBACK1-TO-SRX-LOOPBACK
interface Loopback1
 ip address 10.255.0.2 255.255.255.255
interface Tunnel1
 description *** GRE to SRX ***
 ip address 10.0.0.5 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf flood-reduction
 ip ospf 10 area 990
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 10.255.0.3
router ospf 10
 area 990 stub
ip route 10.255.0.3 255.255.255.255 22.22.22.1
interface GigabitEthernet0/0
 crypto map CRYPTO-MAP

Juniper SRX

set security ike gateway HQ-2 ike-policy IKE-POLICY
set security ike gateway HQ-2 address 22.22.22.22
set security ike gateway HQ-2 local-identity inet 33.33.33.33
set security ike gateway HQ-2 external-interface ge-0/0/0.0
set security ipsec vpn HQ-2 bind-interface st0.1
set security ipsec vpn HQ-2 ike gateway HQ-2
set security ipsec vpn HQ-2 ike proxy-identity local 10.255.0.3/32
set security ipsec vpn HQ-2 ike proxy-identity remote 10.255.0.2/32
set security ipsec vpn HQ-2 ike proxy-identity service junos-gre
set security ipsec vpn HQ-2 ike ipsec-policy IPSEC-POLICY
set security ipsec vpn HQ-2 establish-tunnels immediately
set interfaces gr-0/0/0 unit 1 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 1 tunnel source 10.255.0.3
set interfaces gr-0/0/0 unit 1 tunnel destination 10.255.0.2
set interfaces gr-0/0/0 unit 1 tunnel allow-fragmentation
set interfaces gr-0/0/0 unit 1 family inet mtu 1400
set interfaces gr-0/0/0 unit 1 family inet address 10.0.0.6/30
set interfaces st0 unit 1 family inet
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn interfaces gr-0/0/0.1
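As an added example (not the post's own material, nor a Cisco or Juniper tool), here is a small Python consistency check over the values the page uses for both tunnels: it confirms that the Phase 2 proxy IDs, the GRE endpoints and the /30 tunnel addressing mirror each other between each Cisco router and the SRX, which is where a two-vendor build most often goes wrong. It assumes gr-0/0/0 unit 0 pairs with HQ-1 and unit 1 with HQ-2, as the page lays them out.

```python
import ipaddress
import re

# From the page, per HQ router: crypto ACL entry, Tunnel1 address/mask, tunnel destination.
CISCO = {
    "HQ-1": ("permit ip host 10.255.0.1 host 10.255.0.3", "10.0.0.1 255.255.255.252", "10.255.0.3"),
    "HQ-2": ("permit ip host 10.255.0.2 host 10.255.0.3", "10.0.0.5 255.255.255.252", "10.255.0.3"),
}
# SRX set commands from the page; assumption: gr-0/0/0 unit 0 serves HQ-1, unit 1 serves HQ-2.
SRX = """set security ipsec vpn HQ-1 ike proxy-identity local 10.255.0.3/32
set security ipsec vpn HQ-1 ike proxy-identity remote 10.255.0.1/32
set interfaces gr-0/0/0 unit 0 tunnel source 10.255.0.3
set interfaces gr-0/0/0 unit 0 tunnel destination 10.255.0.1
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.2/30
set security ipsec vpn HQ-2 ike proxy-identity local 10.255.0.3/32
set security ipsec vpn HQ-2 ike proxy-identity remote 10.255.0.2/32
set interfaces gr-0/0/0 unit 1 tunnel source 10.255.0.3
set interfaces gr-0/0/0 unit 1 tunnel destination 10.255.0.2
set interfaces gr-0/0/0 unit 1 family inet address 10.0.0.6/30"""
UNIT_FOR = {"HQ-1": "0", "HQ-2": "1"}

def srx_value(pattern: str, srx: str) -> str:
    match = re.search(pattern, srx)      # first capture of pattern, '' if absent
    return match.group(1) if match else ""

def check_tunnel(name: str, srx: str = SRX) -> list:
    """Mismatches between the Cisco and SRX ends of one tunnel (empty == mirrored)."""
    acl, addr, c_tun_dst = CISCO[name]
    c_src, c_dst = re.match(r"permit \S+ host (\S+) host (\S+)", acl).groups()
    unit, problems = UNIT_FOR[name], []
    # Phase 2 proxy IDs: the SRX 'remote' host is the Cisco ACL source, and vice versa
    if srx_value(rf"vpn {name} ike proxy-identity remote (\S+)", srx) != f"{c_src}/32":
        problems.append("SRX proxy-id remote != Cisco ACL source")
    if srx_value(rf"vpn {name} ike proxy-identity local (\S+)", srx) != f"{c_dst}/32":
        problems.append("SRX proxy-id local != Cisco ACL destination")
    # GRE endpoints: SRX source is the Cisco tunnel destination, SRX destination is Loopback1
    srx_ends = (srx_value(rf"unit {unit} tunnel source (\S+)", srx),
                srx_value(rf"unit {unit} tunnel destination (\S+)", srx))
    if srx_ends != (c_tun_dst, c_src):
        problems.append("GRE endpoints are not mirrored")
    # Both tunnel interface addresses must fall in the same /30
    cisco_net = ipaddress.ip_interface(addr.replace(" ", "/")).network
    srx_addr = srx_value(rf"unit {unit} family inet address (\S+)", srx)
    if not srx_addr or ipaddress.ip_interface(srx_addr).network != cisco_net:
        problems.append("tunnel addresses are not in the same /30")
    return problems

def check_all(srx: str = SRX) -> dict:
    return {name: check_tunnel(name, srx) for name in CISCO}
```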

Helpful references:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB19372
http://myitnotes.info/doku.php?id=en:jobs:vpn_gre_over_ipsec_1
http://expert-mode.blogspot.ca/2013/05/juniper-srx-route-based-vpn-howto.html
http://expert-mode.blogspot.com/2013/05/juniper-srx-ospf-over-gre-over-ipsec.html
Posted in Cisco, Juniper and tagged cisco, gre, ipsec, juniper, vpn on February 1, 2014. 3 Comments

3 COMMENTS

bilunov77
February 26, 2014 at 4:41 pm

Reblogged this on 49514262200010.

REPLY

Alex
August 5, 2014 at 8:48 am

Wow, that was really helpful as I'm new to JUNOS. Thanks, David!

REPLY

varnumd
August 5, 2014 at 7:12 pm

Thanks for reading!

REPLY
