Configuring IPSec
Problem
You need a secure method of sending information between sites.
Solution
Start by defining the IPSec SA between your two intranet sites. On each security router, define identical SAs:
[edit security ipsec]
aviva@router1# edit security-association site1-site2
[edit security ipsec security-association site1-site2]
aviva@router1# set description "SA from site1 to site2"
aviva@router1# set mode tunnel
aviva@router1# set manual direction bidirectional protocol bundle
aviva@router1# set manual direction bidirectional spi 400
aviva@router1# set manual direction bidirectional auxiliary-spi 400
aviva@router1# set manual direction bidirectional authentication algorithm hmac-sha1-96
aviva@router1# set manual direction bidirectional authentication key ascii-text $1991poPPi
aviva@router1# set manual direction bidirectional encryption algorithm des-cbc
aviva@router1# set manual direction bidirectional encryption key ascii-text $1991poPPi
Then configure a firewall filter that accepts all traffic returning from the remote site:
[edit firewall filter traffic-out-of-ipsec-tunnel]
aviva@router1# set term out-of-ipsec-tunnel from source-address 10.0.97.0/24
aviva@router1# set term out-of-ipsec-tunnel from destination-address 10.0.12.0/24
aviva@router1# set term out-of-ipsec-tunnel then accept
Finally, apply the filter on the ES interface, whose tunnel runs from the local security gateway to the remote security gateway:
[edit interfaces es-3/0/0]
aviva@router1# set unit 0 tunnel source 10.0.12.33
aviva@router1# set unit 0 tunnel destination 10.0.97.62
aviva@router1# set unit 0 family inet ipsec-sa site1-site2
aviva@router1# set unit 0 family inet filter input traffic-out-of-ipsec-tunnel
Discussion
This recipe shows how to set up IPSec for M-series and T-series routers that have ES PICs. The setup process is fairly involved. There are three basic components to the configuration: defining the SA and the tunnel to carry the secured traffic, creating firewall filters to place traffic going from one site to the other into the tunnel, and configuring the interfaces to apply the filters and create the tunnel on the ES PIC. This recipe shows how to set up a manual SA, in which you specify all SA parameters in the configuration. While setting up SAs manually can be manageable in small networks, it does not scale well: every key change has to be made by hand on both routers at the same time. As the network size increases, having IKE negotiate SAs dynamically is a better option (see Recipe 3.2).
The SA is bidirectional, so the same SPI, authentication key, and encryption key are used for traffic in both directions through the IPSec tunnel. To use different SPIs and keys in each direction, configure manual direction inbound and manual direction outbound statements instead, each with its own SPI and keys; the inbound SA on one router must then match the outbound SA on the other.
To start, define the SA. Because you have two routers acting as the security gateways between your two sites, you use tunnel mode. For the other SA parameters, this example chooses to use both the AH and ESP protocols (specified with the protocol bundle statement), HMAC-SHA1-96 authentication, DES-CBC encryption, and an SPI value of 400. The auxiliary SPI is needed because the bundle carries two protocols, AH and ESP, and each needs its own SPI. Both security gateway routers must have the same SA configuration.
A few caveats matter in practice. DES-CBC has a 56-bit key and is no longer considered secure; for a new tunnel choose 3des-cbc, which the ES PIC also supports. Do not reuse one secret for both the authentication and the encryption key as this example does for brevity; generate a separate random key for each. JUNOS also requires an ascii-text manual key to have a fixed length for each algorithm (20 characters for hmac-sha1-96, 8 for des-cbc, 24 for 3des-cbc), and the commit fails if the length is wrong. Finally, a manual SA never rekeys and, as the show output later in this recipe confirms, provides no anti-replay protection, so the same key protects all traffic until you change it by hand on both routers.
Next, you create a firewall filter to accept traffic returning from the remote site and you apply it to the ES interface. (The filter that selects the outbound site1-to-site2 traffic for the tunnel is not shown in this recipe.) You need to set up similar firewall filters on the remote security gateway router.
Finally, you configure the router interfaces. On the ES interface facing the remote security gateway router, configure the tunnel on the logical unit, and for the IPv4 protocol family, associate the SA and apply the traffic-out-of-ipsec-tunnel filter. Set up the remote router in a similar fashion.
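Because a manual SA is never negotiated, the only thing standing between you and a tunnel that silently fails to commit (wrong key length) or that passes traffic under weak settings (DES, one shared secret for both algorithms) is a review of the parameters before you type them on both routers. The following script is an added example, not code from the JUNOS Cookbook: it represents the SA as a plain dictionary mirroring the [edit security ipsec] statements, applies the checks described above, and compares the two gateways' definitions. The key-length table is the JUNOS rule for ascii-text manual keys; the placeholder key strings in HARDENED_SA are constructed for the example.

```python
import secrets
import string

# Added example, not from the JUNOS Cookbook: sanity-check a manual IPSec SA
# definition before committing it on both security gateways. The SA is a dict
# mirroring the [edit security ipsec] statements. An ascii-text manual key in
# JUNOS must have a fixed length per algorithm (16 chars hmac-md5-96,
# 20 hmac-sha1-96, 8 des-cbc, 24 3des-cbc); the commit fails otherwise.

ASCII_KEY_LEN = {
    "hmac-md5-96": 16,
    "hmac-sha1-96": 20,
    "des-cbc": 8,
    "3des-cbc": 24,
}
OBSOLETE_ENCRYPTION = {"des-cbc"}   # 56-bit DES: do not use for new tunnels


def random_ascii_key(alg):
    """Generate an ascii-text key of exactly the length the algorithm requires."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(ASCII_KEY_LEN[alg]))


def check_manual_sa(sa):
    """Return a list of problems with one SA definition; an empty list means OK."""
    problems = []
    if sa["mode"] != "tunnel":
        problems.append("gateway-to-gateway SAs should use tunnel mode")
    if sa["protocol"] == "bundle" and sa.get("auxiliary_spi") is None:
        problems.append("protocol bundle (AH+ESP) needs an auxiliary-spi")
    for role in ("auth", "enc"):
        alg, key = sa[f"{role}_alg"], sa[f"{role}_key"]
        want = ASCII_KEY_LEN.get(alg)
        if want is None:
            problems.append(f"unsupported {role} algorithm {alg}")
        elif len(key) != want:
            problems.append(f"{alg} needs a {want}-character ascii-text key, got {len(key)}")
    if sa["enc_alg"] in OBSOLETE_ENCRYPTION:
        problems.append(f"{sa['enc_alg']} is obsolete; use 3des-cbc")
    if sa["auth_key"] == sa["enc_key"]:
        problems.append("same key used for authentication and encryption")
    return problems


def check_pair(local, remote):
    """Manual keying never negotiates, so every parameter must match on both
    gateways. Returns the names of the parameters that differ."""
    return [k for k in local if local[k] != remote.get(k)]


# The SA exactly as typed in the recipe (the book's placeholder key reused for both algorithms).
RECIPE_SA = {
    "name": "site1-site2", "mode": "tunnel", "protocol": "bundle",
    "spi": 400, "auxiliary_spi": 400,
    "auth_alg": "hmac-sha1-96", "auth_key": "$1991poPPi",
    "enc_alg": "des-cbc", "enc_key": "$1991poPPi",
}

# A hardened variant: 3DES instead of DES and distinct keys of the required lengths.
# The key strings are constructed placeholders; use random_ascii_key() for real ones.
HARDENED_SA = dict(
    RECIPE_SA,
    auth_key="Hq7vL2pXz9RtB4wN6mKd",        # 20 characters for hmac-sha1-96
    enc_alg="3des-cbc",
    enc_key="c8Jf3QsW1yTz5LpG0vMn7xRk",    # 24 characters for 3des-cbc
)

if __name__ == "__main__":
    for label, sa in (("recipe", RECIPE_SA), ("hardened", HARDENED_SA)):
        print(label, check_manual_sa(sa) or "OK")
    # simulate a typo on the remote gateway: the SPIs no longer match
    print("mismatch:", check_pair(HARDENED_SA, dict(HARDENED_SA, spi=401)))
```

Run against the recipe's own values the checker reports four problems (both keys have the wrong length for their algorithm, DES is obsolete, and one secret is used for both), while the hardened variant passes; check_pair is the test to run on both routers' definitions before you commit, since nothing on the wire will tell you about a one-character difference until the tunnel silently drops traffic.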
Use the following command to verify that the SA is active:
aviva@router1> show ipsec security-associations detail
Security association: site1-site2, Interface family: Up
  Local gateway: 10.0.12.33, Remote gateway: 10.0.97.62
  Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Direction: inbound, SPI: 400, AUX-SPI: 400
    Mode: tunnel, Type: manual, State: Installed
    Protocol: BUNDLE, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: Disabled
    Direction: outbound, SPI: 400, AUX-SPI: 400
    Mode: tunnel, Type: manual, State: Installed
    Protocol: BUNDLE, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: Disabled
The first line shows that the SA is active (Up), and you see that both the inbound and the outbound SA are installed. This command also shows the configured SA parameters. Note that Anti-replay service is Disabled in both directions: a manual SA gives no protection against replayed packets, which is one more reason to prefer IKE-negotiated SAs outside small networks.
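Checking this output by eye works for one tunnel; for a fleet of gateways you want the same checks in code. The script below is an added example, not part of the recipe: it parses the output of show ipsec security-associations detail into a structure, confirms that the interface family is Up and that both directions are Installed with the configured SPI, and reports the weak settings (disabled anti-replay, DES) as warnings rather than errors, since they do not stop traffic. The sample text is the recipe's own output embedded as a constant so the script runs offline; in practice you would feed it the text captured from the router.

```python
import re

# Added example, not from the JUNOS Cookbook: parse the output of
# "show ipsec security-associations detail" and decide whether the SA is usable.
# SAMPLE_OUTPUT is the recipe's own output, embedded here so the check runs offline.
SAMPLE_OUTPUT = """\
Security association: site1-site2, Interface family: Up
  Local gateway: 10.0.12.33, Remote gateway: 10.0.97.62
  Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Direction: inbound, SPI: 400, AUX-SPI: 400
    Mode: tunnel, Type: manual, State: Installed
    Protocol: BUNDLE, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: Disabled
    Direction: outbound, SPI: 400, AUX-SPI: 400
    Mode: tunnel, Type: manual, State: Installed
    Protocol: BUNDLE, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: Disabled
"""

DIRECTION_RE = re.compile(r"Direction: (\w+), SPI: (\d+), AUX-SPI: (\d+)")
PAIR_RE = re.compile(r"([\w -]+?): ([^,]+)")   # "Key: value" pairs separated by commas


def parse_sa_detail(text):
    """Return a dict with name, family_state, local/remote gateway and a
    'directions' dict holding the inbound and outbound SA attributes."""
    sa = {"directions": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Security association: (\S+), Interface family: (\S+)", line)
        if m:
            sa["name"], sa["family_state"] = m.groups()
            continue
        m = re.match(r"Local gateway: (\S+), Remote gateway: (\S+)", line)
        if m:
            sa["local_gateway"], sa["remote_gateway"] = m.groups()
            continue
        m = DIRECTION_RE.match(line)
        if m:
            current = {"spi": int(m.group(2)), "aux_spi": int(m.group(3))}
            sa["directions"][m.group(1)] = current
            continue
        if current is not None:   # Mode/Type/State, Protocol/..., Anti-replay lines
            for key, value in PAIR_RE.findall(line):
                current[key.strip().lower().replace(" ", "_")] = value.strip()
    return sa


def assess_sa(sa, expected_spi=None):
    """Return (errors, warnings). No errors means the family is Up and both
    directions are Installed; warnings flag weak settings that still pass traffic."""
    errors, warnings = [], []
    if sa.get("family_state") != "Up":
        errors.append(f"interface family is {sa.get('family_state')}, not Up")
    for d in ("inbound", "outbound"):
        entry = sa["directions"].get(d)
        if entry is None:
            errors.append(f"no {d} SA present")
            continue
        if entry.get("state") != "Installed":
            errors.append(f"{d} SA state is {entry.get('state')}")
        if expected_spi is not None and entry["spi"] != expected_spi:
            errors.append(f"{d} SPI {entry['spi']} differs from configured {expected_spi}")
        if entry.get("anti-replay_service") == "Disabled":
            warnings.append(f"{d}: anti-replay disabled, no protection against replayed packets")
        if entry.get("encryption") == "des-cbc":
            warnings.append(f"{d}: obsolete des-cbc encryption")
    return errors, warnings


if __name__ == "__main__":
    sa = parse_sa_detail(SAMPLE_OUTPUT)
    errors, warnings = assess_sa(sa, expected_spi=400)
    print("tunnel usable" if not errors else errors)
    for w in warnings:
        print("warning:", w)
```

On the recipe's output the tunnel is reported usable with four warnings (anti-replay disabled and DES in each direction). Passing expected_spi catches the case where the SA that got installed is not the one you meant to configure, and a missing direction, as when only one of the manual SAs is present, shows up as an error rather than a warning.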
You can check the status of the IPSec tunnel with the ping and traceroute commands. You should be able to ping a system at the remote site:
aviva@router1> ping 10.0.97.2
PING 10.0.97.2 (10.0.97.2): 56 data bytes
64 bytes from 10.0.97.2: icmp_seq=0 ttl=253 time=0.939 ms
64 bytes from 10.0.97.2: icmp_seq=1 ttl=253 time=0.886 ms
64 bytes from 10.0.97.2: icmp_seq=2 ttl=253 time=0.826 ms
^C
--- 10.0.97.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.826/0.884/0.939/0.046 ms
Use the traceroute command to verify that the traffic travels over the tunnel:
aviva@router1> traceroute 10.0.97.2
traceroute to 10.0.97.2 (10.0.97.2), 30 hops max, 40 byte packets
 1  10.0.12.2 (10.0.12.2)  0.655 ms  0.549 ms  0.508 ms
 2  10.0.0.3 (10.0.0.3)  0.833 ms  0.786 ms  0.757 ms
 3  10.0.97.2 (10.0.97.2)  0.808 ms  0.741 ms  0.716 ms
The second hop in the traceroute output is not 10.0.97.62, the IP address of the remote side of the tunnel, but 10.0.0.3, the loopback address of the remote security gateway router. Any routers between the two gateways are crossed inside the tunnel and do not appear as hops, which is what you expect when the traffic is being carried over IPSec.
The configuration is a bit complex, so it's worth looking at the structure of the relevant portions of the configuration file rather than all the commands that you use to configure it. Some comments have been added.
[edit security ipsec]
security-association site1-site2 {            # <-- define the SA
    description "SA from site1 to site2";
    mode tunnel;                              # <-- use tunnel mode
    manual {                                  # <-- manual SA: every parameter is fixed here, nothing is negotiated
        direction bidirectional {
            protocol bundle;
            spi 400;
            auxiliary-spi 400;
            authentication {
                algorithm hmac-sha1-96;
                key ascii-text "$9$…"; ## SECRET-DATA
            }
            encryption {
                algorithm des-cbc;
                key ascii-text "$9$b…"; ## SECRET-DATA
            }
        }
    }
}
[edit firewall]
filter traffic-out-of-ipsec-tunnel {          # <-- receive remote traffic
    term out-of-ipsec-tunnel {
        from {
            source-address {                  # <-- remote subnet
                10.0.97.0/24;
            }
            destination-address {             # <-- local subnet
                10.0.12.0/24;
            }
        }
        then accept;
    }
}
[edit interfaces]
es-3/0/0 {                                    # <-- interface facing remote security gateway router
    unit 0 {
        tunnel {
            source 10.0.12.33;
            destination 10.0.97.62;
        }
        family inet {
            ipsec-sa site1-site2;
            filter {
                input traffic-out-of-ipsec-tunnel;
            }
        }
    }
}