MPLS over GRE over IPSec

I recently had to set up a layer 2 stretch across an IPSec tunnel for a customer using SRX firewalls, as they had a requirement for two remote sites to be on the same broadcast domain.

Setting up layer 2 over IPSec can be achieved in a number of ways and one of the methods requires an IDP license! So while I was doing my research that was off the list straight away as the customer didn’t want to pay for it. So after trawling through the net I came across setting up MPLS over GRE and then establishing the GRE over IPSec to encrypt it.

Here is a quick diagram of how the topology looks.

[Diagram: MPLS over GRE over IPSec]

Configuration overview:

  • Create a route-based VPN with a numbered tunnel interface (st0.0). Since the tunnels are point-to-point I used a /30 address.
  • Create a GRE interface using the local and remote st0.0 addresses as the tunnel source and destination. Again I used a /30 address here as well.
  • Create firewall filters that enable packet mode and apply them to the interface that will carry the layer 2 circuit (family ccc) and to the interfaces enabled for MPLS (family mpls). MPLS does not work in flow mode, which is why packet mode needs to be enabled. Be aware that traffic handled in packet mode bypasses the SRX flow engine, so the stretched layer 2 traffic is not evaluated against security policies, NAT or IDP; the only protection it gets is the encryption of the IPSec tunnel it rides over.
  • Enable OSPF for reachability between the loopbacks and LDP for label distribution and l2circuit signalling.
  • Configure the relevant security zones and policies.
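The first thing this stack breaks in practice is MTU: a customer frame gains a control word and label from MPLS, a GRE and IP header, and then the ESP header, IV, padding, trailer and ICV before it reaches the underlay. The calculation below is an added example, not code from the original post. It assumes a single MPLS label on the GRE hop (LDP penultimate-hop popping leaves only the VC label), the control word the l2circuit output later shows as negotiated, plain GRE without key or sequence number, and the 3DES/SHA-1 pair that proposal-set standard negotiated here; the AES entries are included only for comparison and their names are this example's own.

```python
"""Size of one customer frame after Ethernet -> MPLS -> GRE -> ESP encapsulation.

Added example, not from the original post. Header sizes are the standard ones
(RFC 4448 pseudowire control word, RFC 2784 GRE, RFC 4303 ESP); label depth,
control word and cipher choice are assumptions set below.
"""

ETH_HDR = 14        # dst MAC, src MAC, ethertype; the FCS is not carried in the pseudowire
MPLS_LABEL = 4
CONTROL_WORD = 4    # "Negotiated control-word: Yes" in the post's l2circuit output
GRE_HDR = 4         # plain GRE, no key or sequence number
IPV4_HDR = 20       # no options
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header

# Cipher parameters. "3des"/"sha1" is what the post's SA output shows; the AES
# entries (and their names) are an assumption for comparing a stronger proposal.
CIPHERS = {
    "3des": {"block": 8, "iv": 8},
    "aes-128-cbc": {"block": 16, "iv": 16},
    "aes-256-cbc": {"block": 16, "iv": 16},
}
ICV = {"sha1": 12, "sha-256": 16}   # HMAC-SHA1-96, HMAC-SHA-256-128


def esp_tunnel_size(inner_len: int, cipher: str = "3des", integ: str = "sha1") -> int:
    """Outer IPv4 packet length when inner_len bytes are sent in ESP tunnel mode."""
    c = CIPHERS[cipher]
    plain = inner_len + ESP_TRAILER                    # payload + (pad length, next header)
    padded = -(-plain // c["block"]) * c["block"]      # round up to the cipher block size
    return IPV4_HDR + ESP_HDR + c["iv"] + padded + ICV[integ]


def outer_packet_size(payload: int, labels: int = 1, control_word: bool = True,
                      cipher: str = "3des", integ: str = "sha1") -> int:
    """Bytes on the underlay for one customer frame carrying `payload` bytes after the Ethernet header.

    labels=1 assumes LDP penultimate-hop popping leaves only the VC label on the
    single GRE hop; pass labels=2 if the transport label is kept.
    """
    frame = ETH_HDR + payload
    mpls = frame + (CONTROL_WORD if control_word else 0) + labels * MPLS_LABEL
    gre_packet = mpls + GRE_HDR + IPV4_HDR
    return esp_tunnel_size(gre_packet, cipher, integ)


def max_customer_payload(underlay_mtu: int, **kw) -> int:
    """Largest Ethernet payload that crosses the underlay without fragmenting the ESP packet."""
    payload = underlay_mtu
    while payload > 0 and outer_packet_size(payload, **kw) > underlay_mtu:
        payload -= 1
    return payload


if __name__ == "__main__":
    print("1500-byte payload on the wire:", outer_packet_size(1500))                    # 1600
    print("largest payload over a 1500-byte underlay:", max_customer_payload(1500))     # 1400
    print("same frame with AES-128/SHA-1:", outer_packet_size(1500, cipher="aes-128-cbc"))  # 1608
```

With a 1500-byte underlay between the two SRX outside interfaces, a full 1500-byte customer payload becomes a 1600-byte ESP packet, so anything above a 1400-byte payload is fragmented or dropped on the way. Note that keeping the transport label changes nothing for a 1500-byte payload, because the 8-byte block padding absorbs the extra label. Either raise the MTU on the underlay and tunnel interfaces or lower it on the customer-facing ports; the MM (mtu mismatch) state in the l2circuit legend is what you see when the two ends disagree.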

Configuration:

Interface configuration:

set interfaces gr-0/0/0 unit 0 tunnel source 10.2.1.1
set interfaces gr-0/0/0 unit 0 tunnel destination 10.2.1.2
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.9/30
set interfaces gr-0/0/0 unit 0 family mpls filter input mpls-packet-mode
#fe-0/0/6 will be the layer 2 link.  MPLS cannot operate in flow mode so packet mode has been enabled using the firewall filter
set interfaces fe-0/0/6 encapsulation ethernet-ccc
set interfaces fe-0/0/6 unit 0 family ccc filter input l2circuit-packet-mode
set interfaces fe-0/0/4 unit 0 family inet address 10.0.0.1/30
set interfaces lo0 unit 0 family inet address 192.168.0.1/32
set interfaces lo0 unit 0 family mpls
set interfaces st0 unit 0 family inet address 10.2.1.1/30

Protocols Configuration:

set protocols mpls interface gr-0/0/0.0
set protocols mpls interface lo0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
# optional LDP tracing used while troubleshooting; remove it once the session shows Operational
set protocols ldp traceoptions file ldp_shoot
set protocols ldp traceoptions file size 10m
set protocols ldp traceoptions flag all
set protocols ldp interface gr-0/0/0.0
set protocols ldp interface lo0.0
# the l2circuit interface must be the one configured with encapsulation ethernet-ccc (fe-0/0/6.0 above). To stretch another port add a second circuit with a different virtual-circuit-id; the id must match on the remote PE
set protocols l2circuit neighbor 192.168.0.2 interface fe-0/0/6.0 virtual-circuit-id 100000
set protocols l2circuit neighbor 192.168.0.2 interface fe-0/0/6.0 encapsulation-type ethernet

VPN Configuration:

# proposal-set standard negotiated 3DES/SHA-1 here (see the ipsec SA output under Verification). For production define explicit IKE and IPSec proposals with AES and a stronger DH group instead
set security ike policy 1 mode main
set security ike policy 1 proposal-set standard
set security ike policy 1 pre-shared-key ascii-text "$9$jzkm5n/tIEyQFEylKx7jHqmQF"
set security ike gateway 1 ike-policy 1
set security ike gateway 1 address 10.0.0.2
set security ike gateway 1 external-interface fe-0/0/4.0
set security ipsec policy 1 proposal-set standard
set security ipsec vpn 1 bind-interface st0.0
set security ipsec vpn 1 ike gateway 1
set security ipsec vpn 1 ike ipsec-policy 1
set security ipsec vpn 1 establish-tunnels immediately

Zones and Security Policies:

# lab policies: every zone pair permits any/any so the tunnel, GRE and routing protocols come up without further thought. Tighten these before production
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone untrust to-zone untrust policy Policy1 match source-address any
set security policies from-zone untrust to-zone untrust policy Policy1 match destination-address any
set security policies from-zone untrust to-zone untrust policy Policy1 match application any
set security policies from-zone untrust to-zone untrust policy Policy1 then permit
# host-inbound-traffic all on both zones is also lab convenience; the untrust zone only needs ike on the outside interface and ospf/ldp on gr-0/0/0.0 and lo0.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/6.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces lo0.0
set security zones security-zone untrust interfaces gr-0/0/0.0
set security zones security-zone untrust interfaces st0.0
set security zones security-zone untrust interfaces fe-0/0/4.0

Firewall Filter Configuration:

set firewall family mpls filter mpls-packet-mode term ALL-TRAFFIC then packet-mode
set firewall family mpls filter mpls-packet-mode term ALL-TRAFFIC then accept
set firewall family ccc filter l2circuit-packet-mode term ALL-TRAFFIC then packet-mode
set firewall family ccc filter l2circuit-packet-mode term ALL-TRAFFIC then accept

Verification:

IPSec Tunnel:

root@SRX1# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
6663928 UP     476a7195d79ee8ae  57afb0bad6f25285  Main           10.0.0.2

[edit]
root@SRX1# run show security ipsec security-associations
Total active tunnels: 1
ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
<131074 ESP:3des/sha1 414b5adf 3559/ unlim   -   root 500   10.0.0.2
>131074 ESP:3des/sha1 a64c2030 3559/ unlim   -   root 500   10.0.0.2

LDP session is established:

root@SRX1# run show ldp session
Address           State        Connection     Hold time
192.168.0.2         Operational  Open             27

The port participating in the layer 2 stretch is up.

root@SRX1# run show l2circuit connections
Layer-2 Circuit Connections:

Legend for connection status (St)
EI -- encapsulation invalid      NP -- interface h/w not present
MM -- mtu mismatch               Dn -- down
EM -- encapsulation mismatch     VC-Dn -- Virtual circuit Down
CM -- control-word mismatch      Up -- operational
VM -- vlan id mismatch           CF -- Call admission control failure
OL -- no outgoing label          IB -- TDM incompatible bitrate
NC -- intf encaps not CCC/TCC    TM -- TDM misconfiguration
BK -- Backup Connection          ST -- Standby Connection
CB -- rcvd cell-bundle size bad  SP -- Static Pseudowire
LD -- local site signaled down   RS -- remote site standby
RD -- remote site signaled down  XX -- unknown

Legend for interface status
Up -- operational
Dn -- down
Neighbor: 192.168.0.2
Interface                 Type  St     Time last up          # Up trans
fe-0/0/1.0(vc 100000)     rmt   Up     Feb 25 15:54:07 2015           1
Remote PE: 192.168.0.2, Negotiated control-word: Yes (Null)
Incoming label: 299808, Outgoing label: 299808
Negotiated PW status TLV: No
Local interface: fe-0/0/6.0, Status: Up, Encapsulation: ETHERNET
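The two outputs above are what gets checked when the stretch is reported broken, and they also record which algorithms the standard proposal set actually negotiated. The script below is an added example, not part of the original post: it parses constructed samples modelled on the SRX1 output above (not captured from a device) and returns findings when either ESP direction is missing, the cipher or integrity algorithm is on a deny list, or a virtual circuit is in any state other than Up. The deny list is this example's own policy, not a Junos setting, and the regular expressions are written for the column layout shown on this page.

```python
import re
from dataclasses import dataclass

# Constructed samples modelled on the SRX1 output in the post; not captured from a device.
IPSEC_SA_OUTPUT = """\
Total active tunnels: 1
ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
<131074 ESP:3des/sha1 414b5adf 3559/ unlim   -   root 500   10.0.0.2
>131074 ESP:3des/sha1 a64c2030 3559/ unlim   -   root 500   10.0.0.2
"""
L2CIRCUIT_OUTPUT = """\
Neighbor: 192.168.0.2
Interface                 Type  St     Time last up          # Up trans
fe-0/0/6.0(vc 100000)     rmt   Up     Feb 25 15:54:07 2015           1
Remote PE: 192.168.0.2, Negotiated control-word: Yes (Null)
Incoming label: 299808, Outgoing label: 299808
Local interface: fe-0/0/6.0, Status: Up, Encapsulation: ETHERNET
"""

# Acceptance policy for negotiated algorithms: this example's choice, not a Junos setting.
WEAK_CIPHERS = {"des", "3des"}
WEAK_INTEGRITY = {"md5"}

# direction, id, cipher, integrity, spi, lifetime(sec), kb-life, mon, lsys, port, gateway
SA_LINE = re.compile(
    r"^([<>])(\d+)\s+ESP:([^/\s]+)/(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*\S+\s+\S+\s+\S+\s+\d+\s+(\S+)")
VC_LINE = re.compile(r"^(\S+)\(vc (\d+)\)\s+\S+\s+(\S+)")        # interface, vc id, type, status
NEIGHBOR_LINE = re.compile(r"^Neighbor:\s+(\S+)")


@dataclass
class IpsecSA:
    direction: str      # "<" inbound, ">" outbound
    sa_id: int
    cipher: str
    integrity: str
    spi: str
    life_sec: int
    gateway: str


@dataclass
class L2Circuit:
    neighbor: str
    interface: str
    vc_id: int
    status: str         # "Up", "Dn", "VC-Dn", "OL", "MM", ... as in the legend above


def parse_ipsec_sas(text: str) -> list:
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            d, sa_id, cipher, integ, spi, life, gw = m.groups()
            sas.append(IpsecSA(d, int(sa_id), cipher, integ, spi, int(life), gw))
    return sas


def parse_l2circuits(text: str) -> list:
    circuits, neighbor = [], None
    for line in text.splitlines():
        n = NEIGHBOR_LINE.match(line)
        if n:
            neighbor = n.group(1)           # applies to the circuit lines that follow it
            continue
        m = VC_LINE.match(line)
        if m:
            ifname, vc_id, status = m.groups()
            circuits.append(L2Circuit(neighbor, ifname, int(vc_id), status))
    return circuits


def check_stretch(sa_text: str, l2_text: str, gateway: str, neighbor: str) -> list:
    """Return a list of findings; an empty list means the stretch looks healthy."""
    findings = []
    sas = parse_ipsec_sas(sa_text)
    directions = {sa.direction for sa in sas if sa.gateway == gateway}
    if directions != {"<", ">"}:
        findings.append(f"ipsec: need inbound and outbound SA to {gateway}, have {sorted(directions)}")
    for sa in sas:
        if sa.cipher in WEAK_CIPHERS:
            findings.append(f"ipsec: SA {sa.sa_id} {sa.direction} uses deprecated cipher {sa.cipher}")
        if sa.integrity in WEAK_INTEGRITY:
            findings.append(f"ipsec: SA {sa.sa_id} {sa.direction} uses weak integrity {sa.integrity}")
    circuits = parse_l2circuits(l2_text)
    if not circuits:
        findings.append("l2circuit: no virtual circuits present")
    for vc in circuits:
        if vc.neighbor != neighbor:
            findings.append(f"l2circuit: {vc.interface} signalled with {vc.neighbor}, expected {neighbor}")
        if vc.status != "Up":
            findings.append(f"l2circuit: {vc.interface} vc {vc.vc_id} is {vc.status}")
    return findings


if __name__ == "__main__":
    for finding in check_stretch(IPSEC_SA_OUTPUT, L2CIRCUIT_OUTPUT, "10.0.0.2", "192.168.0.2"):
        print(finding)
```

Run against the samples it reports nothing about the circuit, which is Up, but flags both ESP SAs for 3DES; that is the cost of leaving proposal-set standard in place. Feed it the real command output (for example from `show security ipsec security-associations | no-more`) and it doubles as a post-change check that the tunnel re-established in both directions with the algorithms you intended.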

Connectivity:

C:\>ping 172.16.10.31

Pinging 172.16.10.31 with 32 bytes of data:
Reply from 172.16.10.31: bytes=32 time=3ms TTL=64
Reply from 172.16.10.31: bytes=32 time=1ms TTL=64
Reply from 172.16.10.31: bytes=32 time=1ms TTL=64
Reply from 172.16.10.31: bytes=32 time=1ms TTL=64

Ping statistics for 172.16.10.31:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 1ms
