I recently had to set up a layer 2 stretch across an IPsec tunnel for a customer using SRX firewalls, as they had a requirement for two remote sites to be on the same broadcast domain.
Setting up layer 2 over IPsec can be achieved in a number of ways, and one of the methods requires an IDP license! So while I was doing my research that was off the list straight away, as the customer didn't want to pay for it. After trawling through the net I came across setting up MPLS over GRE and then running the GRE over IPsec to encrypt it.
Here is a quick diagram of how the topology looks.
Note: the green arrow should point to the SRXs, not the Ciscos; too lazy to correct it properly 🙂
Configuration overview:
- Create a route-based VPN with numbered tunnel interfaces; since the tunnels are point to point I used a /30 address.
- Create a GRE interface using the st0.0 addresses as the tunnel source and destination, so the GRE (and the MPLS inside it) is only ever carried inside the IPsec SA. Again I used a /30 address here as well.
- Create firewall filters that enable packet mode and apply them to the interface that will be the layer 2 circuit and to the interfaces enabled for MPLS. MPLS does not work in flow mode, which is why packet mode needs to be enabled.
- Enable OSPF (for loopback reachability) and LDP (for label and pseudowire signalling).
- Configure the relevant security policies.
Configuration:
Interface configuration:
#GRE tunnel sourced from the st0.0 addresses, so the GRE and the MPLS inside it only ever travel inside the IPsec SA
set interfaces gr-0/0/0 unit 0 tunnel source 10.2.1.1
set interfaces gr-0/0/0 unit 0 tunnel destination 10.2.1.2
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.9/30
set interfaces gr-0/0/0 unit 0 family mpls filter input mpls-packet-mode
#fe-0/0/6 will be the layer 2 link. MPLS cannot operate in flow mode, so packet mode has been enabled using the firewall filter
set interfaces fe-0/0/6 encapsulation ethernet-ccc
set interfaces fe-0/0/6 unit 0 family ccc filter input l2circuit-packet-mode
set interfaces fe-0/0/4 unit 0 family inet address 10.0.0.1/30
set interfaces lo0 unit 0 family inet address 192.168.0.1/32
set interfaces lo0 unit 0 family mpls
set interfaces st0 unit 0 family inet address 10.2.1.1/30
Protocols Configuration:
set protocols mpls interface gr-0/0/0.0
set protocols mpls interface lo0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
#LDP troubleshooting trace, optional; remove it once the session is stable
set protocols ldp traceoptions file ldp_shoot
set protocols ldp traceoptions file size 10m
set protocols ldp traceoptions flag all
set protocols ldp interface gr-0/0/0.0
set protocols ldp interface lo0.0
#The attachment circuit is the CCC-encapsulated interface fe-0/0/6.0 and the virtual-circuit-id must match on both SRXs. To add another interface use a different virtual-circuit-id
set protocols l2circuit neighbor 192.168.0.2 interface fe-0/0/6.0 virtual-circuit-id 100000
set protocols l2circuit neighbor 192.168.0.2 interface fe-0/0/6.0 encapsulation-type ethernet
VPN Configuration:
#proposal-set standard negotiates 3DES/SHA-1 with DH group 2, which is exactly what the verification output below shows. For production define explicit IKE and IPsec proposals with AES and SHA-256 and a larger DH group instead of relying on the standard set
set security ike policy 1 mode main
set security ike policy 1 proposal-set standard
set security ike policy 1 pre-shared-key ascii-text "$9$jzkm5n/tIEyQFEylKx7jHqmQF"
set security ike gateway 1 ike-policy 1
set security ike gateway 1 address 10.0.0.2
set security ike gateway 1 external-interface fe-0/0/4.0
set security ipsec policy 1 proposal-set standard
set security ipsec vpn 1 bind-interface st0.0
set security ipsec vpn 1 ike gateway 1
set security ipsec vpn 1 ike ipsec-policy 1
set security ipsec vpn 1 establish-tunnels immediately
Zones and Security Policies:
#The policies below are any/any for the lab. The one this design actually depends on is the intra-zone untrust-to-untrust policy (Policy1): the GRE packets are flow-processed between gr-0/0/0.0 and st0.0, which both sit in untrust. Tighten the rest to the traffic you really expect before going live
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone untrust to-zone untrust policy Policy1 match source-address any
set security policies from-zone untrust to-zone untrust policy Policy1 match destination-address any
set security policies from-zone untrust to-zone untrust policy Policy1 match application any
set security policies from-zone untrust to-zone untrust policy Policy1 then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/6.0
#'all' on the untrust zone opens every system service (ssh, web management and so on) on the internet-facing fe-0/0/4.0. That interface only needs ike; gr-0/0/0.0 and lo0.0 need ospf, ldp and ping. Restrict this in production
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces lo0.0
set security zones security-zone untrust interfaces gr-0/0/0.0
set security zones security-zone untrust interfaces st0.0
set security zones security-zone untrust interfaces fe-0/0/4.0
Firewall Filter Configuration:
set firewall family mpls filter mpls-packet-mode term ALL-TRAFFIC then packet-mode
set firewall family mpls filter mpls-packet-mode term ALL-TRAFFIC then accept
set firewall family ccc filter l2circuit-packet-mode term ALL-TRAFFIC then packet-mode
set firewall family ccc filter l2circuit-packet-mode term ALL-TRAFFIC then accept
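Before committing, it is worth checking the set-format config for the mistakes that bite this particular design. The script below is an added example, not code from the original post or from Juniper: a small linter for Junos set-format config that checks that the l2circuit attachment circuit is CCC-encapsulated and in packet mode, that every MPLS transit interface carries the packet-mode filter, that the GRE endpoints are st0 addresses (otherwise the MPLS and the customer's layer 2 frames would leave over the underlay in the clear), and that flags proposal-set standard and any/any/any permit policies. The function and check names are my own, and SAMPLE_CONFIG is a trimmed copy of the post's config constructed with the l2circuit bound to fe-0/0/1.0 so that the first check fires.

```python
"""Lint a Junos set-format config for the L2-over-MPLS-over-GRE-over-IPsec design.

Added example, not code from the original post or from Juniper. The parser and
the check names are my own; SAMPLE_CONFIG is constructed from the post's config."""
import ipaddress

# Constructed sample: a trimmed copy of the post's set commands, with the l2circuit
# bound to fe-0/0/1.0 while the CCC encapsulation and packet-mode filter are on fe-0/0/6.
SAMPLE_CONFIG = """
set interfaces gr-0/0/0 unit 0 tunnel source 10.2.1.1
set interfaces gr-0/0/0 unit 0 tunnel destination 10.2.1.2
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.9/30
set interfaces gr-0/0/0 unit 0 family mpls filter input mpls-packet-mode
set interfaces fe-0/0/6 encapsulation ethernet-ccc
set interfaces fe-0/0/6 unit 0 family ccc filter input l2circuit-packet-mode
set interfaces st0 unit 0 family inet address 10.2.1.1/30
set protocols mpls interface gr-0/0/0.0
set protocols mpls interface lo0.0
set protocols l2circuit neighbor 192.168.0.2 interface fe-0/0/1.0 virtual-circuit-id 100000
set security ipsec policy 1 proposal-set standard
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
set firewall family mpls filter mpls-packet-mode term ALL-TRAFFIC then packet-mode
set firewall family ccc filter l2circuit-packet-mode term ALL-TRAFFIC then packet-mode
"""


def parse_set_config(text):
    """Each 'set ...' line becomes a tuple of tokens; blank and '#' lines are skipped."""
    stmts = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) > 1 and tokens[0] == "set":
            stmts.append(tuple(tokens[1:]))
    return stmts


def _packet_mode_filter(stmts, family, name):
    """True if filter `name` under `family` has a term whose action is packet-mode."""
    return any(s[:5] == ("firewall", "family", family, "filter", name)
               and s[-2:] == ("then", "packet-mode") for s in stmts)


def _input_filter(stmts, ifl, family):
    """Name of the input filter applied to logical interface `ifl` for `family`, or None."""
    phys, _, unit = ifl.partition(".")
    prefix = ("interfaces", phys, "unit", unit, "family", family, "filter", "input")
    return next((s[8] for s in stmts if s[:8] == prefix), None)


def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    stmts = parse_set_config(text)
    findings = []
    # 1. The l2circuit attachment circuit must be CCC-encapsulated and in packet mode.
    for s in stmts:
        if s[:3] == ("protocols", "l2circuit", "neighbor") and s[4:5] == ("interface",):
            ifl, phys = s[5], s[5].partition(".")[0]
            if ("interfaces", phys, "encapsulation", "ethernet-ccc") not in stmts:
                findings.append(f"l2circuit {ifl}: no 'encapsulation ethernet-ccc' on {phys}")
            flt = _input_filter(stmts, ifl, "ccc")
            if flt is None or not _packet_mode_filter(stmts, "ccc", flt):
                findings.append(f"l2circuit {ifl}: no family ccc packet-mode input filter")
    # 2. MPLS does not run in flow mode: every transit MPLS interface needs the filter.
    for s in stmts:
        if s[:3] == ("protocols", "mpls", "interface") and not s[3].startswith("lo0"):
            flt = _input_filter(stmts, s[3], "mpls")
            if flt is None or not _packet_mode_filter(stmts, "mpls", flt):
                findings.append(f"mpls {s[3]}: no family mpls packet-mode input filter")
    # 3. GRE endpoints must be st0 addresses; anything else routes the MPLS/GRE packets
    #    (and the customer's layer 2 frames inside them) around the IPsec SA.
    st0 = {}
    for s in stmts:
        if s[0] == "interfaces" and s[1].startswith("st0") and s[4:7] == ("family", "inet", "address"):
            ip = ipaddress.ip_interface(s[7])
            st0[str(ip.ip)] = ip.network
    for s in stmts:
        if s[0] == "interfaces" and s[1].startswith("gr-") and s[4:5] == ("tunnel",):
            end = s[6]
            ok = end in st0 if s[5] == "source" else any(
                ipaddress.ip_address(end) in net for net in st0.values())
            if not ok:
                findings.append(f"gre {s[1]}: tunnel {s[5]} {end} is not on st0 (clear-text path)")
    # 4. Weak defaults and wide-open policies that deserve a second look before production.
    for s in stmts:
        if s[0] == "security" and s[-2:] == ("proposal-set", "standard"):
            findings.append(f"{' '.join(s[:4])}: proposal-set standard negotiates 3DES/SHA-1, DH group 2")
    policies = {}
    for s in stmts:
        if s[:3] == ("security", "policies", "from-zone"):
            policies.setdefault((s[3], s[5], s[7]), set()).add(" ".join(s[8:]))
    wide_open = {"match source-address any", "match destination-address any",
                 "match application any", "then permit"}
    for (fz, tz, name), terms in policies.items():
        if wide_open <= terms:
            findings.append(f"policy {name} {fz}->{tz}: any/any/any permit")
    return findings
```

Run `lint(SAMPLE_CONFIG)` (or paste the output of `show configuration | display set` into it) and it reports the fe-0/0/1.0 mismatch twice, the 3DES proposal set and the any/any/any policy; rebinding the l2circuit to fe-0/0/6.0 clears the first two, and changing the GRE tunnel source to the fe-0/0/4 address instead of the st0 address produces the clear-text-path finding. The GRE check is the one to keep: the other mistakes show up as a pseudowire that never comes up, while a mis-sourced GRE tunnel works perfectly and silently sends the customer's frames unencrypted.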
Verification:
IPSec Tunnel:
root@SRX1# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
6663928 UP 476a7195d79ee8ae 57afb0bad6f25285 Main 10.0.0.2
[edit]
root@SRX1# run show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131074 ESP:3des/sha1 414b5adf 3559/ unlim - root 500 10.0.0.2
>131074 ESP:3des/sha1 a64c2030 3559/ unlim - root 500 10.0.0.2
LDP session is established:
root@SRX1# run show ldp session
Address State Connection Hold time
192.168.0.2 Operational Open 27
The port participating in the layer 2 stretch is up.
root@SRX1# run show l2circuit connections
Layer-2 Circuit Connections:
Legend for connection status (St)
EI -- encapsulation invalid NP -- interface h/w not present
MM -- mtu mismatch Dn -- down
EM -- encapsulation mismatch VC-Dn -- Virtual circuit Down
CM -- control-word mismatch Up -- operational
VM -- vlan id mismatch CF -- Call admission control failure
OL -- no outgoing label IB -- TDM incompatible bitrate
NC -- intf encaps not CCC/TCC TM -- TDM misconfiguration
BK -- Backup Connection ST -- Standby Connection
CB -- rcvd cell-bundle size bad SP -- Static Pseudowire
LD -- local site signaled down RS -- remote site standby
RD -- remote site signaled down XX -- unknown
Legend for interface status
Up -- operational
Dn -- down
Neighbor: 192.168.0.2
Interface Type St Time last up # Up trans
fe-0/0/1.0(vc 100000) rmt Up Feb 25 15:54:07 2015 1
Remote PE: 192.168.0.2, Negotiated control-word: Yes (Null)
Incoming label: 299808, Outgoing label: 299808
Negotiated PW status TLV: No
Local interface: fe-0/0/6.0, Status: Up, Encapsulation: ETHERNET
Connectivity: a host at one site pinging 172.16.10.31 at the other site across the stretched segment. The replies come back with TTL=64, the untouched default initial TTL of a Linux-style host, so no router decremented it on the way: the two hosts really are on one broadcast domain.
C:\>ping 172.16.10.31
Pinging 172.16.10.31 with 32 bytes of data:
Reply from 172.16.10.31: bytes=32 time=3ms TTL=64
Reply from 172.16.10.31: bytes=32 time=1ms TTL=64
Reply from 172.16.10.31: bytes=32 time=1ms TTL=64
Reply from 172.16.10.31: bytes=32 time=1ms TTL=64
Ping statistics for 172.16.10.31:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 1ms