Layer 3 VPN JUNOS
ctj
I have two Juniper M7i routers running 10.4R1.9 and I am trying to set up a VPN tunnel between them. When I run `show services ipsec-vpn ipsec security-associations`, no SA information is shown at all. I've posted both configs below; please give suggestions. Note: I was configuring over an old config, so disregard some of the needless commands.
dtoc> show configuration
## Last commit: 2011-11-21 22:34:12 UTC by dtoc
version 11.1R1.14;
system {
    /* Review: the $1$ strings below are MD5-crypt password hashes (one-way, but cheap to guess offline).
       Since this configuration has been posted publicly, both passwords should be rotated. */
    root-authentication {
        encrypted-password "$1$E/wFo3sp$9/RGqhp/XgpvjdRTpWAkl1"; ## SECRET-DATA
    }
    login {
        /* Local login class with every permission; the single user below is mapped to it. */
        class superuser-local {
            permissions all;
        }
        user dtoc {
            uid 2011;
            class superuser-local;
            authentication {
                encrypted-password "$1$8/WI4OXN$2JpyCXqnEI1w7nOBWUL/A."; ## SECRET-DATA
            }
        }
    }
    /* FTP is the only system service enabled in this listing; it is a cleartext protocol and no ssh
       service appears here. Unrelated to the missing SAs, but worth revisiting before production use. */
    services {
        ftp;
    }
}
interfaces {
    /* BLACKBONE link toward the peer router (10.10.2.2). The interface-style service set basic-vpn
       is attached in both directions; service-filter allow-bgp decides which packets enter it. */
    fe-0/0/0 {
        description BLACKBONE;
        unit 0 {
            family inet {
                service {
                    input {
                        service-set basic-vpn service-filter allow-bgp;
                    }
                    output {
                        service-set basic-vpn service-filter allow-bgp;
                    }
                }
                address 10.10.2.1/30;
            }
        }
    }
    /* Services PIC interface used as the service-interface of basic-vpn (sp-0/0/0.0). */
    sp-0/0/0 {
        unit 0 {
            family inet;
        }
    }
    fe-0/0/1 {
        description To_TACLANE;
        speed 100m;
        link-mode full-duplex;
        unit 0 {
            family inet {
                address 10.10.1.1/30;
            }
        }
    }
    /* The GRE tunnel is defined as unit 5, but protocols mpls/ospf/ldp reference gr-1/2/0.1, which is not
       defined in this listing. Its endpoints are the BLACKBONE addresses, whereas the peer's gr-1/2/0 unit 1
       uses 192.168.0.1 -> 192.168.1.1, so the two tunnel definitions do not mirror each other.
       192.16.0.1/30 may be a typo for a 192.168.x.x address -- confirm. */
    gr-1/2/0 {
        unit 5 {
            description Tunnel;
            tunnel {
                source 10.10.2.1;
                destination 10.10.2.2;
            }
            family inet {
                address 192.16.0.1/30;
            }
        }
    }
}
routing-options {
    static {
        /* 10.10.2.0/30 is already directly connected on fe-0/0/0.0 (10.10.2.1/30); this static route
           points back into that same subnet and is presumably a leftover -- confirm it is intended. */
        route 10.10.2.0/30 next-hop 10.10.2.2;
    }
    autonomous-system 65001;
}
protocols {
    mpls {
        no-cspf;
        /* LSP and its explicit path are both named after the destination 10.0.0.1 (single loose hop).
           No interface in this listing carries a 10.0.0.x address; the peer's gr-1/2/0.1 is 10.0.0.1/30. */
        label-switched-path 10.0.0.1 {
            to 10.0.0.1;
            ldp-tunneling;
        }
        path 10.0.0.1 {
            10.0.0.1 loose;
        }
        /* gr-1/2/0.1 is not defined under interfaces here (the tunnel is unit 5). "interface all" already
           covers every interface, so the explicit entries are redundant. */
        interface gr-1/2/0.1;
        interface fe-0/0/0.0;
        interface fe-0/0/1.0;
        interface all;
    }
    bgp {
        /* Single iBGP session to the peer over the BLACKBONE link. Only inet-vpn unicast is configured;
           with an explicit family list, plain inet unicast is presumably not negotiated -- verify. */
        group to-ibgp {
            type internal;
            local-address 10.10.2.1;
            family inet-vpn {
                unicast;
            }
            neighbor 10.10.2.2;
        }
    }
    ospf {
        traffic-engineering;
        reference-bandwidth 10g;
        area 0.0.0.0 {
            /* Same undefined gr-1/2/0.1 reference as above; OSPF has no other interface here. */
            interface gr-1/2/0.1;
        }
    }
    ldp {
        /* fe-0/0/3 is not defined in this router's interfaces stanza (it is on the peer). */
        interface fe-0/0/3.0;
        interface gr-1/2/0.1;
        interface all;
    }
}
policy-options {
    /* DDTE-* and JTDL-* are import/export pairs keyed on the two route-target communities at the bottom.
       Nothing else in this listing (no routing-instances, no bgp import/export) references them. */
    policy-statement DDTE-export {
        term 1 {
            from protocol [ ospf direct static bgp ];
            then {
                community add DDTE-comm;
                accept;
            }
        }
        term 2 {
            then reject;
        }
    }
    policy-statement DDTE-import {
        term 1 {
            from {
                protocol bgp;
                community DDTE-comm;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
    policy-statement JTDL-export {
        term 1 {
            from protocol [ direct static bgp ];
            then {
                community add JTDL-comm;
                accept;
            }
        }
        term 2 {
            then reject;
        }
    }
    policy-statement JTDL-import {
        term 1 {
            from {
                protocol bgp;
                community JTDL-comm;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
    /* Route targets for the two policy pairs above. */
    community DDTE-comm members target:65001:2;
    community JTDL-comm members target:65001:1;
}
firewall {
    family inet {
        /* Service filter applied with service-set basic-vpn on fe-0/0/0.0. "then skip" sends a packet past
           the service set, so only packets that fall through every term reach sp-0/0/0.0 and can trigger the
           IPsec rule. Term 1 skips BGP; term 3 skips tcp, icmp, gre, esp, ah, udp and igmp -- practically all
           IPv4 traffic. As written the service set should see almost nothing, which is consistent with no SA
           ever being negotiated. Terms are numbered 1 and 3, suggesting a term 2 was removed -- confirm what
           it was meant to pass into the service set. */
        service-filter allow-bgp {
            term 1 {
                from {
                    protocol tcp;
                    port bgp;
                }
                then skip;
            }
            term 3 {
                from {
                    protocol [ tcp icmp gre esp ah udp igmp ];
                }
                then skip;
            }
        }
    }
}
services {
    ipsec-vpn {
        /* Dynamic-SA rule: traffic leaving the service set (match-direction output) toward 10.10.2.0/30 is
           protected to remote gateway 10.10.2.2 via IKE. Note 10.10.2.0/30 is the BLACKBONE link subnet that
           contains both gateways themselves, not a network behind the peer -- confirm this is the intended
           interesting traffic. */
        rule secure-extranet {
            term 1 {
                from {
                    destination-address {
                        10.10.2.0/30;
                    }
                }
                then {
                    remote-gateway 10.10.2.2;
                    /* Only ike-policy is attached here; IPSEC_POLICY below is not referenced, so the
                       IPsec proposal presumably falls back to platform defaults -- verify. */
                    dynamic {
                        ike-policy IKE_POLICY;
                    }
                }
            }
            match-direction output;
        }
        ipsec {
            /* ESP with HMAC-MD5-96 integrity: MD5-based MACs are legacy; prefer hmac-sha1-96 or a SHA-2
               option if this release offers one. Lifetime equals the IKE lifetime below. */
            proposal IPSEC_PROPOSAL {
                protocol esp;
                authentication-algorithm hmac-md5-96;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            policy IPSEC_POLICY {
                proposals IPSEC_PROPOSAL;
            }
        }
        ike {
            /* Pre-shared-key auth with DH group2 (1024-bit MODP) and SHA-1: weak by current standards;
               prefer a larger group (group14 or higher) where the platform allows. */
            proposal IKE_PROPOSAL {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            policy IKE_POLICY {
                proposals IKE_PROPOSAL;
                /* $9$ is Junos' reversible obfuscation, not a hash: once posted, this PSK is effectively
                   public. Rotate it on both routers. */
                pre-shared-key ascii-text "$9$xUM7-w4oGH.5Nd"; ## SECRET-DATA
            }
        }
    }
    /* Interface-style service set (attached on fe-0/0/0.0) binding the IPsec rule to sp-0/0/0.0. */
    service-set basic-vpn {
        interface-service {
            service-interface sp-0/0/0.0;
        }
        ipsec-vpn-options {
            local-gateway 10.10.2.1;
        }
        ipsec-vpn-rules secure-extranet;
    }
}
dtoc>
+++++++++++++++++++++++++++++++++++++++
dtoc@JITC_Juniper> show con
^
'con' is ambiguous.
Possible completions:
configuration Show current configuration
connections Show circuit cross-connect connections
dtoc@JITC_Juniper> show configuration
## Last commit: 2011-11-21 22:32:30 UTC by dtoc
version 10.4R1.9;
system {
    host-name JITC_Juniper;
    /* Review: the $1$ strings below are MD5-crypt password hashes (one-way, but cheap to guess offline).
       Since this configuration has been posted publicly, both passwords should be rotated.
       No system services (ssh or otherwise) appear in this listing; management access is unclear from here. */
    root-authentication {
        encrypted-password "$1$6IP/TsBb$uvIiGtF9rnjQLUpz6SI390"; ## SECRET-DATA
    }
    login {
        /* Local login class with every permission; the single user below is mapped to it. */
        class tier3 {
            permissions all;
        }
        user dtoc {
            uid 2010;
            class tier3;
            authentication {
                encrypted-password "$1$QuYb6yxt$VYGlB1eihyJWPdJyTJADe1"; ## SECRET-DATA
            }
        }
    }
}
interfaces {
    /* BLACKBONE link toward the peer router (10.10.2.1). The interface-style service set basic-vpn
       is attached in both directions; service-filter allow-bgp decides which packets enter it. */
    fe-0/0/0 {
        description BLACKBONE;
        unit 0 {
            family inet {
                service {
                    input {
                        service-set basic-vpn service-filter allow-bgp;
                    }
                    output {
                        service-set basic-vpn service-filter allow-bgp;
                    }
                }
                address 10.10.2.2/30;
            }
        }
    }
    /* Services PIC interface used as the service-interface of basic-vpn (sp-0/0/0.0). */
    sp-0/0/0 {
        unit 0 {
            family inet;
        }
    }
    fe-0/0/1 {
        description To_TACLANE;
        unit 0 {
            family inet {
                address 10.10.3.1/30;
            }
        }
    }
    /* Second TACLANE-facing link; its address is also the GRE tunnel source below. */
    fe-0/0/3 {
        description "to TACLANE";
        unit 0 {
            family inet {
                address 192.168.0.1/30;
            }
        }
    }
    /* gr-1/2/0.1 matches the references under protocols on this router. The tunnel runs
       192.168.0.1 -> 192.168.1.1, but the peer's tunnel (gr-1/2/0 unit 5) uses the BLACKBONE addresses
       10.10.2.1 -> 10.10.2.2 and nothing in the peer's listing owns 192.168.1.1, so the two ends do not
       mirror each other. family mpls is enabled here but not on the peer's tunnel. */
    gr-1/2/0 {
        unit 1 {
            description "to Site B";
            tunnel {
                source 192.168.0.1;
                destination 192.168.1.1;
            }
            family inet {
                address 10.0.0.1/30;
            }
            family mpls;
        }
    }
}
routing-options {
    static {
        /* 10.10.2.0/30 is already directly connected on fe-0/0/0.0 (10.10.2.2/30); this static route
           points back into that same subnet and is presumably a leftover -- confirm it is intended. */
        route 10.10.2.0/30 next-hop 10.10.2.1;
    }
    autonomous-system 65001;
}
protocols {
    mpls {
        no-cspf;
        /* LSP and its explicit path are both named after the destination 10.0.0.2 (single loose hop),
           i.e. the far end of this router's gr-1/2/0.1 (10.0.0.1/30). The peer's tunnel address in its
           listing is 192.16.0.1/30, so 10.0.0.2 is not present on the peer as shown. */
        label-switched-path 10.0.0.2 {
            to 10.0.0.2;
            ldp-tunneling;
        }
        path 10.0.0.2 {
            10.0.0.2 loose;
        }
        /* "interface all" already covers every interface; the explicit entries are redundant. */
        interface gr-1/2/0.1;
        interface fe-0/0/0.0;
        interface fe-0/0/1.0;
        interface all;
    }
    bgp {
        /* Single iBGP session to the peer over the BLACKBONE link. Only inet-vpn unicast is configured;
           with an explicit family list, plain inet unicast is presumably not negotiated -- verify. */
        group to-ibgp {
            type internal;
            local-address 10.10.2.2;
            family inet-vpn {
                unicast;
            }
            neighbor 10.10.2.1;
        }
    }
    ospf {
        traffic-engineering;
        reference-bandwidth 10g;
        area 0.0.0.0 {
            /* OSPF runs only on the GRE tunnel. */
            interface gr-1/2/0.1;
        }
    }
    ldp {
        interface fe-0/0/3.0;
        interface gr-1/2/0.1;
        interface all;
    }
}
policy-options {
    /* DDTE-* and JTDL-* are import/export pairs keyed on the two route-target communities at the bottom.
       Nothing else in this listing (no routing-instances, no bgp import/export) references them. */
    policy-statement DDTE-export {
        term 1 {
            from protocol [ ospf direct static bgp ];
            then {
                community add DDTE-comm;
                accept;
            }
        }
        term 2 {
            then reject;
        }
    }
    policy-statement DDTE-import {
        term 1 {
            from {
                protocol bgp;
                community DDTE-comm;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
    policy-statement JTDL-export {
        term 1 {
            from protocol [ direct static bgp ];
            then {
                community add JTDL-comm;
                accept;
            }
        }
        term 2 {
            then reject;
        }
    }
    policy-statement JTDL-import {
        term 1 {
            from {
                protocol bgp;
                community JTDL-comm;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
    /* Route targets for the two policy pairs above. */
    community DDTE-comm members target:65001:2;
    community JTDL-comm members target:65001:1;
}
firewall {
    family inet {
        /* Service filter applied with service-set basic-vpn on fe-0/0/0.0. "then skip" sends a packet past
           the service set, so only packets that fall through every term reach sp-0/0/0.0 and can trigger the
           IPsec rule. Term 1 skips BGP; term 3 skips icmp, gre, tcp, esp, ah, udp and igmp -- practically all
           IPv4 traffic. As written the service set should see almost nothing, which is consistent with no SA
           ever being negotiated. Terms are numbered 1 and 3, suggesting a term 2 was removed -- confirm what
           it was meant to pass into the service set. */
        service-filter allow-bgp {
            term 1 {
                from {
                    protocol tcp;
                    port bgp;
                }
                then skip;
            }
            term 3 {
                from {
                    protocol [ icmp gre tcp esp ah udp igmp ];
                }
                then skip;
            }
        }
    }
}
services {
    ipsec-vpn {
        /* Dynamic-SA rule: traffic leaving the service set (match-direction output) toward 10.10.2.0/30 is
           protected to remote gateway 10.10.2.1 via IKE. Note 10.10.2.0/30 is the BLACKBONE link subnet that
           contains both gateways themselves, not a network behind the peer -- confirm this is the intended
           interesting traffic. */
        rule secure-extranet {
            term 1 {
                from {
                    destination-address {
                        10.10.2.0/30;
                    }
                }
                then {
                    remote-gateway 10.10.2.1;
                    /* Only ike-policy is attached here; IPSEC_POLICY below is not referenced, so the
                       IPsec proposal presumably falls back to platform defaults -- verify. */
                    dynamic {
                        ike-policy IKE_POLICY;
                    }
                }
            }
            match-direction output;
        }
        ipsec {
            /* ESP with HMAC-MD5-96 integrity: MD5-based MACs are legacy; prefer hmac-sha1-96 or a SHA-2
               option if this release offers one. Lifetime equals the IKE lifetime below. */
            proposal IPSEC_PROPOSAL {
                protocol esp;
                authentication-algorithm hmac-md5-96;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            policy IPSEC_POLICY {
                proposals IPSEC_PROPOSAL;
            }
        }
        ike {
            /* Pre-shared-key auth with DH group2 (1024-bit MODP) and SHA-1: weak by current standards;
               prefer a larger group (group14 or higher) where the platform allows. */
            proposal IKE_PROPOSAL {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            policy IKE_POLICY {
                proposals IKE_PROPOSAL;
                /* $9$ is Junos' reversible obfuscation, not a hash: once posted, this PSK is effectively
                   public. Rotate it on both routers. */
                pre-shared-key ascii-text "$9$X7gxNbg4Ziqf7-"; ## SECRET-DATA
            }
        }
    }
    /* Interface-style service set (attached on fe-0/0/0.0) binding the IPsec rule to sp-0/0/0.0. */
    service-set basic-vpn {
        interface-service {
            service-interface sp-0/0/0.0;
        }
        ipsec-vpn-options {
            local-gateway 10.10.2.2;
        }
        ipsec-vpn-rules secure-extranet;
    }
}
dtoc@JITC_Juniper>