MX: IPsec from an MPLS VPN

An example configuration that will let you create an IPsec VPN that originates from an MPLS-VPN. I created the following scenario:


I used and verified the following configuration to establish an IPsec tunnel that originates from within a routing-instance:

=========================
Interfaces configuration:
=========================

set interfaces xe-1/2/0 unit 550 description towards-an-srx
set interfaces xe-1/2/0 unit 550 vlan-id 550
set interfaces xe-1/2/0 unit 550 family inet address 172.31.255.10/29

set interfaces lo0 unit 1684 description to-enable-ping-test
set interfaces lo0 unit 1684 family inet address 201.0.0.1/24

set interfaces ms-0/0/0 unit 10 description ipsec-tunnel-outside
set interfaces ms-0/0/0 unit 10 family inet unnumbered-address xe-1/2/0.550
set interfaces ms-0/0/0 unit 10 service-domain outside

set interfaces ms-0/0/0 unit 11 description ipsec-tunnel-inside
set interfaces ms-0/0/0 unit 11 family inet
set interfaces ms-0/0/0 unit 11 service-domain inside

=================
Routing-instance:
=================

set routing-instances ipvpn instance-type vrf
set routing-instances ipvpn interface ms-0/0/0.11
set routing-instances ipvpn interface lo0.1684
set routing-instances ipvpn route-distinguisher 1:1
set routing-instances ipvpn vrf-target target:1:1
set routing-instances ipvpn vrf-table-label
set routing-instances ipvpn routing-options static route 200.0.0.0/24 next-hop ms-0/0/0.11

============
Service-set:
============

! IPsec cannot be activated in a service-set already activated for stateful firewalling 
! When multiple services are needed inside 1 MPLS VPN, 
! you can create two separate service-sets and put the relevant ms interfaces inside the routing-instance 

set services service-set ipsec-firewall next-hop-service inside-service-interface ms-0/0/0.11
set services service-set ipsec-firewall next-hop-service outside-service-interface ms-0/0/0.10
set services service-set ipsec-firewall ipsec-vpn-options local-gateway 172.31.255.10
set services service-set ipsec-firewall ipsec-vpn-rules encrypt

! could not put multiple sources into one term 

set services ipsec-vpn rule encrypt term ipsec from source-address 201.0.0.0/24
set services ipsec-vpn rule encrypt term ipsec from destination-address 200.0.0.0/24
set services ipsec-vpn rule encrypt term ipsec then remote-gateway 172.31.255.11
set services ipsec-vpn rule encrypt term ipsec then dynamic ike-policy ike-p1
set services ipsec-vpn rule encrypt term ipsec then dynamic ipsec-policy ipsec-p2

! so I created a second one 

set services ipsec-vpn rule encrypt term ipsec-10-range from source-address 10.0.0.0/8
set services ipsec-vpn rule encrypt term ipsec-10-range from destination-address 200.0.0.0/24
set services ipsec-vpn rule encrypt term ipsec-10-range then remote-gateway 172.31.255.11
set services ipsec-vpn rule encrypt term ipsec-10-range then dynamic ike-policy ike-p1
set services ipsec-vpn rule encrypt term ipsec-10-range then dynamic ipsec-policy ipsec-p2
set services ipsec-vpn rule encrypt match-direction input

set services ipsec-vpn ipsec proposal ipsec-p2 protocol esp
set services ipsec-vpn ipsec proposal ipsec-p2 authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal ipsec-p2 encryption-algorithm 3des-cbc

set services ipsec-vpn ipsec policy ipsec-p2 proposals ipsec-p2

set services ipsec-vpn ike proposal ike-p1 authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike-p1 dh-group group2
set services ipsec-vpn ike proposal ike-p1 authentication-algorithm sha1
set services ipsec-vpn ike proposal ike-p1 encryption-algorithm aes-256-cbc
set services ipsec-vpn ike proposal ike-p1 lifetime-seconds 86400

set services ipsec-vpn ike policy ike-p1 mode main
set services ipsec-vpn ike policy ike-p1 proposals ike-p1
set services ipsec-vpn ike policy ike-p1 pre-shared-key ascii-text "$9$/n0H9pBIRSKMXFnIcyr8L"

The thing that confused me most before starting was the configuration of the ms-x/x/x interfaces. The MPLS VPN forwards its traffic towards the interface configured with 'service-domain inside'. For this reason, that interface is placed inside the ipvpn.inet.0 routing table. To make sure that the subnet found at the other end of the tunnel is reachable from the MPLS VPN, the static route towards this subnet needs to be configured in the ipvpn.inet.0 table.

The outside service-domain is what the MX will use to establish the IPsec tunnel. This interface will need to be in inet.0 (assuming the Internet is accessible from the global routing-table). No other route needs to be configured in the inet.0 table.

By using the 'next-hop-service' in the [services service-set xxxx] stanza, the relevant traffic is directed to the services MIC. Another interesting thing was that inside the MPLS VPN, I also configured a stateful firewall. This stateful firewall was using another service-set (and another ms-interface). Because of this, no firewall-rule was needed to allow traffic to traverse the tunnel.
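The wiring described in the three paragraphs above (inside ms unit in the VRF, outside ms unit in inet.0, static route to the remote subnet via the inside unit, local-gateway equal to the outside interface's address) is easy to get wrong. The following checker is an added example, not part of the original post: it parses Junos 'set' lines and reports any of those points that do not hold. The function name is my own, and SAMPLE_CONFIG is a constructed subset of the page's configuration.

```python
from collections import defaultdict
# Constructed subset of the page's 'set' listing; the full listing can be fed in unchanged.
SAMPLE_CONFIG = """
set interfaces xe-1/2/0 unit 550 family inet address 172.31.255.10/29
set interfaces ms-0/0/0 unit 10 family inet unnumbered-address xe-1/2/0.550
set interfaces ms-0/0/0 unit 10 service-domain outside
set interfaces ms-0/0/0 unit 11 family inet
set interfaces ms-0/0/0 unit 11 service-domain inside
set routing-instances ipvpn interface ms-0/0/0.11
set routing-instances ipvpn routing-options static route 200.0.0.0/24 next-hop ms-0/0/0.11
set services service-set ipsec-firewall next-hop-service inside-service-interface ms-0/0/0.11
set services service-set ipsec-firewall next-hop-service outside-service-interface ms-0/0/0.10
set services service-set ipsec-firewall ipsec-vpn-options local-gateway 172.31.255.10
set services ipsec-vpn rule encrypt term ipsec from destination-address 200.0.0.0/24
"""
def check_service_set(config, name):
    """Return findings; empty when the ms units are wired as the text above describes."""
    domain, vrf_of, addrs, unnumbered, ss, dests = {}, {}, {}, {}, {}, set()
    static = defaultdict(set)  # (vrf, next-hop ifl) -> prefixes routed through it
    for ln in [l for l in config.splitlines() if l.startswith("set ")]:
        t = ln.split()[1:]
        if t[0] == "interfaces" and len(t) > 5 and t[2] == "unit":
            ifl = f"{t[1]}.{t[3]}"
            if t[4] == "service-domain":
                domain[ifl] = t[5]
            elif t[4:7] == ["family", "inet", "address"]:
                addrs[ifl] = t[7].split("/")[0]
            elif t[4:7] == ["family", "inet", "unnumbered-address"]:
                unnumbered[ifl] = t[7]  # borrows the donor interface's address
        elif t[0] == "routing-instances" and t[2] == "interface":
            vrf_of[t[3]] = t[1]
        elif t[0] == "routing-instances" and t[2:5] == ["routing-options", "static", "route"]:
            static[(t[1], t[7])].add(t[5])
        elif t[:3] == ["services", "service-set", name]:
            ss[t[-2]] = t[-1]  # e.g. inside-service-interface -> ms-0/0/0.11
        elif t[:2] == ["services", "ipsec-vpn"] and "destination-address" in t:
            dests.add(t[-1])
    inside, outside = ss.get("inside-service-interface"), ss.get("outside-service-interface")
    findings = []
    if domain.get(inside) != "inside" or domain.get(outside) != "outside":
        findings.append("service-domain inside/outside does not match the service-set interfaces")
    if inside not in vrf_of:
        findings.append(f"{inside} must be listed under the routing-instance (its inet.0 table)")
    if outside in vrf_of:
        findings.append(f"{outside} must stay in inet.0, not in routing-instance {vrf_of[outside]}")
    if addrs.get(unnumbered.get(outside, outside)) != ss.get("local-gateway"):
        findings.append("local-gateway is not the address the outside interface uses")
    for d in sorted(dests - static.get((vrf_of.get(inside), inside), set())):
        findings.append(f"{d} needs a static route via {inside} in the routing-instance")
    return findings
```

Feeding the page's full listing returns no findings; swapping the VRF interface to the outside unit, or pointing local-gateway at an address the outside unit does not own, produces the corresponding findings.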

After this configuration, you can use the following commands to verify that the tunnel is up and handling traffic:

play@MX104-TEST-HB> show services ipsec-vpn ike security-associations detail
IKE peer 172.31.255.11
  Role: Responder, State: Matured
  Initiator cookie: 3389e1414c713040, Responder cookie: 90cd04b3f7ee728e
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 172.31.255.10, Remote: 172.31.255.11
  Lifetime: Expires in 79268 seconds
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : 2
  Traffic statistics:
   Input  bytes  :                39376
   Output bytes  :                48024
   Input  packets:                  315
   Output packets:                  312
  Flags: IKE SA created
  IPSec security associations: 18 created, 14 deleted

play@MX104-TEST-HB> show services ipsec-vpn ipsec security-associations ipsec-firewall extensive
Service set: ipsec-firewall, IKE Routing-instance: default

  Rule: encrypt, Term: ipsec, Tunnel index: 1
  Local gateway: 172.31.255.10, Remote gateway: 172.31.255.11
  IPSec inside interface: ms-0/0/0.11, Tunnel MTU: 1500
  Local identity: ipv4_subnet(any:0,[0..7]=201.0.0.0/24)
  Remote identity: ipv4_subnet(any:0,[0..7]=200.0.0.0/24)

    Direction: inbound, SPI: 2536391950, AUX-SPI: 0
    Mode: tunnel, Type: dynamic, State: Installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Soft lifetime: Expires in 878 seconds
    Hard lifetime: Expires in 1433 seconds
    Anti-replay service: Enabled, Replay window size: 64

    Direction: outbound, SPI: 1736490921, AUX-SPI: 0
    Mode: tunnel, Type: dynamic, State: Installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Soft lifetime: Expires in 878 seconds
    Hard lifetime: Expires in 1433 seconds
    Anti-replay service: Enabled, Replay window size: 64

  Rule: encrypt, Term: ipsec-10-range, Tunnel index: 2
  Local gateway: 172.31.255.10, Remote gateway: 172.31.255.11
  IPSec inside interface: ms-0/0/0.11, Tunnel MTU: 1500
  Local identity: ipv4_subnet(any:0,[0..7]=10.0.0.0/8)
  Remote identity: ipv4_subnet(any:0,[0..7]=200.0.0.0/24)

    Direction: inbound, SPI: 45354595, AUX-SPI: 0
    Mode: tunnel, Type: dynamic, State: Installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Soft lifetime: Expires in 808 seconds
    Hard lifetime: Expires in 1443 seconds
    Anti-replay service: Enabled, Replay window size: 64

    Direction: outbound, SPI: 1083434050, AUX-SPI: 0
    Mode: tunnel, Type: dynamic, State: Installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Soft lifetime: Expires in 808 seconds
    Hard lifetime: Expires in 1443 seconds
    Anti-replay service: Enabled, Replay window size: 64

play@MX104-TEST-HB> show route forwarding-table vpn ipvpn destination 200.0.0.0/24
Routing table: ipvpn.inet
Internet:
Destination        Type RtRef Next hop           Type Index    NhRef Netif
200.0.0.0/24       user     0                    ucst     2346     2 ms-0/0/0.11

play@MX104-TEST-HB> show services sessions
ms-0/0/0
Service Set: ipsec-firewall, Session: 503316485, ALG: none, Flags: 0x0000, IP Action: no, Offload: no, Asymmetric: no
ESP       172.31.255.11:29219  ->   172.31.255.10:13816  Forward  O            1418
ESP       172.31.255.10:13816  ->   172.31.255.11:29219  Forward  I               0

Service Set: ipsec-firewall, Session: 1979711492, ALG: none, Flags: 0x0000, IP Action: no, Offload: no, Asymmetric: no
ESP       172.31.255.11:13176  ->   172.31.255.10:55969  Forward  O            1433
ESP       172.31.255.10:55969  ->   172.31.255.11:13176  Forward  I               0

Service Set: ipsec-firewall, Session: 1744830470, ALG: none, Flags: 0x0000, IP Action: no, Offload: no, Asymmetric: no
ICMP          200.0.0.1        ->       201.0.0.1        Forward  O               0
ICMP          201.0.0.1        ->       200.0.0.1        Forward  I           16256

Service Set: ipsec-firewall, Session: 402653192, ALG: none, Flags: 0x0000, IP Action: no, Offload: no, Asymmetric: no
ICMP           10.0.0.1        ->       200.0.0.1        Forward  I           16991
ICMP          200.0.0.1        ->        10.0.0.1        Forward  O               0

P.S. The only reason I used an unnumbered interface here was because it happened to be easiest in my lab.

16-6-2015