Junos – VPN Hierarchy

Wow! A Junos post! Amazing.

We all know that the configuration on a Junos box is very hierarchical. Sometimes it doesn’t make a lot of sense, but it’s all a pretty cascade of code. One of the big messes that I’ve found is the VPN configuration hierarchy; there are way more items to configure than on an IOS device. To reinforce the steps in my head, I thought I’d get some of the pieces into a post. These aren’t all the options, but they’re all you need to get a static IPsec tunnel up and running.

security
    ike
        proposal <<<< Think ISAKMP policy on Cisco
            authentication-method <<<< pre-shared-keys
            dh-group
            authentication-algorithm
            encryption-algorithm
            lifetime-seconds
        policy
            mode <<<< main versus aggressive (quick mode is the phase 2 exchange, not an option here)
            proposals
            pre-shared-key <<<< The key and the proposal are bound together in the policy
        gateway <<<< The remote peer
            ike-policy
            address
            external-interface <<<< Think the interface where you’d apply the crypto map
    ipsec
        proposal <<<< Transform set…kinda
            protocol (esp)
            authentication-algorithm
            encryption-algorithm
            lifetime-seconds
        policy
            proposals
        vpn
            bind-interface <<<< Complicated story (an st0 unit; this is what makes it a route-based VPN)
            ike
                gateway
                proxy-identity <<<< Also complicated (the local/remote selectors the peer has to match)
                    local
                    remote
                ipsec-policy
            establish-tunnels immediately <<<< Awesome!
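To put the tree above into something you could actually commit, here is the same hierarchy filled in for one static, route-based tunnel. This is an added example, not the post’s own configuration: the names (ike-prop, ike-pol, gw-branch, ipsec-prop, ipsec-pol, vpn-branch), the RFC 5737 addresses, the zone names, the ge-0/0/0.0 external interface and the pre-shared-key placeholder are all assumptions you would swap for your own.

```junos
security {
    ike {
        /* Phase 1: what a "crypto isakmp policy" would hold on IOS */
        proposal ike-prop {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        /* The key lives with the policy, and the policy points at the proposal */
        policy ike-pol {
            mode main;
            proposals ike-prop;
            pre-shared-key ascii-text "replace-with-a-long-random-secret";
        }
        /* The remote peer, tied to the interface that faces it */
        gateway gw-branch {
            ike-policy ike-pol;
            address 203.0.113.10;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        /* Phase 2: roughly a transform set plus the crypto map entry */
        proposal ipsec-prop {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec-pol {
            proposals ipsec-prop;
        }
        vpn vpn-branch {
            /* bind-interface makes this route-based: traffic is steered by routes to st0.0 */
            bind-interface st0.0;
            ike {
                gateway gw-branch;
                /* Must mirror the peer's traffic selector (its crypto ACL on IOS) */
                proxy-identity {
                    local 192.0.2.0/24;
                    remote 198.51.100.0/24;
                }
                ipsec-policy ipsec-pol;
            }
            /* Bring the tunnel up at commit instead of waiting for interesting traffic */
            establish-tunnels immediately;
        }
    }
    zones {
        /* IKE (UDP/500, and 4500 for NAT-T) has to be allowed in on the external interface */
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                        }
                    }
                }
            }
        }
        /* The st0 unit needs a zone of its own, or nothing can be policied through it */
        security-zone vpn {
            interfaces {
                st0.0;
            }
        }
    }
}
interfaces {
    /* Unnumbered tunnel interface; add an address if you plan to run a routing protocol over it */
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    /* The route is what pulls traffic into the tunnel on a route-based VPN */
    static {
        route 198.51.100.0/24 next-hop st0.0;
    }
}
```

Security policies between the vpn zone and your inside zone are still required and are left out here. After the commit, check phase 1 with `show security ike security-associations` and phase 2 with `show security ipsec security-associations`; if phase 2 never comes up against a policy-based peer, the proxy-identity not matching the far end’s crypto ACL is the usual cause.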

That’ll do, pig.  I’ll fire off a real configuration post later.  Feel free to add your pair of pennies since I’m a total Junos n00b.

Send any stocking-stuffer questions my way.

Aaron Conaway


3 comments for “Junos – VPN Hierarchy”

  1. December 30, 2011 at 7:46 pm

    You really think this is worse than IOS? Especially when you display it like this, it makes total sense. You have 3 “sections” for each of ike and ipsec. It honestly couldn’t be more clear.

  2. December 30, 2011 at 7:49 pm

    Also, why is bind-interface a complicated story?

  3. January 31, 2012 at 8:08 pm

    Twenty-two different configuration items is a mess, though it’s presented much more clearly than IOS for sure. The bind interface gets complicated when you have multiple combinations of remote and local proxy identities to the same gateway.
