Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - IP SERVICES CONFIGURATION GUIDE 2010-10-01 Configuration Manual page 181

Software for e series broadband services routers ip services configuration guide
Copyright © 2010, Juniper Networks, Inc.
erx2(config-if)#ip address 200.1.0.0 255.255.0.0
erx2(config-if)#exit
Tunnel 2:
erx2(config)#interface tunnel ipsec:Aboca2boston
erx2(config-if)#tunnel transform-set customerAprotection
erx2(config-if)#tunnel local-identity subnet 200.2.0.0 255.255.0.0
erx2(config-if)#tunnel peer-identity subnet 200.3.0.0 255.255.0.0
erx2(config-if)#tunnel source 100.2.0.1
erx2(config-if)#tunnel destination 100.3.0.1
erx2(config-if)#ip address 200.3.0.0 255.255.0.0
erx2(config-if)#exit
5. Finally, on erx3 create two IPSec tunnels, one to carry customer A's traffic between
Boston and Ottawa and another to carry the traffic between Boston and Boca:
Tunnel 1:
erx3(config)#interface tunnel ipsec:Aboston2ottawa
erx3(config-if)#tunnel transform-set customerAprotection
erx3(config-if)#tunnel local-identity subnet 200.3.0.0 255.255.0.0
erx3(config-if)#tunnel peer-identity subnet 200.1.0.0 255.255.0.0
erx3(config-if)#tunnel source 100.3.0.1
erx3(config-if)#tunnel destination 100.1.0.1
erx3(config-if)#ip address 200.1.0.0 255.255.0.0
erx3(config-if)#exit
Tunnel 2:
erx3(config)#interface tunnel ipsec:Aboston2boca
erx3(config-if)#tunnel transform-set customerAprotection
erx3(config-if)#tunnel local-identity subnet 200.3.0.0 255.255.0.0
erx3(config-if)#tunnel peer-identity subnet 200.2.0.0 255.255.0.0
erx3(config-if)#tunnel source 100.3.0.1
erx3(config-if)#tunnel destination 100.2.0.1
erx3(config-if)#ip address 200.2.0.0 255.255.0.0
erx3(config-if)#exit
The configuration is complete. Customer A's traffic between the different cities now flows
through the public, or untrusted, IP network inside a tunnel, where each packet is encrypted
and authenticated. This example shows only the basic secure encapsulation of
customer traffic over the untrusted IP network. You can add features such as key
refreshing.
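In the tunnel stanzas above, each end's source/destination and local/peer identity are the other end's values swapped. The following check of that property is an added example, not part of the Juniper guide; the function names and verdict strings are assumptions made for illustration, and only the command forms shown on this page are parsed.

```python
import re
from ipaddress import ip_network
# Lines copied from the page (transform-set, ip address and exit lines omitted).
SAMPLE = """\
erx2(config)#interface tunnel ipsec:Aboca2boston
erx2(config-if)#tunnel local-identity subnet 200.2.0.0 255.255.0.0
erx2(config-if)#tunnel peer-identity subnet 200.3.0.0 255.255.0.0
erx2(config-if)#tunnel source 100.2.0.1
erx2(config-if)#tunnel destination 100.3.0.1
erx3(config)#interface tunnel ipsec:Aboston2ottawa
erx3(config-if)#tunnel local-identity subnet 200.3.0.0 255.255.0.0
erx3(config-if)#tunnel peer-identity subnet 200.1.0.0 255.255.0.0
erx3(config-if)#tunnel source 100.3.0.1
erx3(config-if)#tunnel destination 100.1.0.1
erx3(config)#interface tunnel ipsec:Aboston2boca
erx3(config-if)#tunnel local-identity subnet 200.3.0.0 255.255.0.0
erx3(config-if)#tunnel peer-identity subnet 200.2.0.0 255.255.0.0
erx3(config-if)#tunnel source 100.3.0.1
erx3(config-if)#tunnel destination 100.2.0.1
"""
PROMPT = re.compile(r"^[ \t]*(\S+?)\((config(?:-if)?)\)#(.*)$", re.M)

def parse_tunnels(text):
    """Map (router, tunnel) -> settings; 3-word values stay text, subnets become networks."""
    tunnels, cur = {}, None
    for m in PROMPT.finditer(text):
        router, mode, cmd = m[1], m[2], m[3].split()
        if mode == "config":  # global mode: a tunnel stanza opens, or none is open
            is_tun = cmd[:2] == ["interface", "tunnel"] and len(cmd) == 3
            cur = tunnels.setdefault((router, cmd[2]), {}) if is_tun else None
        elif cur is not None and cmd[:1] == ["tunnel"] and len(cmd) in (3, 5):
            cur[cmd[1]] = cmd[2] if len(cmd) == 3 else ip_network(f"{cmd[3]}/{cmd[4]}")
    return tunnels

def ids(t):
    return t.get("local-identity"), t.get("peer-identity")

def audit(tunnels):
    """Verdict per tunnel end: the peer stanza must swap source/destination and identities."""
    out = {}
    for key, t in tunnels.items():
        ends = (t.get("destination"), t.get("source"))
        peer = next((p for k, p in tunnels.items() if k != key and None not in ends
                     and (p.get("source"), p.get("destination")) == ends), None)
        out[key] = ("no peer stanza supplied" if peer is None else
                    "ok" if ids(t) == ids(peer)[::-1] else "identity mismatch")
    return out

if __name__ == "__main__":
    print(audit(parse_tunnels(SAMPLE)))
```

Aboston2ottawa is reported as unpaired because its peer stanza (destination 100.1.0.1) is not among the lines supplied.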
Example 2
Example 2, shown in Figure 17 on page 156, enhances the previous example by having the
same ISP-X provide leased line replacement to two customers who use address
schemes in the same range. There are two ways to solve scenarios in which different
customers use similar IP address schemes:
One solution is to have different transport virtual routers—a configuration similar to
example 1, except that a different VR domain is possible.
Another solution, as described in this example, simply duplicates the endpoints for the
transport VR. This example assumes that the transport VR is the default VR.
Chapter 5: Configuring IPSec