Juniper's MultiServices MIC (MS-MIC-16G) has some fancy features that allow you to do NAT, IPSec termination (~8 Gbit/s), etc. on the MX platform. However, the documentation for it sucks and JTAC doesn't appear to be super familiar with it.

In order to create an IPSec-protected GRE tunnel between two MXs, you need:

  • A pair of IPs to use for IPSec termination (10.0.0.1/32 and 10.0.0.2/32). These could be your half of the /30 an ISP allocates to you for peering.
  • A pair of /32s to use for routing traffic to the MS-MIC (10.0.204.50/32 and 10.0.79.50/32). These can be RFC1918 space if you like, but they should be separate from your router's primary loopback IP.
  • A /30 to use for the GRE tunnel itself (10.10.10.0/30). It should be publicly routable if you plan to use the GRE tunnel for moving Internet-facing traffic around.

Add our magic IP to lo0, and route traffic destined for our peer's lo0 (10.0.204.50/32) to the MS-MIC (we'll use this as the GRE tunnel destination):

set interfaces lo0 unit 0 family inet address 10.0.79.50/32
set routing-options static route 10.0.204.50/32 next-hop ms-2/2/0.1

Configure interfaces on the MS-MIC:

set interfaces ms-2/2/0 unit 0 family inet
set interfaces ms-2/2/0 unit 1 family inet
set interfaces ms-2/2/0 unit 1 service-domain inside
set interfaces ms-2/2/0 unit 2 family inet
set interfaces ms-2/2/0 unit 2 service-domain outside

Configure the IPSec rules to encrypt traffic from our lo0 destined for our peer's lo0:

set services ipsec-vpn rule IPSec term 1 from source-address 10.0.79.50/32
set services ipsec-vpn rule IPSec term 1 from destination-address 10.0.204.50/32
set services ipsec-vpn rule IPSec term 1 then remote-gateway 10.0.0.2
set services ipsec-vpn rule IPSec term 1 then dynamic ike-policy IKE-Policy
set services ipsec-vpn rule IPSec term 1 then dynamic ipsec-policy IPSec_policy
set services ipsec-vpn rule IPSec term 1 then initiate-dead-peer-detection
set services ipsec-vpn rule IPSec match-direction input
set services ipsec-vpn ipsec proposal IPSec-proposal protocol esp
set services ipsec-vpn ipsec proposal IPSec-proposal authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal IPSec-proposal encryption-algorithm aes-128-cbc
set services ipsec-vpn ipsec policy IPSec_policy proposals IPSec-proposal
set services ipsec-vpn ipsec policy IPSec_policy perfect-forward-secrecy keys group19
set services ipsec-vpn ike proposal IKE-Proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-Proposal dh-group group19
set services ipsec-vpn ike proposal IKE-Proposal authentication-algorithm sha-256
set services ipsec-vpn ike proposal IKE-Proposal encryption-algorithm aes-128-cbc
set services ipsec-vpn ike proposal IKE-Proposal lifetime-seconds 14400
set services ipsec-vpn ike policy IKE-Policy proposals IKE-Proposal
set services ipsec-vpn ike policy IKE-Policy pre-shared-key ascii-text supersecretkey
set services ipsec-vpn establish-tunnels immediately

You might want to use certificates here for extra security. Shared secrets aren't awesome.

Bind the service set to the inside/outside interfaces we previously created on the MS-MIC:

set services service-set IPSec_SS next-hop-service inside-service-interface ms-2/2/0.1
set services service-set IPSec_SS next-hop-service outside-service-interface ms-2/2/0.2
set services service-set IPSec_SS ipsec-vpn-options local-gateway 10.0.0.1
set services service-set IPSec_SS ipsec-vpn-rules IPSec
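The service-set and static-route lines have to point at ms units that were actually configured under set interfaces, and a slot/PIC mismatch (e.g. ms-1/2/0.1 referenced while only ms-2/2/0 units exist) is easy to miss in a wall of set commands. As an added check that is not part of the original post, here is a small Python lint over set-style config that flags such dangling references; the sample config is constructed for the example.

```python
import re

# Constructed sample in set-command style: the service-set lines point at FPC 1
# while the ms units are defined on FPC 2, a mismatch this lint should catch.
SAMPLE = """
set interfaces ms-2/2/0 unit 1 family inet
set interfaces ms-2/2/0 unit 1 service-domain inside
set interfaces ms-2/2/0 unit 2 family inet
set interfaces ms-2/2/0 unit 2 service-domain outside
set interfaces ms-2/2/0 unit 3 family inet
set routing-options static route 10.0.204.50/32 next-hop ms-2/2/0.1
set services service-set IPSec_SS next-hop-service inside-service-interface ms-1/2/0.1
set services service-set IPSec_SS next-hop-service outside-service-interface ms-1/2/0.2
set services service-set tcp-mss interface-service service-interface ms-2/2/0.3
"""

# 'set interfaces ms-x/y/z unit N ...' defines a unit; anything else that mentions
# ms-x/y/z.N (service-sets, static route next-hops) is a reference to one.
UNIT_DEF = re.compile(r"^set interfaces (ms-\d+/\d+/\d+) unit (\d+)\b")
UNIT_REF = re.compile(r"\b(ms-\d+/\d+/\d+\.\d+)\b")


def find_dangling_ms_refs(config):
    """Return the sorted list of ms-x/y/z.N names that are referenced by
    non-interface statements but never defined with 'set interfaces ... unit N'."""
    defined, referenced = set(), set()
    for line in config.splitlines():
        m = UNIT_DEF.match(line)
        if m:
            defined.add(f"{m.group(1)}.{m.group(2)}")
        elif line.startswith("set "):
            referenced.update(UNIT_REF.findall(line))
    return sorted(referenced - defined)


if __name__ == "__main__":
    for ref in find_dangling_ms_refs(SAMPLE):
        print(f"dangling reference: {ref}")
```

Run it over the output of `show configuration | display set` before committing; an empty result means every referenced ms unit exists.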

Configure the MS-MIC to intercept TCP packets with the SYN flag set and rewrite their maximum segment size (MSS), to avoid fragmentation issues:

set interfaces ms-2/2/0 unit 3 family inet
set interfaces ms-2/2/0 unit 3 family inet6
set interfaces ms-2/2/0 unit 3 description "TCP MSS Modification"

set services service-set tcp-mss tcp-mss 1360 stateful-firewall-rules permit-all
set services service-set tcp-mss interface-service service-interface ms-2/2/0.3
set services service-set tcp-mss service-set-options enable-asymmetric-traffic-processing

set services stateful-firewall rule permit-all match-direction input-output term accept then accept

set firewall family inet service-filter mss-filter term tcp from protocol tcp tcp-flags syn
set firewall family inet service-filter mss-filter term tcp then service
set firewall family inet service-filter mss-filter term default then skip
set firewall family inet6 service-filter mss-filter_v6 term tcp from next-header tcp tcp-flags syn
set firewall family inet6 service-filter mss-filter_v6 term tcp then service
set firewall family inet6 service-filter mss-filter_v6 term default then skip

enable-asymmetric-traffic-processing is essential if asymmetric routing is possible in your environment.

Finally, configure our GRE tunnel and assign the TCP MSS modification service set to it:

set interfaces gr-1/3/0 unit 0 tunnel source 10.0.79.50
set interfaces gr-1/3/0 unit 0 tunnel destination 10.0.204.50
set interfaces gr-1/3/0 unit 0 family inet service input service-set tcp-mss service-filter mss-filter
set interfaces gr-1/3/0 unit 0 family inet service output service-set tcp-mss service-filter mss-filter
set interfaces gr-1/3/0 unit 0 family inet address 10.10.10.1/30
set interfaces gr-1/3/0 unit 0 family inet6 service input service-set tcp-mss service-filter mss-filter_v6
set interfaces gr-1/3/0 unit 0 family inet6 service output service-set tcp-mss service-filter mss-filter_v6

You can configure an IPv6 address here as well if IPv6 is in use in your environment.

On your peer router, simply reverse the various IPs.

Verify everything works:

ping 10.0.204.50 source 10.0.79.50

show services ipsec-vpn ipsec security-associations
show services ipsec-vpn ipsec statistics

Ensure that the GRE tunnel source/destination IPs don't end up in your routing table via routes learned over the tunnel itself, as this could cause a recursive routing loop. In the above example we're using the static routes to ensure we don't do this, but having an export filter for your IGP that rejects the GRE tunnel source/destination IPs might be a good thing to add.

You could also build this using interface service-sets instead of the static routes; however, the static routes involve a little less 'magic' and should be a little safer.