Group VPN between vMX as a member and a cisco router as a Group Controller

  • 1.  Group VPN between vMX as a member and a cisco router as a Group Controller

    Posted 01-02-2019 10:19

    Hello,

    I am trying to set up a Group VPN between a Cisco GC/KS and 3 vMX routers (14.1R1.10) and another Cisco router as a member. I've managed to get the Group VPN working between the two Cisco routers, but I have difficulties configuring the vMX routers and maybe someone here can help.

    Config for GM-1 (juniper vMX router as a group member).

    Config for GC/KS (cisco router as the Group Controller)

    Config for GM-6 (cisco router as a group member)

    The connection between GM-6 and GC-KS is up:

     

    GM-6#show crypto session detail
    Crypto session current status

    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
    X - IKE Extended Authentication, F - IKE Fragmentation
    R - IKE Auto Reconnect

    Interface: Ethernet0/3
    Session status: UP-ACTIVE
    Peer: 0.0.0.0 port 848 fvrf: (none) ivrf: (none)
    Phase1_id: 4.4.4.2
    Desc: (none)
    Session ID: 0
    IKEv1 SA: local 6.6.6.2/848 remote 4.4.4.2/848 Active
    Capabilities:(none) connid:1001 lifetime:23:22:03
    IPSEC FLOW: permit ip 192.168.0.0/255.255.0.0 192.168.0.0/255.255.0.0
    Active SAs: 2, origin: crypto map
    Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/1964
    Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/1964

     

     

    The problem is at the vMX configuration under edit services service-set: when I try the si interfaces, it gives me the following error:

     

    rokk@GM-1# show | compare
    [edit]
    +  services {
    +      service-set SER-SET {
    +          interface-service {
    +              service-interface si-0/0/0;
    +          }
    +          ipsec-group-vpn ABC;
    +      }
    +  }
    [edit interfaces]
    +   si-0/0/0 {
    +       unit 0 {
    +           family inet;
    +       }
    +   }

    [edit]
    rokk@GM-1# commit check      
    [edit services]
      'service-set SER-SET'
        nat-rules or nat-rule-sets or softwire-rules or softwire-rule-sets or ip-reassembly-rule or ip-reassembly-rule-sets must be configured when si is the service-interface
    error: configuration check-out failed

     

     

    So, has anyone tried to configure Group VPN on the vMX router? If yes, can you give me an example? Or can you show me what else I must do? I ask because I see that I can configure the router as a member under security group-vpn member.

    See topology attached.

    Thank you.


    #vmx
    #Group_VPN


  • 2.  RE: Group VPN between vMX as a member and a cisco router as a Group Controller

    Posted 01-02-2019 10:25

    Config for GM-1 (juniper vMX router as a group member):

    https://textuploader.com/1s26n

    Config for GC/KS (cisco router as the Group Controller):

    https://textuploader.com/1s268

    Config for GM-6 (cisco router as a group member):

    https://textuploader.com/1s2j9



  • 3.  RE: Group VPN between vMX as a member and a cisco router as a Group Controller
    Best Answer

    Posted 01-02-2019 10:30

    IPsec VPN isn't supported on vMX before Junos 15.1F6 (https://apps.juniper.net/feature-explorer/feature-info.html?fKey=6052&fn=IPsec%20support) and Group VPN not before 14.1R5 (https://apps.juniper.net/feature-explorer/feature-info.html?fKey=6349&fn=Group%20VPN%20member), so for a start please try with a supported release.

    I would suggest going with vMX 18.2R1, which is available as a free trial: https://www.juniper.net/us/en/dm/free-vmx-trial/



  • 4.  RE: Group VPN between vMX as a member and a cisco router as a Group Controller

    Posted 01-02-2019 20:31

    Thank you.

    I will try that version.