vMX


Group VPN between vMX as a member and a cisco router as a Group Controller

  • 1.  Group VPN between vMX as a member and a cisco router as a Group Controller

    Posted 01-02-2019 10:19

    Hello,     

    I am trying to set up a Group VPN between a Cisco GC/KS and 3 vMX routers (14.1R1.10) and another Cisco router as a member. I've managed to get the Group VPN working between the two Cisco routers, but I have difficulties configuring the vMX routers and maybe someone here can help.

    Config for GM-1 (juniper vMX router as a group member).

    Config for GC/KS (cisco router as the Group Controller)

    Config for GM-6 (cisco router as a group member)

    The connection between GM-6 and GC-KS is up:

     

    GM-6#show crypto session detail
    Crypto session current status

    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
    X - IKE Extended Authentication, F - IKE Fragmentation
    R - IKE Auto Reconnect

    Interface: Ethernet0/3
    Session status: UP-ACTIVE
    Peer: 0.0.0.0 port 848 fvrf: (none) ivrf: (none)
    Phase1_id: 4.4.4.2
    Desc: (none)
    Session ID: 0
    IKEv1 SA: local 6.6.6.2/848 remote 4.4.4.2/848 Active
    Capabilities:(none) connid:1001 lifetime:23:22:03
    IPSEC FLOW: permit ip 192.168.0.0/255.255.0.0 192.168.0.0/255.255.0.0
    Active SAs: 2, origin: crypto map
    Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/1964
    Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/1964

     

     

    The problem is at the vMX configuration under edit services service-set, when I try the si interfaces it gives me the following error:

     

    rokk@GM-1# show | compare
    [edit]
    +  services {
    +      service-set SER-SET {
    +          interface-service {
    +              service-interface si-0/0/0;
    +          }
    +          ipsec-group-vpn ABC;
    +      }
    +  }
    [edit interfaces]
    +   si-0/0/0 {
    +       unit 0 {
    +           family inet;
    +       }
    +   }

    [edit]
    rokk@GM-1# commit check      
    [edit services]
      'service-set SER-SET'
        nat-rules or nat-rule-sets or softwire-rules or softwire-rule-sets or ip-reassembly-rule or ip-reassembly-rule-sets must be configured when si is the service-interface
    error: configuration check-out failed

     

     

    So, has anyone tried to configure Group VPN on the vMX router? And if yes, can you give me an example, or can you show me what else I must do? Because I see that I can configure the router as a member under security group-vpn member.

    See topology attached.

    Thank you.


    #vmx
    #Group_VPN


  • 2.  RE: Group VPN between vMX as a member and a cisco router as a Group Controller

    Posted 01-02-2019 10:25

    Config for GM-1 (juniper vMX router as a group member):

    https://textuploader.com/1s26n

    Config for GC/KS (cisco router as the Group Controller):

    https://textuploader.com/1s268

    Config for GM-6 (cisco router as a group member):

    https://textuploader.com/1s2j9



  • 3.  RE: Group VPN between vMX as a member and a cisco router as a Group Controller
    Best Answer

    Posted 01-02-2019 10:30

    IPsec VPN isn't supported on vMX before Junos 15.1F6 (https://apps.juniper.net/feature-explorer/feature-info.html?fKey=6052&fn=IPsec%20support) and Group VPN not before 14.1R5 (https://apps.juniper.net/feature-explorer/feature-info.html?fKey=6349&fn=Group%20VPN%20member) - so for a start please try with a supported release.

     

    I would suggest going with vMX 18.2R1, which is available as a free trial: https://www.juniper.net/us/en/dm/free-vmx-trial/



  • 4.  RE: Group VPN between vMX as a member and a cisco router as a Group Controller

    Posted 01-02-2019 20:31

    Thank you.

    I will try that version.