vMX


Tracking if IPsec tunnel is down and forward traffic without IPsec

  • 1.  Tracking if IPsec tunnel is down and forward traffic without IPsec

    Posted 01-16-2018 01:47

    Hi,

     

    I have IPsec working on vMX, also with a backup tunnel.

    In the configuration I have a static route to the inline service interface to encrypt traffic to a specific destination.

     

    As a last resort I would like to send the traffic without any encryption if both tunnels are down.

    How can I track that the tunnels are down and withdraw the static route?

     

     

    chassis {                               
        fpc 0 {
            pic 0 {
                interface-type xe;
                inline-services {
                    bandwidth 1g;
                }
            }
            lite-mode;
        }
        network-services enhanced-ip;
    }
    services {
        service-set IPSec_SS1 {
            next-hop-service {
                inside-service-interface si-0/0/0.1;
                outside-service-interface si-0/0/0.2;
            }
            ipsec-vpn-options {
                local-gateway 10.254.0.9;
            }
            ipsec-vpn-rules IPSec;
        }
        ipsec-vpn {                         
            rule IPSec {
                term 1 {
                    then {
                        remote-gateway 10.0.0.2;
                        backup-remote-gateway 10.0.0.14;
                        dynamic {
                            ike-policy IKE-Policy;
                            ipsec-policy IPSec_policy;
                        }
                        
                        tunnel-mtu 1600;
                        copy-tos-from-inner-ip-header;
                        initiate-dead-peer-detection;
                    }
                }
                match-direction input;
            }
            ipsec {
                proposal IPSec-proposal {
                    protocol esp;
                    authentication-algorithm hmac-sha1-96;
                    encryption-algorithm aes-128-cbc;
                }                           
                policy IPSec_policy {
                    perfect-forward-secrecy {
                        keys group19;
                    }
                    proposals IPSec-proposal;
                }
            }
            ike {
                proposal IKE-Proposal {
                    authentication-method pre-shared-keys;
                    dh-group group19;
                    authentication-algorithm sha-256;
                    encryption-algorithm aes-128-cbc;
                    lifetime-seconds 14400;
                }
                policy IKE-Policy {
                    proposals IKE-Proposal;
                    pre-shared-key ascii-text "9$ddddddd./.P"; ## SECRET-DATA
                }
            }
            establish-tunnels immediately;
        }
    }
    interfaces {
        si-0/0/0 {
            unit 0 {
                family inet;
            }
            unit 1 {
                family inet;
                service-domain inside;
            }
            unit 2 {
                family inet;
                service-domain outside;
            }
        }
        xe-0/0/0 {
            unit 0 {
                family inet {
                    address 10.0.0.1/30;
                }                           
            }
        }
        xe-0/0/1 {
            mtu 1514;
            unit 0 {
                family inet {
                    address 10.0.0.10/30;
                }
            }
        }
        xe-0/0/2 {
            unit 0 {
                family inet {
                    address 10.0.0.17/30;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 10.254.0.9/32;
                }
            }                               
        }
    }
    routing-options {
        static {
            route 192.168.0.0/24 next-hop si-0/0/0.1;
        }
    }
    protocols {
        ospf {
            area 0.0.0.0 {
                interface xe-0/0/0.0;
                interface xe-0/0/1.0;
                interface lo0.0 {
                    passive;
                }
                interface xe-0/0/2.0;
            }
        }
    }

    Thanks Niklas

     



  • 2.  RE: Tracking if IPsec tunnel is down and forward traffic without IPsec

    Posted 01-16-2018 02:35
    Service IP monitoring is not supported on MX.

    You can use a script to achieve this.

    Please refer to the posts below.

    https://forums.juniper.net/t5/Routing/MX480-IP-SLA/m-p/312325

    https://forums.juniper.net/t5/Junos-Automation-Scripting/write-scripts-delete-next-hop-for-static-route/td-p/85290


    HTH


  • 3.  RE: Tracking if IPsec tunnel is down and forward traffic without IPsec

    Posted 01-16-2018 06:39

    Hi,

    Thanks for the advice.

    I tried the following event-options; unfortunately it does not work.

    Does anyone have a hint how it should look?

     

    policy tunnel_up {
        events KMD_PM_SA_ESTABLISHED;
        then {
            change-configuration {
                commands {
                    "set routing-options static route 192.168.0.0/24 next-hop si-0/0/0.1";
                }
            }
        }
    }
    policy tunnel_down {
        events KMD_PM_SA_DELETED;
        then {
            change-configuration {
                commands {
                    "delete routing-options static route 192.168.0/24 next-hop si-0/0/0.1";
                }
            }
        }
    }


  • 4.  RE: Tracking if IPsec tunnel is down and forward traffic without IPsec
    Best Answer

    Posted 01-16-2018 07:29

    Hi again,

    With the following event-options it works

     

    policy tunnel_up {
        events SYSTEM;
        attributes-match {
            system.message matches KMD_PM_SA_ESTABLISHED;
        }
        then {
            change-configuration {
                commands {
                    "set routing-options static route 192.168.0.0/24 next-hop si-0/0/0.1";
                }
            }
        }
    }
    policy tunnel_down {
        events SYSTEM;
        attributes-match {
            system.message matches KMD_PM_SA_DELETED;
        }
        then {
            change-configuration {
                commands {
                    "delete routing-options static route 192.168.0.0/24 next-hop si-0/0/0.1";
                }
            }
        }
    }


  • 5.  RE: Tracking if IPsec tunnel is down and forward traffic without IPsec

    Posted 01-16-2018 10:13

    Glad to know that it worked for you 🙂

     

    Cheers!