vMX

Issue:

======

IPsec VPN b/w Juniper vMX and Vyatta 5400 not working .

 

Topology:

========

 

192.168.100.1/24------Vyatta---------------Cloud--------------AWS ------Juniper vMX---10.0.20.0/24

 

Corcerns or Problems:

==================

1.  since the deployment is in AWS VPC the Public or Revenue interface is not in default Routing instance so both Public ge-0/0/0 and ge0/0/1 are in Routing instance named DATAPLANE-VMX-VPN-WANCLOUDS.And if my understanding is correct both si-0/0/0.1 and si-0/0/0.1 should be part of routing instance DATAPLANE-VMX-VPN-WANCLOUDS but on configuring getting this error.

 

root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.1 

 

[edit]

root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2    

 

[edit]

root@Juniper-vMX-Wanclouds# commit check 

[edit services service-set IPSEC-SITE-TO-SITE]

  'ipsec-vpn-options'

    The service interface si-0/0/0.2 must be configured under default routing-instance

 

2. How to enable NAT Traversal for IPsec vpn on vMX as the VMx is deployed behind Internet Gateway 1:1 Nat.But as per my undersatnding its enable by default.

 

 

 

Configuration:

 

Vyatta5400:

----------------

 

#vmx
#NAT
#vyatta
#routing-instance
#IPSec

Hi,

Your config doesn’t seem to be correct.
You have both inside and outside interface in same routing-instance DATAPLANE-VMX-VPN-WANCLOUDS.

Your local gateway and outside service interface should be either in global routing-instance or in another routing-instance.

I will correct the config and share if needed

Here’s the config for your reference.

Topology:

R1----------------------------R2

R1 config:


[edit]
root@R1_re# run show services ipsec-vpn ike sa
Remote Address State Initiator cookie Responder cookie Exchange type
10.1.12.2 Matured 846c851af53cecfd 221279f553a29262 Main

[edit]
root@R1_re#

[edit]
root@R1_re# run show services ipsec-vpn ipsec sa
Service set: test, IKE Routing-instance: outside

Rule: test-vpn, Term: 1, Tunnel index: 1
Local gateway: 10.1.12.1, Remote gateway: 10.1.12.2
IPSec inside interface: si-0/0/0.1, Tunnel MTU: 1500
UDP encapsulate: Disabled, UDP Destination port: 0
NATT Detection: Not Detected, NATT keepalive interval: 0
Direction SPI AUX-SPI Mode Type Protocol
inbound 4044436681 0 tunnel dynamic ESP
outbound 1708770906 0 tunnel dynamic ESP

[edit]
root@R1_re#

[edit]
root@R1_re# show services | display set
set services rpm probe A test PING-A-1 probe-type icmp-ping
set services rpm probe A test PING-A-1 target address 10.1.12.2
set services rpm probe A test PING-A-1 test-interval 3
set services rpm probe A test PING-A-1 thresholds successive-loss 3
set services service-set test next-hop-service inside-service-interface si-0/0/0.1
set services service-set test next-hop-service outside-service-interface si-0/0/0.2
set services service-set test ipsec-vpn-options local-gateway 10.1.12.1
set services service-set test ipsec-vpn-options local-gateway routing-instance outside
set services service-set test ipsec-vpn-rules test-vpn
set services ipsec-vpn rule test-vpn term 1 from source-address 192.168.0.0/24
set services ipsec-vpn rule test-vpn term 1 from destination-address 172.16.0.0/24
set services ipsec-vpn rule test-vpn term 1 then remote-gateway 10.1.12.2
set services ipsec-vpn rule test-vpn term 1 then dynamic ike-policy ike-policy
set services ipsec-vpn rule test-vpn term 1 then dynamic ipsec-policy ipsec-policy
set services ipsec-vpn rule test-vpn match-direction input
set services ipsec-vpn ipsec proposal ipsec-proposal authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal ipsec-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy ipsec-policy proposals ipsec-proposal
set services ipsec-vpn ike proposal ike-proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike-proposal dh-group group5
set services ipsec-vpn ike proposal ike-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ike proposal ike-proposal lifetime-seconds 500
set services ipsec-vpn ike policy ike-policy proposals ike-proposal
set services ipsec-vpn ike policy ike-policy pre-shared-key ascii-text "$9$Tz/Cp0BESru07-bs4o/CAtIEM8X"
set services ipsec-vpn establish-tunnels immediately

[edit]
root@R1_re#

root@R1_re# show routing-instances | display set
set routing-instances inside instance-type virtual-router
set routing-instances inside interface si-0/0/0.1
set routing-instances inside interface ge-0/0/2.0
set routing-instances inside routing-options static route 172.16.0.0/24 next-hop si-0/0/0.1
set routing-instances inside routing-options static route 192.168.0.0/24 next-hop 10.1.14.4
set routing-instances outside instance-type virtual-router
set routing-instances outside interface si-0/0/0.2
set routing-instances outside interface ge-0/0/1.0
set routing-instances outside routing-options static route 172.16.0.0/24 next-hop 10.1.12.2

[edit]
[edit]
root@R1_re# show interfaces
si-0/0/0 {
unit 1 {
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.1.12.1/24;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 10.1.14.1/24;
}
}
}


R2: Config



[edit]
root@R2_re# show services | display set
set services service-set test next-hop-service inside-service-interface si-0/0/0.1
set services service-set test next-hop-service outside-service-interface si-0/0/0.2
set services service-set test ipsec-vpn-options local-gateway 10.1.12.2
set services service-set test ipsec-vpn-options local-gateway routing-instance outside
set services service-set test ipsec-vpn-rules test-vpn
set services ipsec-vpn rule test-vpn term 1 from source-address 172.16.0.0/24
set services ipsec-vpn rule test-vpn term 1 from destination-address 192.168.0.0/24
set services ipsec-vpn rule test-vpn term 1 then remote-gateway 10.1.12.1
set services ipsec-vpn rule test-vpn term 1 then dynamic ike-policy ike-policy
set services ipsec-vpn rule test-vpn term 1 then dynamic ipsec-policy ipsec-policy
set services ipsec-vpn rule test-vpn match-direction input
set services ipsec-vpn ipsec proposal ipsec-proposal authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal ipsec-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy ipsec-policy proposals ipsec-proposal
set services ipsec-vpn ike proposal ike-proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike-proposal dh-group group5
set services ipsec-vpn ike proposal ike-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ike proposal ike-proposal lifetime-seconds 500
set services ipsec-vpn ike policy ike-policy proposals ike-proposal
set services ipsec-vpn ike policy ike-policy pre-shared-key ascii-text "$9$Tz/Cp0BESru07-bs4o/CAtIEM8X"
set services ipsec-vpn establish-tunnels immediately

[edit]
root@R2_re#

[edit]
root@R2_re# show routing-instances | display set
set routing-instances inside instance-type virtual-router
set routing-instances inside interface si-0/0/0.1
set routing-instances inside interface ge-0/0/2.0
set routing-instances inside routing-options static route 192.168.0.0/24 next-hop si-0/0/0.1
set routing-instances inside routing-options static route 172.16.0.0/24 next-hop 10.1.23.3
set routing-instances outside instance-type virtual-router
set routing-instances outside interface si-0/0/0.2
set routing-instances outside interface ge-0/0/1.0
set routing-instances outside routing-options static route 192.168.0.0/24 next-hop 10.1.12.1

[edit]
root@R2_re#
[edit]
root@R2_re# show interfaces
si-0/0/0 {
unit 1 {
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.1.12.2/24;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 10.1.23.2/24;
}
}
}

[edit]
root@R2_re# run show services ipsec-vpn ike sa
Remote Address State Initiator cookie Responder cookie Exchange type
10.1.12.1 Matured 846c851af53cecfd 221279f553a29262 Main

[edit]
root@R2_re# run show services ipsec-vpn ipsec sa
Service set: test, IKE Routing-instance: outside

Rule: test-vpn, Term: 1, Tunnel index: 1
Local gateway: 10.1.12.2, Remote gateway: 10.1.12.1
IPSec inside interface: si-0/0/0.1, Tunnel MTU: 1500
UDP encapsulate: Disabled, UDP Destination port: 0
NATT Detection: Not Detected, NATT keepalive interval: 0
Direction SPI AUX-SPI Mode Type Protocol
inbound 1708770906 0 tunnel dynamic ESP
outbound 4044436681 0 tunnel dynamic ESP

[edit]
root@R2_re#



HTH

You can also do it without “outside routing-instance” as well. just keep your local gateway and outside service interface in global table and remove the routing-instance statement from below command.

set services service-set test ipsec-vpn-options local-gateway 155.1.12.2
set services service-set test ipsec-vpn-options local-gateway routing-instance outside

Thanks a lot for looking inot it and providing the working configs .Will try to move the inside interface to global routing table and update you .The reason i am using the Routing Instance as i have one public elastic ip and if i attach to fxp management interface then i cannot create ipsec vpn .The only possible option is to move the gig interface from default routing instance .

I believe, it was the outside (WAN) interface which is used as a local-gateway for the IPsec-tunnel.

Thanks again but i have some doubts and would like to clear before changing the configuration attaching the Topology just to give some background and then would like to understand if i am missing something or my approach is not correct.

 

Goal :

======

Device connected behind Vyatta 5400 can access the File and DB servers connected to VMX on ge-0/0/1 and ge-0/0/2.

 

Corncerns:

=========

1.This deployment is in AWS VPC and using Elastic IP which is public and if i attach the eleastic IP to FXP0 then i cannot create IPSec as its Mgmt interface and if i attach this Elastic IP to Revenue or Ge-0/0/0 interface then i cannot access the vMX or device as its in same Routing table that is global routing instance.So i decieded to create a Routing instance "DATAPLANE-VMX-VPN-WANCLOUDS" and move both my ge-0/0/0 interface which is basically public interface and ge-0/0/1 and ge-0/0/2 interafce where the internal File and DB server is connected and i am able to ping from ge-0/0/0 public to vyatta 5400 wan interface.

 

2.Now i configured the IPSec vpn b/w ge-0/0/0 of vMX and Vyatta5400 device but for that i need to create si 

si-0/0/0.1 inside-interface , si-0/0/0.2 outside interface and here i am confused meaning these interface are some how tied to ge-0/0/0 and ge-0/0/1 ? or si-0/0/0.2 outside interface and ge-0/0/0 wan public interface will remain in Routing instance "DATAPLANE-VMX-VPN-WANCLOUDS" and i have to move the si-0/0/0.1 inside-interface and ge-0/0/1 and ge-0/0/2 interfaces ( where internal servers are connected)  should be moved to global or default Routing-instance or only si-0/0/0.1 inside-interface should be moved from this "DATAPLANE-VMX-VPN-WANCLOUDS" routing instance.

 

Regards

Syed.

 

The reason i brought the earlier discussion that i have tested the similar setup with vSRX Firewall IPsec VPN and all the interfaces was part of same Routing-Instance DATAPLANE-VPN-WANCLOUDS including st virtual interface. The only difference was zones Trust and Untrust . Wan interface ge-0/0/0 and st0.0 were part of Untrust Zone and ge-0/0/1 Trust zone.

 

 

set routing-instances DATAPLANE-VPN-WANCLOUDS instance-type virtual-router

set routing-instances DATAPLANE-VPN-WANCLOUDS interface ge-0/0/0.0

set routing-instances DATAPLANE-VPN-WANCLOUDS interface ge-0/0/1.0

set routing-instances DATAPLANE-VPN-WANCLOUDS interface st0.0

Ok.. So you can configure IPsec VPN in 3 ways in this case.

First:

Put Outside interface ( ge-0/0/0 and si-0/0/0.2) in one routing-instance and Inside interface (ge-0/0/1, ge-0/0/2 & si-0/0/0.1 ) in once routing instance.
This config I already shared.


Second:


Keep your (outside interface) ge-0/0/0 and si-0/0/0.2 in DATAPLANE-VMX-VPN-WANCLOUDS and Inside interface (ge-0/0/1, ge-0/0/2 & si-0/0/0.1) in global table.

You need to add a static route in the global table for the traffic destined to Device connected behind Vyatta as below.

Set routing-option static route

Hi,

 

Did it work for you?