vMX


IPsec VPN on Juniper vMX not working.

Erdem, 01-18-2018 00:01

  • 1.  IPsec VPN on Juniper vMX not working .

    Posted 01-10-2018 17:39

    Issue:

    ======

    IPsec VPN between Juniper vMX and Vyatta 5400 is not working.

     

    Topology:

    ========

     

    192.168.100.1/24------Vyatta---------------Cloud--------------AWS ------Juniper vMX---10.0.20.0/24

     

    Concerns or Problems:

    ==================

    1.  Since the deployment is in an AWS VPC, the public (revenue) interface is not in the default routing instance, so both the public ge-0/0/0 and ge-0/0/1 are in a routing instance named DATAPLANE-VMX-VPN-WANCLOUDS. If my understanding is correct, both si-0/0/0.1 and si-0/0/0.2 should also be part of routing instance DATAPLANE-VMX-VPN-WANCLOUDS, but on configuring that I get this error:

     

    root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.1

    [edit]
    root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2

    [edit]
    root@Juniper-vMX-Wanclouds# commit check
    [edit services service-set IPSEC-SITE-TO-SITE]
      'ipsec-vpn-options'
        The service interface si-0/0/0.2 must be configured under default routing-instance
    error: configuration check-out failed

     

    2. How do I enable NAT Traversal for the IPsec VPN on the vMX, as the vMX is deployed behind the Internet Gateway 1:1 NAT? As per my understanding it is enabled by default.

     

     

     

    Configuration:

     

    Vyatta5400:

    ----------------

     

    vyatta:~$ show configuration commands | grep vpn
    set vpn ipsec esp-group ESP-1H compression 'disable'
    set vpn ipsec esp-group ESP-1H lifetime '27000'
    set vpn ipsec esp-group ESP-1H mode 'tunnel'
    set vpn ipsec esp-group ESP-1H pfs 'dh-group5'
    set vpn ipsec esp-group ESP-1H proposal 1 encryption '3des'
    set vpn ipsec esp-group ESP-1H proposal 1 hash 'md5'
    set vpn ipsec ike-group IKE-1H lifetime '28800'
    set vpn ipsec ike-group IKE-1H proposal 1 dh-group '5'
    set vpn ipsec ike-group IKE-1H proposal 1 encryption '3des'
    set vpn ipsec ipsec-interfaces interface 'bond1'
    set vpn ipsec nat-traversal 'enable'
    set vpn ipsec site-to-site peer 34.210.108.160 authentication id '108.1.114.92'
    set vpn ipsec site-to-site peer 34.210.108.160 authentication mode 'pre-shared-secret'
    set vpn ipsec site-to-site peer 34.210.108.160 authentication pre-shared-secret 'cisco1000'
    set vpn ipsec site-to-site peer 34.210.108.160 authentication remote-id '34.210.108.160'
    set vpn ipsec site-to-site peer 34.210.108.160 connection-type 'initiate'
    set vpn ipsec site-to-site peer 34.210.108.160 default-esp-group 'ESP-1H'
    set vpn ipsec site-to-site peer 34.210.108.160 ike-group 'IKE-1H'
    set vpn ipsec site-to-site peer 34.210.108.160 local-address '108.1.114.92'
    set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 allow-nat-networks 'disable'
    set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 allow-public-networks 'disable'
    set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 local prefix '192.168.100.0/24'
    set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 remote prefix '10.0.20.0/24'
     
     
    Juniper-VMX:
    -----------------

    set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24
    set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24
    set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24
    set groups global interfaces si-0/0/0 unit 0
    set groups global interfaces si-0/0/0 unit 1 family inet
    set groups global interfaces si-0/0/0 unit 1 service-domain inside
    set groups global interfaces si-0/0/0 unit 2 family inet
    set groups global interfaces si-0/0/0 unit 2 service-domain outside
    set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1
    set groups global routing-options static route 0.0.0.0/0 retain
    set groups global routing-options static route 0.0.0.0/0 no-readvertise
    set apply-groups global

     

     
    IPsec Configuration

    set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"
    set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1
    set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2
    set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12
    set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA
    set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24
    set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24
    set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.114.92
    set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ike-policy IKE-Policy-Vyatta
    set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ipsec-policy IPSec-Policy-Vyatta
    set services ipsec-vpn rule IPSec-VYATTA term 1 then initiate-dead-peer-detection
    set services ipsec-vpn rule IPSec-VYATTA match-direction input
    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta protocol esp
    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta authentication-algorithm hmac-md5-96
    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta encryption-algorithm 3des-cbc
    set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta perfect-forward-secrecy keys group5
    set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta proposals IPSEC-Proposal-Vyatta
    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-method pre-shared-keys
    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta dh-group group5
    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-algorithm md5
    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta encryption-algorithm 3des-cbc
    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta lifetime-seconds 86400
    set services ipsec-vpn ike policy IKE-Policy-Vyatta proposals IKE-Proposal-Vyatta
    set services ipsec-vpn ike policy IKE-Policy-Vyatta pre-shared-key ascii-text "$9$EVryrvdVYoZjlKYo"
    set services ipsec-vpn establish-tunnels immediately
    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS instance-type virtual-router
    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0
    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/1.0
    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1

     

     


    ISAKMP packets arriving from the Vyatta device:

     

    root@Juniper-vMX-Wanclouds> monitor traffic interface ge-0/0/0 matching udp
    verbose output suppressed, use <detail> or <extensive> for full protocol decode
    Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
    Address resolution timeout is 4s.
    Listening on ge-0/0/0, capture size 96 bytes

    Reverse lookup for 10.0.10.12 failed (check DNS reachability).
    Other reverse lookup failures will not be reported.
    Use <no-resolve> to avoid reverse lookups on IP addresses.

    00:54:34.986840  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
    00:54:44.427606  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
    00:54:44.624821  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
    00:54:54.602837  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
    00:55:14.927376  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

     
     

    #vmx
    #NAT
    #vyatta
    #routing-instance
    #IPSec


  • 2.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-10-2018 19:58
    Hi,

    Your config doesn’t seem to be correct.
    You have both inside and outside interface in same routing-instance DATAPLANE-VMX-VPN-WANCLOUDS.

    Your local gateway and outside service interface should be either in global routing-instance or in another routing-instance.

    I will correct the config and share it if needed.


  • 3.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-10-2018 20:33
    Here’s the config for your reference.

    Topology:

    R1----------------------------R2

    R1 config:


    [edit]
    root@R1_re# run show services ipsec-vpn ike sa
    Remote Address  State    Initiator cookie  Responder cookie  Exchange type
    10.1.12.2       Matured  846c851af53cecfd  221279f553a29262  Main

    [edit]
    root@R1_re#

    [edit]
    root@R1_re# run show services ipsec-vpn ipsec sa
    Service set: test, IKE Routing-instance: outside

    Rule: test-vpn, Term: 1, Tunnel index: 1
    Local gateway: 10.1.12.1, Remote gateway: 10.1.12.2
    IPSec inside interface: si-0/0/0.1, Tunnel MTU: 1500
    UDP encapsulate: Disabled, UDP Destination port: 0
    NATT Detection: Not Detected, NATT keepalive interval: 0
    Direction  SPI         AUX-SPI  Mode    Type     Protocol
    inbound    4044436681  0        tunnel  dynamic  ESP
    outbound   1708770906  0        tunnel  dynamic  ESP

    [edit]
    root@R1_re#

    [edit]
    root@R1_re# show services | display set
    set services rpm probe A test PING-A-1 probe-type icmp-ping
    set services rpm probe A test PING-A-1 target address 10.1.12.2
    set services rpm probe A test PING-A-1 test-interval 3
    set services rpm probe A test PING-A-1 thresholds successive-loss 3
    set services service-set test next-hop-service inside-service-interface si-0/0/0.1
    set services service-set test next-hop-service outside-service-interface si-0/0/0.2
    set services service-set test ipsec-vpn-options local-gateway 10.1.12.1
    set services service-set test ipsec-vpn-options local-gateway routing-instance outside
    set services service-set test ipsec-vpn-rules test-vpn
    set services ipsec-vpn rule test-vpn term 1 from source-address 192.168.0.0/24
    set services ipsec-vpn rule test-vpn term 1 from destination-address 172.16.0.0/24
    set services ipsec-vpn rule test-vpn term 1 then remote-gateway 10.1.12.2
    set services ipsec-vpn rule test-vpn term 1 then dynamic ike-policy ike-policy
    set services ipsec-vpn rule test-vpn term 1 then dynamic ipsec-policy ipsec-policy
    set services ipsec-vpn rule test-vpn match-direction input
    set services ipsec-vpn ipsec proposal ipsec-proposal authentication-algorithm hmac-md5-96
    set services ipsec-vpn ipsec proposal ipsec-proposal encryption-algorithm 3des-cbc
    set services ipsec-vpn ipsec policy ipsec-policy proposals ipsec-proposal
    set services ipsec-vpn ike proposal ike-proposal authentication-method pre-shared-keys
    set services ipsec-vpn ike proposal ike-proposal dh-group group5
    set services ipsec-vpn ike proposal ike-proposal encryption-algorithm 3des-cbc
    set services ipsec-vpn ike proposal ike-proposal lifetime-seconds 500
    set services ipsec-vpn ike policy ike-policy proposals ike-proposal
    set services ipsec-vpn ike policy ike-policy pre-shared-key ascii-text "$9$Tz/Cp0BESru07-bs4o/CAtIEM8X"
    set services ipsec-vpn establish-tunnels immediately

    [edit]
    root@R1_re#

    root@R1_re# show routing-instances | display set
    set routing-instances inside instance-type virtual-router
    set routing-instances inside interface si-0/0/0.1
    set routing-instances inside interface ge-0/0/2.0
    set routing-instances inside routing-options static route 172.16.0.0/24 next-hop si-0/0/0.1
    set routing-instances inside routing-options static route 192.168.0.0/24 next-hop 10.1.14.4
    set routing-instances outside instance-type virtual-router
    set routing-instances outside interface si-0/0/0.2
    set routing-instances outside interface ge-0/0/1.0
    set routing-instances outside routing-options static route 172.16.0.0/24 next-hop 10.1.12.2

    [edit]
    root@R1_re# show interfaces
    si-0/0/0 {
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.1.12.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 10.1.14.1/24;
            }
        }
    }


    R2: Config



    [edit]
    root@R2_re# show services | display set
    set services service-set test next-hop-service inside-service-interface si-0/0/0.1
    set services service-set test next-hop-service outside-service-interface si-0/0/0.2
    set services service-set test ipsec-vpn-options local-gateway 10.1.12.2
    set services service-set test ipsec-vpn-options local-gateway routing-instance outside
    set services service-set test ipsec-vpn-rules test-vpn
    set services ipsec-vpn rule test-vpn term 1 from source-address 172.16.0.0/24
    set services ipsec-vpn rule test-vpn term 1 from destination-address 192.168.0.0/24
    set services ipsec-vpn rule test-vpn term 1 then remote-gateway 10.1.12.1
    set services ipsec-vpn rule test-vpn term 1 then dynamic ike-policy ike-policy
    set services ipsec-vpn rule test-vpn term 1 then dynamic ipsec-policy ipsec-policy
    set services ipsec-vpn rule test-vpn match-direction input
    set services ipsec-vpn ipsec proposal ipsec-proposal authentication-algorithm hmac-md5-96
    set services ipsec-vpn ipsec proposal ipsec-proposal encryption-algorithm 3des-cbc
    set services ipsec-vpn ipsec policy ipsec-policy proposals ipsec-proposal
    set services ipsec-vpn ike proposal ike-proposal authentication-method pre-shared-keys
    set services ipsec-vpn ike proposal ike-proposal dh-group group5
    set services ipsec-vpn ike proposal ike-proposal encryption-algorithm 3des-cbc
    set services ipsec-vpn ike proposal ike-proposal lifetime-seconds 500
    set services ipsec-vpn ike policy ike-policy proposals ike-proposal
    set services ipsec-vpn ike policy ike-policy pre-shared-key ascii-text "$9$Tz/Cp0BESru07-bs4o/CAtIEM8X"
    set services ipsec-vpn establish-tunnels immediately

    [edit]
    root@R2_re#

    [edit]
    root@R2_re# show routing-instances | display set
    set routing-instances inside instance-type virtual-router
    set routing-instances inside interface si-0/0/0.1
    set routing-instances inside interface ge-0/0/2.0
    set routing-instances inside routing-options static route 192.168.0.0/24 next-hop si-0/0/0.1
    set routing-instances inside routing-options static route 172.16.0.0/24 next-hop 10.1.23.3
    set routing-instances outside instance-type virtual-router
    set routing-instances outside interface si-0/0/0.2
    set routing-instances outside interface ge-0/0/1.0
    set routing-instances outside routing-options static route 192.168.0.0/24 next-hop 10.1.12.1

    [edit]
    root@R2_re#
    [edit]
    root@R2_re# show interfaces
    si-0/0/0 {
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.1.12.2/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 10.1.23.2/24;
            }
        }
    }

    [edit]
    root@R2_re# run show services ipsec-vpn ike sa
    Remote Address  State    Initiator cookie  Responder cookie  Exchange type
    10.1.12.1       Matured  846c851af53cecfd  221279f553a29262  Main

    [edit]
    root@R2_re# run show services ipsec-vpn ipsec sa
    Service set: test, IKE Routing-instance: outside

    Rule: test-vpn, Term: 1, Tunnel index: 1
    Local gateway: 10.1.12.2, Remote gateway: 10.1.12.1
    IPSec inside interface: si-0/0/0.1, Tunnel MTU: 1500
    UDP encapsulate: Disabled, UDP Destination port: 0
    NATT Detection: Not Detected, NATT keepalive interval: 0
    Direction  SPI         AUX-SPI  Mode    Type     Protocol
    inbound    1708770906  0        tunnel  dynamic  ESP
    outbound   4044436681  0        tunnel  dynamic  ESP

    [edit]
    root@R2_re#



    HTH


  • 4.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-10-2018 21:05
    You can also do it without the “outside” routing-instance: just keep your local gateway and outside service interface in the global table and remove the routing-instance statement from the commands below.

    set services service-set test ipsec-vpn-options local-gateway 155.1.12.2
    set services service-set test ipsec-vpn-options local-gateway routing-instance outside


  • 5.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-10-2018 23:34

    Thanks a lot for looking into it and providing the working configs. I will try to move the inside interface to the global routing table and update you. The reason I am using the routing instance is that I have one public Elastic IP, and if I attach it to the fxp0 management interface then I cannot create the IPsec VPN. The only possible option is to move the gig interface out of the default routing instance.



  • 6.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-10-2018 23:42
    I believe, it was the outside (WAN) interface which is used as a local-gateway for the IPsec-tunnel.


  • 7.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-11-2018 14:08

    Thanks again, but I have some doubts that I would like to clear up before changing the configuration. I am attaching the topology just to give some background, and then I would like to understand if I am missing something or my approach is not correct.

     

    Goal :

    ======

    Devices connected behind the Vyatta 5400 can access the file and DB servers connected to the vMX on ge-0/0/1 and ge-0/0/2.

     

    Concerns:

    =========

    1. This deployment is in an AWS VPC and uses an Elastic IP, which is public. If I attach the Elastic IP to fxp0 then I cannot create the IPsec VPN, as it is the management interface, and if I attach this Elastic IP to the revenue interface ge-0/0/0 then I cannot access the vMX, as it is in the same routing table, that is, the global routing instance. So I decided to create a routing instance "DATAPLANE-VMX-VPN-WANCLOUDS" and move into it both my ge-0/0/0 interface, which is basically the public interface, and the ge-0/0/1 and ge-0/0/2 interfaces, where the internal file and DB servers are connected. I am able to ping from the public ge-0/0/0 to the Vyatta 5400 WAN interface.

     

    2. Now I configured the IPsec VPN between ge-0/0/0 of the vMX and the Vyatta 5400 device, but for that I need to create si-0/0/0.1 (inside interface) and si-0/0/0.2 (outside interface), and here I am confused: are these interfaces somehow tied to ge-0/0/0 and ge-0/0/1? Or will si-0/0/0.2 (outside interface) and ge-0/0/0 (WAN public interface) remain in routing instance "DATAPLANE-VMX-VPN-WANCLOUDS", and do I have to move si-0/0/0.1 (inside interface) and the ge-0/0/1 and ge-0/0/2 interfaces (where the internal servers are connected) to the global or default routing instance, or should only si-0/0/0.1 (inside interface) be moved out of the "DATAPLANE-VMX-VPN-WANCLOUDS" routing instance?

     

    Regards

    Syed.

     

    Topology.jpeg



  • 8.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-11-2018 15:59

    The reason I brought up the earlier discussion is that I have tested a similar setup with a vSRX firewall IPsec VPN, and all the interfaces were part of the same routing instance DATAPLANE-VPN-WANCLOUDS, including the st virtual interface. The only difference was the zones, Trust and Untrust: WAN interface ge-0/0/0 and st0.0 were part of the Untrust zone and ge-0/0/1 of the Trust zone.

     

     

    set routing-instances DATAPLANE-VPN-WANCLOUDS instance-type virtual-router

    set routing-instances DATAPLANE-VPN-WANCLOUDS interface ge-0/0/0.0

    set routing-instances DATAPLANE-VPN-WANCLOUDS interface ge-0/0/1.0

    set routing-instances DATAPLANE-VPN-WANCLOUDS interface st0.0



  • 9.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-12-2018 01:43
    Ok.. So you can configure IPsec VPN in 3 ways in this case.

    First:

    Put the outside interfaces (ge-0/0/0 and si-0/0/0.2) in one routing-instance and the inside interfaces (ge-0/0/1, ge-0/0/2 & si-0/0/0.1) in another routing instance.
    This config I already shared.


    Second:


    Keep your (outside interface) ge-0/0/0 and si-0/0/0.2 in DATAPLANE-VMX-VPN-WANCLOUDS and Inside interface (ge-0/0/1, ge-0/0/2 & si-0/0/0.1) in global table.

    You need to add a static route in the global table for the traffic destined to Device connected behind Vyatta as below.

    Set routing-option static route
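    As an added example (not from the thread, and not Juniper's or any poster's own config), here is a complete vMX configuration for the second layout above, using the addresses from the original post: ge-0/0/0.0 and si-0/0/0.2 in the DATAPLANE-VMX-VPN-WANCLOUDS virtual-router, ge-0/0/1.0 and si-0/0/0.1 in the global table, with the static route for the remote LAN pointing at the inside service interface the way post 3's working config does. It also replaces the thread's 3DES/MD5/group5 proposals with AES-256/SHA-256/group14, so the Vyatta esp-group and ike-group proposals would have to be changed to the same values on the other side. Assumptions: inline services are enabled on the FPC (the chassis line), the Vyatta keeps its remote-id of 34.210.108.160 (which is why a local-id statement is included; check its exact syntax with `?` on the target Junos release), and the pre-shared key is a placeholder.

```junos
## Added example, not the thread's own config. Lines starting with "##" are
## annotations; drop them before "load set terminal".

## Assumption: inline services must be enabled before si-0/0/0 exists.
set chassis fpc 0 pic 0 inline-services bandwidth 1g

## Service interfaces: .1 faces the LAN (inside), .2 faces the WAN (outside).
set interfaces si-0/0/0 unit 0
set interfaces si-0/0/0 unit 1 family inet
set interfaces si-0/0/0 unit 1 service-domain inside
set interfaces si-0/0/0 unit 2 family inet
set interfaces si-0/0/0 unit 2 service-domain outside

## Revenue interfaces, addresses from the original post.
set interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24

## Outside side: only ge-0/0/0.0 and si-0/0/0.2 live in the virtual-router.
## The default route here reaches the Vyatta peer via the VPC router.
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS instance-type virtual-router
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1

## Inside side stays in inet.0 (ge-0/0/1.0 and si-0/0/0.1 are in no
## routing-instance). Clear-text traffic for the remote LAN is steered into
## the tunnel by a route to the inside service interface; decrypted return
## traffic arrives on si-0/0/0.1 and 10.0.20.0/24 is directly connected.
set routing-options static route 192.168.100.0/24 next-hop si-0/0/0.1

## IKE phase 1: PSK, DH group 14, AES-256, SHA-256. The thread's
## 3DES/MD5/group5 proposal is weak; the Vyatta ike-group must match these.
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta dh-group group14
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-algorithm sha-256
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta encryption-algorithm aes-256-cbc
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta lifetime-seconds 28800
set services ipsec-vpn ike policy IKE-Policy-Vyatta proposals IKE-Proposal-Vyatta
## Assumption: the Vyatta checks remote-id 34.210.108.160 (the Elastic IP),
## so the vMX must present that address as its IKE identity, not 10.0.10.12.
set services ipsec-vpn ike policy IKE-Policy-Vyatta local-id ipv4_addr 34.210.108.160
## Placeholder secret: use a long random string, never a dictionary word.
set services ipsec-vpn ike policy IKE-Policy-Vyatta pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-SECRET"

## IPsec phase 2: ESP with AES-256 / HMAC-SHA-256, PFS group 14.
## The Vyatta esp-group must match these.
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta protocol esp
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta authentication-algorithm hmac-sha-256-128
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta encryption-algorithm aes-256-cbc
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta lifetime-seconds 3600
set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta perfect-forward-secrecy keys group14
set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta proposals IPSEC-Proposal-Vyatta

## Rule: LAN-to-LAN traffic selector, peer is the Vyatta WAN address.
set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24
set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24
set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.114.92
set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ike-policy IKE-Policy-Vyatta
set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ipsec-policy IPSec-Policy-Vyatta
set services ipsec-vpn rule IPSec-VYATTA term 1 then initiate-dead-peer-detection
set services ipsec-vpn rule IPSec-VYATTA match-direction input
set services ipsec-vpn establish-tunnels immediately

## Service set: the local gateway is the private ge-0/0/0 address (AWS maps
## the Elastic IP to it 1:1), and it is looked up in the virtual-router. This
## "local-gateway routing-instance" statement is the one the original post
## lacked while si-0/0/0.2 was in the virtual-router, and is the pattern
## post 3's working config uses.
set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1
set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway routing-instance DATAPLANE-VMX-VPN-WANCLOUDS
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA
```

    After `commit check` passes, verify with the same commands post 3 shows: `show services ipsec-vpn ike sa` should list 108.1.114.92 as Matured, and `show services ipsec-vpn ipsec sa` shows the inbound/outbound SPIs plus a "NATT Detection" line, which is where to confirm whether NAT traversal was negotiated across the 1:1 NAT. If the capture in the original post still shows only inbound "phase 1 I ident" packets with no reply, check the AWS security group on the ge-0/0/0 ENI for UDP/500, UDP/4500 and ESP (protocol 50) from the peer. Two housekeeping points from the thread itself: the Vyatta config in the first post exposes its pre-shared secret in clear text, and the Junos `$9$` form is an obfuscation rather than encryption, so that PSK should be rotated on both peers.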


  • 10.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-18-2018 00:01

    Hi,

     

    Did it work for you?

     

     



  • 11.  RE: IPsec VPN on Juniper vMX not working .