vMX

Hello,

I am trying to get a ipsec VPN set up between two vMXs to prove out a design for a physical MX-104. I have attached a picture outlining the setup. I have two VMXs, one with an external IP address of 74.116.50.69 (hostname DS_MX), and the other with an external IP address of 34.207.46.5 (hostname FAUX_AWS_MX). I am attempting to get a VPN tunnel established between both VMXs.

Once the VPN tunnel is established, I would then like to build a BGP session over between the peering endpoints of 169.254.46.194/30 and 169.254.46.193/30. I have assigned these IP addresses to the si-0/0/0.1 interfaces as shown in the diagram vmx_setup. Note that the diagram refernces the MX-104 interface names-on the vMX, the xe interfaces are ge-0/0/0. ms-4/0/0 is si-0/0/0.

I used this article as a reference

https://www.juniper.net/documentation/en_US/junos/topics/example/ipsec-configuring-on-ms-mic.html

I beleive I have been able to get the initial tunnel to build based on the output of some verfication commands that I have done. However, when I try to ping the corresponding 169 IP address on the other side of the tunnel, I am unable to do so. I also have a packet capture running between the VMXs and I don't even see ESP packets. It looks to me like the traffic is not even getting put into the tunnel for whatever reason. That;s where my confusion is, and that's where I am stuck right now.

I have attached the configs, as well as some verificaiton commands in a file (vmx_broke.txt) along with the diagram, vmx_setup.

If someone would be able to take a look at the configs and tell me what I am doing wrong, I would really appreciate it.

As a side note, this is all to prove out what kind of configuraiton is needed on an MX-104 with an MS-MIC card in order to connect to a VPN endpoint in AWS. If anyone has actually done this already, I would really appreciate any information or tips on how to go about setting up things on the MX-104 side. Right now, I have a SRX device that is terminating the VPN to AWS. AWS autogenerates the VPN config for the SRX, so it's pretty straight forward. 

However, I am struggling with the equivalent MX-104 config-it looks to me like thee is no way to bind a tunnel interface to a VPN like there is on the SRX series. It looks like I need to create a VPN rule at some level. I don't have  a MS-MIC card in my possesion to test with on my actual MX-104. and I'd prefer not to buy one until I can prove this design out on a vMX and get an idea for what the config looks like.

There really isn't too much documentation around setting up a VPN on an MX series besides the article that I found above which is frusterating as well. 

Thanks for any help that can be provided, and please let me know if there is any additonal information that I can provide.

Attachment(s)

vmx_broke.txt   12 KB 1 version

Hello,

Please use JUNOS 17.2 for VMX IPSec, it is not supported with 16.2.

Also, You'd need to assign at least 5 vCPUs and 8G RAM for vPFE to be able to support IPSec with JUNOS 17.2 and newer. 

HTH

Thx
Alex

Did my configuration look correct? I ran across another post that mentioned needing to use GRE tunnels with IPSEC VPN which was confusing me

https://forums.juniper.net/t5/vMX/IPSec-on-vMX/td-p/287393

Thanks for letting me know! I'll give 17.2 a shot and see if that works

I switched to 17.2 and I got the vpn tunnel up and running, including BGP over it! Thanks for the help-my config was good and I just needed to use 17.2 instead of what I was on.

Hi,

I got the same issue with vpn but this is physical box where the vpn is in between two sites. the box on the other site is MX480. in my case the vpn is up and active and the bgp is active but not established yet. currently our MX104 box is running on 15.1 so do i need to upgrade it for 17.2.? please post all other possibilities why i am not getting any traffic through tunnel.

Thanks,

Manu 

Oops, I didn't see that your box was physical. Your situation sounds similar to mine, but my issue was as far as I know because the vMX didn't support ipsec vpn in v15. Are you using MS-MIC cards?

Hello,

MX104 requires a MS-MIC interface card and 

MX480 requires a MS-MIC interface card, or MS-MPC linecard or older MS-DPC linecard to support IPSec

https://www.juniper.net/documentation/en_US/junos/topics/example/ipsec-configuring-on-ms-mic.html

The IPSec configuration fllavor with SI- interfaces cited in this topic is supported only for VMX.

HTH

Thx

Alex

Hi,

Yes i got MS-DPC on MX480 and MS-MIC on MX104. all the configurations are good and the connectivity is good but i am unable to get the traffic through vpn and the bgp  is not getting established in between two sites.