vMX

Expand all | Collapse all

IPsec VPN on Juniper vMX not working .

Elevate01-18-2018 00:01

  • 1.  IPsec VPN on Juniper vMX not working .

    Posted 01-10-2018 17:39

    Issue:

    ======

    IPsec VPN b/w Juniper vMX and Vyatta 5400 not working .

     

    Topology:

    ========

     

    192.168.100.1/24------Vyatta---------------Cloud--------------AWS ------Juniper vMX---10.0.20.0/24

     

    Corcerns or Problems:

    ==================

    1.  since the deployment is in AWS VPC the Public or Revenue interface is not in default Routing instance so both Public ge-0/0/0 and ge0/0/1 are in Routing instance named DATAPLANE-VMX-VPN-WANCLOUDS.And if my understanding is correct both si-0/0/0.1 and si-0/0/0.1 should be part of routing instance DATAPLANE-VMX-VPN-WANCLOUDS but on configuring getting this error.

     

    root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.1 

     

    [edit]

    root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2    

     

    [edit]

    root@Juniper-vMX-Wanclouds# commit check 

    [edit services service-set IPSEC-SITE-TO-SITE]

      'ipsec-vpn-options'

        The service interface si-0/0/0.2 must be configured under default routing-instance

     

    2. How to enable NAT Traversal for IPsec vpn on vMX as the VMx is deployed behind Internet Gateway 1:1 Nat.But as per my undersatnding its enable by default.

     

     

     

    Configuration:

     

    Vyatta5400:

    ----------------

     

    vyatta:~$ show configuration commands | grep vpn
    set vpn ipsec esp-group ESP-1H compression 'disable'
    set vpn ipsec esp-group ESP-1H lifetime '27000'
    set vpn ipsec esp-group ESP-1H mode 'tunnel'
    set vpn ipsec esp-group ESP-1H pfs 'dh-group5'
    set vpn ipsec esp-group ESP-1H proposal 1 encryption '3des'
    set vpn ipsec esp-group ESP-1H proposal 1 hash 'md5'
    set vpn ipsec ike-group IKE-1H lifetime '28800'
    set vpn ipsec ike-group IKE-1H proposal 1 dh-group '5'
    set vpn ipsec ike-group IKE-1H proposal 1 encryption '3des'
    set vpn ipsec ipsec-interfaces interface 'bond1'
    set vpn ipsec nat-traversal 'enable'
    set vpn ipsec site-to-site peer 34.210.108.160 authentication id '108.1.114.92'
    set vpn ipsec site-to-site peer 34.210.108.160 authentication mode 'pre-shared-secret'
    set vpn ipsec site-to-site peer 34.210.108.160 authentication pre-shared-secret 'cisco1000'
    set vpn ipsec site-to-site peer 34.210.108.160 authentication remote-id '34.210.108.160'
    set vpn ipsec site-to-site peer 34.210.108.160 connection-type 'initiate'
    set vpn ipsec site-to-site peer 34.210.108.160 default-esp-group 'ESP-1H'
    set vpn ipsec site-to-site peer 34.210.108.160 ike-group 'IKE-1H'
    set vpn ipsec site-to-site peer 34.210.108.160 local-address '108.1.114.92'
    set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 allow-nat-networks 'disable'
    set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 allow-public-networks 'disable'
    set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 local prefix '192.168.100.0/24'
    set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 remote prefix '10.0.20.0/24'
     
     
    Juniper-VMX:
    -----------------

    set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24

    set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24

    set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24

    set groups global interfaces si-0/0/0 unit 0

    set groups global interfaces si-0/0/0 unit 1 family inet

    set groups global interfaces si-0/0/0 unit 1 service-domain inside

    set groups global interfaces si-0/0/0 unit 2 family inet

    set groups global interfaces si-0/0/0 unit 2 service-domain outside

    set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1

    set groups global routing-options static route 0.0.0.0/0 retain

    set groups global routing-options static route 0.0.0.0/0 no-readvertise

    set apply-groups global

     

     
    IPsec Configuration

    set groups global interfaces si-0/0/0 unit 0

    set groups global interfaces si-0/0/0 unit 1 family inet

    set groups global interfaces si-0/0/0 unit 1 service-domain inside

    set groups global interfaces si-0/0/0 unit 2 family inet

    set groups global interfaces si-0/0/0 unit 2 service-domain outside

    set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1

    set groups global routing-options static route 0.0.0.0/0 retain

    set groups global routing-options static route 0.0.0.0/0 no-readvertise

    set apply-groups global

    set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"

    set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1

    set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2

    set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12

    set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA

    set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24

    set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24

    set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.114.92

    set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ike-policy IKE-Policy-Vyatta

    set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ipsec-policy IPSec-Policy-Vyatta

    set services ipsec-vpn rule IPSec-VYATTA term 1 then initiate-dead-peer-detection

    set services ipsec-vpn rule IPSec-VYATTA match-direction input

    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta protocol esp

    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta authentication-algorithm hmac-md5-96

    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta encryption-algorithm 3des-cbc

    set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta perfect-forward-secrecy keys group5

    set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta proposals IPSEC-Proposal-Vyatta

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-method pre-shared-keys

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta dh-group group5

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-algorithm md5

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta encryption-algorithm 3des-cbc

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta lifetime-seconds 86400

    set services ipsec-vpn ike policy IKE-Policy-Vyatta proposals IKE-Proposal-Vyatta

    set services ipsec-vpn ike policy IKE-Policy-Vyatta pre-shared-key ascii-text "$9$EVryrvdVYoZjlKYo"

    set services ipsec-vpn establish-tunnels immediately

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS instance-type virtual-router

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/1.0

     

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1

     

     

    root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.1 

     

    [edit]

    root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2    

     

    [edit]

    root@Juniper-vMX-Wanclouds# commit check 

    [edit services service-set IPSEC-SITE-TO-SITE]

      'ipsec-vpn-options'

        The service interface si-0/0/0.2 must be configured under default routing-instance

     

    error: configuration check-out failed

     

     

    ISAKMP packet coming from Vyatta Device.

     

    root@Juniper-vMX-Wanclouds> monitor traffic interface ge-0/0/0 matching udp      

    verbose output suppressed, use <detail> or <extensive> for full protocol decode

    Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.

    Address resolution timeout is 4s.

    Listening on ge-0/0/0, capture size 96 bytes

     

    Reverse lookup for 10.0.10.12 failed (check DNS reachability).

    Other reverse lookup failures will not be reported.

    Use <no-resolve> to avoid reverse lookups on IP addresses.

     

    00:54:34.986840  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    00:54:44.427606  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    00:54:44.624821  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    00:54:54.602837  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

     

    00:55:14.927376  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

     
     

    #vmx
    #NAT
    #vyatta
    #routing-instance
    #IPSec


  • 2.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-10-2018 19:58
    Hi,

    Your config doesn’t seem to be correct.
    You have both inside and outside interface in same routing-instance DATAPLANE-VMX-VPN-WANCLOUDS.

    Your local gateway and outside service interface should be either in global routing-instance or in another routing-instance.

    I will correct the config and share if needed


  • 3.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-10-2018 20:33
    Here’s the config for your reference.

    Topology:

    R1----------------------------R2

    R1 config:


    [edit]
    root@R1_re# run show services ipsec-vpn ike sa
    Remote Address State Initiator cookie Responder cookie Exchange type
    10.1.12.2 Matured 846c851af53cecfd 221279f553a29262 Main

    [edit]
    root@R1_re#

    [edit]
    root@R1_re# run show services ipsec-vpn ipsec sa
    Service set: test, IKE Routing-instance: outside

    Rule: test-vpn, Term: 1, Tunnel index: 1
    Local gateway: 10.1.12.1, Remote gateway: 10.1.12.2
    IPSec inside interface: si-0/0/0.1, Tunnel MTU: 1500
    UDP encapsulate: Disabled, UDP Destination port: 0
    NATT Detection: Not Detected, NATT keepalive interval: 0
    Direction SPI AUX-SPI Mode Type Protocol
    inbound 4044436681 0 tunnel dynamic ESP
    outbound 1708770906 0 tunnel dynamic ESP

    [edit]
    root@R1_re#

    [edit]
    root@R1_re# show services | display set
    set services rpm probe A test PING-A-1 probe-type icmp-ping
    set services rpm probe A test PING-A-1 target address 10.1.12.2
    set services rpm probe A test PING-A-1 test-interval 3
    set services rpm probe A test PING-A-1 thresholds successive-loss 3
    set services service-set test next-hop-service inside-service-interface si-0/0/0.1
    set services service-set test next-hop-service outside-service-interface si-0/0/0.2
    set services service-set test ipsec-vpn-options local-gateway 10.1.12.1
    set services service-set test ipsec-vpn-options local-gateway routing-instance outside
    set services service-set test ipsec-vpn-rules test-vpn
    set services ipsec-vpn rule test-vpn term 1 from source-address 192.168.0.0/24
    set services ipsec-vpn rule test-vpn term 1 from destination-address 172.16.0.0/24
    set services ipsec-vpn rule test-vpn term 1 then remote-gateway 10.1.12.2
    set services ipsec-vpn rule test-vpn term 1 then dynamic ike-policy ike-policy
    set services ipsec-vpn rule test-vpn term 1 then dynamic ipsec-policy ipsec-policy
    set services ipsec-vpn rule test-vpn match-direction input
    set services ipsec-vpn ipsec proposal ipsec-proposal authentication-algorithm hmac-md5-96
    set services ipsec-vpn ipsec proposal ipsec-proposal encryption-algorithm 3des-cbc
    set services ipsec-vpn ipsec policy ipsec-policy proposals ipsec-proposal
    set services ipsec-vpn ike proposal ike-proposal authentication-method pre-shared-keys
    set services ipsec-vpn ike proposal ike-proposal dh-group group5
    set services ipsec-vpn ike proposal ike-proposal encryption-algorithm 3des-cbc
    set services ipsec-vpn ike proposal ike-proposal lifetime-seconds 500
    set services ipsec-vpn ike policy ike-policy proposals ike-proposal
    set services ipsec-vpn ike policy ike-policy pre-shared-key ascii-text "$9$Tz/Cp0BESru07-bs4o/CAtIEM8X"
    set services ipsec-vpn establish-tunnels immediately

    [edit]
    root@R1_re#

    root@R1_re# show routing-instances | display set
    set routing-instances inside instance-type virtual-router
    set routing-instances inside interface si-0/0/0.1
    set routing-instances inside interface ge-0/0/2.0
    set routing-instances inside routing-options static route 172.16.0.0/24 next-hop si-0/0/0.1
    set routing-instances inside routing-options static route 192.168.0.0/24 next-hop 10.1.14.4
    set routing-instances outside instance-type virtual-router
    set routing-instances outside interface si-0/0/0.2
    set routing-instances outside interface ge-0/0/1.0
    set routing-instances outside routing-options static route 172.16.0.0/24 next-hop 10.1.12.2

    [edit]
    [edit]
    root@R1_re# show interfaces
    si-0/0/0 {
    unit 1 {
    family inet;
    service-domain inside;
    }
    unit 2 {
    family inet;
    service-domain outside;
    }
    }
    ge-0/0/1 {
    unit 0 {
    family inet {
    address 10.1.12.1/24;
    }
    }
    }
    ge-0/0/2 {
    unit 0 {
    family inet {
    address 10.1.14.1/24;
    }
    }
    }


    R2: Config



    [edit]
    root@R2_re# show services | display set
    set services service-set test next-hop-service inside-service-interface si-0/0/0.1
    set services service-set test next-hop-service outside-service-interface si-0/0/0.2
    set services service-set test ipsec-vpn-options local-gateway 10.1.12.2
    set services service-set test ipsec-vpn-options local-gateway routing-instance outside
    set services service-set test ipsec-vpn-rules test-vpn
    set services ipsec-vpn rule test-vpn term 1 from source-address 172.16.0.0/24
    set services ipsec-vpn rule test-vpn term 1 from destination-address 192.168.0.0/24
    set services ipsec-vpn rule test-vpn term 1 then remote-gateway 10.1.12.1
    set services ipsec-vpn rule test-vpn term 1 then dynamic ike-policy ike-policy
    set services ipsec-vpn rule test-vpn term 1 then dynamic ipsec-policy ipsec-policy
    set services ipsec-vpn rule test-vpn match-direction input
    set services ipsec-vpn ipsec proposal ipsec-proposal authentication-algorithm hmac-md5-96
    set services ipsec-vpn ipsec proposal ipsec-proposal encryption-algorithm 3des-cbc
    set services ipsec-vpn ipsec policy ipsec-policy proposals ipsec-proposal
    set services ipsec-vpn ike proposal ike-proposal authentication-method pre-shared-keys
    set services ipsec-vpn ike proposal ike-proposal dh-group group5
    set services ipsec-vpn ike proposal ike-proposal encryption-algorithm 3des-cbc
    set services ipsec-vpn ike proposal ike-proposal lifetime-seconds 500
    set services ipsec-vpn ike policy ike-policy proposals ike-proposal
    set services ipsec-vpn ike policy ike-policy pre-shared-key ascii-text "$9$Tz/Cp0BESru07-bs4o/CAtIEM8X"
    set services ipsec-vpn establish-tunnels immediately

    [edit]
    root@R2_re#

    [edit]
    root@R2_re# show routing-instances | display set
    set routing-instances inside instance-type virtual-router
    set routing-instances inside interface si-0/0/0.1
    set routing-instances inside interface ge-0/0/2.0
    set routing-instances inside routing-options static route 192.168.0.0/24 next-hop si-0/0/0.1
    set routing-instances inside routing-options static route 172.16.0.0/24 next-hop 10.1.23.3
    set routing-instances outside instance-type virtual-router
    set routing-instances outside interface si-0/0/0.2
    set routing-instances outside interface ge-0/0/1.0
    set routing-instances outside routing-options static route 192.168.0.0/24 next-hop 10.1.12.1

    [edit]
    root@R2_re#
    [edit]
    root@R2_re# show interfaces
    si-0/0/0 {
    unit 1 {
    family inet;
    service-domain inside;
    }
    unit 2 {
    family inet;
    service-domain outside;
    }
    }
    ge-0/0/1 {
    unit 0 {
    family inet {
    address 10.1.12.2/24;
    }
    }
    }
    ge-0/0/2 {
    unit 0 {
    family inet {
    address 10.1.23.2/24;
    }
    }
    }

    [edit]
    root@R2_re# run show services ipsec-vpn ike sa
    Remote Address State Initiator cookie Responder cookie Exchange type
    10.1.12.1 Matured 846c851af53cecfd 221279f553a29262 Main

    [edit]
    root@R2_re# run show services ipsec-vpn ipsec sa
    Service set: test, IKE Routing-instance: outside

    Rule: test-vpn, Term: 1, Tunnel index: 1
    Local gateway: 10.1.12.2, Remote gateway: 10.1.12.1
    IPSec inside interface: si-0/0/0.1, Tunnel MTU: 1500
    UDP encapsulate: Disabled, UDP Destination port: 0
    NATT Detection: Not Detected, NATT keepalive interval: 0
    Direction SPI AUX-SPI Mode Type Protocol
    inbound 1708770906 0 tunnel dynamic ESP
    outbound 4044436681 0 tunnel dynamic ESP

    [edit]
    root@R2_re#



    HTH


  • 4.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-10-2018 21:05
    You can also do it without “outside routing-instance” as well. just keep your local gateway and outside service interface in global table and remove the routing-instance statement from below command.

    set services service-set test ipsec-vpn-options local-gateway 155.1.12.2
    set services service-set test ipsec-vpn-options local-gateway routing-instance outside


  • 5.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-10-2018 23:34

    Thanks a lot for looking inot it and providing the working configs .Will try to move the inside interface to global routing table and update you .The reason i am using the Routing Instance as i have one public elastic ip and if i attach to fxp management interface then i cannot create ipsec vpn .The only possible option is to move the gig interface from default routing instance .



  • 6.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-10-2018 23:42
    I believe, it was the outside (WAN) interface which is used as a local-gateway for the IPsec-tunnel.


  • 7.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-11-2018 14:08

    Thanks again but i have some doubts and would like to clear before changing the configuration attaching the Topology just to give some background and then would like to understand if i am missing something or my approach is not correct.

     

    Goal :

    ======

    Device connected behind Vyatta 5400 can access the File and DB servers connected to VMX on ge-0/0/1 and ge-0/0/2.

     

    Corncerns:

    =========

    1.This deployment is in AWS VPC and using Elastic IP which is public and if i attach the eleastic IP to FXP0 then i cannot create IPSec as its Mgmt interface and if i attach this Elastic IP to Revenue or Ge-0/0/0 interface then i cannot access the vMX or device as its in same Routing table that is global routing instance.So i decieded to create a Routing instance "DATAPLANE-VMX-VPN-WANCLOUDS" and move both my ge-0/0/0 interface which is basically public interface and ge-0/0/1 and ge-0/0/2 interafce where the internal File and DB server is connected and i am able to ping from ge-0/0/0 public to vyatta 5400 wan interface.

     

    2.Now i configured the IPSec vpn b/w ge-0/0/0 of vMX and Vyatta5400 device but for that i need to create si 

    si-0/0/0.1 inside-interface , si-0/0/0.2 outside interface and here i am confused meaning these interface are some how tied to ge-0/0/0 and ge-0/0/1 ? or si-0/0/0.2 outside interface and ge-0/0/0 wan public interface will remain in Routing instance "DATAPLANE-VMX-VPN-WANCLOUDS" and i have to move the si-0/0/0.1 inside-interface and ge-0/0/1 and ge-0/0/2 interfaces ( where internal servers are connected)  should be moved to global or default Routing-instance or only si-0/0/0.1 inside-interface should be moved from this "DATAPLANE-VMX-VPN-WANCLOUDS" routing instance.

     

    Regards

    Syed.

     

    Topology.jpeg



  • 8.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-11-2018 15:59

    The reason i brought the earlier discussion that i have tested the similar setup with vSRX Firewall IPsec VPN and all the interfaces was part of same Routing-Instance DATAPLANE-VPN-WANCLOUDS including st virtual interface. The only difference was zones Trust and Untrust . Wan interface ge-0/0/0 and st0.0 were part of Untrust Zone and ge-0/0/1 Trust zone.

     

     

    set routing-instances DATAPLANE-VPN-WANCLOUDS instance-type virtual-router

    set routing-instances DATAPLANE-VPN-WANCLOUDS interface ge-0/0/0.0

    set routing-instances DATAPLANE-VPN-WANCLOUDS interface ge-0/0/1.0

    set routing-instances DATAPLANE-VPN-WANCLOUDS interface st0.0



  • 9.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-12-2018 01:43
    Ok.. So you can configure IPsec VPN in 3 ways in this case.

    First:

    Put Outside interface ( ge-0/0/0 and si-0/0/0.2) in one routing-instance and Inside interface (ge-0/0/1, ge-0/0/2 & si-0/0/0.1 ) in once routing instance.
    This config I already shared.


    Second:


    Keep your (outside interface) ge-0/0/0 and si-0/0/0.2 in DATAPLANE-VMX-VPN-WANCLOUDS and Inside interface (ge-0/0/1, ge-0/0/2 & si-0/0/0.1) in global table.

    You need to add a static route in the global table for the traffic destined to Device connected behind Vyatta as below.

    Set routing-option static route


  • 10.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-18-2018 00:01

    Hi,

     

    Did it work for you?

     

     



  • 11.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-30-2018 18:11

    Hi Kingsman,

    I have tried with the sugested confguration but still its not working.

     

    1. Routing-Instance DATAPLANE-VMX-VPN-WANCLOUDS

        i.  ge-0/0/0 and si-0/0/0.2 

     

    2. Global Routing-Instance:

        i. ge-0/0/1 and si-0/0/0.2

        ii. set routing-options static route 192.168.100.0/24 next-hop si-0/0/0.1 ( where 192.168.100.1 is connected to Vyatta)

     

     

    vMX:

    ====

    set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24

    set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24

    set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24

    set groups global interfaces si-0/0/0 unit 0

    set groups global interfaces si-0/0/0 unit 1 family inet

    set groups global interfaces si-0/0/0 unit 1 service-domain inside

    set groups global interfaces si-0/0/0 unit 2 family inet

    set groups global interfaces si-0/0/0 unit 2 service-domain outside

    set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1

    set groups global routing-options static route 0.0.0.0/0 retain

    set groups global routing-options static route 0.0.0.0/0 no-readvertise

    set apply-groups global

    set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"

    set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1

    set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2

    set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12

    set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway routing-instance DATAPLANE-VMX-VPN-WANCLOUDS

    set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA

    set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24

    set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24

    set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.115.92

    set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ike-policy IKE-Policy-Vyatta

    set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ipsec-policy IPSec-Policy-Vyatta

    set services ipsec-vpn rule IPSec-VYATTA term 1 then initiate-dead-peer-detection

    set services ipsec-vpn rule IPSec-VYATTA match-direction input

    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta protocol esp

    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta authentication-algorithm hmac-md5-96

    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta encryption-algorithm 3des-cbc

    set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta perfect-forward-secrecy keys group5

    set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta proposals IPSEC-Proposal-Vyatta

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-method pre-shared-keys

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta dh-group group5

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-algorithm md5

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta encryption-algorithm 3des-cbc

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta lifetime-seconds 86400

    set services ipsec-vpn ike policy IKE-Policy-Vyatta proposals IKE-Proposal-Vyatta

    set services ipsec-vpn ike policy IKE-Policy-Vyatta pre-shared-key ascii-text "$9$EVryrvdVYoZjlKYo"

    set services ipsec-vpn establish-tunnels immediately

    set routing-options static route 192.168.100.0/24 next-hop si-0/0/0.1

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS instance-type virtual-router

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1

     set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 192.168.100.0/24 next-hop 108.1.115.92

    root@Juniper-vMX-Wanclouds> show configuration services service-set IPSEC-SITE-TO-SITE    

    next-hop-service {

        inside-service-interface si-0/0/0.1;

        outside-service-interface si-0/0/0.2;

    }

    ipsec-vpn-options {

        local-gateway 10.0.10.12 routing-instance DATAPLANE-VMX-VPN-WANCLOUDS;

    }

    ipsec-vpn-rules IPSec-VYATTA;

     

    root@Juniper-vMX-Wanclouds> 

     

     

    root@Juniper-vMX-Wanclouds> 

     

    root@Juniper-vMX-Wanclouds> monitor traffic interface ge-0/0/0 matching udp               

    verbose output suppressed, use <detail> or <extensive> for full protocol decode

    Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.

    Address resolution timeout is 4s.

    Listening on ge-0/0/0, capture size 96 bytes

     

    Reverse lookup for 10.0.10.12 failed (check DNS reachability).

    Other reverse lookup failures will not be reported.

    Use <no-resolve> to avoid reverse lookups on IP addresses.

     

    01:34:30.002214  In IP 168.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    01:34:30.008571 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 168.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

    01:34:52.718981  In IP 107.173.40.203.5063 > 10.0.10.12.sip: SIP, length: 416

    01:35:10.225491  In IP 168.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    01:35:10.231659 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 168.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

    01:35:50.448662  In IP 168.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    01:35:50.454043 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 168.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

    01:36:29.670526  In IP 168.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    01:36:29.676629 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 168.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

    01:37:09.893797  In IP 168.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    01:37:09.899046 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 168.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

    01:37:50.114708  In IP 168.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    01:37:50.121600 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 168.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

    01:38:30.344314  In IP 168.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    01:38:30.350602 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 168.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

     

    Vyatta:

     

    vyatta@gw-melbourne1-02-06-2016:~$ show configuration commands | grep vpn
    set vpn ipsec esp-group ESP-1H compression 'disable'
    set vpn ipsec esp-group ESP-1H lifetime '27000'
    set vpn ipsec esp-group ESP-1H mode 'tunnel'
    set vpn ipsec esp-group ESP-1H pfs 'dh-group5'
    set vpn ipsec esp-group ESP-1H proposal 1 encryption '3des'
    set vpn ipsec esp-group ESP-1H proposal 1 hash 'md5'
    set vpn ipsec ike-group IKE-1H lifetime '28800'
    set vpn ipsec ike-group IKE-1H proposal 1 dh-group '5'
    set vpn ipsec ike-group IKE-1H proposal 1 encryption '3des'
    set vpn ipsec ipsec-interfaces interface 'bond1'
    set vpn ipsec nat-traversal 'enable'
    set vpn ipsec site-to-site peer 35.163.189.77 authentication id '108.1.115.92'
    set vpn ipsec site-to-site peer 35.163.189.77 authentication mode 'pre-shared-secret'
    set vpn ipsec site-to-site peer 35.163.189.77 authentication pre-shared-secret 'cisco1000'
    set vpn ipsec site-to-site peer 35.163.189.77 authentication remote-id '35.163.189.77'
    set vpn ipsec site-to-site peer 35.163.189.77 connection-type 'initiate'
    set vpn ipsec site-to-site peer 35.163.189.77 default-esp-group 'ESP-1H'
    set vpn ipsec site-to-site peer 35.163.189.77 ike-group 'IKE-1H'
    set vpn ipsec site-to-site peer 35.163.189.77 local-address '108.1.115.92'
    set vpn ipsec site-to-site peer 35.163.189.77 tunnel 0 allow-nat-networks 'disable'
    set vpn ipsec site-to-site peer 35.163.189.77 tunnel 0 allow-public-networks 'disable'
    set vpn ipsec site-to-site peer 35.163.189.77 tunnel 0 local prefix '192.168.100.0/24'
    set vpn ipsec site-to-site peer 35.163.189.77 tunnel 0 remote prefix '10.0.20.0/24'
    vyatta@gw-melbourne1-02-06-2016:~$

     

     



  • 12.  RE: IPsec VPN on Juniper vMX not working .

    Posted 02-04-2018 09:11

    The config looks good. Do you have any nat device between the 2 peers?

     

     



  • 13.  RE: IPsec VPN on Juniper vMX not working .

    Posted 02-04-2018 09:41

    Vyatta is Public Device in Softlayer Cloud and Juniper vMX is on AWS clouds which is basically 1:1 Nat as its behind Nat-Gateway.And i believe NAT traversal is by default on Juniper vMX.

     

    Regards

    Syed



  • 14.  RE: IPsec VPN on Juniper vMX not working .

    Posted 02-04-2018 21:14
    Can you disable the Natt on mx and check?

    Get Outlook for Android<>


  • 15.  RE: IPsec VPN on Juniper vMX not working .

    Posted 02-04-2018 21:38

    What’s the command to disable Nat on Vmx but don’t u think it will cause
    issues later as this device is behind Nat.




  • 16.  RE: IPsec VPN on Juniper vMX not working .

    Posted 02-04-2018 22:15

    Disable NAT Transversal

    set services ipsec-vpn disable-natt



  • 17.  RE: IPsec VPN on Juniper vMX not working .

    Posted 02-04-2018 22:20

    Thanks again i will try and share the results

     



  • 18.  RE: IPsec VPN on Juniper vMX not working .

    Posted 02-04-2018 22:26
    Hi,

    NATT is officially is supported from 17.4 on MX platform. I need to check it’s the same case with vMX as well but for now, can you try disabling NATT and check if it works?

    You can refer to below link.

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/services-ipsec-nat-t-disabling.html

    HTH


  • 19.  RE: IPsec VPN on Juniper vMX not working .

    Posted 02-04-2018 22:28

    Thanks Again and will share the output.



  • 20.  RE: IPsec VPN on Juniper vMX not working .

    Posted 02-05-2018 15:48

    I have disabled the NAT Traversal on Juniper vMX but still the same issue.

     

    root@Juniper-vMX-Wanclouds> show configuration | display set | grep nat 

    set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24

    set services ipsec-vpn disable-natt

     

     

     

    root@Juniper-vMX-Wanclouds> ping 108.1.115.92 routing-instance DATAPLANE-VMX-VPN-WANCLOUDS interface ?

    Possible completions:

      <interface>          Source interface (multicast, all-ones, unrouted packets)

    root@Juniper-vMX-Wanclouds> ping 108.1.115.92 routing-instance DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0 

    PING 108.1.115.92 (108.1.115.92): 56 data bytes

    64 bytes from 108.1.115.92: icmp_seq=0 ttl=40 time=193.308 ms

    64 bytes from 108.1.115.92: icmp_seq=1 ttl=40 time=192.126 ms

    64 bytes from 108.1.115.92: icmp_seq=2 ttl=40 time=189.996 ms

    64 bytes from 108.1.115.92: icmp_seq=3 ttl=40 time=189.118 ms

    64 bytes from 108.1.115.92: icmp_seq=4 ttl=40 time=189.470 ms

    ^C

    --- 108.1.115.92 ping statistics ---

    6 packets transmitted, 5 packets received, 16% packet loss

    round-trip min/avg/max/stddev = 189.118/190.804/193.308/1.631 ms

     

    root@Juniper-vMX-Wanclouds> show configuration | display set                                                       

    set version 17.2R1.13

     

    set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24

    set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24

    set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24

    set groups global interfaces si-0/0/0 unit 0

    set groups global interfaces si-0/0/0 unit 1 family inet

    set groups global interfaces si-0/0/0 unit 1 service-domain inside

    set groups global interfaces si-0/0/0 unit 2 family inet

    set groups global interfaces si-0/0/0 unit 2 service-domain outside

    set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1

    set groups global routing-options static route 0.0.0.0/0 retain

    set groups global routing-options static route 0.0.0.0/0 no-readvertise

    set apply-groups global

    set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"

    set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1

    set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2

    set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12

    set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway routing-instance DATAPLANE-VMX-VPN-WANCLOUDS

    set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA

    set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24

    set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24

    set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.115.92

    set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ike-policy IKE-Policy-Vyatta

    set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ipsec-policy IPSec-Policy-Vyatta

    set services ipsec-vpn rule IPSec-VYATTA term 1 then initiate-dead-peer-detection

    set services ipsec-vpn rule IPSec-VYATTA match-direction input

    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta protocol esp

    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta authentication-algorithm hmac-md5-96

    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta encryption-algorithm 3des-cbc

    set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta perfect-forward-secrecy keys group5

    set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta proposals IPSEC-Proposal-Vyatta

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-method pre-shared-keys

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta dh-group group5

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-algorithm md5

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta encryption-algorithm 3des-cbc

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta lifetime-seconds 86400

    set services ipsec-vpn ike policy IKE-Policy-Vyatta proposals IKE-Proposal-Vyatta

    set services ipsec-vpn ike policy IKE-Policy-Vyatta pre-shared-key ascii-text "$9$EVryrvdVYoZjlKYo"

    set services ipsec-vpn establish-tunnels immediately

    set services ipsec-vpn disable-natt

    set routing-options static route 192.168.100.0/24 next-hop si-0/0/0.1

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS instance-type virtual-router

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 192.168.100.0/24 next-hop 108.1.115.92

     

     

     

    root@Juniper-vMX-Wanclouds> 

     

     

    root@Juniper-vMX-Wanclouds> monitor traffic interface ge-0/0/0 matching udp 

    verbose output suppressed, use <detail> or <extensive> for full protocol decode

    Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.

    Address resolution timeout is 4s.

    Listening on ge-0/0/0, capture size 96 bytes

     

    Reverse lookup for 10.0.10.12 failed (check DNS reachability).

    Other reverse lookup failures will not be reported.

    Use <no-resolve> to avoid reverse lookups on IP addresses.

     

    22:37:27.258324  In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    22:37:27.266412 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]

    22:38:06.285971  In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    22:38:06.291761 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]

    22:38:46.316629  In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    22:38:46.322870 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]

    22:39:27.074786  In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    22:39:27.081587 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]

    22:40:06.369408  In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    22:40:06.376011 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]

    22:40:16.572681  In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    22:40:16.577964 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]

    22:40:36.395870  In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    22:40:36.402259 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]

    22:41:16.426245  In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    22:41:16.435971 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]

    22:41:56.454951  In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    22:41:56.462379 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]

    ^C

    98 packets received by filter

    0 packets dropped by kernel

     

     

     

    set vpn ipsec esp-group ESP-1H compression 'disable'

    set vpn ipsec esp-group ESP-1H lifetime '27000'

    set vpn ipsec esp-group ESP-1H mode 'tunnel'

    set vpn ipsec esp-group ESP-1H pfs 'dh-group5'

    set vpn ipsec esp-group ESP-1H proposal 1 encryption '3des'

    set vpn ipsec esp-group ESP-1H proposal 1 hash 'md5'

    set vpn ipsec ike-group IKE-1H lifetime '28800'

    set vpn ipsec ike-group IKE-1H proposal 1 dh-group '5'

    set vpn ipsec ike-group IKE-1H proposal 1 encryption '3des'

    set vpn ipsec ipsec-interfaces interface 'bond1'

    set vpn ipsec nat-traversal 'enable'

    set vpn ipsec site-to-site peer 35.162.145.118 authentication id '108.1.115.92'

    set vpn ipsec site-to-site peer 35.162.145.118 authentication mode 'pre-shared-secret'

    set vpn ipsec site-to-site peer 35.162.145.118 authentication pre-shared-secret 'cisco1000'

    set vpn ipsec site-to-site peer 35.162.145.118 authentication remote-id '35.162.145.118'

    set vpn ipsec site-to-site peer 35.162.145.118 connection-type 'initiate'

    set vpn ipsec site-to-site peer 35.162.145.118 default-esp-group 'ESP-1H'

    set vpn ipsec site-to-site peer 35.162.145.118 ike-group 'IKE-1H'

    set vpn ipsec site-to-site peer 35.162.145.118 local-address '108.1.115.92'

    set vpn ipsec site-to-site peer 35.162.145.118 tunnel 0 allow-nat-networks 'disable'

    set vpn ipsec site-to-site peer 35.162.145.118 tunnel 0 allow-public-networks 'disable'

    set vpn ipsec site-to-site peer 35.162.145.118 tunnel 0 local prefix '192.168.100.0/24'

    set vpn ipsec site-to-site peer 35.162.145.118 tunnel 0 remote prefix '10.0.20.0/24'

     

     

    vyatta@gw-melbourne1-02-06-2016:~$ show vpn ike sa

    Peer ID / IP                            Local ID / IP               

    ------------                            -------------

    35.162.145.118                          108.1.115.92                           

     

        State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time

        -----  -------  ----  -------  -----  ------  ------

        init   n/a      n/a   n/a      no     0       28800  

     

     

    vyatta@gw-melbourne1-02-06-2016:~$ 

    vyatta@gw-melbourne1-02-06-2016:~$ 

    vyatta@gw-melbourne1-02-06-2016:~$ show vpn ipsec sa

    Peer ID / IP                            Local ID / IP               

    ------------                            -------------

    35.162.145.118                          108.1.115.92                           

     

        Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto

        ------  -----  -------------  -------  ----  -----  ------  ------  -----

        0       down   n/a            n/a      n/a   no     0       27000   all

     

     

    Regards

    syed



  • 21.  RE: IPsec VPN on Juniper vMX not working .

    Posted 02-05-2018 23:02
    Can you enable ipsec traceoption and attached the tracelog file here ?

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/traceoptions-edit-services-ipsec-vpn.html

    Use level all and flag all while enabling the trace options.


  • 22.  RE: IPsec VPN on Juniper vMX not working .

    Posted 02-06-2018 16:48
      |   view attached

    I am attaching the ouput of log file.

    Attachment(s)

    txt
    JuniperVMXIPSEClog.txt   1.41 MB 1 version


  • 23.  RE: IPsec VPN on Juniper vMX not working .

    Posted 02-07-2018 01:58
    Hi I see this in the logs.

    Feb 7 00:22:33 [10.0.10.12 <-> 168.1.114.92] Instance: IPSEC-SITE-TO-SITE is down as service interface: si-0/0/0.2 is not up, Lookup failed.

    Do you have tunnel-services enabled on the FPC? I don’t see tunnel-service configured in your configuration.


  • 24.  RE: IPsec VPN on Juniper vMX not working .

    Posted 02-12-2018 12:49

     

    Hi ,

      Not sure how to enable tunnel services on FPC , checked some of the output to make sure if fpc status is ok .Can u share the command to enable tunnel services on FPC.

     

    root@Juniper-vMX-Wanclouds> show chassis hardware detail     

    Hardware inventory:

    Item             Version  Part number  Serial number     Description

    Chassis                                VM5A5406B749      VMX

    Midplane        

    Routing Engine 0                                         RE-VMX

      vtbd0     0 MB                                         Hard Disk

    CB 0                                                     VMX SCB

    CB 1                                                     VMX SCB

    FPC 0                                                    Virtual FPC

      CPU            Rev. 1.0 RIOT         BUILTIN          

      MIC 0                                                  Virtual

        PIC 0                 BUILTIN      BUILTIN           Virtual

     

    root@Juniper-vMX-Wanclouds> show chassis fpc pic-status      

    Slot 0   Online       Virtual FPC                                   

      PIC 0  Online       Virtual

     

     

     

     

    root@Juniper-vMX-Wanclouds> show chassis network-services 

    Network Services Mode: IP

     

    root@Juniper-vMX-Wanclouds> 

     

    Regards

    Syed

     



  • 25.  RE: IPsec VPN on Juniper vMX not working .

    Posted 02-12-2018 21:29
    Set chassis fpc x pic x tunnel-services bandwidth 1/10g

    Here x is the pic and pfc no.

    Do you see your sister interface up on your box?

    Can you paste the output of "show interface terse | match si"

    Also make sure you are using the correct si interface.

    Get Outlook for Android<>


  • 26.  RE: IPsec VPN on Juniper vMX not working .

    Posted 02-13-2018 18:36

    Here is the output and i enabled tunnel services on Tunnel.

     

    root@Juniper-vMX-Wanclouds> show interfaces terse | match si    -->Before enabling tunnel services on tunnel

    esi                     up    up

    lsi                     up    up

     

    root@Juniper-vMX-Wanclouds> show chassis hardware 

    Hardware inventory:

    Item             Version  Part number  Serial number     Description

    Chassis                                VM5A5406B749      VMX

    Midplane        

    Routing Engine 0                                         RE-VMX

    CB 0                                                     VMX SCB

    CB 1                                                     VMX SCB

    FPC 0                                                    Virtual FPC

      CPU            Rev. 1.0 RIOT         BUILTIN          

      MIC 0                                                  Virtual

        PIC 0                 BUILTIN      BUILTIN           Virtual

     

    root@Juniper-vMX-Wanclouds> set ch

                                      ^

    syntax error.

    root@Juniper-vMX-Wanclouds> configure 

    Entering configuration mode

     

    [edit]

    root@Juniper-vMX-Wanclouds# set chassis fpc 0 pic 0 tunnel-services bandwidth ?

    Possible completions:

      <bandwidth>          Bandwidth reserved for tunnel service

      100g                 100 gigabits per second

      10g                  10 gigabits per second

      1g                   1 gigabit per second

      200g                 200 gigabits per second

      20g                  20 gigabits per second

      300g                 300 gigabits per second

      30g                  30 gigabits per second

      400g                 400 gigabits per second

      40g                  40 gigabits per second

      50g                  50 gigabits per second

      60g                  60 gigabits per second

      70g                  70 gigabits per second

      80g                  80 gigabits per second

      90g                  90 gigabits per second

    [edit]

     

    root@Juniper-vMX-Wanclouds# set chassis fpc 0 pic 0 tunnel-services bandwidth 1g  

     

    [edit]

    root@Juniper-vMX-Wanclouds# commit 

    commit complete

     

    [edit]

    root@Juniper-vMX-Wanclouds# 

     



  • 27.  RE: IPsec VPN on Juniper vMX not working .

    Posted 02-13-2018 20:21
    Is it working now? You didn’t see si interface in the output (before enabling tunneling)

    It should work now.


  • 28.  RE: IPsec VPN on Juniper vMX not working .

    Posted 03-02-2018 17:45
      |   view attached

    Still its not working i have tried all options , including the output from device and debug from vmx in attachment.Still complaining in debug the si interface down but interface output saying its up i think there is some issue vMX.

     

    root@Juniper-vMX-Wanclouds> show interfaces terse | match si 

    esi                     up    up

    lsi                     up    up

     

    Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ikev2_fb_isakmp_select_sa: Taking reference to fallback negotiation 8d16400 (now 2 references)

    Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ssh_set_thread_debug_info: ikev2_fb_isakmp_select_sa: set thread debug info - local 0xc0a000a remote 0x5c7201a8neg 0x8d16400 neg->ike_sa 0x8cad200 ike_sa 0x0

    Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ike_state_step: Input function[1] = ike_st_i_sa_proposal asked retry later

    Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ike_process_packet: No output packet, returning

    Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ikev2_fb_st_select_ike_sa: FB; Calling v2 policy function select_ike_sa

    Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] In kmd_pm_spd_select_ike_sa: Enter SA 8cad200 ED 8e25028

    Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] Looking up IKE gateway for server: 10.0.10.12 and routing instance id: 8

    Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] instance: IPSEC-SITE-TO-SITE found for server: 10.0.10.12 in routing instance id: 8

    Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] Instance: IPSEC-SITE-TO-SITE is down as service interface: si-0/0/0.2 is not up, Lookup failed.

    Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] No instance available to serve this request

    Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error Invalid argument (neg 8d16400)

     

    root@Juniper-vMX-Wanclouds> show configuration | display set 

    set version 17.2R1.13

    set groups global system host-name Juniper-vMX-Wanclouds

    set groups global system login user jnpr uid 2000

    set groups global system login user jnpr class super-user

    set groups global system login user jnpr authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxHi+V3riqQj4QPAksAAs2ATrbJlUCyPzWEZtBtQS5pdjm6xa9xXVYcyxwEu3CmmyMDAf4xt6thJvvNZbFZRoo9k0W4cTn4BiqeBBhjfaPeowkErpNugCyJZMkmId/sdLuZ/TrcGV0ZFI8l8ojAZFt8Q/bh0vMBgbs2nfA/oVRk8RWh5fIVadC0ocjhKahO6QkZmlDQLKssWDHUBJSqjutCVTJlkvWfq3ieISxlGavYEcx99vycbyMExcOsl2kNetxNcd6hHNCJjsRaRJQd3TGzjsFYw8/nRwa1TacUts4Y7ni1QvObOdcGu4Hla8roGqAFr6vrPrZqs/I2ehTr4WT ix_vMX_key_pair_Jan7_Khalid"

    set groups global system services ssh

    set groups global system syslog user * any emergency

    set groups global system syslog file messages any notice

    set groups global system syslog file messages authorization info

    set groups global system syslog file interactive-commands interactive-commands any

    set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24

    set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24

    set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24

    set groups global interfaces si-0/0/0 unit 0

    set groups global interfaces si-0/0/0 unit 1 family inet

    set groups global interfaces si-0/0/0 unit 1 service-domain inside

    set groups global interfaces si-0/0/0 unit 2 family inet

    set groups global interfaces si-0/0/0 unit 2 service-domain outside

    set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1

    set groups global routing-options static route 0.0.0.0/0 retain

    set groups global routing-options static route 0.0.0.0/0 no-readvertise

    set apply-groups global

    set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"

    set chassis fpc 0 pic 0 tunnel-services bandwidth 1g

    set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1

    set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2

    set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12

    set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway routing-instance DATAPLANE-VMX-VPN-WANCLOUDS

    set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA

    set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24

    set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24

    set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.114.92

    set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ike-policy IKE-Policy-Vyatta

    set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ipsec-policy IPSec-Policy-Vyatta

    set services ipsec-vpn rule IPSec-VYATTA term 1 then initiate-dead-peer-detection

    set services ipsec-vpn rule IPSec-VYATTA match-direction input

    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta protocol esp

    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta authentication-algorithm hmac-md5-96

    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta encryption-algorithm 3des-cbc

    set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta perfect-forward-secrecy keys group5

    set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta proposals IPSEC-Proposal-Vyatta

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-method pre-shared-keys

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta dh-group group5

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-algorithm md5

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta encryption-algorithm 3des-cbc

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta lifetime-seconds 86400

    set services ipsec-vpn ike policy IKE-Policy-Vyatta proposals IKE-Proposal-Vyatta

    set services ipsec-vpn ike policy IKE-Policy-Vyatta pre-shared-key ascii-text "$9$EVryrvdVYoZjlKYo"

    set services ipsec-vpn traceoptions file VmxIPSECCommunity

    set services ipsec-vpn traceoptions file size 10m

    set services ipsec-vpn traceoptions file files 2

    set services ipsec-vpn traceoptions level all

    set services ipsec-vpn traceoptions flag all

    set services ipsec-vpn establish-tunnels immediately

    set services ipsec-vpn disable-natt

    set routing-options static route 192.168.100.0/24 next-hop si-0/0/0.1

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS instance-type virtual-router

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 192.168.100.0/24 next-hop 108.1.114.92

     

    root@Juniper-vMX-Wanclouds> show services ipsec-vpn ipsec security-associations 

    Service set: IPSEC-SITE-TO-SITE, IKE Routing-instance: DATAPLANE-VMX-VPN-WANCLOUDS

     

      Rule: IPSec-VYATTA, Term: 1, Tunnel index: 1

      Local gateway: 10.0.10.12, Remote gateway: 108.1.114.92

      IPSec inside interface: si-0/0/0.1, Tunnel MTU: 1500

      UDP encapsulate: Disabled, UDP Destination port: 0

      

      --- No IPSec SA information available ---

     

    root@Juniper-vMX-Wanclouds> show interfaces terse | match si 

    esi                     up    up

    lsi                     up    up

     

     

     

    root@Juniper-vMX-Wanclouds> show chassis hardware detail 

    Hardware inventory:

    Item             Version  Part number  Serial number     Description

    Chassis                                VM5A5406B749      VMX

    Midplane        

    Routing Engine 0                                         RE-VMX

      vtbd0     0 MB                                         Hard Disk

    CB 0                                                     VMX SCB

    CB 1                                                     VMX SCB

    FPC 0                                                    Virtual FPC

      CPU            Rev. 1.0 RIOT         BUILTIN          

      MIC 0                                                  Virtual

        PIC 0                 BUILTIN      BUILTIN           Virtual

     

     

     

    root@Juniper-vMX-Wanclouds> show services ipsec-vpn ike security-associations            

     

    root@Juniper-vMX-Wanclouds> monitor traffic interface ge-0/0/0 matching udp 

    verbose output suppressed, use <detail> or <extensive> for full protocol decode

    Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.

    Address resolution timeout is 4s.

    Listening on ge-0/0/0, capture size 96 bytes

     

    Reverse lookup for 10.0.10.12 failed (check DNS reachability).

    Other reverse lookup failures will not be reported.

    Use <no-resolve> to avoid reverse lookups on IP addresses.

     

    00:54:04.606186  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    00:54:04.707330 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

    00:54:44.094174  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    00:54:44.200468 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

    00:55:24.234474  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    00:55:24.328674 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

    00:56:04.807564  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    00:56:04.908874 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

    00:56:44.502941  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    00:56:44.602296 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

    00:57:24.887299  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    00:57:25.005052 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

    ^C

    92 packets received by filter

    0 packets dropped by kernel

     

    root@Juniper-vMX-Wanclouds> show interfaces terse | grep ge 

    ge-0/0/0                up    up

    ge-0/0/0.0              up    up   inet     10.0.10.12/24   

    ge-0/0/1                up    up

    ge-0/0/1.0              up    up   inet     10.0.20.81/24   

    ge-0/0/2                up    down

    ge-0/0/3                up    down

    ge-0/0/4                up    down

    ge-0/0/5                up    down

    ge-0/0/6                up    down

    ge-0/0/7                up    down

    ge-0/0/8                up    down

    ge-0/0/9                up    down

     

    root@Juniper-vMX-Wanclouds> show interfaces terse | grep si    

    esi                     up    up

    lsi                     up    up

     

     

     

     

    Brocade-Vyatta:

    =============

     

    vyatta@gw-melbourne1-02-06-2016:~$ show configuration commands | grep vpn

    set vpn ipsec esp-group ESP-1H compression 'disable'

    set vpn ipsec esp-group ESP-1H lifetime '27000'

    set vpn ipsec esp-group ESP-1H mode 'tunnel'

    set vpn ipsec esp-group ESP-1H pfs 'dh-group5'

    set vpn ipsec esp-group ESP-1H proposal 1 encryption '3des'

    set vpn ipsec esp-group ESP-1H proposal 1 hash 'md5'

    set vpn ipsec ike-group IKE-1H lifetime '28800'

    set vpn ipsec ike-group IKE-1H proposal 1 dh-group '5'

    set vpn ipsec ike-group IKE-1H proposal 1 encryption '3des'

    set vpn ipsec ike-group IKE-1H proposal 1 hash 'md5'

    set vpn ipsec ipsec-interfaces interface 'bond1'

    set vpn ipsec nat-traversal 'enable'

    set vpn ipsec site-to-site peer 34.218.101.112 authentication id '108.1.114.92'

    set vpn ipsec site-to-site peer 34.218.101.112 authentication mode 'pre-shared-secret'

    set vpn ipsec site-to-site peer 34.218.101.112 authentication pre-shared-secret 'cisco1000'

    set vpn ipsec site-to-site peer 34.218.101.112 authentication remote-id '10.0.10.12'

    set vpn ipsec site-to-site peer 34.218.101.112 connection-type 'initiate'

    set vpn ipsec site-to-site peer 34.218.101.112 default-esp-group 'ESP-1H'

    set vpn ipsec site-to-site peer 34.218.101.112 ike-group 'IKE-1H'

    set vpn ipsec site-to-site peer 34.218.101.112 local-address '108.1.114.92'

    set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 allow-nat-networks 'disable'

    set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 allow-public-networks 'disable'

    set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 local prefix '192.168.100.0/24'

    set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 remote prefix '10.0.20.0/24'

    vyatta@gw-melbourne1-02-06-2016:~$ 

    vyatta@gw-melbourne1-02-06-2016:~$ 

    vyatta@gw-melbourne1-02-06-2016:~$ 

    vyatta@gw-melbourne1-02-06-2016:~$ show vpn ike sa

    Peer ID / IP                            Local ID / IP               

    ------------                            -------------

    34.218.101.112                          108.1.114.92                           

     

        State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time

        -----  -------  ----  -------  -----  ------  ------

        init   n/a      n/a   n/a      no     0       28800  

     

     

    vyatta@gw-melbourne1-02-06-2016:~$ show vpn ipsec sa

    Peer ID / IP                            Local ID / IP               

    ------------                            -------------

    34.218.101.112                          108.1.114.92                           

     

        Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto

        ------  -----  -------------  -------  ----  -----  ------  ------  -----

        0       down   n/a            n/a      n/a   no     0       27000   all

     

     

    vyatta@gw-melbourne1-02-06-2016:~$

    Attachment(s)

    rtf
    IPsec-3Mar.rtf   57 K 1 version


  • 29.  RE: IPsec VPN on Juniper vMX not working .

    Posted 03-02-2018 19:23

    Hi Syed,

     

    Still si-* interface is not created on your VMX box.  Please share <show configuration chassis>

     

    vmx> show interfaces terse | match si 

    esi up up
    lsi up up

     

    Above is output is not si-* interface.

     

    vmx# set chassis fpc 0 pic 0 inline-services

    [edit]
    vmx# commit
    commit complete

    [edit]
    vmx# run show interfaces terse | match si-
    si-0/0/0 up up 

    [edit]

     

    Hope this helps

    --------------------------------------------------------------------------------------------------------
    If this post was helpful, please mark this post as an "Accepted Solution".
    Kudos are always appreciated!
    --------------------------------------------------------------------------------------------------------



  • 30.  RE: IPsec VPN on Juniper vMX not working .

    Posted 03-02-2018 22:17
    Hi,

    As I said earlier, you don’t have si-0/0/0 interface configured in your box.
    Can you try with below command and check?

    root@PE1_re> show interfaces terse | match si
    esi up up
    lsi up up
    lsi.1 up up inet

    root@PE1_re>
    [edit]
    root@PE1_re# set chassis fpc 0 pic 0 inline-services

    [edit]
    root@PE1_re# commit
    commit complete

    [edit]
    root@PE1_re#
    root@PE1_re# run show interfaces terse | match si
    si-0/0/0 up up
    esi up up
    lsi up up
    lsi.1 up up inet

    [edit]
    root@PE1_re#

    Regards
    Harpreet


  • 31.  RE: IPsec VPN on Juniper vMX not working .

    Posted 03-03-2018 13:19

    I Had  the configuration for Si interfaces the only thing missing was "set chassis fpc 0 pic 0 inline-services" and its working now special thanks to Kingsman (Harpreet) and vvadivel.

     

     

    root@Juniper-vMX-Wanclouds> show configuration | display set 

    set version 17.2R1.13

    set groups global system host-name Juniper-vMX-Wanclouds

    set groups global system login user jnpr uid 2000

    set groups global system login user jnpr class super-user

    set groups global system services ssh

    set groups global system syslog user * any emergency

    set groups global system syslog file messages any notice

    set groups global system syslog file messages authorization info

    set groups global system syslog file interactive-commands interactive-commands any

    set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24

    set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24

    set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24

    set groups global interfaces si-0/0/0 unit 0

    set groups global interfaces si-0/0/0 unit 1 family inet

    set groups global interfaces si-0/0/0 unit 1 service-domain inside

    set groups global interfaces si-0/0/0 unit 2 family inet

    set groups global interfaces si-0/0/0 unit 2 service-domain outside

    set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1

    set groups global routing-options static route 0.0.0.0/0 retain

    set groups global routing-options static route 0.0.0.0/0 no-readvertise

    set apply-groups global

    set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"

    set chassis fpc 0 pic 0 tunnel-services bandwidth 1g

    set chassis fpc 0 pic 0 inline-services

    set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1

    set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2

    set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12

    set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway routing-instance DATAPLANE-VMX-VPN-WANCLOUDS

    set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA

    set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24

    set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24

    set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.114.92

    set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ike-policy IKE-Policy-Vyatta

    set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ipsec-policy IPSec-Policy-Vyatta

    set services ipsec-vpn rule IPSec-VYATTA term 1 then initiate-dead-peer-detection

    set services ipsec-vpn rule IPSec-VYATTA match-direction input

    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta protocol esp

    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta authentication-algorithm hmac-md5-96

    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta encryption-algorithm 3des-cbc

    set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta perfect-forward-secrecy keys group5

    set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta proposals IPSEC-Proposal-Vyatta

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-method pre-shared-keys

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta dh-group group5

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-algorithm md5

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta encryption-algorithm 3des-cbc

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta lifetime-seconds 86400

    set services ipsec-vpn ike policy IKE-Policy-Vyatta proposals IKE-Proposal-Vyatta

    set services ipsec-vpn ike policy IKE-Policy-Vyatta pre-shared-key ascii-text "$9$EVryrvdVYoZjlKYo"

    set services ipsec-vpn traceoptions file VmxIPSECCommunity

    set services ipsec-vpn traceoptions file size 10m

    set services ipsec-vpn traceoptions file files 2

    set services ipsec-vpn traceoptions level all

    set services ipsec-vpn traceoptions flag all

    set services ipsec-vpn establish-tunnels immediately

    set services ipsec-vpn disable-natt

    set routing-options static route 192.168.100.0/24 next-hop si-0/0/0.1

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS instance-type virtual-router

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 192.168.100.0/24 next-hop 108.1.114.92

                                            

    root@Juniper-vMX-Wanclouds> show interfaces terse | match si 

    si-0/0/0                up    up

    si-0/0/0.0              up    up  

    si-0/0/0.1              up    up   inet    

    si-0/0/0.2              up    up   inet    

    esi                     up    up

    lsi                     up    up

     

     

    Regards

    syed.