vMX

last person joined: 13 days ago 

Ask questions and share experiences about vMX.
Expand all | Collapse all

IPsec VPN on Juniper vMX not working .

Erdem

Erdem01-18-2018 00:01

  • 1.  IPsec VPN on Juniper vMX not working .

    Posted 01-10-2018 17:39

    Issue:

    ======

    IPsec VPN b/w Juniper vMX and Vyatta 5400 not working .

     

    Topology:

    ========

     

    192.168.100.1/24------Vyatta---------------Cloud--------------AWS ------Juniper vMX---10.0.20.0/24

     

    Corcerns or Problems:

    ==================

    1.  since the deployment is in AWS VPC the Public or Revenue interface is not in default Routing instance so both Public ge-0/0/0 and ge0/0/1 are in Routing instance named DATAPLANE-VMX-VPN-WANCLOUDS.And if my understanding is correct both si-0/0/0.1 and si-0/0/0.1 should be part of routing instance DATAPLANE-VMX-VPN-WANCLOUDS but on configuring getting this error.

     

    root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.1 

     

    [edit]

    root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2    

     

    [edit]

    root@Juniper-vMX-Wanclouds# commit check 

    [edit services service-set IPSEC-SITE-TO-SITE]

      'ipsec-vpn-options'

        The service interface si-0/0/0.2 must be configured under default routing-instance

     

    2. How to enable NAT Traversal for IPsec vpn on vMX as the VMx is deployed behind Internet Gateway 1:1 Nat.But as per my undersatnding its enable by default.

     

     

     

    Configuration:

     

    Vyatta5400:

    ----------------

     

    vyatta:~$ show configuration commands | grep vpn
    set vpn ipsec esp-group ESP-1H compression 'disable'
    set vpn ipsec esp-group ESP-1H lifetime '27000'
    set vpn ipsec esp-group ESP-1H mode 'tunnel'
    set vpn ipsec esp-group ESP-1H pfs 'dh-group5'
    set vpn ipsec esp-group ESP-1H proposal 1 encryption '3des'
    set vpn ipsec esp-group ESP-1H proposal 1 hash 'md5'
    set vpn ipsec ike-group IKE-1H lifetime '28800'
    set vpn ipsec ike-group IKE-1H proposal 1 dh-group '5'
    set vpn ipsec ike-group IKE-1H proposal 1 encryption '3des'
    set vpn ipsec ipsec-interfaces interface 'bond1'
    set vpn ipsec nat-traversal 'enable'
    set vpn ipsec site-to-site peer 34.210.108.160 authentication id '108.1.114.92'
    set vpn ipsec site-to-site peer 34.210.108.160 authentication mode 'pre-shared-secret'
    set vpn ipsec site-to-site peer 34.210.108.160 authentication pre-shared-secret 'cisco1000'
    set vpn ipsec site-to-site peer 34.210.108.160 authentication remote-id '34.210.108.160'
    set vpn ipsec site-to-site peer 34.210.108.160 connection-type 'initiate'
    set vpn ipsec site-to-site peer 34.210.108.160 default-esp-group 'ESP-1H'
    set vpn ipsec site-to-site peer 34.210.108.160 ike-group 'IKE-1H'
    set vpn ipsec site-to-site peer 34.210.108.160 local-address '108.1.114.92'
    set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 allow-nat-networks 'disable'
    set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 allow-public-networks 'disable'
    set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 local prefix '192.168.100.0/24'
    set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 remote prefix '10.0.20.0/24'
     
     
    Juniper-VMX:
    -----------------

    set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24

    set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24

    set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24

    set groups global interfaces si-0/0/0 unit 0

    set groups global interfaces si-0/0/0 unit 1 family inet

    set groups global interfaces si-0/0/0 unit 1 service-domain inside

    set groups global interfaces si-0/0/0 unit 2 family inet

    set groups global interfaces si-0/0/0 unit 2 service-domain outside

    set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1

    set groups global routing-options static route 0.0.0.0/0 retain

    set groups global routing-options static route 0.0.0.0/0 no-readvertise

    set apply-groups global

     

     
    IPsec Configuration

    set groups global interfaces si-0/0/0 unit 0

    set groups global interfaces si-0/0/0 unit 1 family inet

    set groups global interfaces si-0/0/0 unit 1 service-domain inside

    set groups global interfaces si-0/0/0 unit 2 family inet

    set groups global interfaces si-0/0/0 unit 2 service-domain outside

    set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1

    set groups global routing-options static route 0.0.0.0/0 retain

    set groups global routing-options static route 0.0.0.0/0 no-readvertise

    set apply-groups global

    set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"

    set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1

    set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2

    set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12

    set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA

    set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24

    set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24

    set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.114.92

    set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ike-policy IKE-Policy-Vyatta

    set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ipsec-policy IPSec-Policy-Vyatta

    set services ipsec-vpn rule IPSec-VYATTA term 1 then initiate-dead-peer-detection

    set services ipsec-vpn rule IPSec-VYATTA match-direction input

    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta protocol esp

    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta authentication-algorithm hmac-md5-96

    set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta encryption-algorithm 3des-cbc

    set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta perfect-forward-secrecy keys group5

    set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta proposals IPSEC-Proposal-Vyatta

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-method pre-shared-keys

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta dh-group group5

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-algorithm md5

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta encryption-algorithm 3des-cbc

    set services ipsec-vpn ike proposal IKE-Proposal-Vyatta lifetime-seconds 86400

    set services ipsec-vpn ike policy IKE-Policy-Vyatta proposals IKE-Proposal-Vyatta

    set services ipsec-vpn ike policy IKE-Policy-Vyatta pre-shared-key ascii-text "$9$EVryrvdVYoZjlKYo"

    set services ipsec-vpn establish-tunnels immediately

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS instance-type virtual-router

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/1.0

     

    set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1

     

     

    root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.1 

     

    [edit]

    root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2    

     

    [edit]

    root@Juniper-vMX-Wanclouds# commit check 

    [edit services service-set IPSEC-SITE-TO-SITE]

      'ipsec-vpn-options'

        The service interface si-0/0/0.2 must be configured under default routing-instance

     

    error: configuration check-out failed

     

     

    ISAKMP packet coming from Vyatta Device.

     

    root@Juniper-vMX-Wanclouds> monitor traffic interface ge-0/0/0 matching udp      

    verbose output suppressed, use <detail> or <extensive> for full protocol decode

    Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.

    Address resolution timeout is 4s.

    Listening on ge-0/0/0, capture size 96 bytes

     

    Reverse lookup for 10.0.10.12 failed (check DNS reachability).

    Other reverse lookup failures will not be reported.

    Use <no-resolve> to avoid reverse lookups on IP addresses.

     

    00:54:34.986840  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    00:54:44.427606  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    00:54:44.624821  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

    00:54:54.602837  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

     

    00:55:14.927376  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

     
     

    #vmx
    #NAT
    #vyatta
    #routing-instance
    #IPSec


  • 2.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-10-2018 19:58
    Hi,

    Your config doesn’t seem to be correct.
    You have both inside and outside interface in same routing-instance DATAPLANE-VMX-VPN-WANCLOUDS.

    Your local gateway and outside service interface should be either in global routing-instance or in another routing-instance.

    I will correct the config and share if needed


  • 3.  RE: IPsec VPN on Juniper vMX not working .

    Posted 01-10-2018 20:33
    Here’s the config for your reference.

    Topology:

    R1----------------------------R2

    R1 config:


    [edit]
    root@R1_re# run show services ipsec-vpn ike sa
    Remote Address State Initiator cookie Responder cookie Exchange type
    10.1.12.2 Matured 846c851af53cecfd 221279f553a29262 Main

    [edit]
    root@R1_re#

    [edit]
    root@R1_re# run show services ipsec-vpn ipsec sa
    Service set: test, IKE Routing-instance: outside

    Rule: test-vpn, Term: 1, Tunnel index: 1
    Local gateway: 10.1.12.1, Remote gateway: 10.1.12.2
    IPSec inside interface: si-0/0/0.1, Tunnel MTU: 1500
    UDP encapsulate: Disabled, UDP Destination port: 0
    NATT Detection: Not Detected, NATT keepalive interval: 0
    Direction SPI AUX-SPI Mode Type Protocol
    inbound 4044436681 0 tunnel dynamic ESP
    outbound 1708770906 0 tunnel dynamic ESP

    [edit]
    root@R1_re#

    [edit]
    root@R1_re# show services | display set
    set services rpm probe A test PING-A-1 probe-type icmp-ping
    set services rpm probe A test PING-A-1 target address 10.1.12.2
    set services rpm probe A test PING-A-1 test-interval 3
    set services rpm probe A test PING-A-1 thresholds successive-loss 3
    set services service-set test next-hop-service inside-service-interface si-0/0/0.1
    set services service-set test next-hop-service outside-service-interface si-0/0/0.2
    set services service-set test ipsec-vpn-options local-gateway 10.1.12.1
    set services service-set test ipsec-vpn-options local-gateway routing-instance outside
    set services service-set test ipsec-vpn-rules test-vpn
    set services ipsec-vpn rule test-vpn term 1 from source-address 192.168.0.0/24
    set services ipsec-vpn rule test-vpn term 1 from destination-address 172.16.0.0/24
    set services ipsec-vpn rule test-vpn term 1 then remote-gateway 10.1.12.2
    set services ipsec-vpn rule test-vpn term 1 then dynamic ike-policy ike-policy
    set services ipsec-vpn rule test-vpn term 1 then dynamic ipsec-policy ipsec-policy
    set services ipsec-vpn rule test-vpn match-direction input
    set services ipsec-vpn ipsec proposal ipsec-proposal authentication-algorithm hmac-md5-96
    set services ipsec-vpn ipsec proposal ipsec-proposal encryption-algorithm 3des-cbc
    set services ipsec-vpn ipsec policy ipsec-policy proposals ipsec-proposal
    set services ipsec-vpn ike proposal ike-proposal authentication-method pre-shared-keys
    set services ipsec-vpn ike proposal ike-proposal dh-group group5
    set services ipsec-vpn ike proposal ike-proposal encryption-algorithm 3des-cbc
    set services ipsec-vpn ike proposal ike-proposal lifetime-seconds 500
    set services ipsec-vpn ike policy ike-policy proposals ike-proposal
    set services ipsec-vpn ike policy ike-policy pre-shared-key ascii-text "$9$Tz/Cp0BESru07-bs4o/CAtIEM8X"
    set services ipsec-vpn establish-tunnels immediately

    [edit]
    root@R1_re#

    root@R1_re# show routing-instances | display set
    set routing-instances inside instance-type virtual-router
    set routing-instances inside interface si-0/0/0.1
    set routing-instances inside interface ge-0/0/2.0
    set routing-instances inside routing-options static route 172.16.0.0/24 next-hop si-0/0/0.1
    set routing-instances inside routing-options static route 192.168.0.0/24 next-hop 10.1.14.4
    set routing-instances outside instance-type virtual-router
    set routing-instances outside interface si-0/0/0.2
    set routing-instances outside interface ge-0/0/1.0
    set routing-instances outside routing-options static route 172.16.0.0/24 next-hop 10.1.12.2

    [edit]
    [edit]
    root@R1_re# show interfaces
    si-0/0/0 {
    unit 1 {
    family inet;
    service-domain inside;
    }
    unit 2 {
    family inet;
    service-domain outside;
    }
    }
    ge-0/0/1 {
    unit 0 {
    family inet {
    address 10.1.12.1/24;
    }
    }
    }
    ge-0/0/2 {
    unit 0 {
    family inet {
    address 10.1.14.1/24;
    }
    }
    }


    R2: Config



    [edit]
    root@R2_re# show services | display set
    set services service-set test next-hop-service inside-service-interface si-0/0/0.1
    set services service-set test next-hop-service outside-service-interface si-0/0/0.2
    set services service-set test ipsec-vpn-options local-gateway 10.1.12.2
    set services service-set test ipsec-vpn-options local-gateway routing-instance outside
    set services service-set test ipsec-vpn-rules test-vpn
    set services ipsec-vpn rule test-vpn term 1 from source-address 172.16.0.0/24
    set services ipsec-vpn rule test-vpn term 1 from destination-address 192.168.0.0/24
    set services ipsec-vpn rule test-vpn term 1 then remote-gateway 10.1.12.1
    set services ipsec-vpn rule test-vpn term 1 then dynamic ike-policy ike-policy
    set services ipsec-vpn rule test-vpn term 1 then dynamic ipsec-policy ipsec-policy
    set services ipsec-vpn rule test-vpn match-direction input
    set services ipsec-vpn ipsec proposal ipsec-proposal authentication-algorithm hmac-md5-96
    set services ipsec-vpn ipsec proposal ipsec-proposal encryption-algorithm 3des-cbc
    set services ipsec-vpn ipsec policy ipsec-policy proposals ipsec-proposal
    set services ipsec-vpn ike proposal ike-proposal authentication-method pre-shared-keys
    set services ipsec-vpn ike proposal ike-proposal dh-group group5
    set services ipsec-vpn ike proposal ike-proposal encryption-algorithm 3des-cbc
    set services ipsec-vpn ike proposal ike-proposal lifetime-seconds 500
    set services ipsec-vpn ike policy ike-policy proposals ike-proposal
    set services ipsec-vpn ike policy ike-policy pre-shared-key ascii-text "$9$Tz/Cp0BESru07-bs4o/CAtIEM8X"
    set services ipsec-vpn establish-tunnels immediately

    [edit]
    root@R2_re#

    [edit]
    root@R2_re# show routing-instances | display set
    set routing-instances inside instance-type virtual-router
    set routing-instances inside interface si-0/0/0.1
    set routing-instances inside interface ge-0/0/2.0
    set routing-instances inside routing-options static route 192.168.0.0/24 next-hop si-0/0/0.1
    set routing-instances inside routing-options static route 172.16.0.0/24 next-hop 10.1.23.3
    set routing-instances outside instance-type virtual-router
    set routing-instances outside interface si-0/0/0.2
    set routing-instances outside interface ge-0/0/1.0
    set routing-instances outside routing-options static route 192.168.0.0/24 next-hop 10.1.12.1

    [edit]
    root@R2_re#
    [edit]
    root@R2_re# show interfaces
    si-0/0/0 {
    unit 1 {
    family inet;
    service-domain inside;
    }
    unit 2 {
    family inet;
    service-domain outside;
    }
    }
    ge-0/0/1 {
    unit 0 {
    family inet {
    address 10.1.12.2/24;
    }
    }
    }
    ge-0/0/2 {
    unit 0 {
    family inet {
    address 10.1.23.2/24;
    }
    }
    }

    [edit]
    root@R2_re# run show services ipsec-vpn ike sa
    Remote Address State Initiator cookie Responder cookie Exchange type
    10.1.12.1 Matured 846c851af53cecfd 221279f553a29262 Main

    [edit]
    root@R2_re# run show services ipsec-vpn ipsec sa
    Service set: test, IKE Routing-instance: outside

    Rule: test-vpn, Term: 1, Tunnel index: 1
    Local gateway: 10.1.12.2, Remote gateway: 10.1.12.1
    IPSec inside interface: si-0/0/0.1, Tunnel MTU: 1500
    UDP encapsulate: Disabled, UDP Destination port: 0
    NATT Detection: Not Detected, NATT keepalive interval: 0
    Direction SPI AUX-SPI Mode Type Protocol
    inbound 1708770906 0 tunnel dynamic ESP
    outbound 4044436681 0 tunnel dynamic ESP

    [edit]
    root@R2_re#



    HTH