IPsec VPN on Juniper vMX not working .

last person joined: 3 days ago

Ask questions and share experiences about vMX.

Back to discussions

Expand all | Collapse all

IPsec VPN on Juniper vMX not working .

1. IPsec VPN on Juniper vMX not working .

0 Recommend
fsyed
Posted 01-10-2018 17:39

Reply Reply Privately
Issue:

======

IPsec VPN b/w Juniper vMX and Vyatta 5400 not working .

Topology:

========

192.168.100.1/24------Vyatta---------------Cloud--------------AWS ------Juniper vMX---10.0.20.0/24

Corcerns or Problems:

==================

1. since the deployment is in AWS VPC the Public or Revenue interface is not in default Routing instance so both Public ge-0/0/0 and ge0/0/1 are in Routing instance named DATAPLANE-VMX-VPN-WANCLOUDS.And if my understanding is correct both si-0/0/0.1 and si-0/0/0.1 should be part of routing instance DATAPLANE-VMX-VPN-WANCLOUDS but on configuring getting this error.

root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.1

[edit]

root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2

[edit]

root@Juniper-vMX-Wanclouds# commit check

[edit services service-set IPSEC-SITE-TO-SITE]

'ipsec-vpn-options'

The service interface si-0/0/0.2 must be configured under default routing-instance

2. How to enable NAT Traversal for IPsec vpn on vMX as the VMx is deployed behind Internet Gateway 1:1 Nat.But as per my undersatnding its enable by default.

Configuration:

Vyatta5400:

----------------

vyatta:~$ show configuration commands | grep vpn

set vpn ipsec esp-group ESP-1H compression 'disable'

set vpn ipsec esp-group ESP-1H lifetime '27000'

set vpn ipsec esp-group ESP-1H mode 'tunnel'

set vpn ipsec esp-group ESP-1H pfs 'dh-group5'

set vpn ipsec esp-group ESP-1H proposal 1 encryption '3des'

set vpn ipsec esp-group ESP-1H proposal 1 hash 'md5'

set vpn ipsec ike-group IKE-1H lifetime '28800'

set vpn ipsec ike-group IKE-1H proposal 1 dh-group '5'

set vpn ipsec ike-group IKE-1H proposal 1 encryption '3des'

set vpn ipsec ipsec-interfaces interface 'bond1'

set vpn ipsec nat-traversal 'enable'

set vpn ipsec site-to-site peer 34.210.108.160 authentication id '108.1.114.92'

set vpn ipsec site-to-site peer 34.210.108.160 authentication mode 'pre-shared-secret'

set vpn ipsec site-to-site peer 34.210.108.160 authentication pre-shared-secret 'cisco1000'

set vpn ipsec site-to-site peer 34.210.108.160 authentication remote-id '34.210.108.160'

set vpn ipsec site-to-site peer 34.210.108.160 connection-type 'initiate'

set vpn ipsec site-to-site peer 34.210.108.160 default-esp-group 'ESP-1H'

set vpn ipsec site-to-site peer 34.210.108.160 ike-group 'IKE-1H'

set vpn ipsec site-to-site peer 34.210.108.160 local-address '108.1.114.92'

set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 allow-nat-networks 'disable'

set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 allow-public-networks 'disable'

set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 local prefix '192.168.100.0/24'

set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 remote prefix '10.0.20.0/24'

Juniper-VMX:

-----------------

set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24

set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24

set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24

set groups global interfaces si-0/0/0 unit 0

set groups global interfaces si-0/0/0 unit 1 family inet

set groups global interfaces si-0/0/0 unit 1 service-domain inside

set groups global interfaces si-0/0/0 unit 2 family inet

set groups global interfaces si-0/0/0 unit 2 service-domain outside

set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1

set groups global routing-options static route 0.0.0.0/0 retain

set groups global routing-options static route 0.0.0.0/0 no-readvertise

set apply-groups global

IPsec Configuration

set groups global interfaces si-0/0/0 unit 0

set groups global interfaces si-0/0/0 unit 1 family inet

set groups global interfaces si-0/0/0 unit 1 service-domain inside

set groups global interfaces si-0/0/0 unit 2 family inet

set groups global interfaces si-0/0/0 unit 2 service-domain outside

set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1

set groups global routing-options static route 0.0.0.0/0 retain

set groups global routing-options static route 0.0.0.0/0 no-readvertise

set apply-groups global

set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"

set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1

set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2

set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12

set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA

set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24

set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24

set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.114.92

set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ike-policy IKE-Policy-Vyatta

set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ipsec-policy IPSec-Policy-Vyatta

set services ipsec-vpn rule IPSec-VYATTA term 1 then initiate-dead-peer-detection

set services ipsec-vpn rule IPSec-VYATTA match-direction input

set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta protocol esp

set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta authentication-algorithm hmac-md5-96

set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta encryption-algorithm 3des-cbc

set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta perfect-forward-secrecy keys group5

set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta proposals IPSEC-Proposal-Vyatta

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-method pre-shared-keys

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta dh-group group5

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-algorithm md5

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta encryption-algorithm 3des-cbc

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta lifetime-seconds 86400

set services ipsec-vpn ike policy IKE-Policy-Vyatta proposals IKE-Proposal-Vyatta

set services ipsec-vpn ike policy IKE-Policy-Vyatta pre-shared-key ascii-text "$9$EVryrvdVYoZjlKYo"

set services ipsec-vpn establish-tunnels immediately

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS instance-type virtual-router

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/1.0

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1

root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.1

[edit]

root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2

[edit]

root@Juniper-vMX-Wanclouds# commit check

[edit services service-set IPSEC-SITE-TO-SITE]

'ipsec-vpn-options'

The service interface si-0/0/0.2 must be configured under default routing-instance

error: configuration check-out failed

ISAKMP packet coming from Vyatta Device.

root@Juniper-vMX-Wanclouds> monitor traffic interface ge-0/0/0 matching udp

verbose output suppressed, use <detail> or <extensive> for full protocol decode

Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.

Address resolution timeout is 4s.

Listening on ge-0/0/0, capture size 96 bytes

Reverse lookup for 10.0.10.12 failed (check DNS reachability).

Other reverse lookup failures will not be reported.

Use <no-resolve> to avoid reverse lookups on IP addresses.

00:54:34.986840 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:54:44.427606 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:54:44.624821 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:54:54.602837 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:55:14.927376 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

#vmx
#NAT
#vyatta
#routing-instance
#IPSec
2. RE: IPsec VPN on Juniper vMX not working .

0 Recommend
Erdem
Posted 01-10-2018 19:58

Reply Reply Privately
Hi,

Your config doesn’t seem to be correct.
You have both inside and outside interface in same routing-instance DATAPLANE-VMX-VPN-WANCLOUDS.

Your local gateway and outside service interface should be either in global routing-instance or in another routing-instance.

I will correct the config and share if needed
3. RE: IPsec VPN on Juniper vMX not working .

0 Recommend
Erdem
Posted 01-10-2018 20:33

Reply Reply Privately
Here’s the config for your reference.

Topology:

R1----------------------------R2

R1 config:

[edit]
root@R1_re# run show services ipsec-vpn ike sa
Remote Address State Initiator cookie Responder cookie Exchange type
10.1.12.2 Matured 846c851af53cecfd 221279f553a29262 Main

[edit]
root@R1_re#

[edit]
root@R1_re# run show services ipsec-vpn ipsec sa
Service set: test, IKE Routing-instance: outside

Rule: test-vpn, Term: 1, Tunnel index: 1
Local gateway: 10.1.12.1, Remote gateway: 10.1.12.2
IPSec inside interface: si-0/0/0.1, Tunnel MTU: 1500
UDP encapsulate: Disabled, UDP Destination port: 0
NATT Detection: Not Detected, NATT keepalive interval: 0
Direction SPI AUX-SPI Mode Type Protocol
inbound 4044436681 0 tunnel dynamic ESP
outbound 1708770906 0 tunnel dynamic ESP

[edit]
root@R1_re#

[edit]
root@R1_re# show services | display set
set services rpm probe A test PING-A-1 probe-type icmp-ping
set services rpm probe A test PING-A-1 target address 10.1.12.2
set services rpm probe A test PING-A-1 test-interval 3
set services rpm probe A test PING-A-1 thresholds successive-loss 3
set services service-set test next-hop-service inside-service-interface si-0/0/0.1
set services service-set test next-hop-service outside-service-interface si-0/0/0.2
set services service-set test ipsec-vpn-options local-gateway 10.1.12.1
set services service-set test ipsec-vpn-options local-gateway routing-instance outside
set services service-set test ipsec-vpn-rules test-vpn
set services ipsec-vpn rule test-vpn term 1 from source-address 192.168.0.0/24
set services ipsec-vpn rule test-vpn term 1 from destination-address 172.16.0.0/24
set services ipsec-vpn rule test-vpn term 1 then remote-gateway 10.1.12.2
set services ipsec-vpn rule test-vpn term 1 then dynamic ike-policy ike-policy
set services ipsec-vpn rule test-vpn term 1 then dynamic ipsec-policy ipsec-policy
set services ipsec-vpn rule test-vpn match-direction input
set services ipsec-vpn ipsec proposal ipsec-proposal authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal ipsec-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy ipsec-policy proposals ipsec-proposal
set services ipsec-vpn ike proposal ike-proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike-proposal dh-group group5
set services ipsec-vpn ike proposal ike-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ike proposal ike-proposal lifetime-seconds 500
set services ipsec-vpn ike policy ike-policy proposals ike-proposal
set services ipsec-vpn ike policy ike-policy pre-shared-key ascii-text "$9$Tz/Cp0BESru07-bs4o/CAtIEM8X"
set services ipsec-vpn establish-tunnels immediately

[edit]
root@R1_re#

root@R1_re# show routing-instances | display set
set routing-instances inside instance-type virtual-router
set routing-instances inside interface si-0/0/0.1
set routing-instances inside interface ge-0/0/2.0
set routing-instances inside routing-options static route 172.16.0.0/24 next-hop si-0/0/0.1
set routing-instances inside routing-options static route 192.168.0.0/24 next-hop 10.1.14.4
set routing-instances outside instance-type virtual-router
set routing-instances outside interface si-0/0/0.2
set routing-instances outside interface ge-0/0/1.0
set routing-instances outside routing-options static route 172.16.0.0/24 next-hop 10.1.12.2

[edit]
[edit]
root@R1_re# show interfaces
si-0/0/0 {
unit 1 {
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.1.12.1/24;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 10.1.14.1/24;
}
}
}

R2: Config

[edit]
root@R2_re# show services | display set
set services service-set test next-hop-service inside-service-interface si-0/0/0.1
set services service-set test next-hop-service outside-service-interface si-0/0/0.2
set services service-set test ipsec-vpn-options local-gateway 10.1.12.2
set services service-set test ipsec-vpn-options local-gateway routing-instance outside
set services service-set test ipsec-vpn-rules test-vpn
set services ipsec-vpn rule test-vpn term 1 from source-address 172.16.0.0/24
set services ipsec-vpn rule test-vpn term 1 from destination-address 192.168.0.0/24
set services ipsec-vpn rule test-vpn term 1 then remote-gateway 10.1.12.1
set services ipsec-vpn rule test-vpn term 1 then dynamic ike-policy ike-policy
set services ipsec-vpn rule test-vpn term 1 then dynamic ipsec-policy ipsec-policy
set services ipsec-vpn rule test-vpn match-direction input
set services ipsec-vpn ipsec proposal ipsec-proposal authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal ipsec-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy ipsec-policy proposals ipsec-proposal
set services ipsec-vpn ike proposal ike-proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike-proposal dh-group group5
set services ipsec-vpn ike proposal ike-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ike proposal ike-proposal lifetime-seconds 500
set services ipsec-vpn ike policy ike-policy proposals ike-proposal
set services ipsec-vpn ike policy ike-policy pre-shared-key ascii-text "$9$Tz/Cp0BESru07-bs4o/CAtIEM8X"
set services ipsec-vpn establish-tunnels immediately

[edit]
root@R2_re#

[edit]
root@R2_re# show routing-instances | display set
set routing-instances inside instance-type virtual-router
set routing-instances inside interface si-0/0/0.1
set routing-instances inside interface ge-0/0/2.0
set routing-instances inside routing-options static route 192.168.0.0/24 next-hop si-0/0/0.1
set routing-instances inside routing-options static route 172.16.0.0/24 next-hop 10.1.23.3
set routing-instances outside instance-type virtual-router
set routing-instances outside interface si-0/0/0.2
set routing-instances outside interface ge-0/0/1.0
set routing-instances outside routing-options static route 192.168.0.0/24 next-hop 10.1.12.1

[edit]
root@R2_re#
[edit]
root@R2_re# show interfaces
si-0/0/0 {
unit 1 {
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.1.12.2/24;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 10.1.23.2/24;
}
}
}

[edit]
root@R2_re# run show services ipsec-vpn ike sa
Remote Address State Initiator cookie Responder cookie Exchange type
10.1.12.1 Matured 846c851af53cecfd 221279f553a29262 Main

[edit]
root@R2_re# run show services ipsec-vpn ipsec sa
Service set: test, IKE Routing-instance: outside

Rule: test-vpn, Term: 1, Tunnel index: 1
Local gateway: 10.1.12.2, Remote gateway: 10.1.12.1
IPSec inside interface: si-0/0/0.1, Tunnel MTU: 1500
UDP encapsulate: Disabled, UDP Destination port: 0
NATT Detection: Not Detected, NATT keepalive interval: 0
Direction SPI AUX-SPI Mode Type Protocol
inbound 1708770906 0 tunnel dynamic ESP
outbound 4044436681 0 tunnel dynamic ESP

[edit]
root@R2_re#

HTH
4. RE: IPsec VPN on Juniper vMX not working .

0 Recommend
Erdem
Posted 01-10-2018 21:05

Reply Reply Privately
You can also do it without “outside routing-instance” as well. just keep your local gateway and outside service interface in global table and remove the routing-instance statement from below command.

set services service-set test ipsec-vpn-options local-gateway 155.1.12.2
set services service-set test ipsec-vpn-options local-gateway routing-instance outside
5. RE: IPsec VPN on Juniper vMX not working .

0 Recommend

vMX

IPsec VPN on Juniper vMX not working .

fsyed01-10-2018 17:39

Erdem01-10-2018 19:58

Erdem01-10-2018 20:33

Erdem01-10-2018 21:05

fsyed01-10-2018 23:34

Erdem01-10-2018 23:42

fsyed01-11-2018 14:08

fsyed01-11-2018 15:59

Erdem01-12-2018 01:43

Erdem01-18-2018 00:01

fsyed01-30-2018 18:11

Erdem02-04-2018 09:11

fsyed02-04-2018 09:41

Erdem02-04-2018 21:14

fsyed02-04-2018 21:38

Erdem02-04-2018 22:15

fsyed02-04-2018 22:20

Erdem02-04-2018 22:26

fsyed02-04-2018 22:28

fsyed02-05-2018 15:48

Erdem02-05-2018 23:02

fsyed02-06-2018 16:48

Erdem02-07-2018 01:58

fsyed02-12-2018 12:49

Erdem02-12-2018 21:29

fsyed02-13-2018 18:36

Erdem02-13-2018 20:21

fsyed03-02-2018 17:45

Erdem03-02-2018 19:23

Erdem03-02-2018 22:17

fsyed03-03-2018 13:19

Anonymous05-13-2023 06:25

sayed05-13-2023 06:40

1. IPsec VPN on Juniper vMX not working .

2. RE: IPsec VPN on Juniper vMX not working .

3. RE: IPsec VPN on Juniper vMX not working .

4. RE: IPsec VPN on Juniper vMX not working .

5. RE: IPsec VPN on Juniper vMX not working .