Hello,
I am trying to get an IPsec VPN set up between two vMXs to prove out a design for a physical MX-104. I have attached a picture outlining the setup. I have two VMXs, one with an external IP address of 74.116.50.69 (hostname DS_MX), and the other with an external IP address of 34.207.46.5 (hostname FAUX_AWS_MX). I am attempting to get a VPN tunnel established between both VMXs.
Once the VPN tunnel is established, I would then like to build a BGP session over it between the peering endpoints of 169.254.46.194/30 and 169.254.46.193/30. I have assigned these IP addresses to the si-0/0/0.1 interfaces as shown in the diagram vmx_setup. Note that the diagram references the MX-104 interface names; on the vMX, the xe interfaces are ge-0/0/0. ms-4/0/0 is si-0/0/0.
I used this article as a reference
https://www.juniper.net/documentation/en_US/junos/topics/example/ipsec-configuring-on-ms-mic.html
I believe I have been able to get the initial tunnel to build based on the output of some verification commands that I have done. However, when I try to ping the corresponding 169 IP address on the other side of the tunnel, I am unable to do so. I also have a packet capture running between the VMXs and I don't even see ESP packets. It looks to me like the traffic is not even getting put into the tunnel for whatever reason. That's where my confusion is, and that's where I am stuck right now.
I have attached the configs, as well as some verification commands in a file (vmx_broke.txt) along with the diagram, vmx_setup.
If someone would be able to take a look at the configs and tell me what I am doing wrong, I would really appreciate it.
As a side note, this is all to prove out what kind of configuration is needed on an MX-104 with an MS-MIC card in order to connect to a VPN endpoint in AWS. If anyone has actually done this already, I would really appreciate any information or tips on how to go about setting up things on the MX-104 side. Right now, I have an SRX device that is terminating the VPN to AWS. AWS autogenerates the VPN config for the SRX, so it's pretty straightforward.
However, I am struggling with the equivalent MX-104 config; it looks to me like there is no way to bind a tunnel interface to a VPN like there is on the SRX series. It looks like I need to create a VPN rule at some level. I don't have an MS-MIC card in my possession to test with on my actual MX-104, and I'd prefer not to buy one until I can prove this design out on a vMX and get an idea for what the config looks like.
There really isn't too much documentation around setting up a VPN on an MX series besides the article that I found above, which is frustrating as well.
Thanks for any help that can be provided, and please let me know if there is any additional information that I can provide.