Hello,
I am trying to set up a Group VPN between a Cisco GC/KS, 3 vMX routers (14.1R1.10) and another Cisco router as a member. I've managed to get the Group VPN working between the two Cisco routers, but I have difficulties configuring the vMX routers and maybe someone here can help.
Config for GM-1 (Juniper vMX router as a group member).
Config for GC/KS (Cisco router as the Group Controller)
Config for GM-6 (Cisco router as a group member)
The connection between GM-6 and GC-KS is up:
GM-6#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect
Interface: Ethernet0/3
Session status: UP-ACTIVE
Peer: 0.0.0.0 port 848 fvrf: (none) ivrf: (none)
Phase1_id: 4.4.4.2
Desc: (none)
Session ID: 0
IKEv1 SA: local 6.6.6.2/848 remote 4.4.4.2/848 Active
Capabilities:(none) connid:1001 lifetime:23:22:03
IPSEC FLOW: permit ip 192.168.0.0/255.255.0.0 192.168.0.0/255.255.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/1964
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/1964
The problem is in the vMX configuration under edit services service-set: when I try the si interfaces, it gives me the following error:
rokk@GM-1# show | compare
[edit]
+ services {
+ service-set SER-SET {
+ interface-service {
+ service-interface si-0/0/0;
+ }
+ ipsec-group-vpn ABC;
+ }
+ }
[edit interfaces]
+ si-0/0/0 {
+ unit 0 {
+ family inet;
+ }
+ }
[edit]
rokk@GM-1# commit check
[edit services]
'service-set SER-SET'
nat-rules or nat-rule-sets or softwire-rules or softwire-rule-sets or ip-reassembly-rule or ip-reassembly-rule-sets must be configured when si is the service-interface
error: configuration check-out failed
So, has anyone tried to configure Group VPN on the vMX router? If yes, can you give me an example? Or can you show me what else I must do? I ask because I see that I can configure the router as a member under security group-vpn member.
See topology attached.
Thank you.