SRX Services Gateway

VPLS over GRE - one end won't come up

‎01-02-2020 11:47 AM

I'm following the Juniper example here for VPLS/IPsec over a GRE tunnel. My remote office SRX220 brings up the tunnel but my local office SRX345 doesn't. For testing, I have the public statics on the WAN both on the same /24 (which Juniper's example does too). The remote office shows:

root@srx220> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1 973a7448 3506/ unlim   -   root 500   1.2.3.4
  >131073 ESP:3des/sha1 fb08d49a 3506/ unlim   -   root 500   1.2.3.4
  <131073 ESP:3des/sha1 fa796c85 3567/ unlim   -   root 500   1.2.3.4
  >131073 ESP:3des/sha1 5dfae167 3567/ unlim   -   root 500   1.2.3.4

root@srx220> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:           425808
  Decrypted bytes:                0
  Encrypted packets:           2957
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

And I can ping 10.1.1.2, but not 10.1.1.1 (local office). On the local office SRX345 it shows:

root@srx345> show security ipsec security-associations
  Total active tunnels: 0

I can ping both WAN interfaces from both units and both units connect to the internet. My config for the non-working local SRX345 looks like:

root@srx345> show configuration | display set
set version 15.1X49-D45
set groups test security policies from-zone trust-flow to-zone vpn policy all match source-address any
set groups test security policies from-zone trust-flow to-zone vpn policy all match destination-address any
set groups test security policies from-zone trust-flow to-zone vpn policy all match application junos-gre
set groups test security policies from-zone trust-flow to-zone vpn policy all then permit tcp-options syn-check-required
set groups test security policies from-zone trust-flow to-zone vpn policy all then permit tcp-options sequence-check-required
set system host-name srx345
set system root-authentication encrypted-password "$"
set security idp idp-policy gre-reassembly rulebase-ips rule match-gre match application junos-gre
set security idp idp-policy gre-reassembly rulebase-ips rule match-gre then action ignore-connection
set security idp active-policy gre-reassembly
set security ike policy SRX mode main
set security ike policy SRX proposal-set standard
set security ike policy SRX pre-shared-key ascii-text "$"
set security ike gateway SRX220 ike-policy SRX
set security ike gateway SRX220 address 1.2.3.5
set security ike gateway SRX220 external-interface ge-0/0/0.0
set security ipsec policy SRX proposal-set standard
set security ipsec vpn SRX220 bind-interface st0.0
set security ipsec vpn SRX220 ike gateway SRX220
set security ipsec vpn SRX220 ike ipsec-policy SRX
set security ipsec vpn SRX220 establish-tunnels immediately
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
set security policies apply-groups test
set security policies from-zone trust-flow to-zone vpn policy gre match source-address any
set security policies from-zone trust-flow to-zone vpn policy gre match destination-address any
set security policies from-zone trust-flow to-zone vpn policy gre match application junos-gre
set security policies from-zone trust-flow to-zone vpn policy gre then permit application-services idp
set security policies from-zone vpn to-zone trust-flow policy gre match source-address any
set security policies from-zone vpn to-zone trust-flow policy gre match destination-address any
set security policies from-zone vpn to-zone trust-flow policy gre match application junos-gre
set security policies from-zone vpn to-zone trust-flow policy gre then permit application-services idp
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces lo0.0
set security zones security-zone untrust interfaces lt-0/0/0.2001
set security zones security-zone untrust interfaces gr-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn host-inbound-traffic protocols all
set security zones security-zone vpn interfaces st0.0
set security zones security-zone trust-flow host-inbound-traffic system-services all
set security zones security-zone trust-flow host-inbound-traffic protocols all
set security zones security-zone trust-flow interfaces lt-0/0/0.2000
set interfaces ge-0/0/0 unit 0 family inet address 1.2.3.4/24
set interfaces gr-0/0/0 unit 0 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 0 tunnel source 10.1.1.1
set interfaces gr-0/0/0 unit 0 tunnel destination 10.1.1.2
set interfaces gr-0/0/0 unit 0 tunnel allow-fragmentation
set interfaces gr-0/0/0 unit 0 family inet mtu 1500
set interfaces gr-0/0/0 unit 0 family inet filter input inet-packet-mode
set interfaces gr-0/0/0 unit 0 family mpls mtu 1462
set interfaces gr-0/0/0 unit 0 family mpls filter input mpls-packet-mode
set interfaces lt-0/0/0 unit 0 description "VPLS hub port - Interconnect for CCC to SRX220"
set interfaces lt-0/0/0 unit 0 encapsulation ethernet-vpls
set interfaces lt-0/0/0 unit 0 peer-unit 1000
set interfaces lt-0/0/0 unit 1000 description "Stitch to VPLS for CCC to SRX220"
set interfaces lt-0/0/0 unit 1000 encapsulation ethernet-ccc
set interfaces lt-0/0/0 unit 1000 peer-unit 0
set interfaces lt-0/0/0 unit 1000 family ccc filter input ccc-packet-mode
set interfaces lt-0/0/0 unit 2000 encapsulation frame-relay
set interfaces lt-0/0/0 unit 2000 dlci 1
set interfaces lt-0/0/0 unit 2000 peer-unit 2001
set interfaces lt-0/0/0 unit 2000 family inet
set interfaces lt-0/0/0 unit 2001 encapsulation frame-relay
set interfaces lt-0/0/0 unit 2001 dlci 1
set interfaces lt-0/0/0 unit 2001 peer-unit 2000
set interfaces lt-0/0/0 unit 2001 family inet filter input inet-packet-mode
set interfaces lt-0/0/0 unit 2001 family inet address 10.1.1.1/32
set interfaces ge-0/0/1 encapsulation ethernet-vpls
set interfaces ge-0/0/1 unit 0
set interfaces lo0 unit 0 family inet address 10.2.1.1/32
set interfaces st0 unit 0 multipoint
set routing-options static route 10.1.1.2/32 next-hop lt-0/0/0.2001
set routing-options static route 10.2.1.2/32 next-hop gr-0/0/0.0
set routing-options static route 0.0.0.0/0 next-hop 1.2.3.1
set protocols mpls interface gr-0/0/0.0
set protocols ldp interface gr-0/0/0.0
set protocols ldp interface lo0.0
set protocols l2circuit neighbor 10.2.1.2 interface lt-0/0/0.1000 virtual-circuit-id 1
set firewall family inet filter inet-packet-mode term control-traffic from protocol tcp
set firewall family inet filter inet-packet-mode term control-traffic from port 22
set firewall family inet filter inet-packet-mode term control-traffic from port 80
set firewall family inet filter inet-packet-mode term control-traffic from port 8080
set firewall family inet filter inet-packet-mode term control-traffic then accept
set firewall family inet filter inet-packet-mode term packet-mode then packet-mode
set firewall family inet filter inet-packet-mode term packet-mode then accept
set firewall family mpls filter mpls-packet-mode term packet-mode then packet-mode
set firewall family mpls filter mpls-packet-mode term packet-mode then accept
set firewall family ccc filter ccc-packet-mode term all then packet-mode
set firewall family ccc filter ccc-packet-mode term all then accept
set routing-instances flow-vr instance-type virtual-router
set routing-instances flow-vr interface lt-0/0/0.2000
set routing-instances flow-vr interface st0.0
set routing-instances flow-vr routing-options static route 10.1.1.1/32 next-hop lt-0/0/0.2000
set routing-instances flow-vr routing-options static route 10.1.1.2/32 next-hop st0.0
set routing-instances vpls-hub instance-type vpls
set routing-instances vpls-hub interface lt-0/0/0.0
set routing-instances vpls-hub interface ge-0/0/1.0

What am I missing?


Re: VPLS over GRE - one end won't come up

‎01-02-2020 06:01 PM

15.1X49-D45 is way too old to be doing this, and I would suggest using the latest Juniper recommended releases to avoid hitting any software bugs and save time.

The config provided in the link should work, as I remember implementing something similar in the lab and it worked!


Re: VPLS over GRE - one end won't come up

‎01-02-2020 06:35 PM

Will look into it, but the firmware on the 220 is much older and works fine. Is there anything else wrong with my config?


Re: VPLS over GRE - one end won't come up

‎01-02-2020 07:21 PM

Hello,

You have your st0.0 interface in zone "vpn" and the IKE external-interface ge-0/0/0.0 in zone "untrust", but you have no policy allowing communication between these two zones.

Or, since it is a lab, add a default allow-all policy and then, once you have VPLS working, start tightening policies as appropriate.

HTH

Thx

Alex


Re: VPLS over GRE - one end won't come up

‎01-03-2020 02:30 PM

Okay, I added:

set security policies from-zone vpn to-zone untrust policy gre match source-address any
set security policies from-zone vpn to-zone untrust policy gre match destination-address any
set security policies from-zone vpn to-zone untrust policy gre match application junos-gre
set security policies from-zone vpn to-zone untrust policy gre then permit application-services idp
set security policies from-zone untrust to-zone vpn policy gre match source-address any
set security policies from-zone untrust to-zone vpn policy gre match destination-address any
set security policies from-zone untrust to-zone vpn policy gre match application junos-gre
set security policies from-zone untrust to-zone vpn policy gre then permit application-services idp

but the tunnel still doesn't seem to come up:

root@srx345> show security ipsec security-associations
  Total active tunnels: 0

Re: VPLS over GRE - one end won't come up

2 weeks ago

Couldn't get this working, so I tried to swap the SRX-345 with another SRX-220 sitting around with newer firmware, and it did the same thing.

Then I bought a 3-year support contract through CDW to try to ask Juniper, but they have to interface with Juniper somehow to reinstate the SRX-345, which they're not doing for some reason (multiple emails/calls).

Meanwhile, I bought a couple of Cisco 4321s and had it working in an hour or two (shrugs).

I want to get the 345 working, but at some point I just had to find a workaround. If anyone knows what I should do, let me know. I prefer Juniper, but had to get something working.


Re: VPLS over GRE - one end won't come up

2 weeks ago

Hi,

Did you check if you have the same pre-shared keys in your IPsec configuration on both ends?

Putting IKE/IPsec in debug mode will also help you see what is going on from the moment both devices start handshaking.

If I am correct, your interface st0 unit 0 should be family inet and not as it is now in your config:

delete interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet

Can you also share your SRX220 config with us, so we are able to look at both configurations and see if they are the same?

Just my 2 cents

Marc



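The original post only checks `show security ipsec security-associations` on the SRX345, and the last reply suggests turning on IKE/IPsec debugging and re-checking the pre-shared key. The following is an added example of how that check is done on Junos, not something from the thread or from Juniper's example; the trace file name, sizes and the placeholder key value are assumptions, and the operational `show`/`clear` commands are written without the `run` prefix you would need from inside configuration mode. The point of looking at IKE first is that an IPsec SA can only exist once phase 1 has completed, so a box showing `Total active tunnels: 0` needs the IKE table and the IKE trace, not just the IPsec table.

```junos
## Run on the side that shows "Total active tunnels: 0" (the SRX345 in this thread).
## Phase 1 must complete before any IPsec SA can exist, so look at IKE first.
show security ike security-associations
show security ike security-associations detail

## Temporary IKE trace. File name and sizes are assumptions for a lab box.
## "flag all" is verbose; do not leave it enabled on a production device.
set security ike traceoptions file ike-debug
set security ike traceoptions file size 5m
set security ike traceoptions file files 3
set security ike traceoptions flag all
commit

## Force a fresh negotiation instead of waiting for the peer's retry timer,
## then read the trace to see which IKE message the exchange stops at.
clear security ike security-associations
clear security ipsec security-associations
show log ike-debug

## Re-enter the PSK on both peers rather than comparing the obfuscated "$9$"
## strings from "show configuration": the same key does not obfuscate to the
## same string on each entry, so matching strings cannot be used as a check.
## The key value here is a placeholder.
set security ike policy SRX pre-shared-key ascii-text "<same-key-on-both-ends>"
commit

## Remove the trace when finished.
delete security ike traceoptions
commit
```

If the IKE table on the SRX345 stays empty while the SRX220 reports an established SA towards 1.2.3.4, the trace on the SRX345 shows whether it is receiving the peer's IKE packets at all (a path or host-inbound problem) or receiving them and rejecting the proposal or the authentication (a configuration mismatch); those are different fixes, and the IPsec table alone cannot tell them apart.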