Re: IPsec VPN on Juniper vMX not working .
https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/traceopti...
Use level all and flag all while enabling the trace options.
Re: IPsec VPN on Juniper vMX not working .
I am attaching the output of the log file.
Re: IPsec VPN on Juniper vMX not working .
Feb 7 00:22:33 [10.0.10.12 <-> 168.1.114.92] Instance: IPSEC-SITE-TO-SITE is down as service interface: si-0/0/0.2 is not up, Lookup failed.
Do you have tunnel-services enabled on the FPC? I don’t see tunnel-service configured in your configuration.
Re: IPsec VPN on Juniper vMX not working .
Hi,
Not sure how to enable tunnel services on the FPC. I checked some of the output to make sure the FPC status is OK. Can you share the command to enable tunnel services on the FPC?
root@Juniper-vMX-Wanclouds> show chassis hardware detail
Hardware inventory:
Item Version Part number Serial number Description
Chassis VM5A5406B749 VMX
Midplane
Routing Engine 0 RE-VMX
vtbd0 0 MB Hard Disk
CB 0 VMX SCB
CB 1 VMX SCB
FPC 0 Virtual FPC
CPU Rev. 1.0 RIOT BUILTIN
MIC 0 Virtual
PIC 0 BUILTIN BUILTIN Virtual
root@Juniper-vMX-Wanclouds> show chassis fpc pic-status
Slot 0 Online Virtual FPC
PIC 0 Online Virtual
root@Juniper-vMX-Wanclouds> show chassis network-services
Network Services Mode: IP
root@Juniper-vMX-Wanclouds>
Regards
Syed
Re: IPsec VPN on Juniper vMX not working .
Here x is the PIC and FPC number.
Do you see your si interface up on your box?
Can you paste the output of "show interface terse | match si"?
Also make sure you are using the correct si interface.
Re: IPsec VPN on Juniper vMX not working .
Here is the output, and I enabled tunnel services on Tunnel.
root@Juniper-vMX-Wanclouds> show interfaces terse | match si -->Before enabling tunnel services on tunnel
esi up up
lsi up up
root@Juniper-vMX-Wanclouds> show chassis hardware
Hardware inventory:
Item Version Part number Serial number Description
Chassis VM5A5406B749 VMX
Midplane
Routing Engine 0 RE-VMX
CB 0 VMX SCB
CB 1 VMX SCB
FPC 0 Virtual FPC
CPU Rev. 1.0 RIOT BUILTIN
MIC 0 Virtual
PIC 0 BUILTIN BUILTIN Virtual
root@Juniper-vMX-Wanclouds> set ch
^
syntax error.
root@Juniper-vMX-Wanclouds> configure
Entering configuration mode
[edit]
root@Juniper-vMX-Wanclouds# set chassis fpc 0 pic 0 tunnel-services bandwidth ?
Possible completions:
<bandwidth> Bandwidth reserved for tunnel service
100g 100 gigabits per second
10g 10 gigabits per second
1g 1 gigabit per second
200g 200 gigabits per second
20g 20 gigabits per second
300g 300 gigabits per second
30g 30 gigabits per second
400g 400 gigabits per second
40g 40 gigabits per second
50g 50 gigabits per second
60g 60 gigabits per second
70g 70 gigabits per second
80g 80 gigabits per second
90g 90 gigabits per second
[edit]
root@Juniper-vMX-Wanclouds# set chassis fpc 0 pic 0 tunnel-services bandwidth 1g
[edit]
root@Juniper-vMX-Wanclouds# commit
commit complete
[edit]
root@Juniper-vMX-Wanclouds#
Re: IPsec VPN on Juniper vMX not working .
It should work now.
Re: IPsec VPN on Juniper vMX not working .
It is still not working. I have tried all options; the output from the device and the debug from the vMX are included in the attachment. The debug still complains that the si interface is down, but the interface output says it is up. I think there is some issue with the vMX.
root@Juniper-vMX-Wanclouds> show interfaces terse | match si
esi up up
lsi up up
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ikev2_fb_isakmp_select_sa: Taking reference to fallback negotiation 8d16400 (now 2 references)
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ssh_set_thread_debug_info: ikev2_fb_isakmp_select_sa: set thread debug info - local 0xc0a000a remote 0x5c7201a8neg 0x8d16400 neg->ike_sa 0x8cad200 ike_sa 0x0
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ike_state_step: Input function[1] = ike_st_i_sa_proposal asked retry later
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ike_process_packet: No output packet, returning
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ikev2_fb_st_select_ike_sa: FB; Calling v2 policy function select_ike_sa
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] In kmd_pm_spd_select_ike_sa: Enter SA 8cad200 ED 8e25028
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] Looking up IKE gateway for server: 10.0.10.12 and routing instance id: 8
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] instance: IPSEC-SITE-TO-SITE found for server: 10.0.10.12 in routing instance id: 8
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] Instance: IPSEC-SITE-TO-SITE is down as service interface: si-0/0/0.2 is not up, Lookup failed.
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] No instance available to serve this request
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error Invalid argument (neg 8d16400)
root@Juniper-vMX-Wanclouds> show configuration | display set
set version 17.2R1.13
set groups global system host-name Juniper-vMX-Wanclouds
set groups global system login user jnpr uid 2000
set groups global system login user jnpr class super-user
set groups global system login user jnpr authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxHi+V3riqQj4QPAksAAs2ATrbJlUCyPzWEZtBtQS5pdjm6xa9xXVYcyxwEu3CmmyMDAf4xt6thJvvNZbFZRoo9k0W4cTn4BiqeBBhjfaPeowkErpNugCyJZMkmId/sdLuZ/TrcGV0ZFI8l8ojAZFt8Q/bh0vMBgbs2nfA/oVRk8RWh5fIVadC0ocjhKahO6QkZmlDQLKssWDHUBJSqjutCVTJlkvWfq3ieISxlGavYEcx99vycbyMExcOsl2kNetxNcd6hHNCJjsRaRJQd3TGzjsFYw8/nRwa1TacUts4Y7ni1QvObOdcGu4Hla8roGqAFr6vrPrZqs/I2ehTr4WT ix_vMX_key_pair_Jan7_Khalid"
set groups global system services ssh
set groups global system syslog user * any emergency
set groups global system syslog file messages any notice
set groups global system syslog file messages authorization info
set groups global system syslog file interactive-commands interactive-commands any
set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24
set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24
set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24
set groups global interfaces si-0/0/0 unit 0
set groups global interfaces si-0/0/0 unit 1 family inet
set groups global interfaces si-0/0/0 unit 1 service-domain inside
set groups global interfaces si-0/0/0 unit 2 family inet
set groups global interfaces si-0/0/0 unit 2 service-domain outside
set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1
set groups global routing-options static route 0.0.0.0/0 retain
set groups global routing-options static route 0.0.0.0/0 no-readvertise
set apply-groups global
set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"
set chassis fpc 0 pic 0 tunnel-services bandwidth 1g
set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1
set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway routing-instance DATAPLANE-VMX-VPN-WANCLOUDS
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA
set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24
set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24
set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.114.92
set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ike-policy IKE-Policy-Vyatta
set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ipsec-policy IPSec-Policy-Vyatta
set services ipsec-vpn rule IPSec-VYATTA term 1 then initiate-dead-peer-detection
set services ipsec-vpn rule IPSec-VYATTA match-direction input
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta protocol esp
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta perfect-forward-secrecy keys group5
set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta proposals IPSEC-Proposal-Vyatta
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta dh-group group5
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-algorithm md5
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta encryption-algorithm 3des-cbc
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta lifetime-seconds 86400
set services ipsec-vpn ike policy IKE-Policy-Vyatta proposals IKE-Proposal-Vyatta
set services ipsec-vpn ike policy IKE-Policy-Vyatta pre-shared-key ascii-text "$9$EVryrvdVYoZjlKYo"
set services ipsec-vpn traceoptions file VmxIPSECCommunity
set services ipsec-vpn traceoptions file size 10m
set services ipsec-vpn traceoptions file files 2
set services ipsec-vpn traceoptions level all
set services ipsec-vpn traceoptions flag all
set services ipsec-vpn establish-tunnels immediately
set services ipsec-vpn disable-natt
set routing-options static route 192.168.100.0/24 next-hop si-0/0/0.1
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS instance-type virtual-router
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 192.168.100.0/24 next-hop 108.1.114.92
root@Juniper-vMX-Wanclouds> show services ipsec-vpn ipsec security-associations
Service set: IPSEC-SITE-TO-SITE, IKE Routing-instance: DATAPLANE-VMX-VPN-WANCLOUDS
Rule: IPSec-VYATTA, Term: 1, Tunnel index: 1
Local gateway: 10.0.10.12, Remote gateway: 108.1.114.92
IPSec inside interface: si-0/0/0.1, Tunnel MTU: 1500
UDP encapsulate: Disabled, UDP Destination port: 0
--- No IPSec SA information available ---
root@Juniper-vMX-Wanclouds> show interfaces terse | match si
esi up up
lsi up up
root@Juniper-vMX-Wanclouds> show chassis hardware detail
Hardware inventory:
Item Version Part number Serial number Description
Chassis VM5A5406B749 VMX
Midplane
Routing Engine 0 RE-VMX
vtbd0 0 MB Hard Disk
CB 0 VMX SCB
CB 1 VMX SCB
FPC 0 Virtual FPC
CPU Rev. 1.0 RIOT BUILTIN
MIC 0 Virtual
PIC 0 BUILTIN BUILTIN Virtual
root@Juniper-vMX-Wanclouds> show services ipsec-vpn ike security-associations
root@Juniper-vMX-Wanclouds> monitor traffic interface ge-0/0/0 matching udp
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/0, capture size 96 bytes
Reverse lookup for 10.0.10.12 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
00:54:04.606186 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
00:54:04.707330 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
00:54:44.094174 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
00:54:44.200468 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
00:55:24.234474 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
00:55:24.328674 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
00:56:04.807564 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
00:56:04.908874 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
00:56:44.502941 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
00:56:44.602296 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
00:57:24.887299 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
00:57:25.005052 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
^C
92 packets received by filter
0 packets dropped by kernel
root@Juniper-vMX-Wanclouds> show interfaces terse | grep ge
ge-0/0/0 up up
ge-0/0/0.0 up up inet 10.0.10.12/24
ge-0/0/1 up up
ge-0/0/1.0 up up inet 10.0.20.81/24
ge-0/0/2 up down
ge-0/0/3 up down
ge-0/0/4 up down
ge-0/0/5 up down
ge-0/0/6 up down
ge-0/0/7 up down
ge-0/0/8 up down
ge-0/0/9 up down
root@Juniper-vMX-Wanclouds> show interfaces terse | grep si
esi up up
lsi up up
Brocade-Vyatta:
=============
vyatta@gw-melbourne1-02-06-2016:~$ show configuration commands | grep vpn
set vpn ipsec esp-group ESP-1H compression 'disable'
set vpn ipsec esp-group ESP-1H lifetime '27000'
set vpn ipsec esp-group ESP-1H mode 'tunnel'
set vpn ipsec esp-group ESP-1H pfs 'dh-group5'
set vpn ipsec esp-group ESP-1H proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1H proposal 1 hash 'md5'
set vpn ipsec ike-group IKE-1H lifetime '28800'
set vpn ipsec ike-group IKE-1H proposal 1 dh-group '5'
set vpn ipsec ike-group IKE-1H proposal 1 encryption '3des'
set vpn ipsec ike-group IKE-1H proposal 1 hash 'md5'
set vpn ipsec ipsec-interfaces interface 'bond1'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 34.218.101.112 authentication id '108.1.114.92'
set vpn ipsec site-to-site peer 34.218.101.112 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 34.218.101.112 authentication pre-shared-secret 'cisco1000'
set vpn ipsec site-to-site peer 34.218.101.112 authentication remote-id '10.0.10.12'
set vpn ipsec site-to-site peer 34.218.101.112 connection-type 'initiate'
set vpn ipsec site-to-site peer 34.218.101.112 default-esp-group 'ESP-1H'
set vpn ipsec site-to-site peer 34.218.101.112 ike-group 'IKE-1H'
set vpn ipsec site-to-site peer 34.218.101.112 local-address '108.1.114.92'
set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 local prefix '192.168.100.0/24'
set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 remote prefix '10.0.20.0/24'
vyatta@gw-melbourne1-02-06-2016:~$
vyatta@gw-melbourne1-02-06-2016:~$
vyatta@gw-melbourne1-02-06-2016:~$
vyatta@gw-melbourne1-02-06-2016:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
34.218.101.112 108.1.114.92
State Encrypt Hash D-H Grp NAT-T A-Time L-Time
----- ------- ---- ------- ----- ------ ------
init n/a n/a n/a no 0 28800
vyatta@gw-melbourne1-02-06-2016:~$ show vpn ipsec sa
Peer ID / IP Local ID / IP
------------ -------------
34.218.101.112 108.1.114.92
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
0 down n/a n/a n/a no 0 27000 all
vyatta@gw-melbourne1-02-06-2016:~$
Re: IPsec VPN on Juniper vMX not working .
Hi Syed,
The si-* interface is still not created on your vMX box. Please share <show configuration chassis>.
vmx> show interfaces terse | match si
esi up up
lsi up up
The above output is not the si-* interface.
vmx# set chassis fpc 0 pic 0 inline-services
[edit]
vmx# commit
commit complete
[edit]
vmx# run show interfaces terse | match si-
si-0/0/0 up up
[edit]
Hope this helps
Re: IPsec VPN on Juniper vMX not working .
As I said earlier, you don’t have the si-0/0/0 interface configured on your box.
Can you try the command below and check?
root@PE1_re> show interfaces terse | match si
esi up up
lsi up up
lsi.1 up up inet
root@PE1_re>
[edit]
root@PE1_re# set chassis fpc 0 pic 0 inline-services
[edit]
root@PE1_re# commit
commit complete
[edit]
root@PE1_re#
root@PE1_re# run show interfaces terse | match si
si-0/0/0 up up
esi up up
lsi up up
lsi.1 up up inet
[edit]
root@PE1_re#
Regards
Harpreet
Re: IPsec VPN on Juniper vMX not working .
I had the configuration for the si interfaces; the only thing missing was "set chassis fpc 0 pic 0 inline-services", and it's working now. Special thanks to Kingsman (Harpreet) and vvadivel.
root@Juniper-vMX-Wanclouds> show configuration | display set
set version 17.2R1.13
set groups global system host-name Juniper-vMX-Wanclouds
set groups global system login user jnpr uid 2000
set groups global system login user jnpr class super-user
set groups global system services ssh
set groups global system syslog user * any emergency
set groups global system syslog file messages any notice
set groups global system syslog file messages authorization info
set groups global system syslog file interactive-commands interactive-commands any
set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24
set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24
set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24
set groups global interfaces si-0/0/0 unit 0
set groups global interfaces si-0/0/0 unit 1 family inet
set groups global interfaces si-0/0/0 unit 1 service-domain inside
set groups global interfaces si-0/0/0 unit 2 family inet
set groups global interfaces si-0/0/0 unit 2 service-domain outside
set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1
set groups global routing-options static route 0.0.0.0/0 retain
set groups global routing-options static route 0.0.0.0/0 no-readvertise
set apply-groups global
set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"
set chassis fpc 0 pic 0 tunnel-services bandwidth 1g
set chassis fpc 0 pic 0 inline-services
set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1
set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway routing-instance DATAPLANE-VMX-VPN-WANCLOUDS
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA
set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24
set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24
set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.114.92
set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ike-policy IKE-Policy-Vyatta
set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ipsec-policy IPSec-Policy-Vyatta
set services ipsec-vpn rule IPSec-VYATTA term 1 then initiate-dead-peer-detection
set services ipsec-vpn rule IPSec-VYATTA match-direction input
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta protocol esp
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta perfect-forward-secrecy keys group5
set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta proposals IPSEC-Proposal-Vyatta
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta dh-group group5
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-algorithm md5
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta encryption-algorithm 3des-cbc
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta lifetime-seconds 86400
set services ipsec-vpn ike policy IKE-Policy-Vyatta proposals IKE-Proposal-Vyatta
set services ipsec-vpn ike policy IKE-Policy-Vyatta pre-shared-key ascii-text "$9$EVryrvdVYoZjlKYo"
set services ipsec-vpn traceoptions file VmxIPSECCommunity
set services ipsec-vpn traceoptions file size 10m
set services ipsec-vpn traceoptions file files 2
set services ipsec-vpn traceoptions level all
set services ipsec-vpn traceoptions flag all
set services ipsec-vpn establish-tunnels immediately
set services ipsec-vpn disable-natt
set routing-options static route 192.168.100.0/24 next-hop si-0/0/0.1
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS instance-type virtual-router
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 192.168.100.0/24 next-hop 108.1.114.92
root@Juniper-vMX-Wanclouds> show interfaces terse | match si
si-0/0/0 up up
si-0/0/0.0 up up
si-0/0/0.1 up up inet
si-0/0/0.2 up up inet
esi up up
lsi up up
Regards
syed.
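An added example, not part of any post in this thread: a Python check for the failure diagnosed above, where the configuration references si- logical interfaces but the chassis stanza lacks inline-services, and `match si` only hits esi/lsi. The function names and the trimmed sample inputs are assumptions made for illustration.

```python
import re

# si-<fpc>/<pic>/<port>.<unit> as written in service-sets and routing-instances
SI_DOTTED = re.compile(r"\bsi-(\d+)/(\d+)/(\d+)\.(\d+)")
# "interfaces si-<fpc>/<pic>/<port> unit <n>" as written under [edit interfaces]
SI_UNIT = re.compile(r"\binterfaces si-(\d+)/(\d+)/(\d+) unit (\d+)")
INLINE = re.compile(r"^set chassis fpc (\d+) pic (\d+) inline-services\b")


def referenced_si(config):
    """Logical si- interfaces named anywhere in 'display set' output."""
    found = set()
    for line in config.splitlines():
        for rx in (SI_DOTTED, SI_UNIT):
            for fpc, pic, port, unit in rx.findall(line):
                found.add(f"si-{fpc}/{pic}/{port}.{unit}")
    return found


def inline_pics(config):
    """(fpc, pic) pairs that carry 'inline-services' under [edit chassis]."""
    pics = set()
    for line in config.splitlines():
        m = INLINE.match(line.strip())
        if m:
            pics.add((m.group(1), m.group(2)))
    return pics


def present_interfaces(terse):
    """Exact names from the first column of 'show interfaces terse'.
    Exact matching avoids the thread's trap: 'match si' also hits esi and lsi."""
    return {l.split()[0] for l in terse.splitlines() if l.split()}


def audit(config, terse):
    """One finding per referenced si- logical interface that cannot come up."""
    findings = []
    pics = inline_pics(config)
    present = present_interfaces(terse)
    for name in sorted(referenced_si(config)):
        fpc, pic = name[3:].split("/")[:2]
        if (fpc, pic) not in pics:
            findings.append(
                f"{name}: chassis fpc {fpc} pic {pic} inline-services not configured")
        elif name not in present:
            findings.append(f"{name}: configured but absent from 'show interfaces terse'")
    return findings


# Constructed samples, trimmed from the outputs posted in the thread.
CONFIG_BEFORE = """\
set groups global interfaces si-0/0/0 unit 1 family inet
set groups global interfaces si-0/0/0 unit 2 family inet
set chassis fpc 0 pic 0 tunnel-services bandwidth 1g
set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1
set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2
"""
TERSE_BEFORE = "esi up up\nlsi up up\n"
CONFIG_AFTER = CONFIG_BEFORE + "set chassis fpc 0 pic 0 inline-services\n"
TERSE_AFTER = ("si-0/0/0 up up\nsi-0/0/0.0 up up\nsi-0/0/0.1 up up inet\n"
               "si-0/0/0.2 up up inet\nesi up up\nlsi up up\n")

if __name__ == "__main__":
    for finding in audit(CONFIG_BEFORE, TERSE_BEFORE):
        print(finding)
```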