IPsec VPN on Juniper vMX not working . - Page 2 - J-Net Community

Kingsman · ‎02-05-2018

Can you enable ipsec traceoption and attached the tracelog file here ?

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/traceopti...

Use level all and flag all while enabling the trace options.

fsyed · ‎02-06-2018

I am attaching the ouput of log file.

Kingsman · ‎02-07-2018

Hi I see this in the logs.

Feb 7 00:22:33 [10.0.10.12 <-> 168.1.114.92] Instance: IPSEC-SITE-TO-SITE is down as service interface: si-0/0/0.2 is not up, Lookup failed.

Do you have tunnel-services enabled on the FPC? I don’t see tunnel-service configured in your configuration.

fsyed · ‎02-12-2018

Hi ,

Not sure how to enable tunnel services on FPC , checked some of the output to make sure if fpc status is ok .Can u share the command to enable tunnel services on FPC.

root@Juniper-vMX-Wanclouds> show chassis hardware detail

Hardware inventory:

Item Version Part number Serial number Description

Chassis VM5A5406B749 VMX

Midplane

Routing Engine 0 RE-VMX

vtbd0 0 MB Hard Disk

CB 0 VMX SCB

CB 1 VMX SCB

FPC 0 Virtual FPC

CPU Rev. 1.0 RIOT BUILTIN

MIC 0 Virtual

PIC 0 BUILTIN BUILTIN Virtual

root@Juniper-vMX-Wanclouds> show chassis fpc pic-status

Slot 0 Online Virtual FPC

PIC 0 Online Virtual

root@Juniper-vMX-Wanclouds> show chassis network-services

Network Services Mode: IP

root@Juniper-vMX-Wanclouds>

Regards

Syed

Kingsman · ‎02-12-2018

Set chassis fpc x pic x tunnel-services bandwidth 1/10g

Here x is the pic and pfc no.

Do you see your sister interface up on your box?

Can you paste the output of "show interface terse | match si"

Also make sure you are using the correct si interface.

Get Outlook for Android<>

fsyed · ‎02-13-2018

Here is the output and i enabled tunnel services on Tunnel.

root@Juniper-vMX-Wanclouds> show interfaces terse | match si -->Before enabling tunnel services on tunnel

esi up up

lsi up up

root@Juniper-vMX-Wanclouds> show chassis hardware

Hardware inventory:

Item Version Part number Serial number Description

Chassis VM5A5406B749 VMX

Midplane

Routing Engine 0 RE-VMX

CB 0 VMX SCB

CB 1 VMX SCB

FPC 0 Virtual FPC

CPU Rev. 1.0 RIOT BUILTIN

MIC 0 Virtual

PIC 0 BUILTIN BUILTIN Virtual

root@Juniper-vMX-Wanclouds> set ch

^

syntax error.

root@Juniper-vMX-Wanclouds> configure

Entering configuration mode

[edit]

root@Juniper-vMX-Wanclouds# set chassis fpc 0 pic 0 tunnel-services bandwidth ?

Possible completions:

<bandwidth> Bandwidth reserved for tunnel service

100g 100 gigabits per second

10g 10 gigabits per second

1g 1 gigabit per second

200g 200 gigabits per second

20g 20 gigabits per second

300g 300 gigabits per second

30g 30 gigabits per second

400g 400 gigabits per second

40g 40 gigabits per second

50g 50 gigabits per second

60g 60 gigabits per second

70g 70 gigabits per second

80g 80 gigabits per second

90g 90 gigabits per second

[edit]

root@Juniper-vMX-Wanclouds# set chassis fpc 0 pic 0 tunnel-services bandwidth 1g

[edit]

root@Juniper-vMX-Wanclouds# commit

commit complete

[edit]

root@Juniper-vMX-Wanclouds#

Kingsman · ‎02-13-2018

Is it working now? You didn’t see si interface in the output (before enabling tunneling)

It should work now.

fsyed · ‎03-02-2018

Still its not working i have tried all options , including the output from device and debug from vmx in attachment.Still complaining in debug the si interface down but interface output saying its up i think there is some issue vMX.

root@Juniper-vMX-Wanclouds> show interfaces terse | match si

esi up up

lsi up up

Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ikev2_fb_isakmp_select_sa: Taking reference to fallback negotiation 8d16400 (now 2 references)

Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ssh_set_thread_debug_info: ikev2_fb_isakmp_select_sa: set thread debug info - local 0xc0a000a remote 0x5c7201a8neg 0x8d16400 neg->ike_sa 0x8cad200 ike_sa 0x0

Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ike_state_step: Input function[1] = ike_st_i_sa_proposal asked retry later

Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ike_process_packet: No output packet, returning

Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ikev2_fb_st_select_ike_sa: FB; Calling v2 policy function select_ike_sa

Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] In kmd_pm_spd_select_ike_sa: Enter SA 8cad200 ED 8e25028

Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] Looking up IKE gateway for server: 10.0.10.12 and routing instance id: 8

Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] instance: IPSEC-SITE-TO-SITE found for server: 10.0.10.12 in routing instance id: 8

Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] Instance: IPSEC-SITE-TO-SITE is down as service interface: si-0/0/0.2 is not up, Lookup failed.

Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] No instance available to serve this request

Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error Invalid argument (neg 8d16400)

root@Juniper-vMX-Wanclouds> show configuration | display set

set version 17.2R1.13

set groups global system host-name Juniper-vMX-Wanclouds

set groups global system login user jnpr uid 2000

set groups global system login user jnpr class super-user

set groups global system login user jnpr authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxHi+V3riqQj4QPAksAAs2ATrbJlUCyPzWEZtBtQS5pdjm6xa9xXVYcyxwEu3CmmyMDAf4xt6thJvvNZbFZRoo9k0W4cTn4BiqeBBhjfaPeowkErpNugCyJZMkmId/sdLuZ/TrcGV0ZFI8l8ojAZFt8Q/bh0vMBgbs2nfA/oVRk8RWh5fIVadC0ocjhKahO6QkZmlDQLKssWDHUBJSqjutCVTJlkvWfq3ieISxlGavYEcx99vycbyMExcOsl2kNetxNcd6hHNCJjsRaRJQd3TGzjsFYw8/nRwa1TacUts4Y7ni1QvObOdcGu4Hla8roGqAFr6vrPrZqs/I2ehTr4WT ix_vMX_key_pair_Jan7_Khalid"

set groups global system services ssh

set groups global system syslog user * any emergency

set groups global system syslog file messages any notice

set groups global system syslog file messages authorization info

set groups global system syslog file interactive-commands interactive-commands any

set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24

set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24

set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24

set groups global interfaces si-0/0/0 unit 0

set groups global interfaces si-0/0/0 unit 1 family inet

set groups global interfaces si-0/0/0 unit 1 service-domain inside

set groups global interfaces si-0/0/0 unit 2 family inet

set groups global interfaces si-0/0/0 unit 2 service-domain outside

set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1

set groups global routing-options static route 0.0.0.0/0 retain

set groups global routing-options static route 0.0.0.0/0 no-readvertise

set apply-groups global

set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"

set chassis fpc 0 pic 0 tunnel-services bandwidth 1g

set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1

set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2

set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12

set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway routing-instance DATAPLANE-VMX-VPN-WANCLOUDS

set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA

set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24

set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24

set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.114.92

set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ike-policy IKE-Policy-Vyatta

set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ipsec-policy IPSec-Policy-Vyatta

set services ipsec-vpn rule IPSec-VYATTA term 1 then initiate-dead-peer-detection

set services ipsec-vpn rule IPSec-VYATTA match-direction input

set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta protocol esp

set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta authentication-algorithm hmac-md5-96

set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta encryption-algorithm 3des-cbc

set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta perfect-forward-secrecy keys group5

set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta proposals IPSEC-Proposal-Vyatta

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-method pre-shared-keys

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta dh-group group5

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-algorithm md5

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta encryption-algorithm 3des-cbc

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta lifetime-seconds 86400

set services ipsec-vpn ike policy IKE-Policy-Vyatta proposals IKE-Proposal-Vyatta

set services ipsec-vpn ike policy IKE-Policy-Vyatta pre-shared-key ascii-text "$9$EVryrvdVYoZjlKYo"

set services ipsec-vpn traceoptions file VmxIPSECCommunity

set services ipsec-vpn traceoptions file size 10m

set services ipsec-vpn traceoptions file files 2

set services ipsec-vpn traceoptions level all

set services ipsec-vpn traceoptions flag all

set services ipsec-vpn establish-tunnels immediately

set services ipsec-vpn disable-natt

set routing-options static route 192.168.100.0/24 next-hop si-0/0/0.1

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS instance-type virtual-router

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 192.168.100.0/24 next-hop 108.1.114.92

root@Juniper-vMX-Wanclouds> show services ipsec-vpn ipsec security-associations

Service set: IPSEC-SITE-TO-SITE, IKE Routing-instance: DATAPLANE-VMX-VPN-WANCLOUDS

Rule: IPSec-VYATTA, Term: 1, Tunnel index: 1

Local gateway: 10.0.10.12, Remote gateway: 108.1.114.92

IPSec inside interface: si-0/0/0.1, Tunnel MTU: 1500

UDP encapsulate: Disabled, UDP Destination port: 0

--- No IPSec SA information available ---

root@Juniper-vMX-Wanclouds> show interfaces terse | match si

esi up up

lsi up up

root@Juniper-vMX-Wanclouds> show chassis hardware detail

Hardware inventory:

Item Version Part number Serial number Description

Chassis VM5A5406B749 VMX

Midplane

Routing Engine 0 RE-VMX

vtbd0 0 MB Hard Disk

CB 0 VMX SCB

CB 1 VMX SCB

FPC 0 Virtual FPC

CPU Rev. 1.0 RIOT BUILTIN

MIC 0 Virtual

PIC 0 BUILTIN BUILTIN Virtual

root@Juniper-vMX-Wanclouds> show services ipsec-vpn ike security-associations

root@Juniper-vMX-Wanclouds> monitor traffic interface ge-0/0/0 matching udp

verbose output suppressed, use <detail> or <extensive> for full protocol decode

Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.

Address resolution timeout is 4s.

Listening on ge-0/0/0, capture size 96 bytes

Reverse lookup for 10.0.10.12 failed (check DNS reachability).

Other reverse lookup failures will not be reported.

Use <no-resolve> to avoid reverse lookups on IP addresses.

00:54:04.606186 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:54:04.707330 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

00:54:44.094174 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:54:44.200468 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

00:55:24.234474 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:55:24.328674 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

00:56:04.807564 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:56:04.908874 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

00:56:44.502941 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:56:44.602296 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

00:57:24.887299 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:57:25.005052 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

^C

92 packets received by filter

0 packets dropped by kernel

root@Juniper-vMX-Wanclouds> show interfaces terse | grep ge

ge-0/0/0 up up

ge-0/0/0.0 up up inet 10.0.10.12/24

ge-0/0/1 up up

ge-0/0/1.0 up up inet 10.0.20.81/24

ge-0/0/2 up down

ge-0/0/3 up down

ge-0/0/4 up down

ge-0/0/5 up down

ge-0/0/6 up down

ge-0/0/7 up down

ge-0/0/8 up down

ge-0/0/9 up down

root@Juniper-vMX-Wanclouds> show interfaces terse | grep si

esi up up

lsi up up

Brocade-Vyatta:

=============

vyatta@gw-melbourne1-02-06-2016:~$ show configuration commands | grep vpn

set vpn ipsec esp-group ESP-1H compression 'disable'

set vpn ipsec esp-group ESP-1H lifetime '27000'

set vpn ipsec esp-group ESP-1H mode 'tunnel'

set vpn ipsec esp-group ESP-1H pfs 'dh-group5'

set vpn ipsec esp-group ESP-1H proposal 1 encryption '3des'

set vpn ipsec esp-group ESP-1H proposal 1 hash 'md5'

set vpn ipsec ike-group IKE-1H lifetime '28800'

set vpn ipsec ike-group IKE-1H proposal 1 dh-group '5'

set vpn ipsec ike-group IKE-1H proposal 1 encryption '3des'

set vpn ipsec ike-group IKE-1H proposal 1 hash 'md5'

set vpn ipsec ipsec-interfaces interface 'bond1'

set vpn ipsec nat-traversal 'enable'

set vpn ipsec site-to-site peer 34.218.101.112 authentication id '108.1.114.92'

set vpn ipsec site-to-site peer 34.218.101.112 authentication mode 'pre-shared-secret'

set vpn ipsec site-to-site peer 34.218.101.112 authentication pre-shared-secret 'cisco1000'

set vpn ipsec site-to-site peer 34.218.101.112 authentication remote-id '10.0.10.12'

set vpn ipsec site-to-site peer 34.218.101.112 connection-type 'initiate'

set vpn ipsec site-to-site peer 34.218.101.112 default-esp-group 'ESP-1H'

set vpn ipsec site-to-site peer 34.218.101.112 ike-group 'IKE-1H'

set vpn ipsec site-to-site peer 34.218.101.112 local-address '108.1.114.92'

set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 allow-nat-networks 'disable'

set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 allow-public-networks 'disable'

set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 local prefix '192.168.100.0/24'

set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 remote prefix '10.0.20.0/24'

vyatta@gw-melbourne1-02-06-2016:~$

vyatta@gw-melbourne1-02-06-2016:~$ show vpn ike sa

Peer ID / IP Local ID / IP

------------ -------------

34.218.101.112 108.1.114.92

State Encrypt Hash D-H Grp NAT-T A-Time L-Time

----- ------- ---- ------- ----- ------ ------

init n/a n/a n/a no 0 28800

vyatta@gw-melbourne1-02-06-2016:~$ show vpn ipsec sa

Peer ID / IP Local ID / IP

------------ -------------

34.218.101.112 108.1.114.92

Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto

------ ----- ------------- ------- ---- ----- ------ ------ -----

0 down n/a n/a n/a no 0 27000 all

vyatta@gw-melbourne1-02-06-2016:~$

vvadivel · ‎03-02-2018

Hi Syed,

Still si-* interface is not created on your VMX box. Please share <show configuration chassis>

vmx> show interfaces terse | match si

esi up up
lsi up up

Above is output is not si-* interface.

vmx# set chassis fpc 0 pic 0 inline-services

[edit]
vmx# commit
commit complete

[edit]
vmx# run show interfaces terse | match si-
si-0/0/0 up up

[edit]

Hope this helps

--------------------------------------------------------------------------------------------------------
If this post was helpful, please mark this post as an "Accepted Solution".
Kudos are always appreciated!
--------------------------------------------------------------------------------------------------------

Kingsman · ‎03-02-2018

Hi,

As I said earlier, you don’t have si-0/0/0 interface configured in your box.
Can you try with below command and check?

root@PE1_re> show interfaces terse | match si
esi up up
lsi up up
lsi.1 up up inet

root@PE1_re>
[edit]
root@PE1_re# set chassis fpc 0 pic 0 inline-services

[edit]
root@PE1_re# commit
commit complete

[edit]
root@PE1_re#
root@PE1_re# run show interfaces terse | match si
si-0/0/0 up up
esi up up
lsi up up
lsi.1 up up inet

[edit]
root@PE1_re#

Regards
Harpreet

fsyed · ‎03-03-2018

I Had the configuration for Si interfaces the only thing missing was "set chassis fpc 0 pic 0 inline-services" and its working now special thanks to Kingsman (Harpreet) and vvadivel.

root@Juniper-vMX-Wanclouds> show configuration | display set

set version 17.2R1.13

set groups global system host-name Juniper-vMX-Wanclouds

set groups global system login user jnpr uid 2000

set groups global system login user jnpr class super-user

set groups global system services ssh

set groups global system syslog user * any emergency

set groups global system syslog file messages any notice

set groups global system syslog file messages authorization info

set groups global system syslog file interactive-commands interactive-commands any

set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24

set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24

set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24

set groups global interfaces si-0/0/0 unit 0

set groups global interfaces si-0/0/0 unit 1 family inet

set groups global interfaces si-0/0/0 unit 1 service-domain inside

set groups global interfaces si-0/0/0 unit 2 family inet

set groups global interfaces si-0/0/0 unit 2 service-domain outside

set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1

set groups global routing-options static route 0.0.0.0/0 retain

set groups global routing-options static route 0.0.0.0/0 no-readvertise

set apply-groups global

set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"

set chassis fpc 0 pic 0 tunnel-services bandwidth 1g

set chassis fpc 0 pic 0 inline-services