I am trying to get an IPsec VPN set up between two vMXs to prove out a design for a physical MX-104. I have attached a picture outlining the setup. I have two vMXs, one with an external IP address of 18.104.22.168 (hostname DS_MX), and the other with an external IP address of 22.214.171.124 (hostname FAUX_AWS_MX). I am attempting to get a VPN tunnel established between both vMXs.
Once the VPN tunnel is established, I would then like to build a BGP session over it between the peering endpoints of 169.254.46.194/30 and 169.254.46.193/30. I have assigned these IP addresses to the si-0/0/0.1 interfaces as shown in the diagram vmx_setup. Note that the diagram references the MX-104 interface names; on the vMX, the xe interfaces are ge-0/0/0. ms-4/0/0 is si-0/0/0.
I believe I have been able to get the initial tunnel to build based on the output of some verification commands that I have done. However, when I try to ping the corresponding 169 IP address on the other side of the tunnel, I am unable to do so. I also have a packet capture running between the vMXs and I don't even see ESP packets. It looks to me like the traffic is not even getting put into the tunnel for whatever reason. That's where my confusion is, and that's where I am stuck right now.
I have attached the configs, as well as some verification commands in a file (vmx_broke.txt) along with the diagram, vmx_setup.
If someone would be able to take a look at the configs and tell me what I am doing wrong, I would really appreciate it.
As a side note, this is all to prove out what kind of configuration is needed on an MX-104 with an MS-MIC card in order to connect to a VPN endpoint in AWS. If anyone has actually done this already, I would really appreciate any information or tips on how to go about setting up things on the MX-104 side. Right now, I have an SRX device that is terminating the VPN to AWS. AWS autogenerates the VPN config for the SRX, so it's pretty straightforward.
However, I am struggling with the equivalent MX-104 config; it looks to me like there is no way to bind a tunnel interface to a VPN like there is on the SRX series. It looks like I need to create a VPN rule at some level. I don't have an MS-MIC card in my possession to test with on my actual MX-104, and I'd prefer not to buy one until I can prove this design out on a vMX and get an idea for what the config looks like.
There really isn't too much documentation around setting up a VPN on an MX series besides the article that I found above, which is frustrating as well.
Thanks for any help that can be provided, and please let me know if there is any additional information that I can provide.
I got the same issue with VPN, but this is a physical box where the VPN is between two sites. The box on the other site is an MX480. In my case the VPN is up and active and the BGP is active but not established yet. Currently our MX104 box is running on 15.1, so do I need to upgrade it to 17.2? Please post all other possibilities why I am not getting any traffic through the tunnel.
Yes, I got MS-DPC on MX480 and MS-MIC on MX104. All the configurations are good and the connectivity is good, but I am unable to get the traffic through the VPN and the BGP is not getting established between the two sites.