
IPSec VPN with vMX (multiple FPCs)

‎06-11-2020 12:48 AM

Hello,

I am trying to get an IPsec VPN set up with vMX (multiple cards: 2 RE, vMS-MPC slot 0, FPC slot 1).

I built vMX on EVE, firmware 18.1R2.6

Resource for vMS-MPC: 8 vCPU, 8 GB RAM, 3 NICs (type e1000) (use metadata-usb-service-pic-2g.img).

I saw vMX can boot up successfully with all cards, interfaces (lite-mode for FPC 0).  

I tried to configure VPN between vMX and vASA. Once the VPN tunnel is established

I believe I have been able to get the initial tunnel to build based on the output of some verification commands that I have done. However, when I try to ping an IP address from the vMX side of the tunnel (192.168.2.10 to 192.168.1.10), I am unable to do so. I also have a packet capture running between the VMXs and I don't even see ESP packets. When I try to ping from the vASA side (192.168.1.10 to 192.168.2.10), I can see ESP traffic. It looks to me like the traffic is not even getting put into the tunnel for whatever reason from vMX site. That is where my confusion is, and that's where I am stuck right now.

In my experience, when I connect physical port ge-1/0/1 on EVE, I should configure ge-1/0/0 in the configuration.

I connect ge-0/0/0 of each FPC as a “fabric link” between FPCs. I am not sure whether this link is useful or not. It is useful when I need packets switching between normal FPCs.

I have attached the configs, as well as some verification commands in a file (vmx_broke.txt) along with the diagram, vmx_setup.

If someone would be able to take a look at the configs and tell me what I am doing wrong, I would really appreciate it.

There really isn't too much documentation around setting up a VPN on an MX series besides the article that I found above, which is frustrating as well.

Thanks for any help that can be provided, and please let me know if there is any additional information that I can provide.


Re: IPSec VPN with vMX (multiple FPCs)

‎06-11-2020 01:09 AM

Hi,

 

vMS-MPC is no longer recommended for vMX. This may have a performance impact.

Also, multiple FPCs are not qualified for vMX. This would be the reason for this kind of behaviour.

vMX is only qualified for a single vFP.

-
VR
# Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: IPSec VPN with vMX (multiple FPCs)

‎06-11-2020 02:06 AM

Thanks Vishruth,

Is there any official document about it?


Re: IPSec VPN with vMX (multiple FPCs)

‎06-11-2020 07:52 PM

There is no official doc on this, because it's not supported/qualified.

 

It will be documented only when the feature/behaviour is supported/qualified.

 

-
VR

Re: IPSec VPN with vMX (multiple FPCs)

‎07-15-2020 10:10 AM

Hi khanhnguyen911,

 

 

Could you snapshot how you connect using EVE-NG? I still cannot bring the vMS-MPC online.

 

 

Thanks and appreciate your feedback
