IPsec VPN on Juniper vMX not working.
Issue:
======
IPsec VPN between Juniper vMX and Vyatta 5400 not working.
Topology:
========
192.168.100.1/24------Vyatta---------------Cloud--------------AWS ------Juniper vMX---10.0.20.0/24
Concerns or Problems:
==================
1. Since the deployment is in an AWS VPC, the public (revenue) interface is not in the default routing instance, so both the public ge-0/0/0 and ge-0/0/1 are in the routing instance named DATAPLANE-VMX-VPN-WANCLOUDS. If my understanding is correct, both si-0/0/0.1 and si-0/0/0.2 should also be part of routing instance DATAPLANE-VMX-VPN-WANCLOUDS, but on configuring that I get this error.
root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.1
[edit]
root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2
[edit]
root@Juniper-vMX-Wanclouds# commit check
[edit services service-set IPSEC-SITE-TO-SITE]
'ipsec-vpn-options'
The service interface si-0/0/0.2 must be configured under default routing-instance
2. How to enable NAT Traversal for IPsec VPN on the vMX, as the vMX is deployed behind an Internet Gateway 1:1 NAT? As per my understanding it is enabled by default.
Configuration:
Vyatta5400:
----------------
set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24
set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24
set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24
set groups global interfaces si-0/0/0 unit 0
set groups global interfaces si-0/0/0 unit 1 family inet
set groups global interfaces si-0/0/0 unit 1 service-domain inside
set groups global interfaces si-0/0/0 unit 2 family inet
set groups global interfaces si-0/0/0 unit 2 service-domain outside
set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1
set groups global routing-options static route 0.0.0.0/0 retain
set groups global routing-options static route 0.0.0.0/0 no-readvertise
set apply-groups global
set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"
set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1
set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA
set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24
set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24
set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.114.92
set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ike-policy IKE-Policy-Vyatta
set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ipsec-policy IPSec-Policy-Vyatta
set services ipsec-vpn rule IPSec-VYATTA term 1 then initiate-dead-peer-detection
set services ipsec-vpn rule IPSec-VYATTA match-direction input
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta protocol esp
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta perfect-forward-secrecy keys group5
set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta proposals IPSEC-Proposal-Vyatta
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta dh-group group5
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-algorithm md5
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta encryption-algorithm 3des-cbc
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta lifetime-seconds 86400
set services ipsec-vpn ike policy IKE-Policy-Vyatta proposals IKE-Proposal-Vyatta
set services ipsec-vpn ike policy IKE-Policy-Vyatta pre-shared-key ascii-text "$9$EVryrvdVYoZjlKYo"
set services ipsec-vpn establish-tunnels immediately
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS instance-type virtual-router
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/1.0
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1
root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.1
[edit]
root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2
[edit]
root@Juniper-vMX-Wanclouds# commit check
[edit services service-set IPSEC-SITE-TO-SITE]
'ipsec-vpn-options'
The service interface si-0/0/0.2 must be configured under default routing-instance
error: configuration check-out failed
ISAKMP packets coming from the Vyatta device:
root@Juniper-vMX-Wanclouds> monitor traffic interface ge-0/0/0 matching udp
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/0, capture size 96 bytes
Reverse lookup for 10.0.10.12 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
00:54:34.986840 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
00:54:44.427606 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
00:54:44.624821 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
00:54:54.602837 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
00:55:14.927376 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
Re: IPsec VPN on Juniper vMX not working .
Your config doesn't seem to be correct.
You have both the inside and outside interfaces in the same routing-instance DATAPLANE-VMX-VPN-WANCLOUDS.
Your local gateway and outside service interface should be either in the global routing-instance or in another routing-instance.
I will correct the config and share it if needed.
Re: IPsec VPN on Juniper vMX not working .
Topology:
R1----------------------------R2
R1 config:
[edit]
root@R1_re# run show services ipsec-vpn ike sa
Remote Address State Initiator cookie Responder cookie Exchange type
10.1.12.2 Matured 846c851af53cecfd 221279f553a29262 Main
[edit]
root@R1_re#
[edit]
root@R1_re# run show services ipsec-vpn ipsec sa
Service set: test, IKE Routing-instance: outside
Rule: test-vpn, Term: 1, Tunnel index: 1
Local gateway: 10.1.12.1, Remote gateway: 10.1.12.2
IPSec inside interface: si-0/0/0.1, Tunnel MTU: 1500
UDP encapsulate: Disabled, UDP Destination port: 0
NATT Detection: Not Detected, NATT keepalive interval: 0
Direction SPI AUX-SPI Mode Type Protocol
inbound 4044436681 0 tunnel dynamic ESP
outbound 1708770906 0 tunnel dynamic ESP
[edit]
root@R1_re#
[edit]
root@R1_re# show services | display set
set services rpm probe A test PING-A-1 probe-type icmp-ping
set services rpm probe A test PING-A-1 target address 10.1.12.2
set services rpm probe A test PING-A-1 test-interval 3
set services rpm probe A test PING-A-1 thresholds successive-loss 3
set services service-set test next-hop-service inside-service-interface si-0/0/0.1
set services service-set test next-hop-service outside-service-interface si-0/0/0.2
set services service-set test ipsec-vpn-options local-gateway 10.1.12.1
set services service-set test ipsec-vpn-options local-gateway routing-instance outside
set services service-set test ipsec-vpn-rules test-vpn
set services ipsec-vpn rule test-vpn term 1 from source-address 192.168.0.0/24
set services ipsec-vpn rule test-vpn term 1 from destination-address 172.16.0.0/24
set services ipsec-vpn rule test-vpn term 1 then remote-gateway 10.1.12.2
set services ipsec-vpn rule test-vpn term 1 then dynamic ike-policy ike-policy
set services ipsec-vpn rule test-vpn term 1 then dynamic ipsec-policy ipsec-policy
set services ipsec-vpn rule test-vpn match-direction input
set services ipsec-vpn ipsec proposal ipsec-proposal authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal ipsec-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy ipsec-policy proposals ipsec-proposal
set services ipsec-vpn ike proposal ike-proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike-proposal dh-group group5
set services ipsec-vpn ike proposal ike-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ike proposal ike-proposal lifetime-seconds 500
set services ipsec-vpn ike policy ike-policy proposals ike-proposal
set services ipsec-vpn ike policy ike-policy pre-shared-key ascii-text "$9$Tz/Cp0BESru07-bs4o/CAtIEM8X"
set services ipsec-vpn establish-tunnels immediately
[edit]
root@R1_re#
root@R1_re# show routing-instances | display set
set routing-instances inside instance-type virtual-router
set routing-instances inside interface si-0/0/0.1
set routing-instances inside interface ge-0/0/2.0
set routing-instances inside routing-options static route 172.16.0.0/24 next-hop si-0/0/0.1
set routing-instances inside routing-options static route 192.168.0.0/24 next-hop 10.1.14.4
set routing-instances outside instance-type virtual-router
set routing-instances outside interface si-0/0/0.2
set routing-instances outside interface ge-0/0/1.0
set routing-instances outside routing-options static route 172.16.0.0/24 next-hop 10.1.12.2
[edit]
[edit]
root@R1_re# show interfaces
si-0/0/0 {
unit 1 {
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.1.12.1/24;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 10.1.14.1/24;
}
}
}
R2 config:
[edit]
root@R2_re# show services | display set
set services service-set test next-hop-service inside-service-interface si-0/0/0.1
set services service-set test next-hop-service outside-service-interface si-0/0/0.2
set services service-set test ipsec-vpn-options local-gateway 10.1.12.2
set services service-set test ipsec-vpn-options local-gateway routing-instance outside
set services service-set test ipsec-vpn-rules test-vpn
set services ipsec-vpn rule test-vpn term 1 from source-address 172.16.0.0/24
set services ipsec-vpn rule test-vpn term 1 from destination-address 192.168.0.0/24
set services ipsec-vpn rule test-vpn term 1 then remote-gateway 10.1.12.1
set services ipsec-vpn rule test-vpn term 1 then dynamic ike-policy ike-policy
set services ipsec-vpn rule test-vpn term 1 then dynamic ipsec-policy ipsec-policy
set services ipsec-vpn rule test-vpn match-direction input
set services ipsec-vpn ipsec proposal ipsec-proposal authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal ipsec-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy ipsec-policy proposals ipsec-proposal
set services ipsec-vpn ike proposal ike-proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike-proposal dh-group group5
set services ipsec-vpn ike proposal ike-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ike proposal ike-proposal lifetime-seconds 500
set services ipsec-vpn ike policy ike-policy proposals ike-proposal
set services ipsec-vpn ike policy ike-policy pre-shared-key ascii-text "$9$Tz/Cp0BESru07-bs4o/CAtIEM8X"
set services ipsec-vpn establish-tunnels immediately
[edit]
root@R2_re#
[edit]
root@R2_re# show routing-instances | display set
set routing-instances inside instance-type virtual-router
set routing-instances inside interface si-0/0/0.1
set routing-instances inside interface ge-0/0/2.0
set routing-instances inside routing-options static route 192.168.0.0/24 next-hop si-0/0/0.1
set routing-instances inside routing-options static route 172.16.0.0/24 next-hop 10.1.23.3
set routing-instances outside instance-type virtual-router
set routing-instances outside interface si-0/0/0.2
set routing-instances outside interface ge-0/0/1.0
set routing-instances outside routing-options static route 192.168.0.0/24 next-hop 10.1.12.1
[edit]
root@R2_re#
[edit]
root@R2_re# show interfaces
si-0/0/0 {
unit 1 {
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.1.12.2/24;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 10.1.23.2/24;
}
}
}
[edit]
root@R2_re# run show services ipsec-vpn ike sa
Remote Address State Initiator cookie Responder cookie Exchange type
10.1.12.1 Matured 846c851af53cecfd 221279f553a29262 Main
[edit]
root@R2_re# run show services ipsec-vpn ipsec sa
Service set: test, IKE Routing-instance: outside
Rule: test-vpn, Term: 1, Tunnel index: 1
Local gateway: 10.1.12.2, Remote gateway: 10.1.12.1
IPSec inside interface: si-0/0/0.1, Tunnel MTU: 1500
UDP encapsulate: Disabled, UDP Destination port: 0
NATT Detection: Not Detected, NATT keepalive interval: 0
Direction SPI AUX-SPI Mode Type Protocol
inbound 1708770906 0 tunnel dynamic ESP
outbound 4044436681 0 tunnel dynamic ESP
[edit]
root@R2_re#
HTH
Re: IPsec VPN on Juniper vMX not working .
set services service-set test ipsec-vpn-options local-gateway 155.1.12.2
set services service-set test ipsec-vpn-options local-gateway routing-instance outside
Re: IPsec VPN on Juniper vMX not working .
Thanks a lot for looking into it and providing the working configs. Will try to move the inside interface to the global routing table and update you. The reason I am using the routing instance is that I have one public Elastic IP, and if I attach it to the fxp0 management interface then I cannot create the IPsec VPN. The only possible option is to move the gig interface out of the default routing instance.
Re: IPsec VPN on Juniper vMX not working .
Re: IPsec VPN on Juniper vMX not working .
Thanks again, but I have some doubts I would like to clear up before changing the configuration. I am attaching the topology to give some background, and then I would like to understand whether I am missing something or my approach is not correct.
Goal :
======
The device connected behind the Vyatta 5400 can access the File and DB servers connected to the vMX on ge-0/0/1 and ge-0/0/2.
Concerns:
=========
1. This deployment is in an AWS VPC and uses an Elastic IP, which is public. If I attach the Elastic IP to fxp0 then I cannot create IPsec, as it is the management interface, and if I attach this Elastic IP to the revenue interface ge-0/0/0 then I cannot access the vMX, as it is in the same routing table, the global routing instance. So I decided to create a routing instance "DATAPLANE-VMX-VPN-WANCLOUDS" and move into it both my ge-0/0/0 interface, which is basically the public interface, and the ge-0/0/1 and ge-0/0/2 interfaces where the internal File and DB servers are connected. I am able to ping from the ge-0/0/0 public interface to the Vyatta 5400 WAN interface.
2. Now I configured the IPsec VPN between ge-0/0/0 of the vMX and the Vyatta 5400, but for that I need to create si-0/0/0.1 as the inside interface and si-0/0/0.2 as the outside interface, and here I am confused: are these interfaces somehow tied to ge-0/0/0 and ge-0/0/1? Or will the si-0/0/0.2 outside interface and the ge-0/0/0 WAN public interface remain in routing instance "DATAPLANE-VMX-VPN-WANCLOUDS" while I have to move the si-0/0/0.1 inside interface and the ge-0/0/1 and ge-0/0/2 interfaces (where the internal servers are connected) to the global or default routing instance? Or should only the si-0/0/0.1 inside interface be moved out of the "DATAPLANE-VMX-VPN-WANCLOUDS" routing instance?
Regards
Syed.
Re: IPsec VPN on Juniper vMX not working .
The reason I brought up the earlier discussion is that I have tested a similar setup with a vSRX firewall IPsec VPN, and all the interfaces were part of the same routing instance DATAPLANE-VPN-WANCLOUDS, including the st virtual interface. The only difference was the zones Trust and Untrust: the WAN interface ge-0/0/0 and st0.0 were part of the Untrust zone and ge-0/0/1 of the Trust zone.
set routing-instances DATAPLANE-VPN-WANCLOUDS instance-type virtual-router
set routing-instances DATAPLANE-VPN-WANCLOUDS interface ge-0/0/0.0
set routing-instances DATAPLANE-VPN-WANCLOUDS interface ge-0/0/1.0
set routing-instances DATAPLANE-VPN-WANCLOUDS interface st0.0
Re: IPsec VPN on Juniper vMX not working .
First:
Put the outside interfaces (ge-0/0/0 and si-0/0/0.2) in one routing instance and the inside interfaces (ge-0/0/1, ge-0/0/2 and si-0/0/0.1) in another routing instance.
This config I already shared.
Second:
Keep your outside interfaces ge-0/0/0 and si-0/0/0.2 in DATAPLANE-VMX-VPN-WANCLOUDS and the inside interfaces (ge-0/0/1, ge-0/0/2 and si-0/0/0.1) in the global table.
You need to add a static route in the global table for the traffic destined to the device connected behind the Vyatta, as below.
set routing-options static route
Also, make sure you have a route for the destination in the DATAPLANE-VMX-VPN-WANCLOUDS routing instance pointing towards the Vyatta.
Topology:
10.1.12.0/24
R1-(.1)--------------------------------------------------------------------(.2)-R2
root@R1_re# show services service-set test
next-hop-service {
inside-service-interface si-0/0/0.1;
outside-service-interface si-0/0/0.2;
}
ipsec-vpn-options {
local-gateway 10.1.12.1 routing-instance DATAPLANE-VMX-VPN-WANCLOUDS;
}
ipsec-vpn-rules test-vpn;
[edit]
root@R1_re#
root@R1_re# show routing-options
static {
route 172.16.0.0/24 next-hop si-0/0/0.1;
route 192.168.0.0/24 next-hop 10.1.14.4;
}
router-id 11.11.11.11;
autonomous-system 100;
[edit]
root@R1_re# show routing-instances DATAPLANE-VMX-VPN-WANCLOUDS
instance-type virtual-router;
interface si-0/0/0.2;
interface ge-0/0/1.0;
routing-options {
static {
route 172.16.0.0/24 next-hop 10.1.12.2;
}
}
[edit]
root@R1_re#
ipsec-vpn {
rule test-vpn {
term 1 {
from {
source-address {
192.168.0.0/24;
}
destination-address {
172.16.0.0/24;
}
}
then {
remote-gateway 10.1.12.2;
dynamic {
ike-policy ike-policy;
ipsec-policy ipsec-policy;
}
}
}
match-direction input;
}
}
Third option:
Keep all the interfaces in DATAPLANE-VMX-VPN-WANCLOUDS as in your original configuration,
and make the changes below.
Add the routing-instance knob with local-gateway as below (this was missing in your config):
ipsec-vpn-options {
local-gateway 10.1.12.1 routing-instance DATAPLANE-VMX-VPN-WANCLOUDS
Make sure you have all the routing correctly in place so that traffic destined to the subnet behind the Vyatta goes to the si-0/0/0.1 interface first for the IPsec encapsulation and then goes out via ge-0/0/0 as per your topology.
I have to put a specific route for the destination subnet to make it work.
[edit]
root@R1_re# show routing-instances DATAPLANE-VMX-VPN-WANCLOUDS
instance-type virtual-router;
interface si-0/0/0.1;
interface si-0/0/0.2;
interface ge-0/0/1.0;
interface ge-0/0/2.0;
routing-options {
static {
route 172.16.0.0/24 next-hop [ 155.1.12.2 si-0/0/0.1 ];
route 192.168.0.0/24 next-hop 155.1.14.4;
}
}
[edit]
root@R1_re# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 172.16.0.100/32 next-hop si-0/0/0.1
[edit]
root@R1_re# commit
commit complete
Let me know if you still have any question.
HTH.
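The three options above differ only in which routing instance holds each interface, and the same rules decide whether a layout works: the outside service interface must sit in the instance that owns the local-gateway address (named with the `local-gateway routing-instance` knob when that instance is not the default one, which is what the original commit error was about), and the instance holding the inside service interface must route the remote prefix into that inside interface so traffic is encapsulated before it is forwarded. The following is an added example, not code from the thread or from Junos, that applies those rules, plus a check that the remote gateway is routable from the outside instance, to set-style configuration. The sample configs are constructed and abridged from the ones posted in this thread; the checks are a simplified model of what the replies describe, not Junos's own commit validation.

```python
import ipaddress
from collections import defaultdict

# Constructed samples, abridged from the set-style configs posted in this thread.
COMMON = """\
set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24
set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24
set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1
set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1
set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA
set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24
set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.115.92
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1
"""
# First post: both si units left in the default instance, no routing-instance knob.
ORIGINAL = COMMON + "set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/1.0\n"
# Later post: si-0/0/0.2 moved next to ge-0/0/0, knob added, inside route pointing at si-0/0/0.1.
REVISED = COMMON + """\
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway routing-instance DATAPLANE-VMX-VPN-WANCLOUDS
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2
set routing-options static route 192.168.100.0/24 next-hop si-0/0/0.1
"""


def parse_set_config(text):
    """Reduce 'set ...' lines to the pieces the checks need; 'set groups <g> ...' is flattened."""
    m = {"ss": defaultdict(dict), "rule_dst": defaultdict(list), "rule_peer": {},
         "if_ri": {}, "routes": defaultdict(list), "if_addr": {}}
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "set":
            continue
        if t[1] == "groups":                       # applied through apply-groups, so treat as top level
            t = ["set"] + t[3:]
        if t[1:3] == ["services", "service-set"]:
            ss, rest = m["ss"][t[3]], t[4:]
            if rest[0] == "next-hop-service":
                ss[rest[1].split("-")[0]] = rest[2]   # key "inside" or "outside" -> si unit
            elif rest[:2] == ["ipsec-vpn-options", "local-gateway"]:
                ss["gw_ri" if rest[2] == "routing-instance" else "gw"] = rest[-1]
            elif rest[0] == "ipsec-vpn-rules":
                ss["rule"] = rest[1]
        elif t[1:4] == ["services", "ipsec-vpn", "rule"]:
            if "destination-address" in t:
                m["rule_dst"][t[4]].append(t[-1])
            elif "remote-gateway" in t:
                m["rule_peer"][t[4]] = t[-1]
        elif t[1] == "routing-instances" and t[3] == "interface":
            m["if_ri"][t[4]] = t[2]
        elif "static" in t and "route" in t and "next-hop" in t:
            ri = t[2] if t[1] == "routing-instances" else "default"
            m["routes"][ri].append((t[t.index("route") + 1], t[-1]))
        elif t[1] == "interfaces" and "address" in t:
            m["if_addr"][f"{t[2]}.{t[4]}"] = ipaddress.ip_interface(t[-1])
    return m


def instance_of(m, ifl):
    return m["if_ri"].get(ifl, "default")          # interfaces not listed under any instance are in inet.0


def covering(m, ri, prefix):
    """Static routes in instance `ri` whose prefix covers `prefix`."""
    net = ipaddress.ip_network(prefix)
    return [(p, nh) for p, nh in m["routes"].get(ri, []) if net.subnet_of(ipaddress.ip_network(p))]


def lint_service_set(m, name):
    """Apply the placement rules the thread converges on; returns a list of findings (empty = ok)."""
    ss, findings = m["ss"][name], []
    inside, outside = ss["inside"], ss["outside"]
    in_ri, out_ri = instance_of(m, inside), instance_of(m, outside)
    # 1. The local-gateway address and the outside si unit must share an instance, and a
    #    non-default instance must be named under ipsec-vpn-options local-gateway routing-instance.
    gw_ifl = next((i for i, a in m["if_addr"].items() if str(a.ip) == ss["gw"]), None)
    gw_ri = instance_of(m, gw_ifl) if gw_ifl else None
    if gw_ri != out_ri:
        findings.append(f"{outside} is in '{out_ri}' but local-gateway {ss['gw']} ({gw_ifl}) is in '{gw_ri}'")
    if out_ri != "default" and ss.get("gw_ri") != out_ri:
        findings.append(f"{outside} is in '{out_ri}': set local-gateway routing-instance {out_ri}")
    # 2. Cleartext traffic for each remote prefix must be routed into the inside si unit in the
    #    instance that holds it; a plain default route would bypass encapsulation.
    for dst in m["rule_dst"][ss["rule"]]:
        if not any(nh == inside for _, nh in covering(m, in_ri, dst)):
            findings.append(f"no route for {dst} via {inside} in '{in_ri}'")
    # 3. The encapsulated packets need a path to the peer from the outside instance.
    peer = m["rule_peer"][ss["rule"]]
    if not covering(m, out_ri, peer + "/32"):
        findings.append(f"no route to remote-gateway {peer} in '{out_ri}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("revised", REVISED)):
        print(label, lint_service_set(parse_set_config(cfg), "IPSEC-SITE-TO-SITE") or ["ok"])
```

Run against the first post's layout the linter reports the two problems the replies point at (outside si unit in a different instance from the gateway address, no route into si-0/0/0.1); against the later layout it reports nothing. Putting si-0/0/0.2 into the instance without the knob, the situation that produced the commit error, yields the `set local-gateway routing-instance` finding.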
Re: IPsec VPN on Juniper vMX not working .
Hi,
Did it work for you?
Re: IPsec VPN on Juniper vMX not working .
Hi Kingsman,
I have tried with the suggested configuration but it is still not working.
1. Routing-Instance DATAPLANE-VMX-VPN-WANCLOUDS
i. ge-0/0/0 and si-0/0/0.2
2. Global Routing-Instance:
i. ge-0/0/1 and si-0/0/0.2
ii. set routing-options static route 192.168.100.0/24 next-hop si-0/0/0.1 (where 192.168.100.1 is connected to the Vyatta)
vMX:
====
set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24
set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24
set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24
set groups global interfaces si-0/0/0 unit 0
set groups global interfaces si-0/0/0 unit 1 family inet
set groups global interfaces si-0/0/0 unit 1 service-domain inside
set groups global interfaces si-0/0/0 unit 2 family inet
set groups global interfaces si-0/0/0 unit 2 service-domain outside
set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1
set groups global routing-options static route 0.0.0.0/0 retain
set groups global routing-options static route 0.0.0.0/0 no-readvertise
set apply-groups global
set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"
set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1
set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway routing-instance DATAPLANE-VMX-VPN-WANCLOUDS
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA
set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24
set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24
set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.115.92
set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ike-policy IKE-Policy-Vyatta
set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ipsec-policy IPSec-Policy-Vyatta
set services ipsec-vpn rule IPSec-VYATTA term 1 then initiate-dead-peer-detection
set services ipsec-vpn rule IPSec-VYATTA match-direction input
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta protocol esp
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta perfect-forward-secrecy keys group5
set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta proposals IPSEC-Proposal-Vyatta
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta dh-group group5
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-algorithm md5
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta encryption-algorithm 3des-cbc
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta lifetime-seconds 86400
set services ipsec-vpn ike policy IKE-Policy-Vyatta proposals IKE-Proposal-Vyatta
set services ipsec-vpn ike policy IKE-Policy-Vyatta pre-shared-key ascii-text "$9$EVryrvdVYoZjlKYo"
set services ipsec-vpn establish-tunnels immediately
set routing-options static route 192.168.100.0/24 next-hop si-0/0/0.1
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS instance-type virtual-router
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 192.168.100.0/24 next-hop 108.1.115.92
root@Juniper-vMX-Wanclouds> show configuration services service-set IPSEC-SITE-TO-SITE
next-hop-service {
inside-service-interface si-0/0/0.1;
outside-service-interface si-0/0/0.2;
}
ipsec-vpn-options {
local-gateway 10.0.10.12 routing-instance DATAPLANE-VMX-VPN-WANCLOUDS;
}
ipsec-vpn-rules IPSec-VYATTA;
root@Juniper-vMX-Wanclouds>
root@Juniper-vMX-Wanclouds>
root@Juniper-vMX-Wanclouds> monitor traffic interface ge-0/0/0 matching udp
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/0, capture size 96 bytes
Reverse lookup for 10.0.10.12 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
01:34:30.002214 In IP 168.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
01:34:30.008571 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 168.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
01:34:52.718981 In IP 107.173.40.203.5063 > 10.0.10.12.sip: SIP, length: 416
01:35:10.225491 In IP 168.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
01:35:10.231659 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 168.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
01:35:50.448662 In IP 168.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
01:35:50.454043 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 168.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
01:36:29.670526 In IP 168.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
01:36:29.676629 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 168.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
01:37:09.893797 In IP 168.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
01:37:09.899046 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 168.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
01:37:50.114708 In IP 168.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
01:37:50.121600 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 168.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
01:38:30.344314 In IP 168.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
01:38:30.350602 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 168.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
Vyatta:
vyatta@gw-melbourne1-02-06-2016:~$ show configuration commands | grep vpn
set vpn ipsec esp-group ESP-1H compression 'disable'
set vpn ipsec esp-group ESP-1H lifetime '27000'
set vpn ipsec esp-group ESP-1H mode 'tunnel'
set vpn ipsec esp-group ESP-1H pfs 'dh-group5'
set vpn ipsec esp-group ESP-1H proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1H proposal 1 hash 'md5'
set vpn ipsec ike-group IKE-1H lifetime '28800'
set vpn ipsec ike-group IKE-1H proposal 1 dh-group '5'
set vpn ipsec ike-group IKE-1H proposal 1 encryption '3des'
set vpn ipsec ipsec-interfaces interface 'bond1'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 35.163.189.77 authentication id '108.1.115.92'
set vpn ipsec site-to-site peer 35.163.189.77 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 35.163.189.77 authentication pre-shared-secret 'cisco1000'
set vpn ipsec site-to-site peer 35.163.189.77 authentication remote-id '35.163.189.77'
set vpn ipsec site-to-site peer 35.163.189.77 connection-type 'initiate'
set vpn ipsec site-to-site peer 35.163.189.77 default-esp-group 'ESP-1H'
set vpn ipsec site-to-site peer 35.163.189.77 ike-group 'IKE-1H'
set vpn ipsec site-to-site peer 35.163.189.77 local-address '108.1.115.92'
set vpn ipsec site-to-site peer 35.163.189.77 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 35.163.189.77 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 35.163.189.77 tunnel 0 local prefix '192.168.100.0/24'
set vpn ipsec site-to-site peer 35.163.189.77 tunnel 0 remote prefix '10.0.20.0/24'
vyatta@gw-melbourne1-02-06-2016:~$
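The two captures in this thread (the one in the first post, where only inbound phase 1 packets from the Vyatta appear, and the one above, where the vMX now answers each of them) can be triaged mechanically. The following is an added example, not code from the thread or from Juniper: it parses `monitor traffic` lines of the shape shown, groups ISAKMP events per remote peer and reports how far the negotiation gets. In tcpdump's ISAKMP decoding `ident` is the IKEv1 main-mode (identity protection) exchange and `inf` an Informational exchange, so an outbound `phase 2/others R inf` line with a `[|n]` (notification) payload is the local gateway sending a notification rather than a main-mode reply. The sample input is constructed from lines copied out of the two captures; the `truncated-ip - 70 bytes missing!` note is explained by the 96-byte capture size the command reports and is skipped by the parser.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the two `monitor traffic interface ge-0/0/0 matching udp`
# captures posted in this thread. The first shows inbound phase 1 packets only; the second shows
# the vMX answering each of them with an Informational ("inf") exchange.
CAPTURE_FIRST_POST = """\
00:54:34.986840 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
00:54:44.427606 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
00:54:44.624821 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
"""
CAPTURE_AFTER_CHANGES = """\
01:34:30.002214 In IP 168.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
01:34:30.008571 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 168.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
01:34:52.718981 In IP 107.173.40.203.5063 > 10.0.10.12.sip: SIP, length: 416
01:35:10.225491 In IP 168.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
01:35:10.231659 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 168.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
"""

# tcpdump-style line as printed by `monitor traffic`. "truncated-ip ... bytes missing!" only means
# the 96-byte capture size cut the packet; it is not a wire error, so the regex steps over it.
ISAKMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<dir>In|Out) IP "
    r"(?:truncated-ip - \d+ bytes missing! )?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+): "
    r"isakmp: phase (?P<phase>1|2/others) (?P<role>[IR]) (?P<exch>\w+):"
)


def parse_isakmp(capture_text):
    """Return one dict per ISAKMP line; other UDP lines (the SIP probe above) are dropped."""
    return [m.groupdict() for m in map(ISAKMP_RE.match, capture_text.splitlines()) if m]


def triage(capture_text, local_gateway):
    """Count, per remote peer, phase 1 initiations received and what the local gateway sent back."""
    peers = defaultdict(lambda: {"in_phase1_init": 0, "out_phase1_reply": 0, "out_notify": 0})
    for ev in parse_isakmp(capture_text):
        if ev["dir"] == "In" and ev["dst"] == local_gateway:
            if ev["phase"] == "1" and ev["role"] == "I":
                peers[ev["src"]]["in_phase1_init"] += 1
        elif ev["dir"] == "Out" and ev["src"] == local_gateway:
            if ev["phase"] == "1":
                peers[ev["dst"]]["out_phase1_reply"] += 1   # main-mode reply: negotiation is progressing
            elif ev["exch"] == "inf":
                peers[ev["dst"]]["out_notify"] += 1         # Informational only: a notification, not a reply
    for c in peers.values():
        if c["out_phase1_reply"]:
            c["verdict"] = "phase 1 exchange in progress"
        elif c["out_notify"]:
            c["verdict"] = "local gateway answers only with informational notifications"
        else:
            c["verdict"] = "no reply from local gateway"
    return dict(peers)


if __name__ == "__main__":
    for label, cap in (("first post", CAPTURE_FIRST_POST), ("after changes", CAPTURE_AFTER_CHANGES)):
        for peer, c in triage(cap, "10.0.10.12").items():
            print(f"{label}: peer {peer}: {c}")
```

On the first capture the verdict is "no reply from local gateway", which matches the original placement problem (the service set never saw the packets); on the second it is "answers only with informational notifications", which says the vMX now receives and processes the proposal but rejects it, pointing at the proposal or peer settings rather than at routing. The unrelated SIP line is dropped and never appears as a peer.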
Re: IPsec VPN on Juniper vMX not working .
The config looks good. Do you have any NAT device between the two peers?
Re: IPsec VPN on Juniper vMX not working .
The Vyatta is a public device in the SoftLayer cloud and the Juniper vMX is on AWS, which is basically 1:1 NAT as it is behind a NAT gateway. And I believe NAT traversal is on by default on the Juniper vMX.
Regards
Syed
Re: IPsec VPN on Juniper vMX not working .
What's the command to disable NAT-T on the vMX? But don't you think it will cause issues later, as this device is behind NAT?
Re: IPsec VPN on Juniper vMX not working .
Disable NAT Traversal:
set services ipsec-vpn disable-natt
Re: IPsec VPN on Juniper vMX not working .
Thanks again, I will try and share the results.
Re: IPsec VPN on Juniper vMX not working .
NAT-T is officially supported from 17.4 on the MX platform. I need to check whether it's the same case with vMX as well, but for now, can you try disabling NAT-T and check if it works?
You can refer to the link below.
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/services-ipsec-nat-t-dis...
HTH
Re: IPsec VPN on Juniper vMX not working .
Thanks Again and will share the output.
Re: IPsec VPN on Juniper vMX not working .
I have disabled NAT Traversal on the Juniper vMX but still have the same issue.
root@Juniper-vMX-Wanclouds> show configuration | display set | grep nat
set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24
set services ipsec-vpn disable-natt
root@Juniper-vMX-Wanclouds> ping 108.1.115.92 routing-instance DATAPLANE-VMX-VPN-WANCLOUDS interface ?
Possible completions:
<interface> Source interface (multicast, all-ones, unrouted packets)
root@Juniper-vMX-Wanclouds> ping 108.1.115.92 routing-instance DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0
PING 108.1.115.92 (108.1.115.92): 56 data bytes
64 bytes from 108.1.115.92: icmp_seq=0 ttl=40 time=193.308 ms
64 bytes from 108.1.115.92: icmp_seq=1 ttl=40 time=192.126 ms
64 bytes from 108.1.115.92: icmp_seq=2 ttl=40 time=189.996 ms
64 bytes from 108.1.115.92: icmp_seq=3 ttl=40 time=189.118 ms
64 bytes from 108.1.115.92: icmp_seq=4 ttl=40 time=189.470 ms
^C
--- 108.1.115.92 ping statistics ---
6 packets transmitted, 5 packets received, 16% packet loss
round-trip min/avg/max/stddev = 189.118/190.804/193.308/1.631 ms
root@Juniper-vMX-Wanclouds> show configuration | display set
set version 17.2R1.13
set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24
set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24
set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24
set groups global interfaces si-0/0/0 unit 0
set groups global interfaces si-0/0/0 unit 1 family inet
set groups global interfaces si-0/0/0 unit 1 service-domain inside
set groups global interfaces si-0/0/0 unit 2 family inet
set groups global interfaces si-0/0/0 unit 2 service-domain outside
set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1
set groups global routing-options static route 0.0.0.0/0 retain
set groups global routing-options static route 0.0.0.0/0 no-readvertise
set apply-groups global
set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"
set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1
set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway routing-instance DATAPLANE-VMX-VPN-WANCLOUDS
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA
set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24
set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24
set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.115.92
set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ike-policy IKE-Policy-Vyatta
set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ipsec-policy IPSec-Policy-Vyatta
set services ipsec-vpn rule IPSec-VYATTA term 1 then initiate-dead-peer-detection
set services ipsec-vpn rule IPSec-VYATTA match-direction input
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta protocol esp
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta perfect-forward-secrecy keys group5
set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta proposals IPSEC-Proposal-Vyatta
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta dh-group group5
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-algorithm md5
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta encryption-algorithm 3des-cbc
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta lifetime-seconds 86400
set services ipsec-vpn ike policy IKE-Policy-Vyatta proposals IKE-Proposal-Vyatta
set services ipsec-vpn ike policy IKE-Policy-Vyatta pre-shared-key ascii-text "$9$EVryrvdVYoZjlKYo"
set services ipsec-vpn establish-tunnels immediately
set services ipsec-vpn disable-natt
set routing-options static route 192.168.100.0/24 next-hop si-0/0/0.1
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS instance-type virtual-router
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 192.168.100.0/24 next-hop 108.1.115.92
root@Juniper-vMX-Wanclouds>
root@Juniper-vMX-Wanclouds> monitor traffic interface ge-0/0/0 matching udp
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/0, capture size 96 bytes
Reverse lookup for 10.0.10.12 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
22:37:27.258324 In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
22:37:27.266412 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]
22:38:06.285971 In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
22:38:06.291761 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]
22:38:46.316629 In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
22:38:46.322870 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]
22:39:27.074786 In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
22:39:27.081587 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]
22:40:06.369408 In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
22:40:06.376011 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]
22:40:16.572681 In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
22:40:16.577964 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]
22:40:36.395870 In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
22:40:36.402259 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]
22:41:16.426245 In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
22:41:16.435971 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]
22:41:56.454951 In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
22:41:56.462379 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]
^C
98 packets received by filter
0 packets dropped by kernel
set vpn ipsec esp-group ESP-1H compression 'disable'
set vpn ipsec esp-group ESP-1H lifetime '27000'
set vpn ipsec esp-group ESP-1H mode 'tunnel'
set vpn ipsec esp-group ESP-1H pfs 'dh-group5'
set vpn ipsec esp-group ESP-1H proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1H proposal 1 hash 'md5'
set vpn ipsec ike-group IKE-1H lifetime '28800'
set vpn ipsec ike-group IKE-1H proposal 1 dh-group '5'
set vpn ipsec ike-group IKE-1H proposal 1 encryption '3des'
set vpn ipsec ipsec-interfaces interface 'bond1'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 35.162.145.118 authentication id '108.1.115.92'
set vpn ipsec site-to-site peer 35.162.145.118 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 35.162.145.118 authentication pre-shared-secret 'cisco1000'
set vpn ipsec site-to-site peer 35.162.145.118 authentication remote-id '35.162.145.118'
set vpn ipsec site-to-site peer 35.162.145.118 connection-type 'initiate'
set vpn ipsec site-to-site peer 35.162.145.118 default-esp-group 'ESP-1H'
set vpn ipsec site-to-site peer 35.162.145.118 ike-group 'IKE-1H'
set vpn ipsec site-to-site peer 35.162.145.118 local-address '108.1.115.92'
set vpn ipsec site-to-site peer 35.162.145.118 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 35.162.145.118 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 35.162.145.118 tunnel 0 local prefix '192.168.100.0/24'
set vpn ipsec site-to-site peer 35.162.145.118 tunnel 0 remote prefix '10.0.20.0/24'
vyatta@gw-melbourne1-02-06-2016:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
35.162.145.118 108.1.115.92
State Encrypt Hash D-H Grp NAT-T A-Time L-Time
----- ------- ---- ------- ----- ------ ------
init n/a n/a n/a no 0 28800
vyatta@gw-melbourne1-02-06-2016:~$
vyatta@gw-melbourne1-02-06-2016:~$
vyatta@gw-melbourne1-02-06-2016:~$ show vpn ipsec sa
Peer ID / IP Local ID / IP
------------ -------------
35.162.145.118 108.1.115.92
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
0 down n/a n/a n/a no 0 27000 all
Regards
Syed
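The thread leaves the cause open, so here is an added example (not from the thread, and not Juniper or Vyatta code) of how to read the capture above with a script instead of by eye. It parses the `monitor traffic` lines into (direction, phase, role, exchange) tuples and classifies the IKEv1 handshake: the peer keeps sending the first Main Mode message (`phase 1 I ident`) and the vMX only ever answers with an Informational (`R inf`, a Notify), never with a phase 1 responder message, so the packets are arriving and the responder is declining the exchange rather than losing it. The second half diffs the IKE and ESP parameters transcribed from the two quoted configs after normalising the vendor spellings. The sample capture lines are copied from the post (two of the repeats kept); the parameter dicts are transcribed from the quoted `set` lines; the normalisation table and the verdict labels are this example's own assumptions.

```python
import re
from collections import Counter

# Sample input: the line format of the Junos "monitor traffic interface
# ge-0/0/0 matching udp" output quoted in the post, with two of the repeats kept.
SAMPLE_CAPTURE = """\
22:37:27.258324 In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
22:37:27.266412 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]
22:38:06.285971 In IP 108.1.115.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
22:38:06.291761 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.115.92.isakmp: isakmp: phase 2/others R inf: [|n]
"""

# One tcpdump-style ISAKMP line: timestamp, direction, an optional truncation
# warning, source > destination (UDP/500 is printed as "isakmp"), then
# "phase 1" (Main/Aggressive Mode) or "phase 2/others", the I/R role and the
# exchange type ("ident", "inf", ...).
ISAKMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<dir>In|Out)\s+IP\s+.*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.isakmp\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\.isakmp:\s+"
    r"isakmp:\s+phase\s+(?P<phase>1|2/others)\s+(?P<role>I|R)\s+(?P<exch>\w+):"
)


def parse_isakmp(capture):
    """Return one dict per ISAKMP line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(ISAKMP_RE.match, capture.splitlines()) if m]


def summarize(events):
    """Count packets by (direction, phase, role, exchange type)."""
    return Counter((e["dir"], e["phase"], e["role"], e["exch"]) for e in events)


def diagnose(events):
    """Classify what the capture shows about the IKEv1 handshake (labels are
    this example's own).

    'phase1-rejected-locally': the peer keeps sending the first Main Mode
    message (phase 1, initiator, 'ident') and this box never answers with a
    phase 1 responder message, only Informational ('inf') packets, which is
    how a responder declines a proposal or identity it will not accept.  The
    packets are clearly arriving, so transport is not what blocks it here.
    """
    c = summarize(events)
    inbound_p1 = sum(n for (d, p, r, _x), n in c.items() if d == "In" and p == "1" and r == "I")
    our_p1_reply = sum(n for (d, p, _r, _x), n in c.items() if d == "Out" and p == "1")
    our_inf = sum(n for (d, _p, _r, x), n in c.items() if d == "Out" and x == "inf")
    if inbound_p1 == 0:
        return "no-ike-seen"
    if our_p1_reply > 0:
        return "phase1-in-progress"
    if our_inf > 0:
        return "phase1-rejected-locally"
    return "phase1-unanswered"


# Parameters transcribed from the two configs quoted in the post, keyed by a
# vendor-neutral field name.  Fields absent from the quoted config are left
# out on purpose: the platform default applies there and must be checked.
JUNOS_IKE = {"encryption": "3des-cbc", "hash": "md5", "dh": "group5", "lifetime": "86400"}
VYATTA_IKE = {"encryption": "3des", "dh": "5", "lifetime": "28800"}  # no 'hash' line quoted
JUNOS_ESP = {"encryption": "3des-cbc", "hash": "hmac-md5-96", "pfs": "group5"}  # no lifetime quoted
VYATTA_ESP = {"encryption": "3des", "hash": "md5", "pfs": "dh-group5", "lifetime": "27000"}

# Assumed spelling differences between the two CLIs.  Order matters: "group"
# is stripped before "dh-" so that "dh-group5" ends up as "5".
NORMALISE = [("-cbc", ""), ("hmac-", ""), ("-96", ""), ("group", ""), ("dh-", "")]


def norm(value):
    """Reduce a vendor spelling ('3des-cbc', 'hmac-md5-96', 'dh-group5') to a
    common form ('3des', 'md5', '5')."""
    v = value.lower()
    for old, new in NORMALISE:
        v = v.replace(old, new)
    return v


def compare_proposals(a, b):
    """Return {field: (a_value, b_value)} for every field that differs after
    normalisation or is set on only one side (None marks the missing side)."""
    diffs = {}
    for field in sorted(set(a) | set(b)):
        va = norm(a[field]) if field in a else None
        vb = norm(b[field]) if field in b else None
        if va != vb:
            diffs[field] = (va, vb)
    return diffs


if __name__ == "__main__":
    events = parse_isakmp(SAMPLE_CAPTURE)
    print(summarize(events))
    print("verdict:", diagnose(events))
    print("IKE differences:", compare_proposals(JUNOS_IKE, VYATTA_IKE))
    print("ESP differences:", compare_proposals(JUNOS_ESP, VYATTA_ESP))
```

On the quoted configs the IKE diff reports two things: the Vyatta `IKE-1H` group sets no `hash`, so its platform default is what gets proposed and it has to be checked against the `md5` the vMX expects, and the phase 1 lifetimes differ (86400 vs 28800), which IKEv1 peers frequently tolerate but is worth aligning so it can be ruled out. The ESP diff only shows the lifetime set on one side. The capture was taken with the default 96-byte snap length, which is why every outbound packet is reported as truncated; a larger capture size would expose the Notify type inside the Informational and say directly why the vMX is declining.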