IPsec VPN on Juniper vMX not working .

fsyed · ‎01-10-2018

Issue:

======

IPsec VPN b/w Juniper vMX and Vyatta 5400 not working .

Topology:

========

192.168.100.1/24------Vyatta---------------Cloud--------------AWS ------Juniper vMX---10.0.20.0/24

Corcerns or Problems:

==================

1. since the deployment is in AWS VPC the Public or Revenue interface is not in default Routing instance so both Public ge-0/0/0 and ge0/0/1 are in Routing instance named DATAPLANE-VMX-VPN-WANCLOUDS.And if my understanding is correct both si-0/0/0.1 and si-0/0/0.1 should be part of routing instance DATAPLANE-VMX-VPN-WANCLOUDS but on configuring getting this error.

root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.1

[edit]

root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2

[edit]

root@Juniper-vMX-Wanclouds# commit check

[edit services service-set IPSEC-SITE-TO-SITE]

'ipsec-vpn-options'

The service interface si-0/0/0.2 must be configured under default routing-instance

2. How to enable NAT Traversal for IPsec vpn on vMX as the VMx is deployed behind Internet Gateway 1:1 Nat.But as per my undersatnding its enable by default.

Configuration:

Vyatta5400:

----------------

vyatta:~$ show configuration commands | grep vpn

set vpn ipsec esp-group ESP-1H compression 'disable'

set vpn ipsec esp-group ESP-1H lifetime '27000'

set vpn ipsec esp-group ESP-1H mode 'tunnel'

set vpn ipsec esp-group ESP-1H pfs 'dh-group5'

set vpn ipsec esp-group ESP-1H proposal 1 encryption '3des'

set vpn ipsec esp-group ESP-1H proposal 1 hash 'md5'

set vpn ipsec ike-group IKE-1H lifetime '28800'

set vpn ipsec ike-group IKE-1H proposal 1 dh-group '5'

set vpn ipsec ike-group IKE-1H proposal 1 encryption '3des'

set vpn ipsec ipsec-interfaces interface 'bond1'

set vpn ipsec nat-traversal 'enable'

set vpn ipsec site-to-site peer 34.210.108.160 authentication id '108.1.114.92'

set vpn ipsec site-to-site peer 34.210.108.160 authentication mode 'pre-shared-secret'

set vpn ipsec site-to-site peer 34.210.108.160 authentication pre-shared-secret 'cisco1000'

set vpn ipsec site-to-site peer 34.210.108.160 authentication remote-id '34.210.108.160'

set vpn ipsec site-to-site peer 34.210.108.160 connection-type 'initiate'

set vpn ipsec site-to-site peer 34.210.108.160 default-esp-group 'ESP-1H'

set vpn ipsec site-to-site peer 34.210.108.160 ike-group 'IKE-1H'

set vpn ipsec site-to-site peer 34.210.108.160 local-address '108.1.114.92'

set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 allow-nat-networks 'disable'

set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 allow-public-networks 'disable'

set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 local prefix '192.168.100.0/24'

set vpn ipsec site-to-site peer 34.210.108.160 tunnel 0 remote prefix '10.0.20.0/24'

Juniper-VMX:

-----------------

set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24

set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24

set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24

set groups global interfaces si-0/0/0 unit 0

set groups global interfaces si-0/0/0 unit 1 family inet

set groups global interfaces si-0/0/0 unit 1 service-domain inside

set groups global interfaces si-0/0/0 unit 2 family inet

set groups global interfaces si-0/0/0 unit 2 service-domain outside

set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1

set groups global routing-options static route 0.0.0.0/0 retain

set groups global routing-options static route 0.0.0.0/0 no-readvertise

set apply-groups global

IPsec Configuration

set groups global interfaces si-0/0/0 unit 0

set groups global interfaces si-0/0/0 unit 1 family inet

set groups global interfaces si-0/0/0 unit 1 service-domain inside

set groups global interfaces si-0/0/0 unit 2 family inet

set groups global interfaces si-0/0/0 unit 2 service-domain outside

set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1

set groups global routing-options static route 0.0.0.0/0 retain

set groups global routing-options static route 0.0.0.0/0 no-readvertise

set apply-groups global

set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"

set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1

set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2

set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12

set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA

set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24

set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24

set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.114.92

set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ike-policy IKE-Policy-Vyatta

set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ipsec-policy IPSec-Policy-Vyatta

set services ipsec-vpn rule IPSec-VYATTA term 1 then initiate-dead-peer-detection

set services ipsec-vpn rule IPSec-VYATTA match-direction input

set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta protocol esp

set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta authentication-algorithm hmac-md5-96

set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta encryption-algorithm 3des-cbc

set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta perfect-forward-secrecy keys group5

set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta proposals IPSEC-Proposal-Vyatta

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-method pre-shared-keys

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta dh-group group5

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-algorithm md5

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta encryption-algorithm 3des-cbc

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta lifetime-seconds 86400

set services ipsec-vpn ike policy IKE-Policy-Vyatta proposals IKE-Proposal-Vyatta

set services ipsec-vpn ike policy IKE-Policy-Vyatta pre-shared-key ascii-text "$9$EVryrvdVYoZjlKYo"

set services ipsec-vpn establish-tunnels immediately

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS instance-type virtual-router

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/1.0

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1

root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.1

[edit]

root@Juniper-vMX-Wanclouds# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2

[edit]

root@Juniper-vMX-Wanclouds# commit check

[edit services service-set IPSEC-SITE-TO-SITE]

'ipsec-vpn-options'

The service interface si-0/0/0.2 must be configured under default routing-instance

error: configuration check-out failed

ISAKMP packet coming from Vyatta Device.

root@Juniper-vMX-Wanclouds> monitor traffic interface ge-0/0/0 matching udp

verbose output suppressed, use <detail> or <extensive> for full protocol decode

Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.

Address resolution timeout is 4s.

Listening on ge-0/0/0, capture size 96 bytes

Reverse lookup for 10.0.10.12 failed (check DNS reachability).

Other reverse lookup failures will not be reported.

Use <no-resolve> to avoid reverse lookups on IP addresses.

00:54:34.986840 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:54:44.427606 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:54:44.624821 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:54:54.602837 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:55:14.927376 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

Kingsman · ‎01-10-2018

Hi,

Your config doesn’t seem to be correct.
You have both inside and outside interface in same routing-instance DATAPLANE-VMX-VPN-WANCLOUDS.

Your local gateway and outside service interface should be either in global routing-instance or in another routing-instance.

I will correct the config and share if needed

Kingsman · ‎01-10-2018

Here’s the config for your reference.

Topology:

R1----------------------------R2

R1 config:

[edit]
root@R1_re# run show services ipsec-vpn ike sa
Remote Address State Initiator cookie Responder cookie Exchange type
10.1.12.2 Matured 846c851af53cecfd 221279f553a29262 Main

[edit]
root@R1_re#

[edit]
root@R1_re# run show services ipsec-vpn ipsec sa
Service set: test, IKE Routing-instance: outside

Rule: test-vpn, Term: 1, Tunnel index: 1
Local gateway: 10.1.12.1, Remote gateway: 10.1.12.2
IPSec inside interface: si-0/0/0.1, Tunnel MTU: 1500
UDP encapsulate: Disabled, UDP Destination port: 0
NATT Detection: Not Detected, NATT keepalive interval: 0
Direction SPI AUX-SPI Mode Type Protocol
inbound 4044436681 0 tunnel dynamic ESP
outbound 1708770906 0 tunnel dynamic ESP

[edit]
root@R1_re#

[edit]
root@R1_re# show services | display set
set services rpm probe A test PING-A-1 probe-type icmp-ping
set services rpm probe A test PING-A-1 target address 10.1.12.2
set services rpm probe A test PING-A-1 test-interval 3
set services rpm probe A test PING-A-1 thresholds successive-loss 3
set services service-set test next-hop-service inside-service-interface si-0/0/0.1
set services service-set test next-hop-service outside-service-interface si-0/0/0.2
set services service-set test ipsec-vpn-options local-gateway 10.1.12.1
set services service-set test ipsec-vpn-options local-gateway routing-instance outside
set services service-set test ipsec-vpn-rules test-vpn
set services ipsec-vpn rule test-vpn term 1 from source-address 192.168.0.0/24
set services ipsec-vpn rule test-vpn term 1 from destination-address 172.16.0.0/24
set services ipsec-vpn rule test-vpn term 1 then remote-gateway 10.1.12.2
set services ipsec-vpn rule test-vpn term 1 then dynamic ike-policy ike-policy
set services ipsec-vpn rule test-vpn term 1 then dynamic ipsec-policy ipsec-policy
set services ipsec-vpn rule test-vpn match-direction input
set services ipsec-vpn ipsec proposal ipsec-proposal authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal ipsec-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy ipsec-policy proposals ipsec-proposal
set services ipsec-vpn ike proposal ike-proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike-proposal dh-group group5
set services ipsec-vpn ike proposal ike-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ike proposal ike-proposal lifetime-seconds 500
set services ipsec-vpn ike policy ike-policy proposals ike-proposal
set services ipsec-vpn ike policy ike-policy pre-shared-key ascii-text "$9$Tz/Cp0BESru07-bs4o/CAtIEM8X"
set services ipsec-vpn establish-tunnels immediately

[edit]
root@R1_re#

root@R1_re# show routing-instances | display set
set routing-instances inside instance-type virtual-router
set routing-instances inside interface si-0/0/0.1
set routing-instances inside interface ge-0/0/2.0
set routing-instances inside routing-options static route 172.16.0.0/24 next-hop si-0/0/0.1
set routing-instances inside routing-options static route 192.168.0.0/24 next-hop 10.1.14.4
set routing-instances outside instance-type virtual-router
set routing-instances outside interface si-0/0/0.2
set routing-instances outside interface ge-0/0/1.0
set routing-instances outside routing-options static route 172.16.0.0/24 next-hop 10.1.12.2

[edit]
[edit]
root@R1_re# show interfaces
si-0/0/0 {
unit 1 {
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.1.12.1/24;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 10.1.14.1/24;
}
}
}

R2: Config

[edit]
root@R2_re# show services | display set
set services service-set test next-hop-service inside-service-interface si-0/0/0.1
set services service-set test next-hop-service outside-service-interface si-0/0/0.2
set services service-set test ipsec-vpn-options local-gateway 10.1.12.2
set services service-set test ipsec-vpn-options local-gateway routing-instance outside
set services service-set test ipsec-vpn-rules test-vpn
set services ipsec-vpn rule test-vpn term 1 from source-address 172.16.0.0/24
set services ipsec-vpn rule test-vpn term 1 from destination-address 192.168.0.0/24
set services ipsec-vpn rule test-vpn term 1 then remote-gateway 10.1.12.1
set services ipsec-vpn rule test-vpn term 1 then dynamic ike-policy ike-policy
set services ipsec-vpn rule test-vpn term 1 then dynamic ipsec-policy ipsec-policy
set services ipsec-vpn rule test-vpn match-direction input
set services ipsec-vpn ipsec proposal ipsec-proposal authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal ipsec-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy ipsec-policy proposals ipsec-proposal
set services ipsec-vpn ike proposal ike-proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike-proposal dh-group group5
set services ipsec-vpn ike proposal ike-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ike proposal ike-proposal lifetime-seconds 500
set services ipsec-vpn ike policy ike-policy proposals ike-proposal
set services ipsec-vpn ike policy ike-policy pre-shared-key ascii-text "$9$Tz/Cp0BESru07-bs4o/CAtIEM8X"
set services ipsec-vpn establish-tunnels immediately

[edit]
root@R2_re#

[edit]
root@R2_re# show routing-instances | display set
set routing-instances inside instance-type virtual-router
set routing-instances inside interface si-0/0/0.1
set routing-instances inside interface ge-0/0/2.0
set routing-instances inside routing-options static route 192.168.0.0/24 next-hop si-0/0/0.1
set routing-instances inside routing-options static route 172.16.0.0/24 next-hop 10.1.23.3
set routing-instances outside instance-type virtual-router
set routing-instances outside interface si-0/0/0.2
set routing-instances outside interface ge-0/0/1.0
set routing-instances outside routing-options static route 192.168.0.0/24 next-hop 10.1.12.1

[edit]
root@R2_re#
[edit]
root@R2_re# show interfaces
si-0/0/0 {
unit 1 {
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.1.12.2/24;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 10.1.23.2/24;
}
}
}

[edit]
root@R2_re# run show services ipsec-vpn ike sa
Remote Address State Initiator cookie Responder cookie Exchange type
10.1.12.1 Matured 846c851af53cecfd 221279f553a29262 Main

[edit]
root@R2_re# run show services ipsec-vpn ipsec sa
Service set: test, IKE Routing-instance: outside

Rule: test-vpn, Term: 1, Tunnel index: 1
Local gateway: 10.1.12.2, Remote gateway: 10.1.12.1
IPSec inside interface: si-0/0/0.1, Tunnel MTU: 1500
UDP encapsulate: Disabled, UDP Destination port: 0
NATT Detection: Not Detected, NATT keepalive interval: 0
Direction SPI AUX-SPI Mode Type Protocol
inbound 1708770906 0 tunnel dynamic ESP
outbound 4044436681 0 tunnel dynamic ESP

[edit]
root@R2_re#

HTH

Kingsman · ‎01-10-2018

You can also do it without “outside routing-instance” as well. just keep your local gateway and outside service interface in global table and remove the routing-instance statement from below command.

set services service-set test ipsec-vpn-options local-gateway 155.1.12.2
set services service-set test ipsec-vpn-options local-gateway routing-instance outside

fsyed · ‎01-10-2018

Thanks a lot for looking inot it and providing the working configs .Will try to move the inside interface to global routing table and update you .The reason i am using the Routing Instance as i have one public elastic ip and if i attach to fxp management interface then i cannot create ipsec vpn .The only possible option is to move the gig interface from default routing instance .

Kingsman · ‎01-10-2018

I believe, it was the outside (WAN) interface which is used as a local-gateway for the IPsec-tunnel.

fsyed · ‎01-11-2018

Thanks again but i have some doubts and would like to clear before changing the configuration attaching the Topology just to give some background and then would like to understand if i am missing something or my approach is not correct.

Goal :

======

Device connected behind Vyatta 5400 can access the File and DB servers connected to VMX on ge-0/0/1 and ge-0/0/2.

Corncerns:

=========

1.This deployment is in AWS VPC and using Elastic IP which is public and if i attach the eleastic IP to FXP0 then i cannot create IPSec as its Mgmt interface and if i attach this Elastic IP to Revenue or Ge-0/0/0 interface then i cannot access the vMX or device as its in same Routing table that is global routing instance.So i decieded to create a Routing instance "DATAPLANE-VMX-VPN-WANCLOUDS" and move both my ge-0/0/0 interface which is basically public interface and ge-0/0/1 and ge-0/0/2 interafce where the internal File and DB server is connected and i am able to ping from ge-0/0/0 public to vyatta 5400 wan interface.

2.Now i configured the IPSec vpn b/w ge-0/0/0 of vMX and Vyatta5400 device but for that i need to create si

si-0/0/0.1 inside-interface , si-0/0/0.2 outside interface and here i am confused meaning these interface are some how tied to ge-0/0/0 and ge-0/0/1 ? or si-0/0/0.2 outside interface and ge-0/0/0 wan public interface will remain in Routing instance "DATAPLANE-VMX-VPN-WANCLOUDS" and i have to move the si-0/0/0.1 inside-interface and ge-0/0/1 and ge-0/0/2 interfaces ( where internal servers are connected) should be moved to global or default Routing-instance or only si-0/0/0.1 inside-interface should be moved from this "DATAPLANE-VMX-VPN-WANCLOUDS" routing instance.

Regards

Syed.

fsyed · ‎01-11-2018

The reason i brought the earlier discussion that i have tested the similar setup with vSRX Firewall IPsec VPN and all the interfaces was part of same Routing-Instance DATAPLANE-VPN-WANCLOUDS including st virtual interface. The only difference was zones Trust and Untrust . Wan interface ge-0/0/0 and st0.0 were part of Untrust Zone and ge-0/0/1 Trust zone.

set routing-instances DATAPLANE-VPN-WANCLOUDS instance-type virtual-router

set routing-instances DATAPLANE-VPN-WANCLOUDS interface ge-0/0/0.0

set routing-instances DATAPLANE-VPN-WANCLOUDS interface ge-0/0/1.0

set routing-instances DATAPLANE-VPN-WANCLOUDS interface st0.0

Kingsman · ‎01-12-2018

Ok.. So you can configure IPsec VPN in 3 ways in this case.

First:

Put Outside interface ( ge-0/0/0 and si-0/0/0.2) in one routing-instance and Inside interface (ge-0/0/1, ge-0/0/2 & si-0/0/0.1 ) in once routing instance.
This config I already shared.

Second:

Keep your (outside interface) ge-0/0/0 and si-0/0/0.2 in DATAPLANE-VMX-VPN-WANCLOUDS and Inside interface (ge-0/0/1, ge-0/0/2 & si-0/0/0.1) in global table.

You need to add a static route in the global table for the traffic destined to Device connected behind Vyatta as below.

Set routing-option static route next-hop si-0/0/0.1

Also, make sure you have a route for the destination in DATAPLANE-VMX-VPN-WANCLOUDS routing-instance pointing towards Vyatta.

Topology:
10.1.12.0/24
R1-(.1)--------------------------------------------------------------------(.2)-R2

root@R1_re# show services service-set test
next-hop-service {
inside-service-interface si-0/0/0.1;
outside-service-interface si-0/0/0.2;
}
ipsec-vpn-options {
local-gateway 10.1.12.1 routing-instance DATAPLANE-VMX-VPN-WANCLOUDS;
}
ipsec-vpn-rules test-vpn;

[edit]
root@R1_re#

root@R1_re# show routing-options
static {
route 172.16.0.0/24 next-hop si-0/0/0.1;
route 192.168.0.0/24 next-hop 10.1.14.4;
}
router-id 11.11.11.11;
autonomous-system 100;

[edit]
root@R1_re# show routing-instances DATAPLANE-VMX-VPN-WANCLOUDS
instance-type virtual-router;
interface si-0/0/0.2;
interface ge-0/0/1.0;
routing-options {
static {
route 172.16.0.0/24 next-hop 10.1.12.2;
}
}

[edit]
root@R1_re#

ipsec-vpn {
rule test-vpn {
term 1 {
from {
source-address {
192.168.0.0/24;
}
destination-address {
172.16.0.0/24;
}
}
then {
remote-gateway 10.1.12.2;
dynamic {
ike-policy ike-policy;
ipsec-policy ipsec-policy;
}
}
}
match-direction input;
}

Third Option:

Keep all the interface in DATAPLANE-VMX-VPN-WANCLOUDS as your original configuration.

And make below changes.

Add routing-instance knob with local-gateway as below. (this was missing in your config)

ipsec-vpn-options {
local-gateway 10.1.12.1 routing-instance DATAPLANE-VMX-VPN-WANCLOUDS

Make sure you have all the routing correctly in place so that traffic destined to subnet (behind Vaytta) goes to si-0/0/0.1 interface first for the IPsec encapsulation and then go gout via ge-0/0/0 as per your topology.

I have to put a specific route for the destination subnet to make it work.

[edit]
root@R1_re# show routing-instances DATAPLANE-VMX-VPN-WANCLOUDS
instance-type virtual-router;
interface si-0/0/0.1;
interface si-0/0/0.2;
interface ge-0/0/1.0;
interface ge-0/0/2.0;
routing-options {
static {
route 172.16.0.0/24 next-hop [ 155.1.12.2 si-0/0/0.1 ];
route 192.168.0.0/24 next-hop 155.1.14.4;
}
}

[edit]
root@R1_re# set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 172.16.0.100/32 next-hop si-0/0/0.1

[edit]
root@R1_re# commit
commit complete

Let me know if you still have any question.

HTH.

Kingsman · ‎01-18-2018

Hi,

Did it work for you?

fsyed · ‎01-30-2018

Hi Kingsman,

I have tried with the sugested confguration but still its not working.

1. Routing-Instance DATAPLANE-VMX-VPN-WANCLOUDS

i. ge-0/0/0 and si-0/0/0.2

2. Global Routing-Instance:

i. ge-0/0/1 and si-0/0/0.2

ii. set routing-options static route 192.168.100.0/24 next-hop si-0/0/0.1 ( where 192.168.100.1 is connected to Vyatta)

vMX:

====

set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24

set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24

set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24

set groups global interfaces si-0/0/0 unit 0

set groups global interfaces si-0/0/0 unit 1 family inet

set groups global interfaces si-0/0/0 unit 1 service-domain inside

set groups global interfaces si-0/0/0 unit 2 family inet

set groups global interfaces si-0/0/0 unit 2 service-domain outside

set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1

set groups global routing-options static route 0.0.0.0/0 retain

set groups global routing-options static route 0.0.0.0/0 no-readvertise

set apply-groups global

set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"

set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1

set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2

set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12

set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway routing-instance DATAPLANE-VMX-VPN-WANCLOUDS

set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA

set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24

set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24

set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.115.92