It is still not working, and I have tried all the options. I am including the output from the device and the debug from the vMX in the attachment. The debug still complains that the si interface is down, but the interface output (`show interfaces terse | match si`) says it is up, so I think there is some issue with the vMX.
root@Juniper-vMX-Wanclouds> show interfaces terse | match si
esi up up
lsi up up
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ikev2_fb_isakmp_select_sa: Taking reference to fallback negotiation 8d16400 (now 2 references)
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ssh_set_thread_debug_info: ikev2_fb_isakmp_select_sa: set thread debug info - local 0xc0a000a remote 0x5c7201a8neg 0x8d16400 neg->ike_sa 0x8cad200 ike_sa 0x0
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ike_state_step: Input function[1] = ike_st_i_sa_proposal asked retry later
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ike_process_packet: No output packet, returning
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ikev2_fb_st_select_ike_sa: FB; Calling v2 policy function select_ike_sa
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] In kmd_pm_spd_select_ike_sa: Enter SA 8cad200 ED 8e25028
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] Looking up IKE gateway for server: 10.0.10.12 and routing instance id: 8
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] instance: IPSEC-SITE-TO-SITE found for server: 10.0.10.12 in routing instance id: 8
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] Instance: IPSEC-SITE-TO-SITE is down as service interface: si-0/0/0.2 is not up, Lookup failed.
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] No instance available to serve this request
Mar 3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error Invalid argument (neg 8d16400)
root@Juniper-vMX-Wanclouds> show configuration | display set
set version 17.2R1.13
set groups global system host-name Juniper-vMX-Wanclouds
set groups global system login user jnpr uid 2000
set groups global system login user jnpr class super-user
set groups global system login user jnpr authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxHi+V3riqQj4QPAksAAs2ATrbJlUCyPzWEZtBtQS5pdjm6xa9xXVYcyxwEu3CmmyMDAf4xt6thJvvNZbFZRoo9k0W4cTn4BiqeBBhjfaPeowkErpNugCyJZMkmId/sdLuZ/TrcGV0ZFI8l8ojAZFt8Q/bh0vMBgbs2nfA/oVRk8RWh5fIVadC0ocjhKahO6QkZmlDQLKssWDHUBJSqjutCVTJlkvWfq3ieISxlGavYEcx99vycbyMExcOsl2kNetxNcd6hHNCJjsRaRJQd3TGzjsFYw8/nRwa1TacUts4Y7ni1QvObOdcGu4Hla8roGqAFr6vrPrZqs/I2ehTr4WT ix_vMX_key_pair_Jan7_Khalid"
set groups global system services ssh
set groups global system syslog user * any emergency
set groups global system syslog file messages any notice
set groups global system syslog file messages authorization info
set groups global system syslog file interactive-commands interactive-commands any
set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24
set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24
set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24
set groups global interfaces si-0/0/0 unit 0
set groups global interfaces si-0/0/0 unit 1 family inet
set groups global interfaces si-0/0/0 unit 1 service-domain inside
set groups global interfaces si-0/0/0 unit 2 family inet
set groups global interfaces si-0/0/0 unit 2 service-domain outside
set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1
set groups global routing-options static route 0.0.0.0/0 retain
set groups global routing-options static route 0.0.0.0/0 no-readvertise
set apply-groups global
set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"
set chassis fpc 0 pic 0 tunnel-services bandwidth 1g
set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1
set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway routing-instance DATAPLANE-VMX-VPN-WANCLOUDS
set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA
set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24
set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24
set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.114.92
set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ike-policy IKE-Policy-Vyatta
set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ipsec-policy IPSec-Policy-Vyatta
set services ipsec-vpn rule IPSec-VYATTA term 1 then initiate-dead-peer-detection
set services ipsec-vpn rule IPSec-VYATTA match-direction input
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta protocol esp
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta perfect-forward-secrecy keys group5
set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta proposals IPSEC-Proposal-Vyatta
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta dh-group group5
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-algorithm md5
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta encryption-algorithm 3des-cbc
set services ipsec-vpn ike proposal IKE-Proposal-Vyatta lifetime-seconds 86400
set services ipsec-vpn ike policy IKE-Policy-Vyatta proposals IKE-Proposal-Vyatta
set services ipsec-vpn ike policy IKE-Policy-Vyatta pre-shared-key ascii-text "$9$EVryrvdVYoZjlKYo"
set services ipsec-vpn traceoptions file VmxIPSECCommunity
set services ipsec-vpn traceoptions file size 10m
set services ipsec-vpn traceoptions file files 2
set services ipsec-vpn traceoptions level all
set services ipsec-vpn traceoptions flag all
set services ipsec-vpn establish-tunnels immediately
set services ipsec-vpn disable-natt
set routing-options static route 192.168.100.0/24 next-hop si-0/0/0.1
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS instance-type virtual-router
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 192.168.100.0/24 next-hop 108.1.114.92
root@Juniper-vMX-Wanclouds> show services ipsec-vpn ipsec security-associations
Service set: IPSEC-SITE-TO-SITE, IKE Routing-instance: DATAPLANE-VMX-VPN-WANCLOUDS
Rule: IPSec-VYATTA, Term: 1, Tunnel index: 1
Local gateway: 10.0.10.12, Remote gateway: 108.1.114.92
IPSec inside interface: si-0/0/0.1, Tunnel MTU: 1500
UDP encapsulate: Disabled, UDP Destination port: 0
--- No IPSec SA information available ---
root@Juniper-vMX-Wanclouds> show interfaces terse | match si
esi up up
lsi up up
root@Juniper-vMX-Wanclouds> show chassis hardware detail
Hardware inventory:
Item Version Part number Serial number Description
Chassis VM5A5406B749 VMX
Midplane
Routing Engine 0 RE-VMX
vtbd0 0 MB Hard Disk
CB 0 VMX SCB
CB 1 VMX SCB
FPC 0 Virtual FPC
CPU Rev. 1.0 RIOT BUILTIN
MIC 0 Virtual
PIC 0 BUILTIN BUILTIN Virtual
root@Juniper-vMX-Wanclouds> show services ipsec-vpn ike security-associations
root@Juniper-vMX-Wanclouds> monitor traffic interface ge-0/0/0 matching udp
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/0, capture size 96 bytes
Reverse lookup for 10.0.10.12 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
00:54:04.606186 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
00:54:04.707330 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
00:54:44.094174 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
00:54:44.200468 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
00:55:24.234474 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
00:55:24.328674 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
00:56:04.807564 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
00:56:04.908874 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
00:56:44.502941 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
00:56:44.602296 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
00:57:24.887299 In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]
00:57:25.005052 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]
^C
92 packets received by filter
0 packets dropped by kernel
root@Juniper-vMX-Wanclouds> show interfaces terse | grep ge
ge-0/0/0 up up
ge-0/0/0.0 up up inet 10.0.10.12/24
ge-0/0/1 up up
ge-0/0/1.0 up up inet 10.0.20.81/24
ge-0/0/2 up down
ge-0/0/3 up down
ge-0/0/4 up down
ge-0/0/5 up down
ge-0/0/6 up down
ge-0/0/7 up down
ge-0/0/8 up down
ge-0/0/9 up down
root@Juniper-vMX-Wanclouds> show interfaces terse | grep si
esi up up
lsi up up
Brocade-Vyatta:
=============
vyatta@gw-melbourne1-02-06-2016:~$ show configuration commands | grep vpn
set vpn ipsec esp-group ESP-1H compression 'disable'
set vpn ipsec esp-group ESP-1H lifetime '27000'
set vpn ipsec esp-group ESP-1H mode 'tunnel'
set vpn ipsec esp-group ESP-1H pfs 'dh-group5'
set vpn ipsec esp-group ESP-1H proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1H proposal 1 hash 'md5'
set vpn ipsec ike-group IKE-1H lifetime '28800'
set vpn ipsec ike-group IKE-1H proposal 1 dh-group '5'
set vpn ipsec ike-group IKE-1H proposal 1 encryption '3des'
set vpn ipsec ike-group IKE-1H proposal 1 hash 'md5'
set vpn ipsec ipsec-interfaces interface 'bond1'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 34.218.101.112 authentication id '108.1.114.92'
set vpn ipsec site-to-site peer 34.218.101.112 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 34.218.101.112 authentication pre-shared-secret 'cisco1000'
set vpn ipsec site-to-site peer 34.218.101.112 authentication remote-id '10.0.10.12'
set vpn ipsec site-to-site peer 34.218.101.112 connection-type 'initiate'
set vpn ipsec site-to-site peer 34.218.101.112 default-esp-group 'ESP-1H'
set vpn ipsec site-to-site peer 34.218.101.112 ike-group 'IKE-1H'
set vpn ipsec site-to-site peer 34.218.101.112 local-address '108.1.114.92'
set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 local prefix '192.168.100.0/24'
set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 remote prefix '10.0.20.0/24'
vyatta@gw-melbourne1-02-06-2016:~$
vyatta@gw-melbourne1-02-06-2016:~$
vyatta@gw-melbourne1-02-06-2016:~$
vyatta@gw-melbourne1-02-06-2016:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
34.218.101.112 108.1.114.92
State Encrypt Hash D-H Grp NAT-T A-Time L-Time
----- ------- ---- ------- ----- ------ ------
init n/a n/a n/a no 0 28800
vyatta@gw-melbourne1-02-06-2016:~$ show vpn ipsec sa
Peer ID / IP Local ID / IP
------------ -------------
34.218.101.112 108.1.114.92
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
0 down n/a n/a n/a no 0 27000 all
vyatta@gw-melbourne1-02-06-2016:~$