vMX

Re: IPsec VPN on Juniper vMX not working .

‎02-05-2018 11:01 PM
Can you enable IPsec traceoptions and attach the trace log file here?

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/traceopti...

Use level all and flag all while enabling the trace options.

Re: IPsec VPN on Juniper vMX not working .

‎02-06-2018 04:47 PM

I am attaching the output of the log file.


Re: IPsec VPN on Juniper vMX not working .

‎02-07-2018 01:58 AM
Hi, I see this in the logs.

Feb 7 00:22:33 [10.0.10.12 <-> 168.1.114.92] Instance: IPSEC-SITE-TO-SITE is down as service interface: si-0/0/0.2 is not up, Lookup failed.

Do you have tunnel-services enabled on the FPC? I don’t see tunnel-service configured in your configuration.

Re: IPsec VPN on Juniper vMX not working .

‎02-12-2018 12:48 PM

 

Hi,

Not sure how to enable tunnel services on the FPC. I checked some of the output to make sure the FPC status is OK. Can you share the command to enable tunnel services on the FPC?

 

root@Juniper-vMX-Wanclouds> show chassis hardware detail     

Hardware inventory:

Item             Version  Part number  Serial number     Description

Chassis                                VM5A5406B749      VMX

Midplane        

Routing Engine 0                                         RE-VMX

  vtbd0     0 MB                                         Hard Disk

CB 0                                                     VMX SCB

CB 1                                                     VMX SCB

FPC 0                                                    Virtual FPC

  CPU            Rev. 1.0 RIOT         BUILTIN          

  MIC 0                                                  Virtual

    PIC 0                 BUILTIN      BUILTIN           Virtual

 

root@Juniper-vMX-Wanclouds> show chassis fpc pic-status      

Slot 0   Online       Virtual FPC                                   

  PIC 0  Online       Virtual

 

 

 

 

root@Juniper-vMX-Wanclouds> show chassis network-services 

Network Services Mode: IP

 

root@Juniper-vMX-Wanclouds> 

 

Regards

Syed

 


Re: IPsec VPN on Juniper vMX not working .

‎02-12-2018 09:29 PM
Set chassis fpc x pic x tunnel-services bandwidth 1/10g

Here x is the PIC and FPC number.

Do you see your si interface up on your box?

Can you paste the output of "show interface terse | match si"

Also make sure you are using the correct si interface.


Re: IPsec VPN on Juniper vMX not working .

‎02-13-2018 06:36 PM

Here is the output, and I enabled tunnel services on Tunnel.

 

root@Juniper-vMX-Wanclouds> show interfaces terse | match si    -->Before enabling tunnel services on tunnel

esi                     up    up

lsi                     up    up

 

root@Juniper-vMX-Wanclouds> show chassis hardware 

Hardware inventory:

Item             Version  Part number  Serial number     Description

Chassis                                VM5A5406B749      VMX

Midplane        

Routing Engine 0                                         RE-VMX

CB 0                                                     VMX SCB

CB 1                                                     VMX SCB

FPC 0                                                    Virtual FPC

  CPU            Rev. 1.0 RIOT         BUILTIN          

  MIC 0                                                  Virtual

    PIC 0                 BUILTIN      BUILTIN           Virtual

 

root@Juniper-vMX-Wanclouds> set ch

                                  ^

syntax error.

root@Juniper-vMX-Wanclouds> configure 

Entering configuration mode

 

[edit]

root@Juniper-vMX-Wanclouds# set chassis fpc 0 pic 0 tunnel-services bandwidth ?

Possible completions:

  <bandwidth>          Bandwidth reserved for tunnel service

  100g                 100 gigabits per second

  10g                  10 gigabits per second

  1g                   1 gigabit per second

  200g                 200 gigabits per second

  20g                  20 gigabits per second

  300g                 300 gigabits per second

  30g                  30 gigabits per second

  400g                 400 gigabits per second

  40g                  40 gigabits per second

  50g                  50 gigabits per second

  60g                  60 gigabits per second

  70g                  70 gigabits per second

  80g                  80 gigabits per second

  90g                  90 gigabits per second

[edit]

 

root@Juniper-vMX-Wanclouds# set chassis fpc 0 pic 0 tunnel-services bandwidth 1g  

 

[edit]

root@Juniper-vMX-Wanclouds# commit 

commit complete

 

[edit]

root@Juniper-vMX-Wanclouds# 

 


Re: IPsec VPN on Juniper vMX not working .

‎02-13-2018 08:21 PM
Is it working now? You didn’t see the si interface in the output (before enabling tunneling).

It should work now.

Re: IPsec VPN on Juniper vMX not working .

‎03-02-2018 05:44 PM

It's still not working. I have tried all options, and I am including the output from the device and the debug from the vMX in the attachment. The debug is still complaining that the si interface is down, but the interface output says it's up. I think there is some issue with the vMX.

 

root@Juniper-vMX-Wanclouds> show interfaces terse | match si 

esi                     up    up

lsi                     up    up

 

Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ikev2_fb_isakmp_select_sa: Taking reference to fallback negotiation 8d16400 (now 2 references)

Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ssh_set_thread_debug_info: ikev2_fb_isakmp_select_sa: set thread debug info - local 0xc0a000a remote 0x5c7201a8neg 0x8d16400 neg->ike_sa 0x8cad200 ike_sa 0x0

Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ike_state_step: Input function[1] = ike_st_i_sa_proposal asked retry later

Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ike_process_packet: No output packet, returning

Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ikev2_fb_st_select_ike_sa: FB; Calling v2 policy function select_ike_sa

Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] In kmd_pm_spd_select_ike_sa: Enter SA 8cad200 ED 8e25028

Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] Looking up IKE gateway for server: 10.0.10.12 and routing instance id: 8

Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] instance: IPSEC-SITE-TO-SITE found for server: 10.0.10.12 in routing instance id: 8

Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] Instance: IPSEC-SITE-TO-SITE is down as service interface: si-0/0/0.2 is not up, Lookup failed.

Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] No instance available to serve this request

Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error Invalid argument (neg 8d16400)

 

root@Juniper-vMX-Wanclouds> show configuration | display set 

set version 17.2R1.13

set groups global system host-name Juniper-vMX-Wanclouds

set groups global system login user jnpr uid 2000

set groups global system login user jnpr class super-user

set groups global system login user jnpr authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxHi+V3riqQj4QPAksAAs2ATrbJlUCyPzWEZtBtQS5pdjm6xa9xXVYcyxwEu3CmmyMDAf4xt6thJvvNZbFZRoo9k0W4cTn4BiqeBBhjfaPeowkErpNugCyJZMkmId/sdLuZ/TrcGV0ZFI8l8ojAZFt8Q/bh0vMBgbs2nfA/oVRk8RWh5fIVadC0ocjhKahO6QkZmlDQLKssWDHUBJSqjutCVTJlkvWfq3ieISxlGavYEcx99vycbyMExcOsl2kNetxNcd6hHNCJjsRaRJQd3TGzjsFYw8/nRwa1TacUts4Y7ni1QvObOdcGu4Hla8roGqAFr6vrPrZqs/I2ehTr4WT ix_vMX_key_pair_Jan7_Khalid"

set groups global system services ssh

set groups global system syslog user * any emergency

set groups global system syslog file messages any notice

set groups global system syslog file messages authorization info

set groups global system syslog file interactive-commands interactive-commands any

set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24

set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24

set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24

set groups global interfaces si-0/0/0 unit 0

set groups global interfaces si-0/0/0 unit 1 family inet

set groups global interfaces si-0/0/0 unit 1 service-domain inside

set groups global interfaces si-0/0/0 unit 2 family inet

set groups global interfaces si-0/0/0 unit 2 service-domain outside

set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1

set groups global routing-options static route 0.0.0.0/0 retain

set groups global routing-options static route 0.0.0.0/0 no-readvertise

set apply-groups global

set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"

set chassis fpc 0 pic 0 tunnel-services bandwidth 1g

set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1

set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2

set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12

set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway routing-instance DATAPLANE-VMX-VPN-WANCLOUDS

set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA

set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24

set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24

set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.114.92

set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ike-policy IKE-Policy-Vyatta

set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ipsec-policy IPSec-Policy-Vyatta

set services ipsec-vpn rule IPSec-VYATTA term 1 then initiate-dead-peer-detection

set services ipsec-vpn rule IPSec-VYATTA match-direction input

set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta protocol esp

set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta authentication-algorithm hmac-md5-96

set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta encryption-algorithm 3des-cbc

set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta perfect-forward-secrecy keys group5

set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta proposals IPSEC-Proposal-Vyatta

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-method pre-shared-keys

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta dh-group group5

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-algorithm md5

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta encryption-algorithm 3des-cbc

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta lifetime-seconds 86400

set services ipsec-vpn ike policy IKE-Policy-Vyatta proposals IKE-Proposal-Vyatta

set services ipsec-vpn ike policy IKE-Policy-Vyatta pre-shared-key ascii-text "$9$EVryrvdVYoZjlKYo"

set services ipsec-vpn traceoptions file VmxIPSECCommunity

set services ipsec-vpn traceoptions file size 10m

set services ipsec-vpn traceoptions file files 2

set services ipsec-vpn traceoptions level all

set services ipsec-vpn traceoptions flag all

set services ipsec-vpn establish-tunnels immediately

set services ipsec-vpn disable-natt

set routing-options static route 192.168.100.0/24 next-hop si-0/0/0.1

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS instance-type virtual-router

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 192.168.100.0/24 next-hop 108.1.114.92

 

root@Juniper-vMX-Wanclouds> show services ipsec-vpn ipsec security-associations 

Service set: IPSEC-SITE-TO-SITE, IKE Routing-instance: DATAPLANE-VMX-VPN-WANCLOUDS

 

  Rule: IPSec-VYATTA, Term: 1, Tunnel index: 1

  Local gateway: 10.0.10.12, Remote gateway: 108.1.114.92

  IPSec inside interface: si-0/0/0.1, Tunnel MTU: 1500

  UDP encapsulate: Disabled, UDP Destination port: 0

  

  --- No IPSec SA information available ---

 

root@Juniper-vMX-Wanclouds> show interfaces terse | match si 

esi                     up    up

lsi                     up    up

 

 

 

root@Juniper-vMX-Wanclouds> show chassis hardware detail 

Hardware inventory:

Item             Version  Part number  Serial number     Description

Chassis                                VM5A5406B749      VMX

Midplane        

Routing Engine 0                                         RE-VMX

  vtbd0     0 MB                                         Hard Disk

CB 0                                                     VMX SCB

CB 1                                                     VMX SCB

FPC 0                                                    Virtual FPC

  CPU            Rev. 1.0 RIOT         BUILTIN          

  MIC 0                                                  Virtual

    PIC 0                 BUILTIN      BUILTIN           Virtual

 

 

 

root@Juniper-vMX-Wanclouds> show services ipsec-vpn ike security-associations            

 

root@Juniper-vMX-Wanclouds> monitor traffic interface ge-0/0/0 matching udp 

verbose output suppressed, use <detail> or <extensive> for full protocol decode

Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.

Address resolution timeout is 4s.

Listening on ge-0/0/0, capture size 96 bytes

 

Reverse lookup for 10.0.10.12 failed (check DNS reachability).

Other reverse lookup failures will not be reported.

Use <no-resolve> to avoid reverse lookups on IP addresses.

 

00:54:04.606186  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:54:04.707330 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

00:54:44.094174  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:54:44.200468 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

00:55:24.234474  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:55:24.328674 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

00:56:04.807564  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:56:04.908874 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

00:56:44.502941  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:56:44.602296 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

00:57:24.887299  In IP 108.1.114.92.isakmp > 10.0.10.12.isakmp: isakmp: phase 1 I ident: [|sa]

00:57:25.005052 Out IP truncated-ip - 70 bytes missing! 10.0.10.12.isakmp > 108.1.114.92.isakmp: isakmp: phase 2/others R inf: [|n]

^C

92 packets received by filter

0 packets dropped by kernel

 

root@Juniper-vMX-Wanclouds> show interfaces terse | grep ge 

ge-0/0/0                up    up

ge-0/0/0.0              up    up   inet     10.0.10.12/24   

ge-0/0/1                up    up

ge-0/0/1.0              up    up   inet     10.0.20.81/24   

ge-0/0/2                up    down

ge-0/0/3                up    down

ge-0/0/4                up    down

ge-0/0/5                up    down

ge-0/0/6                up    down

ge-0/0/7                up    down

ge-0/0/8                up    down

ge-0/0/9                up    down

 

root@Juniper-vMX-Wanclouds> show interfaces terse | grep si    

esi                     up    up

lsi                     up    up

 

 

 

 

Brocade-Vyatta:

=============

 

vyatta@gw-melbourne1-02-06-2016:~$ show configuration commands | grep vpn

set vpn ipsec esp-group ESP-1H compression 'disable'

set vpn ipsec esp-group ESP-1H lifetime '27000'

set vpn ipsec esp-group ESP-1H mode 'tunnel'

set vpn ipsec esp-group ESP-1H pfs 'dh-group5'

set vpn ipsec esp-group ESP-1H proposal 1 encryption '3des'

set vpn ipsec esp-group ESP-1H proposal 1 hash 'md5'

set vpn ipsec ike-group IKE-1H lifetime '28800'

set vpn ipsec ike-group IKE-1H proposal 1 dh-group '5'

set vpn ipsec ike-group IKE-1H proposal 1 encryption '3des'

set vpn ipsec ike-group IKE-1H proposal 1 hash 'md5'

set vpn ipsec ipsec-interfaces interface 'bond1'

set vpn ipsec nat-traversal 'enable'

set vpn ipsec site-to-site peer 34.218.101.112 authentication id '108.1.114.92'

set vpn ipsec site-to-site peer 34.218.101.112 authentication mode 'pre-shared-secret'

set vpn ipsec site-to-site peer 34.218.101.112 authentication pre-shared-secret 'cisco1000'

set vpn ipsec site-to-site peer 34.218.101.112 authentication remote-id '10.0.10.12'

set vpn ipsec site-to-site peer 34.218.101.112 connection-type 'initiate'

set vpn ipsec site-to-site peer 34.218.101.112 default-esp-group 'ESP-1H'

set vpn ipsec site-to-site peer 34.218.101.112 ike-group 'IKE-1H'

set vpn ipsec site-to-site peer 34.218.101.112 local-address '108.1.114.92'

set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 allow-nat-networks 'disable'

set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 allow-public-networks 'disable'

set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 local prefix '192.168.100.0/24'

set vpn ipsec site-to-site peer 34.218.101.112 tunnel 0 remote prefix '10.0.20.0/24'

vyatta@gw-melbourne1-02-06-2016:~$ 

vyatta@gw-melbourne1-02-06-2016:~$ 

vyatta@gw-melbourne1-02-06-2016:~$ 

vyatta@gw-melbourne1-02-06-2016:~$ show vpn ike sa

Peer ID / IP                            Local ID / IP               

------------                            -------------

34.218.101.112                          108.1.114.92                           

 

    State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time

    -----  -------  ----  -------  -----  ------  ------

    init   n/a      n/a   n/a      no     0       28800  

 

 

vyatta@gw-melbourne1-02-06-2016:~$ show vpn ipsec sa

Peer ID / IP                            Local ID / IP               

------------                            -------------

34.218.101.112                          108.1.114.92                           

 

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto

    ------  -----  -------------  -------  ----  -----  ------  ------  -----

    0       down   n/a            n/a      n/a   no     0       27000   all

 

 

vyatta@gw-melbourne1-02-06-2016:~$


Re: IPsec VPN on Juniper vMX not working .

‎03-02-2018 07:22 PM

Hi Syed,

 

The si-* interface is still not created on your vMX box. Please share <show configuration chassis>.

 

vmx> show interfaces terse | match si 

esi up up
lsi up up

 

The above output is not an si-* interface.

 

vmx# set chassis fpc 0 pic 0 inline-services

[edit]
vmx# commit
commit complete

[edit]
vmx# run show interfaces terse | match si-
si-0/0/0 up up 

[edit]

 

Hope this helps


Re: IPsec VPN on Juniper vMX not working .

‎03-02-2018 10:17 PM
Hi,

As I said earlier, you don’t have the si-0/0/0 interface configured on your box.
Can you try the command below and check?

root@PE1_re> show interfaces terse | match si
esi up up
lsi up up
lsi.1 up up inet

root@PE1_re>
[edit]
root@PE1_re# set chassis fpc 0 pic 0 inline-services

[edit]
root@PE1_re# commit
commit complete

[edit]
root@PE1_re#
root@PE1_re# run show interfaces terse | match si
si-0/0/0 up up
esi up up
lsi up up
lsi.1 up up inet

[edit]
root@PE1_re#

Regards
Harpreet

Re: IPsec VPN on Juniper vMX not working .

‎03-03-2018 01:18 PM

I had the configuration for the si interfaces; the only thing missing was "set chassis fpc 0 pic 0 inline-services", and it's working now. Special thanks to Kingsman (Harpreet) and vvadivel.

 

 

root@Juniper-vMX-Wanclouds> show configuration | display set 

set version 17.2R1.13

set groups global system host-name Juniper-vMX-Wanclouds

set groups global system login user jnpr uid 2000

set groups global system login user jnpr class super-user

set groups global system services ssh

set groups global system syslog user * any emergency

set groups global system syslog file messages any notice

set groups global system syslog file messages authorization info

set groups global system syslog file interactive-commands interactive-commands any

set groups global interfaces fxp0 unit 0 family inet address 10.0.254.223/24

set groups global interfaces ge-0/0/0 unit 0 family inet address 10.0.10.12/24

set groups global interfaces ge-0/0/1 unit 0 family inet address 10.0.20.81/24

set groups global interfaces si-0/0/0 unit 0

set groups global interfaces si-0/0/0 unit 1 family inet

set groups global interfaces si-0/0/0 unit 1 service-domain inside

set groups global interfaces si-0/0/0 unit 2 family inet

set groups global interfaces si-0/0/0 unit 2 service-domain outside

set groups global routing-options static route 0.0.0.0/0 next-hop 10.0.254.1

set groups global routing-options static route 0.0.0.0/0 retain

set groups global routing-options static route 0.0.0.0/0 no-readvertise

set apply-groups global

set system root-authentication encrypted-password "$6$bVjvwR9a$fVRP/hbL8YGMmDjlU/ez1uqaogl9XPTrHo3dVHc2iPxwb1tcdUle1j.aOcVc2TGPIkr.EAoFHPz6oCXkb0E271"

set chassis fpc 0 pic 0 tunnel-services bandwidth 1g

set chassis fpc 0 pic 0 inline-services

set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1

set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2

set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway 10.0.10.12

set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-options local-gateway routing-instance DATAPLANE-VMX-VPN-WANCLOUDS

set services service-set IPSEC-SITE-TO-SITE ipsec-vpn-rules IPSec-VYATTA

set services ipsec-vpn rule IPSec-VYATTA term 1 from source-address 10.0.20.0/24

set services ipsec-vpn rule IPSec-VYATTA term 1 from destination-address 192.168.100.0/24

set services ipsec-vpn rule IPSec-VYATTA term 1 then remote-gateway 108.1.114.92

set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ike-policy IKE-Policy-Vyatta

set services ipsec-vpn rule IPSec-VYATTA term 1 then dynamic ipsec-policy IPSec-Policy-Vyatta

set services ipsec-vpn rule IPSec-VYATTA term 1 then initiate-dead-peer-detection

set services ipsec-vpn rule IPSec-VYATTA match-direction input

set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta protocol esp

set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta authentication-algorithm hmac-md5-96

set services ipsec-vpn ipsec proposal IPSEC-Proposal-Vyatta encryption-algorithm 3des-cbc

set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta perfect-forward-secrecy keys group5

set services ipsec-vpn ipsec policy IPSec-Policy-Vyatta proposals IPSEC-Proposal-Vyatta

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-method pre-shared-keys

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta dh-group group5

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta authentication-algorithm md5

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta encryption-algorithm 3des-cbc

set services ipsec-vpn ike proposal IKE-Proposal-Vyatta lifetime-seconds 86400

set services ipsec-vpn ike policy IKE-Policy-Vyatta proposals IKE-Proposal-Vyatta

set services ipsec-vpn ike policy IKE-Policy-Vyatta pre-shared-key ascii-text "$9$EVryrvdVYoZjlKYo"

set services ipsec-vpn traceoptions file VmxIPSECCommunity

set services ipsec-vpn traceoptions file size 10m

set services ipsec-vpn traceoptions file files 2

set services ipsec-vpn traceoptions level all

set services ipsec-vpn traceoptions flag all

set services ipsec-vpn establish-tunnels immediately

set services ipsec-vpn disable-natt

set routing-options static route 192.168.100.0/24 next-hop si-0/0/0.1

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS instance-type virtual-router

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface ge-0/0/0.0

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1

set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS routing-options static route 192.168.100.0/24 next-hop 108.1.114.92

                                        

root@Juniper-vMX-Wanclouds> show interfaces terse | match si 

si-0/0/0                up    up

si-0/0/0.0              up    up  

si-0/0/0.1              up    up   inet    

si-0/0/0.2              up    up   inet    

esi                     up    up

lsi                     up    up

 

 

Regards

syed.
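
The root cause found in this thread, as an added example that is not part of any post and is not Juniper tooling: a Python check that flags `si-` interfaces referenced in a `display set` configuration without a matching `set chassis fpc F pic P inline-services`, and compares interface names exactly so that `esi`/`lsi` in a `match si` listing are not mistaken for `si-*`. The sample inputs are constructed from lines posted above, the function names are hypothetical, and the code assumes `si-F/P/N` is hosted on FPC F, PIC P.

```python
import re

SI_REF = re.compile(r"\bsi-(\d+)/(\d+)/(\d+)(?:\.(\d+))?")
INLINE = re.compile(r"^set chassis fpc (\d+) pic (\d+) inline-services\b", re.M)
TRACE_DOWN = re.compile(r"Instance: (\S+) is down as service interface: (\S+) is not up")

# Constructed samples: a subset of the configuration and outputs posted in the thread.
CONFIG_BEFORE = """\
set groups global interfaces si-0/0/0 unit 1 family inet
set groups global interfaces si-0/0/0 unit 1 service-domain inside
set groups global interfaces si-0/0/0 unit 2 family inet
set groups global interfaces si-0/0/0 unit 2 service-domain outside
set chassis fpc 0 pic 0 tunnel-services bandwidth 1g
set services service-set IPSEC-SITE-TO-SITE next-hop-service inside-service-interface si-0/0/0.1
set services service-set IPSEC-SITE-TO-SITE next-hop-service outside-service-interface si-0/0/0.2
set routing-instances DATAPLANE-VMX-VPN-WANCLOUDS interface si-0/0/0.2
"""
CONFIG_AFTER = CONFIG_BEFORE + "set chassis fpc 0 pic 0 inline-services\n"
TERSE_BEFORE = "esi up up\nlsi up up\n"
TERSE_AFTER = ("si-0/0/0 up up\nsi-0/0/0.0 up up\nsi-0/0/0.1 up up inet\n"
               "si-0/0/0.2 up up inet\nesi up up\nlsi up up\n")
TRACE = ("Mar  3 01:05:55 [10.0.10.12 <-> 108.1.114.92] Instance: IPSEC-SITE-TO-SITE "
         "is down as service interface: si-0/0/0.2 is not up, Lookup failed.\n")


def si_references(config):
    """Map every si- interface named in the config to the (fpc, pic) that hosts it."""
    return {m.group(0): (int(m.group(1)), int(m.group(2)))
            for m in SI_REF.finditer(config)}


def inline_slots(config):
    """(fpc, pic) pairs with inline-services enabled; tunnel-services does not count."""
    return {(int(f), int(p)) for f, p in INLINE.findall(config)}


def operational_interfaces(terse):
    """First column of `show interfaces terse`, kept as exact names."""
    return {line.split()[0] for line in terse.splitlines() if line.split()}


def audit(config, terse, trace=""):
    """Return a list of findings; an empty list means the si- plumbing is consistent."""
    findings = []
    slots = inline_slots(config)
    present = operational_interfaces(terse)
    for name, (fpc, pic) in sorted(si_references(config).items()):
        if (fpc, pic) not in slots:
            findings.append(
                f"{name}: missing 'set chassis fpc {fpc} pic {pic} inline-services'")
        elif name not in present:
            findings.append(f"{name}: configured but absent from 'show interfaces terse'")
    for instance, ifname in TRACE_DOWN.findall(trace):
        if ifname not in present:
            findings.append(f"trace: {instance} is down because {ifname} does not exist")
    return findings


if __name__ == "__main__":
    for label, cfg, terse in (("before", CONFIG_BEFORE, TERSE_BEFORE),
                              ("after", CONFIG_AFTER, TERSE_AFTER)):
        print(label, audit(cfg, terse, TRACE) or "OK")
```
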