vMX

Not able to get IPSec to work on vMX for Dynamic End Points

‎11-10-2019 08:29 PM

Hi,


I am trying to use vMX release Junos 18.4R1.8 to set up an IPsec site-to-site tunnel between a router with a dynamic IP and the vMX.

I am not able to get it to work at all.


[Screenshot: Junos-ipsec.PNG]

The config is pasted below for reference.

jnpr@ip-10-1-1-11> show configuration interfaces | display set
set interfaces ge-0/0/0 unit 0 family inet address 10.1.2.4/24
set interfaces si-0/0/0 unit 0
set interfaces si-0/0/0 unit 1 dial-options ipsec-interface-id 200
set interfaces si-0/0/0 unit 1 dial-options dedicated
set interfaces si-0/0/0 unit 1 family inet address 10.240.157.161/24
deactivate interfaces si-0/0/0 unit 1 family inet address 10.240.157.161/24
set interfaces si-0/0/0 unit 1 service-domain inside
set interfaces si-0/0/0 unit 2 family inet address 172.10.11.12/24
set interfaces si-0/0/0 unit 2 service-domain outside
set interfaces ge-0/0/1 unit 0 family inet address 10.3.166.211/24

set services service-set mx-ipsec-svc-set next-hop-service inside-service-interface si-0/0/0.1
set services service-set mx-ipsec-svc-set next-hop-service outside-service-interface si-0/0/0.2
set services service-set mx-ipsec-svc-set ipsec-vpn-options local-gateway 172.10.11.12
set services service-set mx-ipsec-svc-set ipsec-vpn-options ike-access-profile mx-ike-profile
set services service-set mx-ipsec-svc-set ipsec-vpn-options passive-mode-tunneling
set services service-set mx-ipsec-svc-set ipsec-vpn-rules mx-ipsec-rule
deactivate services service-set mx-ipsec-svc-set ipsec-vpn-rules mx-ipsec-rule
set services ipsec-vpn ipsec proposal mx-ipsec-proposal protocol esp
set services ipsec-vpn ipsec proposal mx-ipsec-proposal authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal mx-ipsec-proposal encryption-algorithm aes-128-cbc
set services ipsec-vpn ipsec policy mx-ipsec-policy perfect-forward-secrecy keys group2
set services ipsec-vpn ipsec policy mx-ipsec-policy proposals mx-ipsec-proposal
set services ipsec-vpn ike proposal mx-ike-proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal mx-ike-proposal dh-group group2
set services ipsec-vpn ike proposal mx-ike-proposal authentication-algorithm sha1
set services ipsec-vpn ike proposal mx-ike-proposal encryption-algorithm aes-128-cbc
set services ipsec-vpn ike proposal mx-ike-proposal lifetime-seconds 28800
set services ipsec-vpn ike policy mx-ike-policy mode main
set services ipsec-vpn ike policy mx-ike-policy version 1
set services ipsec-vpn ike policy mx-ike-policy proposals mx-ike-proposal
set services ipsec-vpn ike policy mx-ike-policy local-id ipv4_addr 10.1.2.4
set services ipsec-vpn ike policy mx-ike-policy remote-id any-remote-id
set services ipsec-vpn ike policy mx-ike-policy remote-id ipv4_addr 192.168.99.1
set services ipsec-vpn ike policy mx-ike-policy remote-id ipv4_addr 157.45.213.140
set services ipsec-vpn ike policy mx-ike-policy pre-shared-key ascii-text "$9$IKnEhrKvLN-w0BclvW-d4aZGjq3nCp0IzFhSleW8GDjiP5n/CBRhpu-Vw2aJ"
set services ipsec-vpn traceoptions file mx-vivek
set services ipsec-vpn traceoptions level all
set services ipsec-vpn traceoptions flag all
set services ipsec-vpn establish-tunnels immediately
set access profile mx-ike-profile client * ike allowed-proxy-pair local 10.3.166.0/24 remote 192.168.99.0/24
set access profile mx-ike-profile client * ike initiate-dead-peer-detection
set access profile mx-ike-profile client * ike dead-peer-detection
set access profile mx-ike-profile client * ike ike-policy mx-ike-policy
set access profile mx-ike-profile client * ike ipsec-policy mx-ipsec-policy
set access profile mx-ike-profile client * ike interface-id 200

jnpr@ip-10-1-1-11> show configuration routing-instances | display set
set routing-instances aws instance-type virtual-router
set routing-instances aws interface ge-0/0/0.0
set routing-instances aws interface si-0/0/0.1
set routing-instances aws routing-options static route 0.0.0.0/0 next-hop 10.1.2.1

set routing-options interface-routes rib-group inet group1
set routing-options rib-groups group1 import-rib inet.0
set routing-options rib-groups group1 import-rib aws.inet.0

However, in the logs I keep seeing the error "Unexpected ikev2 packet received".


Nov 11 03:34:03 [10.1.2.4 <-> 157.49.197.161] ssh_set_debug_gw_info: ssh_set_debug_gw_info: set gw debug info - local 10.1.2.4 remote 157.49.197.161
Nov 11 03:34:03 [10.1.2.4 <-> 157.49.197.161] Looking up instance for server: 10.1.2.4 and routing instance id: 7
Nov 11 03:34:03 [10.1.2.4 <-> 157.49.197.161] ikev2_udp_recv: Unexpected IKE packet received on routing table id: 7, with local address: 10.1.2.4 and remote address: 157.49.197.161
Nov 11 03:34:07 [10.1.2.4 <-> 157.49.197.161] ssh_set_debug_gw_info: ssh_set_debug_gw_info: set gw debug info - local 10.1.2.4 remote 157.49.197.161
Nov 11 03:34:07 [10.1.2.4 <-> 157.49.197.161] Looking up instance for server: 10.1.2.4 and routing instance id: 7
Nov 11 03:34:07 [10.1.2.4 <-> 157.49.197.161] ikev2_udp_recv: Unexpected IKE packet received on routing table id: 7, with local address: 10.1.2.4 and remote address: 157.49.197.161
Nov 11 03:34:14 [10.1.2.4 <-> 157.49.197.161] ssh_set_debug_gw_info: ssh_set_debug_gw_info: set gw debug info - local 10.1.2.4 remote 157.49.197.161
Nov 11 03:34:14 [10.1.2.4 <-> 157.49.197.161] Looking up instance for server: 10.1.2.4 and routing instance id: 7
Nov 11 03:34:14 [10.1.2.4 <-> 157.49.197.161] ikev2_udp_recv: Unexpected IKE packet received on routing table id: 7, with local address: 10.1.2.4 and remote address: 157.49.197.161
Nov 11 03:34:27 [10.1.2.4 <-> 157.49.197.161] ssh_set_debug_gw_info: ssh_set_debug_gw_info: set gw debug info - local 10.1.2.4 remote 157.49.197.161
Nov 11 03:34:27 [10.1.2.4 <-> 157.49.197.161] Looking up instance for server: 10.1.2.4 and routing instance id: 7
Nov 11 03:34:27 [10.1.2.4 <-> 157.49.197.161] ikev2_udp_recv: Unexpected IKE packet received on routing table id: 7, with local address: 10.1.2.4 and remote address: 157.49.197.161
Nov 11 03:34:37 In kmd_pm_process_all_delayed_requests
Nov 11 03:34:37 Triggering all tunnels
Nov 11 03:34:37 kmd_is_sa_tobe_skipped: RT-SA does not have a valid address
Nov 11 03:34:37 kmd_pm_trigger_all: Skip tunnel RT-SA
Nov 11 03:34:37 Global timer started with 60 seconds timeout
Nov 11 03:34:37 Inside kmd_poll_sa_incoming_stats.....
Nov 11 03:34:50 [10.1.2.4 <-> 157.49.197.161] ssh_set_debug_gw_info: ssh_set_debug_gw_info: set gw debug info - local 10.1.2.4 remote 157.49.197.161
Nov 11 03:34:50 [10.1.2.4 <-> 157.49.197.161] Looking up instance for server: 10.1.2.4 and routing instance id: 7
Nov 11 03:34:50 [10.1.2.4 <-> 157.49.197.161] ikev2_udp_recv: Unexpected IKE packet received on routing table id: 7, with local address: 10.1.2.4 and remote address: 157.49.197.161
Nov 11 03:35:32 [10.1.2.4 <-> 157.49.197.161] ssh_set_debug_gw_info: ssh_set_debug_gw_info: set gw debug info - local 10.1.2.4 remote 157.49.197.161
Nov 11 03:35:32 [10.1.2.4 <-> 157.49.197.161] Looking up instance for server: 10.1.2.4 and routing instance id: 7
Nov 11 03:35:32 [10.1.2.4 <-> 157.49.197.161] ikev2_udp_recv: Unexpected IKE packet received on routing table id: 7, with local address: 10.1.2.4 and remote address: 157.49.197.161


Please let us know what we are missing here or what is wrong in our configuration.


Regards,

Vivek


4 REPLIES

Re: Not able to get IPSec to work on vMX for Dynamic End Points

‎11-10-2019 09:58 PM

IPsec is not qualified on vMX. Kindly use vSRX.

For the issue, please use routing-instance under the ipsec-vpn-options.

set services service-set mx-ipsec-svc-set ipsec-vpn-options local-gateway routing-instance


Re: Not able to get IPSec to work on vMX for Dynamic End Points

‎11-10-2019 10:42 PM

Please refer to KB35122; IPsec is not recommended on vMX.

-
VR
# Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: Not able to get IPSec to work on vMX for Dynamic End Points

‎11-10-2019 11:23 PM

Hi,

We have been able to make it work on vSRX. But now our requirement is to make it work in vMX.

Regarding:

"For the issue, please use routing-instance under the ipsec-vpn-options.

set services service-set mx-ipsec-svc-set ipsec-vpn-options local-gateway routing-instance"

In which routing instance should the local-gateway lie? I had set it up in the default routing instance and hence didn't configure the same. I am assuming that the local gateway should be in the outside service domain and not inside.

Please confirm.


Regards,

Vivek


Re: Not able to get IPSec to work on vMX for Dynamic End Points

‎11-10-2019 11:35 PM

The IPsec remote site is reachable via AWS ge-0/0/0, so you should try giving routing-instance aws and check once.
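As an added example (not code from this thread or from Juniper), the following Python script correlates a `show configuration | display set` dump with the `Unexpected IKE packet received` trace lines from the original post, and reports two things the replies above point at: whether the address IKE actually arrives on is the local-gateway of any service-set, and whether that address sits in a routing instance the service-set's ipsec-vpn-options do not name. The embedded config and log are a constructed subset of what was posted. The config does not say which instance routing table id 7 is, so the script reports the instance by interface membership (ge-0/0/0.0 is in `aws`) rather than by id. The `local-gateway <address> routing-instance <name>` line it prints is the form of the fix the first reply suggests; the script only proposes it, it does not apply it.

```python
"""Correlate a Junos `show configuration | display set` dump with ipsec-vpn
traceoptions output to explain 'Unexpected IKE packet received' drops.

Added example for this thread; not Juniper code. The sample data below is a
constructed subset of the config and trace lines posted above.
"""
import ipaddress
import re
from collections import Counter

# Constructed subset of the poster's config (addresses as posted).
CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 10.1.2.4/24
set interfaces si-0/0/0 unit 2 family inet address 172.10.11.12/24
set interfaces ge-0/0/1 unit 0 family inet address 10.3.166.211/24
set services service-set mx-ipsec-svc-set ipsec-vpn-options local-gateway 172.10.11.12
set routing-instances aws instance-type virtual-router
set routing-instances aws interface ge-0/0/0.0
"""

# Constructed subset of the poster's ipsec-vpn traceoptions output.
LOG = """\
Nov 11 03:34:03 [10.1.2.4 <-> 157.49.197.161] ikev2_udp_recv: Unexpected IKE packet received on routing table id: 7, with local address: 10.1.2.4 and remote address: 157.49.197.161
Nov 11 03:34:07 [10.1.2.4 <-> 157.49.197.161] ikev2_udp_recv: Unexpected IKE packet received on routing table id: 7, with local address: 10.1.2.4 and remote address: 157.49.197.161
Nov 11 03:34:37 kmd_pm_trigger_all: Skip tunnel RT-SA
"""

ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
RI_IF_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)$")
LGW_RE = re.compile(r"^set services service-set (\S+) ipsec-vpn-options "
                    r"local-gateway (\S+)(?: routing-instance (\S+))?$")
UNEXPECTED_RE = re.compile(r"Unexpected IKE packet received on routing table id: (\d+), "
                           r"with local address: (\S+) and remote address: (\S+)")


def parse_config(text):
    """Return (ifl -> address, ifl -> routing-instance, service-set -> (gateway, instance))."""
    ifl_addr, ifl_ri, service_sets = {}, {}, {}
    for line in text.splitlines():
        if m := ADDR_RE.match(line):
            ifl_addr[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
        elif m := RI_IF_RE.match(line):
            ifl_ri[m[2]] = m[1]
        elif m := LGW_RE.match(line):
            service_sets[m[1]] = (m[2], m[3])  # m[3] is None when no routing-instance is set
    return ifl_addr, ifl_ri, service_sets


def instance_of_address(addr, ifl_addr, ifl_ri):
    """Return (ifl, instance) owning addr; instance None means the master instance (inet.0)."""
    ip = ipaddress.ip_address(addr)
    for ifl, iface in ifl_addr.items():
        if iface.ip == ip:
            return ifl, ifl_ri.get(ifl)
    return None, None


def parse_unexpected(log):
    """Count 'Unexpected IKE packet' events keyed by (routing table id, local, remote)."""
    events = Counter()
    for line in log.splitlines():
        if m := UNEXPECTED_RE.search(line):
            events[(int(m[1]), m[2], m[3])] += 1
    return events


def diagnose(config, log):
    """Return human-readable findings; an empty list means config and trace agree."""
    ifl_addr, ifl_ri, service_sets = parse_config(config)
    findings = []
    for (rt_id, local, remote), n in sorted(parse_unexpected(log).items()):
        ifl, ri = instance_of_address(local, ifl_addr, ifl_ri)
        where = f"{ifl or 'unknown interface'} in {ri or 'inet.0'}"
        users = [name for name, (gw, _) in service_sets.items() if gw == local]
        if not users:
            # IKE is arriving on an address that no service-set listens on.
            configured = "; ".join(
                f"{name} uses {gw} ({instance_of_address(gw, ifl_addr, ifl_ri)[1] or 'inet.0'})"
                for name, (gw, _) in service_sets.items()) or "none"
            findings.append(f"{n} IKE packet(s) from {remote} arrived on {local} ({where}, "
                            f"rt id {rt_id}) but no service-set has local-gateway {local}; "
                            f"configured: {configured}")
        for name in users:
            # Gateway matches, but its instance is not the one ipsec-vpn-options names.
            cfg_ri = service_sets[name][1]
            if cfg_ri != ri:
                fix = f"set services service-set {name} ipsec-vpn-options local-gateway {local}"
                if ri:
                    fix += f" routing-instance {ri}"
                findings.append(f"service-set {name}: local-gateway {local} lives in "
                                f"{ri or 'inet.0'} but ipsec-vpn-options names "
                                f"{cfg_ri or 'no routing-instance'}; try: {fix}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(CONFIG, LOG):
        print(finding)
```

Run against the posted data, the script reports that the peer's IKE packets land on 10.1.2.4 (ge-0/0/0.0, instance aws) while the only service-set's local-gateway is 172.10.11.12 on si-0/0/0.2 in inet.0; with the gateway moved to 10.1.2.4 but no routing-instance configured it instead prints the `routing-instance aws` line to add. One unrelated caveat about the posted config: the `$9$` string in the pre-shared-key line is Junos reversible obfuscation, not encryption, so a PSK pasted in that form should be treated as disclosed and rotated.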