vMX

tracking if IPsec tunnel is down and forward traffic without IPsec

01-16-2018 01:46 AM

Hi,


I have IPsec working on vMX, also with a backup tunnel.

In the configuration I have a static route to the inline service interface to encrypt traffic to a specific destination.

As a last resort I would like to send the traffic without any encryption if both tunnels are down.

How can I track that the tunnels are down and withdraw the static route?


chassis {                               
    fpc 0 {
        pic 0 {
            interface-type xe;
            inline-services {
                bandwidth 1g;
            }
        }
        lite-mode;
    }
    network-services enhanced-ip;
}
services {
    service-set IPSec_SS1 {
        next-hop-service {
            inside-service-interface si-0/0/0.1;
            outside-service-interface si-0/0/0.2;
        }
        ipsec-vpn-options {
            local-gateway 10.254.0.9;
        }
        ipsec-vpn-rules IPSec;
    }
    ipsec-vpn {                         
        rule IPSec {
            term 1 {
                then {
                    remote-gateway 10.0.0.2;
                    backup-remote-gateway 10.0.0.14;
                    dynamic {
                        ike-policy IKE-Policy;
                        ipsec-policy IPSec_policy;
                    }
                    
                    tunnel-mtu 1600;
                    copy-tos-from-inner-ip-header;
                    initiate-dead-peer-detection;
                }
            }
            match-direction input;
        }
        ipsec {
            proposal IPSec-proposal {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-128-cbc;
            }                           
            policy IPSec_policy {
                perfect-forward-secrecy {
                    keys group19;
                }
                proposals IPSec-proposal;
            }
        }
        ike {
            proposal IKE-Proposal {
                authentication-method pre-shared-keys;
                dh-group group19;
                authentication-algorithm sha-256;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 14400;
            }
            policy IKE-Policy {
                proposals IKE-Proposal;
                pre-shared-key ascii-text "9$ddddddd./.P"; ## SECRET-DATA
            }
        }
        establish-tunnels immediately;
    }
}
interfaces {
    si-0/0/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
    xe-0/0/0 {
        unit 0 {
            family inet {
                address 10.0.0.1/30;
            }                           
        }
    }
    xe-0/0/1 {
        mtu 1514;
        unit 0 {
            family inet {
                address 10.0.0.10/30;
            }
        }
    }
    xe-0/0/2 {
        unit 0 {
            family inet {
                address 10.0.0.17/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.254.0.9/32;
            }
        }                               
    }
}
routing-options {
    static {
        route 192.168.0.0/24 next-hop si-0/0/0.1;
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface xe-0/0/0.0;
            interface xe-0/0/1.0;
            interface lo0.0 {
                passive;
            }
            interface xe-0/0/2.0;
        }
    }
}

Thanks Niklas


Re: tracking if IPsec tunnel is down and forward traffic without IPsec

01-16-2018 02:35 AM
Service IP monitoring is not supported on MX.

You can use a script to achieve this.

Please refer to the posts below.

https://forums.juniper.net/t5/Routing/MX480-IP-SLA/m-p/312325

https://forums.juniper.net/t5/Junos-Automation-Scripting/write-scripts-delete-next-hop-for-static-ro...


HTH

Re: tracking if IPsec tunnel is down and forward traffic without IPsec

01-16-2018 06:39 AM

Hi,

Thanks for the advice.

I tried the following event-options; unfortunately it does not work.

Does anyone have a hint how it should look?


policy tunnel_up {
    events KMD_PM_SA_ESTABLISHED;
    then {
        change-configuration {
            commands {
                "set routing-options static route 192.168.0.0/24 next-hop si-0/0/0.1";
            }
        }
    }
}
policy tunnel_down {
    events KMD_PM_SA_DELETED;
    then {
        change-configuration {
            commands {
                "delete routing-options static route 192.168.0/24 next-hop si-0/0/0.1";
            }
        }
    }
}
Solution
Accepted by topic author Niklas
01-16-2018 07:29 AM

Re: tracking if IPsec tunnel is down and forward traffic without IPsec

01-16-2018 07:28 AM

Hi again,

With the following event-options it works:

policy tunnel_up {
    events SYSTEM;
    attributes-match {
        system.message matches KMD_PM_SA_ESTABLISHED;
    }
    then {
        change-configuration {
            commands {
                "set routing-options static route 192.168.0.0/24 next-hop si-0/0/0.1";
            }
        }
    }
}
policy tunnel_down {
    events SYSTEM;
    attributes-match {
        system.message matches KMD_PM_SA_DELETED;
    }
    then {
        change-configuration {
            commands {
                "delete routing-options static route 192.168.0.0/24 next-hop si-0/0/0.1";
            }
        }
    }
}
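The accepted policy above withdraws the route on any KMD_PM_SA_DELETED message, whichever of the two gateways (10.0.0.2 or 10.0.0.14) it refers to and whether or not the other tunnel is still up, and it silently fails open: once the route is gone, traffic to 192.168.0.0/24 leaves the box in cleartext. Event policies are stateless, so "withdraw only when both peers are down" needs a script that keeps state. The block below is an added example, not code from the thread; it models in plain Python, with no Junos dependencies, the decision such an event script would make: count live SAs per tracked peer, derive whether the encrypted route should exist, and emit the set/delete command only on a transition, writing an audit entry that names the fail-open event. The peer addresses, route and interface are taken from the thread's configuration; the syslog line shape matched by KMD_RE and every line in SAMPLE_LOG are constructed for the example and are assumptions, so check the real KMD_PM_SA_ESTABLISHED / KMD_PM_SA_DELETED messages on your device and adjust the regular expression. Wiring this into Junos (event-script, committing the returned command) is left out.

```python
"""Fail-open route tracker for the two-peer IPsec setup in the thread (added example)."""
import re
from typing import Dict, List, Optional, Tuple

PRIMARY = "10.0.0.2"       # remote-gateway in the thread's rule
BACKUP = "10.0.0.14"       # backup-remote-gateway in the thread's rule
ROUTE = "192.168.0.0/24"
INSIDE_IF = "si-0/0/0.1"   # inside-service-interface of IPSec_SS1

# ASSUMED message shape: syslog tag, then key/value fields including "Remote gateway: <ip>".
KMD_RE = re.compile(
    r"(?P<tag>KMD_PM_SA_ESTABLISHED|KMD_PM_SA_DELETED)\b.*?"
    r"Remote gateway:\s*(?P<peer>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_kmd(line: str) -> Optional[Tuple[str, str]]:
    """Return (tag, peer) for a KMD SA event line, None for any other line."""
    m = KMD_RE.search(line)
    return (m.group("tag"), m.group("peer")) if m else None


class TunnelTracker:
    """Counts live SAs per tracked peer; the encrypted route stays while any peer has one."""

    def __init__(self, peers: List[str], route_installed: bool = True) -> None:
        self.sa_count: Dict[str, int] = {p: 0 for p in peers}
        self.route_installed = route_installed  # the thread's config starts with the route present
        self.audit: List[str] = []

    def any_peer_up(self) -> bool:
        return any(n > 0 for n in self.sa_count.values())

    def handle(self, line: str) -> Optional[str]:
        """Consume one syslog line; return the Junos command to apply, or None if nothing changes."""
        parsed = parse_kmd(line)
        if parsed is None:
            return None
        tag, peer = parsed
        if peer not in self.sa_count:
            return None  # an SA belonging to some other rule's peer: not our business
        if tag == "KMD_PM_SA_ESTABLISHED":
            self.sa_count[peer] += 1
        else:
            self.sa_count[peer] = max(0, self.sa_count[peer] - 1)  # never go negative on a missed event
        want_route = self.any_peer_up()
        if want_route == self.route_installed:
            return None  # rekey overlap or one-of-two peers flapping: no transition
        self.route_installed = want_route
        if want_route:
            self.audit.append(f"peer {peer} up: traffic to {ROUTE} encrypted again")
            return f"set routing-options static route {ROUTE} next-hop {INSIDE_IF}"
        self.audit.append(f"peer {peer} down, no peer left: FAIL-OPEN, {ROUTE} now sent in cleartext")
        return f"delete routing-options static route {ROUTE} next-hop {INSIDE_IF}"


def replay(lines: List[str], tracker: Optional[TunnelTracker] = None) -> List[str]:
    """Feed lines through a tracker and collect only the commands it emits."""
    tracker = tracker or TunnelTracker([PRIMARY, BACKUP])
    return [cmd for cmd in (tracker.handle(line) for line in lines) if cmd is not None]


# CONSTRUCTED sample log (not captured from a device) covering rekey, one-peer loss, both-peer loss.
SAMPLE_LOG = [
    "Jan 16 01:46:01 vmx kmd[2101]: KMD_PM_SA_ESTABLISHED: Local gateway: 10.254.0.9, Remote gateway: 10.0.0.2, Direction: inbound, SPI: 0xa1b2c3d4",
    "Jan 16 01:46:02 vmx kmd[2101]: KMD_PM_SA_ESTABLISHED: Local gateway: 10.254.0.9, Remote gateway: 10.0.0.14, Direction: inbound, SPI: 0x0badcafe",
    "Jan 16 02:00:00 vmx kmd[2101]: KMD_PM_SA_ESTABLISHED: Local gateway: 10.254.0.9, Remote gateway: 10.0.0.2, Direction: inbound, SPI: 0x11223344",  # rekey: new SA first
    "Jan 16 02:00:05 vmx kmd[2101]: KMD_PM_SA_DELETED: Local gateway: 10.254.0.9, Remote gateway: 10.0.0.2, Direction: inbound, SPI: 0xa1b2c3d4",  # old SA removed
    "Jan 16 02:30:00 vmx kmd[2101]: KMD_PM_SA_DELETED: Local gateway: 10.254.0.9, Remote gateway: 10.0.0.2, Direction: inbound, SPI: 0x11223344",  # primary really down
    "Jan 16 02:30:01 vmx mib2d[900]: SNMP_TRAP_LINK_DOWN: ifIndex 530, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-0/0/0",  # unrelated line
    "Jan 16 02:31:00 vmx kmd[2101]: KMD_PM_SA_DELETED: Local gateway: 10.254.0.9, Remote gateway: 10.0.0.14, Direction: inbound, SPI: 0x0badcafe",  # backup down too
    "Jan 16 02:45:00 vmx kmd[2101]: KMD_PM_SA_ESTABLISHED: Local gateway: 10.254.0.9, Remote gateway: 198.51.100.7, Direction: inbound, SPI: 0x5e5e5e5e",  # another rule's peer
    "Jan 16 02:50:00 vmx kmd[2101]: KMD_PM_SA_ESTABLISHED: Local gateway: 10.254.0.9, Remote gateway: 10.0.0.2, Direction: inbound, SPI: 0x99887766",
]

if __name__ == "__main__":
    tracker = TunnelTracker([PRIMARY, BACKUP])
    for cmd in replay(SAMPLE_LOG, tracker):
        print(cmd)
    for entry in tracker.audit:
        print("#", entry)
```

Replaying SAMPLE_LOG yields exactly two commands: the delete when the backup's last SA goes away after the primary is already down, and the set when the primary comes back; the rekey overlap and the loss of a single peer produce no route change. Per-peer SA counting rather than a single up/down flag is what makes rekeying (new SA established before the old one is deleted) harmless, and the audit entry is there because a fail-open transition is exactly the event an operator must see.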

Re: tracking if IPsec tunnel is down and forward traffic without IPsec

01-16-2018 10:12 AM

Glad to know that it worked for you :)


Cheers!