[j-nsp] srx ipsec tunnel over mpls l3vpn

Aaron Gould aaron1 at gvtc.com
Thu Jul 11 15:26:39 EDT 2019


Anyone ever done it? To be clear, I have mpls/ldp/ospf/bgp enabled on the SRX
such that I have an l3vpn functional into the SRX.

I have a lo0.99 interface as the external interface used for ike/ipsec.
Seems that I'm pretty close to getting this done, as I have ike phase 1 up
and ike phase 2 up, but only seeing encrypted packets as I try to ping
between the st0.0 interface and the ms-0/0/0.1 inside interface on the other
side (mx104 with ms-mic-16g).

Let me know what I'm missing.

I'm seeing drops in these two show outputs, which seem to coincide with a
100-packet ping test...


root at demo-srx300> show security flow statistics
    Current sessions: 9
    Packets forwarded: 417926
    Packets dropped: 15604
    Fragment packets: 0
    Pre fragments generated: 0
    Post fragments generated: 0

root at demo-srx300> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Enhanced route scaling mode: Disabled
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
    GTP-U distribution: Disabled
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware

root at demo-srx300> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:           252264
  Decrypted bytes:                0
  Encrypted packets:           1618
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

root at demo-srx300> show security flow statistics | grep rop
    Packets dropped: 15650

root at demo-srx300> ping 10.102.199.66 routing-instance one rapid interval .1 count 100
PING 10.102.199.66 (10.102.199.66): 56 data bytes
............................................................................
........................
--- 10.102.199.66 ping statistics ---
100 packets transmitted, 0 packets received, 100% packet loss

root at demo-srx300> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:           267864
  Decrypted bytes:                0
  Encrypted packets:           1718
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

root at demo-srx300> show security flow statistics | grep rop
    Packets dropped: 15755


-Aaron
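The useful signal in the counters above is the direction of the asymmetry: across the 100-packet ping, "Encrypted packets" rises by exactly 100 while "Decrypted packets" stays at 0 and the ESP error counters stay at 0. The script below is an added example, not part of the mailing-list post or any Juniper tool: it parses two snapshots of the statistics as pasted above (the text is copied from the post; the counter layout is assumed to match what the SRX prints) and turns the deltas into a verdict on whether the tunnel is one-way, failing decryption, or never seeing the probes at all. The same approach works for baselining any Junos counter output you collect periodically.

```python
"""Counter-delta check for an IPsec tunnel that only passes traffic one way.

Added example (not from the original post). Parses two snapshots of
`show security ipsec statistics` plus the `Packets dropped` line of
`show security flow statistics` and classifies the change between them.
"""
import re
from dataclasses import dataclass
from typing import Dict

# Constructed from the two snapshots pasted in the thread (before / after
# the 100-packet ping). Only the lines that carry counters are needed.
BEFORE = """\
ESP Statistics:
  Encrypted bytes:           252264
  Decrypted bytes:                0
  Encrypted packets:           1618
  Decrypted packets:              0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
    Packets dropped: 15650
"""

AFTER = """\
ESP Statistics:
  Encrypted bytes:           267864
  Decrypted bytes:                0
  Encrypted packets:           1718
  Decrypted packets:              0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
    Packets dropped: 15755
"""

# "<name>: <integer>"; a single line may hold several such pairs
# ("AH authentication failures: 0, Replay errors: 0").
COUNTER_RE = re.compile(r"([A-Za-z ]+?):\s*(\d+)")


def parse_counters(text: str) -> Dict[str, int]:
    """Return every 'name: value' counter in the snapshot as a dict."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            counters[name.strip()] = int(value)
    return counters


@dataclass
class Delta:
    encrypted: int          # ESP packets this box encrypted and sent
    decrypted: int          # ESP packets this box received and decrypted
    dropped: int            # flow-level drops (any reason)
    decrypt_failures: int   # ESP decryption failures
    auth_failures: int      # ESP authentication failures


def delta(before: str, after: str) -> Delta:
    """Difference of the counters that matter between two snapshots."""
    b, a = parse_counters(before), parse_counters(after)

    def d(key: str) -> int:
        return a[key] - b[key]

    return Delta(
        encrypted=d("Encrypted packets"),
        decrypted=d("Decrypted packets"),
        dropped=d("Packets dropped"),
        decrypt_failures=d("ESP decryption failures"),
        auth_failures=d("ESP authentication failures"),
    )


def diagnose(dl: Delta, probes_sent: int) -> str:
    """Classify the tunnel's behaviour during a probe run of `probes_sent` packets."""
    if dl.auth_failures or dl.decrypt_failures:
        # Replies are arriving but cannot be processed: SA / proposal mismatch territory.
        return "replies-rejected"
    if dl.encrypted == 0:
        # Probes never entered the tunnel: route or security policy on this side.
        return "probes-not-tunnelled"
    if dl.encrypted >= probes_sent and dl.decrypted == 0:
        # Exactly the pattern in the post: we encrypt and send, nothing ever comes back.
        return "one-way"
    return "bidirectional"


if __name__ == "__main__":
    dl = delta(BEFORE, AFTER)
    print(dl)
    print(diagnose(dl, probes_sent=100))
```

With the two snapshots from the post this reports `one-way`: the 100 probes were encrypted and sent (encrypted delta 100, so the local side's routing into st0.0 and its security policy are working), no ESP packets were decrypted, and no ESP errors were logged, which points at the return path rather than at the local SRX. The drop counter rising by slightly more than 100 is consistent with the unanswered probes plus background traffic.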
