[j-nsp] srx ipsec tunnel over mpls l3vpn
Aaron Gould
aaron1 at gvtc.com
Thu Jul 11 16:34:26 EDT 2019
Thanks Emille. Ummm, I may be misunderstanding you, but I don't think I
have changed from the SRX flow-mode default. But I do have an LDP neighbor up and
MPLS forwarding is occurring via the MPLS L3VPN VRF... and I do believe
IKE phase 1 and phase 2 are working over this MPLS L3VPN within the SRX...
but I just don't seem to be able to ping from one side of the st0 tunnel
interface to the other.
See...
root at demo-srx300> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
ISO forwarding mode: drop
Enhanced route scaling mode: Disabled
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based
GTP-U distribution: Disabled
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware
root at demo-srx300> show route table mpls.0
mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0 *[MPLS/0] 04:51:07, metric 1
Receive
1 *[MPLS/0] 04:51:07, metric 1
Receive
2 *[MPLS/0] 04:51:07, metric 1
Receive
13 *[MPLS/0] 04:51:07, metric 1
Receive
16 *[VPN/0] 04:51:07
to table one.inet.0, Pop
345552 *[LDP/9] 04:43:04, metric 3, tag 0
> to 10.101.14.197 via ge-0/0/0.0, Swap 16507
345568 *[LDP/9] 04:43:04, metric 4, tag 0
> to 10.101.14.197 via ge-0/0/0.0, Swap 16508
345584 *[LDP/9] 04:43:04, metric 2, tag 0
> to 10.101.14.197 via ge-0/0/0.0, Swap 16512
345600 *[LDP/9] 04:43:04, metric 3, tag 0
> to 10.101.14.197 via ge-0/0/0.0, Swap 16513
345616 *[LDP/9] 04:43:04, metric 3, tag 0
> to 10.101.14.197 via ge-0/0/0.0, Swap 16516
345632 *[LDP/9] 04:43:04, metric 4, tag 0
> to 10.101.14.197 via ge-0/0/0.0, Swap 16517
345648 *[LDP/9] 04:43:04, metric 3, tag 0
> to 10.101.14.197 via ge-0/0/0.0, Swap 16518
root at demo-srx300> show route table mpls.0 terse
mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
A V Destination P Prf Metric 1 Metric 2 Next hop AS path
* ? 0 M 0 1 Receive
* ? 1 M 0 1 Receive
* ? 2 M 0 1 Receive
* ? 13 M 0 1 Receive
* ? 16 V 0 Table
* ? 345552 L 9 3 >10.101.14.197
* ? 345568 L 9 4 >10.101.14.197
* ? 345584 L 9 2 >10.101.14.197
* ? 345600 L 9 3 >10.101.14.197
* ? 345616 L 9 3 >10.101.14.197
* ? 345632 L 9 4 >10.101.14.197
* ? 345648 L 9 3 >10.101.14.197
* ? 345664 L 9 7 >10.101.14.197
* ? 345680 L 9 6 >10.101.14.197
* ? 345696 L 9 7 >10.101.14.197
* ? 345712 L 9 7 >10.101.14.197
* ? 345728 L 9 6 >10.101.14.197
* ? 345744 L 9 7 >10.101.14.197
root at demo-srx300> show route table mpls.0 terse | count
Count: 528 lines
root at demo-srx300> show ldp neighbor
Address Interface Label space ID Hold time
10.101.14.197 ge-0/0/0.0 10.101.0.254:0 10
root at demo-srx300>
-----Original Message-----
From: Emille Blanc [mailto:emille at abccommunications.com]
Sent: Thursday, July 11, 2019 3:04 PM
To: Aaron Gould; juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] srx ipsec tunnel over mpls l3vpn
Based on what you described, it sounds like you already got your MPLS/LDP
running in a packet-mode routing-instance, as otherwise MPLS is dropped on
an SRX in flow mode.
No obvious ideas with the output provided otherwise.
Do the flows in your IPSEC instance get created?
-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Aaron Gould
Sent: Thursday, July 11, 2019 12:27 PM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] srx ipsec tunnel over mpls l3vpn
Anyone ever done it? To be clear, I have MPLS/LDP/OSPF/BGP enabled on the SRX
such that I have an L3VPN functional into the SRX.
I have a lo0.99 interface as the external interface used for IKE/IPsec.
Seems that I'm pretty close to getting this done, as I have IKE phase 1 up
and IKE phase 2 up, but I'm only seeing encrypted packets as I try to ping
between the st0.0 interface and the ms-0/0/0.1 inside interface on the other
side (MX104 with MS-MIC-16G).
Let me know what I'm missing.
I'm seeing drops in these two show outputs, which seems to coincide with a
100-packet ping test...
root at demo-srx300> show security flow statistics
Current sessions: 9
Packets forwarded: 417926
Packets dropped: 15604
Fragment packets: 0
Pre fragments generated: 0
Post fragments generated: 0
root at demo-srx300> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
ISO forwarding mode: drop
Enhanced route scaling mode: Disabled
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based
GTP-U distribution: Disabled
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware
root at demo-srx300> show security ipsec statistics
ESP Statistics:
Encrypted bytes: 252264
Decrypted bytes: 0
Encrypted packets: 1618
Decrypted packets: 0
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
root at demo-srx300> show security flow statistics | grep rop
Packets dropped: 15650
root at demo-srx300> ping 10.102.199.66 routing-instance one rapid interval .1 count 100
PING 10.102.199.66 (10.102.199.66): 56 data bytes
....................................................................................................
--- 10.102.199.66 ping statistics ---
100 packets transmitted, 0 packets received, 100% packet loss
root at demo-srx300> show security ipsec statistics
ESP Statistics:
Encrypted bytes: 267864
Decrypted bytes: 0
Encrypted packets: 1718
Decrypted packets: 0
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
root at demo-srx300> show security flow statistics | grep rop
Packets dropped: 15755
-Aaron
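Added example, not part of the thread and not a Juniper tool: a small Python script that reads the three show outputs quoted above (flow status, IPsec statistics and flow statistics taken before and after the 100-probe ping) and turns the counter movement into the checks a troubleshooter would make first. The sample text is constructed from the counters in the thread; the finding names, the thresholds and the reading of each finding are my own assumptions.

```python
"""Triage a one-way SRX IPsec tunnel from CLI counters.

Added example (not from the thread, not Juniper code). It parses the
text of `show security flow status`, `show security ipsec statistics`
and `show security flow statistics`, compares before/after snapshots
and reports what the counters say about where the reply traffic is lost.
"""
import re

# Constructed sample input: the counters quoted in the thread, captured
# before and after the 100-probe ping to 10.102.199.66.
FLOW_STATUS = """\
Flow forwarding mode:
  Inet forwarding mode: flow based
  Inet6 forwarding mode: drop
  MPLS forwarding mode: drop
  ISO forwarding mode: drop
"""
IPSEC_BEFORE = """\
ESP Statistics:
  Encrypted bytes: 252264
  Decrypted bytes: 0
  Encrypted packets: 1618
  Decrypted packets: 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""
IPSEC_AFTER = IPSEC_BEFORE.replace("252264", "267864").replace("1618", "1718")
FLOW_BEFORE = "Packets dropped: 15650\n"
FLOW_AFTER = "Packets dropped: 15755\n"

# "Key: 123" pairs, including several on one line separated by commas.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9 /-]*?):\s*(-?\d+)(?=\s*,|\s*$)")

# Error counters that would point at a proposal/key mismatch (assumed set).
CRYPTO_ERROR_KEYS = ("AH authentication failures", "Replay errors",
                     "ESP authentication failures", "ESP decryption failures",
                     "Bad headers", "Bad trailers")

# Assumed plain-language reading of each finding name.
EXPLANATIONS = {
    "mpls-dropped-in-flow-mode": "MPLS forwarding mode is 'drop': labelled packets "
        "reaching the flow engine are discarded, so MPLS must be handled in a "
        "packet-mode instance.",
    "one-way-tunnel": "Encrypted packets grew by at least the probe count while "
        "decrypted stayed at 0: ESP leaves the SRX, but no reply is ever decrypted. "
        "Look at the far end and the return path, not at the local crypto.",
    "no-crypto-errors": "No authentication/decryption/replay errors: the replies are "
        "not arriving at all rather than failing to decrypt.",
    "flow-drops-cover-probes": "Flow 'Packets dropped' grew by at least the probe "
        "count: flow traceoptions on the drop reason will show which policy or "
        "route check rejected them.",
}


def parse_counters(text):
    """Return {counter name: int} for every numeric 'Key: N' field in text."""
    counters = {}
    for line in text.splitlines():
        for key, val in COUNTER_RE.findall(line.strip()):
            counters[key.strip()] = int(val)
    return counters


def parse_modes(text):
    """Return {field: value} for the textual 'Key: value' lines of flow status."""
    modes = {}
    for line in text.splitlines():
        key, sep, val = line.strip().partition(":")
        if sep and val.strip():
            modes[key.strip()] = val.strip()
    return modes


def delta(before, after, key):
    """Counter movement between two snapshots (missing keys count as 0)."""
    return after.get(key, 0) - before.get(key, 0)


def diagnose(modes, ipsec_before, ipsec_after, flow_before, flow_after, probes_sent):
    """Compare snapshots around a ping test and list the findings they support."""
    enc = delta(ipsec_before, ipsec_after, "Encrypted packets")
    dec = delta(ipsec_before, ipsec_after, "Decrypted packets")
    dropped = delta(flow_before, flow_after, "Packets dropped")
    crypto_errors = sum(ipsec_after.get(k, 0) for k in CRYPTO_ERROR_KEYS)
    findings = []
    if modes.get("MPLS forwarding mode", "").lower() == "drop":
        findings.append("mpls-dropped-in-flow-mode")
    if enc >= probes_sent and dec == 0:
        findings.append("one-way-tunnel")
    if crypto_errors == 0:
        findings.append("no-crypto-errors")
    if dropped >= probes_sent:
        findings.append("flow-drops-cover-probes")
    return {"encrypted_delta": enc, "decrypted_delta": dec,
            "dropped_delta": dropped, "crypto_errors": crypto_errors,
            "findings": findings}


def run_sample():
    """Diagnose the thread's own counters (100 probes sent)."""
    return diagnose(parse_modes(FLOW_STATUS),
                    parse_counters(IPSEC_BEFORE), parse_counters(IPSEC_AFTER),
                    parse_counters(FLOW_BEFORE), parse_counters(FLOW_AFTER),
                    probes_sent=100)


if __name__ == "__main__":
    report = run_sample()
    print(f"encrypted +{report['encrypted_delta']}, decrypted +{report['decrypted_delta']}, "
          f"flow drops +{report['dropped_delta']}, crypto errors {report['crypto_errors']}")
    for name in report["findings"]:
        print(f"- {name}: {EXPLANATIONS[name]}")
```

Fed the thread's numbers, the script reports encrypted +100, decrypted +0 and flow drops +105 with zero crypto errors, which is the one-way-tunnel picture: the SRX is emitting ESP for every probe, nothing comes back to decrypt, and the flow engine is discarding something in the same window. On a live box the same functions can be fed the raw CLI text captured with any collection tool.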
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp