[j-nsp] srx ipsec tunnel over mpls l3vpn

Hugo Slabbert hugo at slabnet.com
Fri Jul 12 02:26:27 EDT 2019


Is the other end of this also an SRX configured in a similar way, or 
something else?  This seems to contradict basically any Juniper docs on SRX 
around MPLS traffic re: flow/packet mode.  Specifically given that it's 
showing "drop" for MPLS traffic, I would be confused about how it's passing 
MPLS-encap'd traffic.

Can you pass other non-IPSEC IPv4 traffic from the SRX (or behind it) 
across the l3vpn to validate bidirectional traffic passing?

-- 
Hugo Slabbert       | email, xmpp/jabber: hugo at slabnet.com
pgp key: B178313E   | also on Signal

On Thu 2019-Jul-11 15:34:26 -0500, Aaron Gould <aaron1 at gvtc.com> wrote:

>
>Thanks Emille, Ummm, I may be misunderstanding you, but I don't think I
>have changed from SRX flow-mode default.  But I do have ldp neighbor up and
>mpls forwarding is occurring via mpls l3vpn vrf.  ....and I do believe the
>ike phase 1 and phase 2 are working over this mpls l3vpn within the srx....
>but I just don't seem to be able to ping from one side of the st0 tunnel
>interface to the other.
>
>See...
>
>root at demo-srx300> show security flow status
>  Flow forwarding mode:
>    Inet forwarding mode: flow based
>    Inet6 forwarding mode: drop
>    MPLS forwarding mode: drop
>    ISO forwarding mode: drop
>    Enhanced route scaling mode: Disabled
>  Flow trace status
>    Flow tracing status: off
>  Flow session distribution
>    Distribution mode: RR-based
>    GTP-U distribution: Disabled
>  Flow ipsec performance acceleration: off
>  Flow packet ordering
>    Ordering mode: Hardware
>
>
>root at demo-srx300> show route table mpls.0
>
>mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
>+ = Active Route, - = Last Active, * = Both
>
>0                  *[MPLS/0] 04:51:07, metric 1
>                      Receive
>1                  *[MPLS/0] 04:51:07, metric 1
>                      Receive
>2                  *[MPLS/0] 04:51:07, metric 1
>                      Receive
>13                 *[MPLS/0] 04:51:07, metric 1
>                      Receive
>16                 *[VPN/0] 04:51:07
>                      to table one.inet.0, Pop
>345552             *[LDP/9] 04:43:04, metric 3, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16507
>345568             *[LDP/9] 04:43:04, metric 4, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16508
>345584             *[LDP/9] 04:43:04, metric 2, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16512
>345600             *[LDP/9] 04:43:04, metric 3, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16513
>345616             *[LDP/9] 04:43:04, metric 3, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16516
>345632             *[LDP/9] 04:43:04, metric 4, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16517
>345648             *[LDP/9] 04:43:04, metric 3, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16518
>
>root at demo-srx300> show route table mpls.0 terse
>
>mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
>+ = Active Route, - = Last Active, * = Both
>
>A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
>* ? 0                  M   0          1             Receive
>* ? 1                  M   0          1             Receive
>* ? 2                  M   0          1             Receive
>* ? 13                 M   0          1             Receive
>* ? 16                 V   0                        Table
>* ? 345552             L   9          3            >10.101.14.197
>* ? 345568             L   9          4            >10.101.14.197
>* ? 345584             L   9          2            >10.101.14.197
>* ? 345600             L   9          3            >10.101.14.197
>* ? 345616             L   9          3            >10.101.14.197
>* ? 345632             L   9          4            >10.101.14.197
>* ? 345648             L   9          3            >10.101.14.197
>* ? 345664             L   9          7            >10.101.14.197
>* ? 345680             L   9          6            >10.101.14.197
>* ? 345696             L   9          7            >10.101.14.197
>* ? 345712             L   9          7            >10.101.14.197
>* ? 345728             L   9          6            >10.101.14.197
>* ? 345744             L   9          7            >10.101.14.197
>
>root at demo-srx300> show route table mpls.0 terse | count
>Count: 528 lines
>
>root at demo-srx300> show ldp neighbor
>Address            Interface          Label space ID         Hold time
>10.101.14.197      ge-0/0/0.0         10.101.0.254:0           10
>
>root at demo-srx300>
>
>
>
>-----Original Message-----
>From: Emille Blanc [mailto:emille at abccommunications.com]
>Sent: Thursday, July 11, 2019 3:04 PM
>To: Aaron Gould; juniper-nsp at puck.nether.net
>Subject: RE: [j-nsp] srx ipsec tunnel over mpls l3vpn
>
>Based on what you described, it sounds like you already got your MPLS/LDP
>running in a packet-mode routing-instance, as otherwise MPLS is dropped on
>an SRX in flow mode.
>
>No obvious ideas with the output provided otherwise.
>Do the flows in your IPSEC instance get created?
>
>-----Original Message-----
>From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
>Aaron Gould
>Sent: Thursday, July 11, 2019 12:27 PM
>To: juniper-nsp at puck.nether.net
>Subject: [j-nsp] srx ipsec tunnel over mpls l3vpn
>
>Anyone ever done it?  To be clear, I have mpls/ldp/ospf/bgp enabled on the SRX
>such that I have an l3vpn functional into the SRX.
>
>I have a lo0.99 interface as the external interface used for ike/ipsec.
>Seems that I'm pretty close to getting this done, as I have ike phase 1 up
>and ike phase 2 up, but only seeing encrypted packets as I try to ping
>between the st0.0 interface and the ms-0/0/0.1 inside interface on the other
>side (mx104 with ms-mic-16g)
>
>Let me know what I'm missing.
>
>I'm seeing drops in these two show outputs, which seems to coincide with a
>100-packet ping test...
>
>root at demo-srx300> show security flow statistics
>    Current sessions: 9
>    Packets forwarded: 417926
>    Packets dropped: 15604
>    Fragment packets: 0
>    Pre fragments generated: 0
>    Post fragments generated: 0
>
>root at demo-srx300> show security flow status
>  Flow forwarding mode:
>    Inet forwarding mode: flow based
>    Inet6 forwarding mode: drop
>    MPLS forwarding mode: drop
>    ISO forwarding mode: drop
>    Enhanced route scaling mode: Disabled
>  Flow trace status
>    Flow tracing status: off
>  Flow session distribution
>    Distribution mode: RR-based
>    GTP-U distribution: Disabled
>  Flow ipsec performance acceleration: off
>  Flow packet ordering
>    Ordering mode: Hardware
>
>root at demo-srx300> show security ipsec statistics
>ESP Statistics:
>  Encrypted bytes:           252264
>  Decrypted bytes:                0
>  Encrypted packets:           1618
>  Decrypted packets:              0
>AH Statistics:
>  Input bytes:                    0
>  Output bytes:                   0
>  Input packets:                  0
>  Output packets:                 0
>Errors:
>  AH authentication failures: 0, Replay errors: 0
>  ESP authentication failures: 0, ESP decryption failures: 0
>  Bad headers: 0, Bad trailers: 0
>
>root at demo-srx300> show security flow statistics | grep rop
>    Packets dropped: 15650
>
>root at demo-srx300> ping 10.102.199.66 routing-instance one rapid interval .1
>count 100
>PING 10.102.199.66 (10.102.199.66): 56 data bytes
>............................................................................
>........................
>--- 10.102.199.66 ping statistics ---
>100 packets transmitted, 0 packets received, 100% packet loss
>
>root at demo-srx300> show security ipsec statistics
>ESP Statistics:
>  Encrypted bytes:           267864
>  Decrypted bytes:                0
>  Encrypted packets:           1718
>  Decrypted packets:              0
>AH Statistics:
>  Input bytes:                    0
>  Output bytes:                   0
>  Input packets:                  0
>  Output packets:                 0
>Errors:
>  AH authentication failures: 0, Replay errors: 0
>  ESP authentication failures: 0, ESP decryption failures: 0
>  Bad headers: 0, Bad trailers: 0
>
>root at demo-srx300> show security flow statistics | grep rop
>    Packets dropped: 15755
>
>-Aaron
>
>
>
>_______________________________________________
>juniper-nsp mailing list juniper-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/juniper-nsp
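To make the counter comparison Aaron is doing by hand repeatable, here is an added Python checker (not code from the thread or from Juniper) that parses two snapshots of the quoted `show security ipsec statistics` and `show security flow statistics` output bracketing the 100-packet ping and reports the deltas: encrypted packets rising by exactly the probe count while decrypted packets stay at zero, and flow drops rising with them. The snapshot text is copied from the thread; the interpretation strings are the checker's own assumptions about what each pattern means.

```python
import re

# Counter snapshots copied from the show outputs quoted in this thread, taken
# before and after the 100-packet ping; only the lines the checker reads are kept.
BEFORE = """\
ESP Statistics:
  Encrypted bytes:           252264
  Decrypted bytes:                0
  Encrypted packets:           1618
  Decrypted packets:              0
Errors:
  ESP authentication failures: 0, ESP decryption failures: 0
    Packets dropped: 15650
"""
# The post-ping snapshot differs only in the three counters that moved.
AFTER = BEFORE.replace("252264", "267864").replace("1618", "1718").replace("15650", "15755")

# Matches "Name: 123", including several "Name: n, Name: n" pairs on one line.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s+(\d+)\b")


def parse_counters(text: str) -> dict:
    """Map each counter name in the show output to its integer value."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}


def counter_deltas(before: str, after: str) -> dict:
    """Per-counter change between two snapshots of the same commands."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: a[k] - b[k] for k in a if k in b}


def diagnose(before: str, after: str, probes_sent: int) -> dict:
    """Interpret the counter movement caused by a ping of probes_sent packets."""
    d = counter_deltas(before, after)
    findings = []
    if d["Encrypted packets"] >= probes_sent and d["Decrypted packets"] == 0:
        findings.append("one-way ESP: local side encrypts, nothing is decrypted; "
                        "the peer's replies never reach this tunnel endpoint")
    if d["ESP decryption failures"] or d["ESP authentication failures"]:
        findings.append("peer traffic arrives but fails ESP processing")
    if d["Packets dropped"] >= probes_sent:
        findings.append("flow drops grew by at least the probe count; "
                        "check whether sessions for the tunnel traffic are created")
    return {"deltas": d, "findings": findings}


if __name__ == "__main__":
    for finding in diagnose(BEFORE, AFTER, probes_sent=100)["findings"]:
        print(finding)
```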