[j-nsp] srx ipsec tunnel over mpls l3vpn
Hugo Slabbert
hugo at slabnet.com
Fri Jul 12 02:26:27 EDT 2019
Is the other end of this also an SRX configured in a similar way, or
something else? This seems to contradict basically any Juniper docs on SRX
around MPLS traffic re: flow/packet mode. Specifically given that it's
showing "drop" for MPLS traffic, I would be confused about how it's passing
MPLS-encap'd traffic.
Can you pass other non-IPSEC IPv4 traffic from the SRX (or behind it)
across the l3vpn to validate bidirectional traffic passing?
--
Hugo Slabbert | email, xmpp/jabber: hugo at slabnet.com
pgp key: B178313E | also on Signal
On Thu 2019-Jul-11 15:34:26 -0500, Aaron Gould <aaron1 at gvtc.com> wrote:
>
>Thanks Emille, Ummm, I may be misunderstanding you, but I don't think I
>have changed from the SRX flow-mode default. But I do have the ldp neighbor up and
>mpls forwarding is occurring via the mpls l3vpn vrf... and I do believe the
>ike phase 1 and phase 2 are working over this mpls l3vpn within the srx...
>but I just don't seem to be able to ping from one side of the st0 tunnel
>interface to the other.
>
>See...
>
>root at demo-srx300> show security flow status
> Flow forwarding mode:
> Inet forwarding mode: flow based
> Inet6 forwarding mode: drop
> MPLS forwarding mode: drop
> ISO forwarding mode: drop
> Enhanced route scaling mode: Disabled
> Flow trace status
> Flow tracing status: off
> Flow session distribution
> Distribution mode: RR-based
> GTP-U distribution: Disabled
> Flow ipsec performance acceleration: off
> Flow packet ordering
> Ordering mode: Hardware
>
>
>root at demo-srx300> show route table mpls.0
>
>mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
>+ = Active Route, - = Last Active, * = Both
>
>0 *[MPLS/0] 04:51:07, metric 1
> Receive
>1 *[MPLS/0] 04:51:07, metric 1
> Receive
>2 *[MPLS/0] 04:51:07, metric 1
> Receive
>13 *[MPLS/0] 04:51:07, metric 1
> Receive
>16 *[VPN/0] 04:51:07
> to table one.inet.0, Pop
>345552 *[LDP/9] 04:43:04, metric 3, tag 0
> > to 10.101.14.197 via ge-0/0/0.0, Swap 16507
>345568 *[LDP/9] 04:43:04, metric 4, tag 0
> > to 10.101.14.197 via ge-0/0/0.0, Swap 16508
>345584 *[LDP/9] 04:43:04, metric 2, tag 0
> > to 10.101.14.197 via ge-0/0/0.0, Swap 16512
>345600 *[LDP/9] 04:43:04, metric 3, tag 0
> > to 10.101.14.197 via ge-0/0/0.0, Swap 16513
>345616 *[LDP/9] 04:43:04, metric 3, tag 0
> > to 10.101.14.197 via ge-0/0/0.0, Swap 16516
>345632 *[LDP/9] 04:43:04, metric 4, tag 0
> > to 10.101.14.197 via ge-0/0/0.0, Swap 16517
>345648 *[LDP/9] 04:43:04, metric 3, tag 0
> > to 10.101.14.197 via ge-0/0/0.0, Swap 16518
>
>root at demo-srx300> show route table mpls.0 terse
>
>mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
>+ = Active Route, - = Last Active, * = Both
>
>A V Destination P Prf Metric 1 Metric 2 Next hop AS path
>* ? 0 M 0 1 Receive
>* ? 1 M 0 1 Receive
>* ? 2 M 0 1 Receive
>* ? 13 M 0 1 Receive
>* ? 16 V 0 Table
>* ? 345552 L 9 3 >10.101.14.197
>* ? 345568 L 9 4 >10.101.14.197
>* ? 345584 L 9 2 >10.101.14.197
>* ? 345600 L 9 3 >10.101.14.197
>* ? 345616 L 9 3 >10.101.14.197
>* ? 345632 L 9 4 >10.101.14.197
>* ? 345648 L 9 3 >10.101.14.197
>* ? 345664 L 9 7 >10.101.14.197
>* ? 345680 L 9 6 >10.101.14.197
>* ? 345696 L 9 7 >10.101.14.197
>* ? 345712 L 9 7 >10.101.14.197
>* ? 345728 L 9 6 >10.101.14.197
>* ? 345744 L 9 7 >10.101.14.197
>
>root at demo-srx300> show route table mpls.0 terse | count
>Count: 528 lines
>
>root at demo-srx300> show ldp neighbor
>Address Interface Label space ID Hold time
>10.101.14.197 ge-0/0/0.0 10.101.0.254:0 10
>
>root at demo-srx300>
>
>
>
>-----Original Message-----
>From: Emille Blanc [mailto:emille at abccommunications.com]
>Sent: Thursday, July 11, 2019 3:04 PM
>To: Aaron Gould; juniper-nsp at puck.nether.net
>Subject: RE: [j-nsp] srx ipsec tunnel over mpls l3vpn
>
>Based on what you described, it sounds like you already got your MPLS/LDP
>running in a packet-mode routing-instance, as otherwise MPLS is dropped on
>an SRX in flow mode.
>
>No obvious ideas with the output provided otherwise.
>Do the flows in your IPSEC instance get created?
>
>-----Original Message-----
>From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
>Aaron Gould
>Sent: Thursday, July 11, 2019 12:27 PM
>To: juniper-nsp at puck.nether.net
>Subject: [j-nsp] srx ipsec tunnel over mpls l3vpn
>
>Anyone ever done it? To be clear, I have mpls/ldp/ospf/bgp enabled on the SRX
>such that I have an l3vpn functional into the SRX.
>
>I have a lo0.99 interface as the external interface used for ike/ipsec.
>Seems that I'm pretty close to getting this done, as I have ike phase 1 up
>and ike phase 2 up, but only seeing encrypted packets as I try to ping
>between the st0.0 interface and the ms-0/0/0.1 inside interface on the other
>side (mx104 with ms-mic-16g)
>
>Let me know what I'm missing.
>
>I'm seeing drops in these two show outputs, which seems to coincide with a
>100-packet ping test...
>
>root at demo-srx300> show security flow statistics
> Current sessions: 9
> Packets forwarded: 417926
> Packets dropped: 15604
> Fragment packets: 0
> Pre fragments generated: 0
> Post fragments generated: 0
>
>root at demo-srx300> show security flow status
> Flow forwarding mode:
> Inet forwarding mode: flow based
> Inet6 forwarding mode: drop
> MPLS forwarding mode: drop
> ISO forwarding mode: drop
> Enhanced route scaling mode: Disabled
> Flow trace status
> Flow tracing status: off
> Flow session distribution
> Distribution mode: RR-based
> GTP-U distribution: Disabled
> Flow ipsec performance acceleration: off
> Flow packet ordering
> Ordering mode: Hardware
>
>root at demo-srx300> show security ipsec statistics
>ESP Statistics:
> Encrypted bytes: 252264
> Decrypted bytes: 0
> Encrypted packets: 1618
> Decrypted packets: 0
>AH Statistics:
> Input bytes: 0
> Output bytes: 0
> Input packets: 0
> Output packets: 0
>Errors:
> AH authentication failures: 0, Replay errors: 0
> ESP authentication failures: 0, ESP decryption failures: 0
> Bad headers: 0, Bad trailers: 0
>
>root at demo-srx300> show security flow statistics | grep rop
> Packets dropped: 15650
>
>root at demo-srx300> ping 10.102.199.66 routing-instance one rapid interval .1
>count 100
>PING 10.102.199.66 (10.102.199.66): 56 data bytes
>............................................................................
>........................
>--- 10.102.199.66 ping statistics ---
>100 packets transmitted, 0 packets received, 100% packet loss
>
>root at demo-srx300> show security ipsec statistics
>ESP Statistics:
> Encrypted bytes: 267864
> Decrypted bytes: 0
> Encrypted packets: 1718
> Decrypted packets: 0
>AH Statistics:
> Input bytes: 0
> Output bytes: 0
> Input packets: 0
> Output packets: 0
>Errors:
> AH authentication failures: 0, Replay errors: 0
> ESP authentication failures: 0, ESP decryption failures: 0
> Bad headers: 0, Bad trailers: 0
>
>root at demo-srx300> show security flow statistics | grep rop
> Packets dropped: 15755
>
>-Aaron
>
>
>
>_______________________________________________
>juniper-nsp mailing list juniper-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
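The symptom in the quoted thread is a counter pattern: the ESP "Encrypted packets" counter climbs by exactly the ping count while "Decrypted packets" stays at 0, the flow "Packets dropped" counter rises by about the same amount, and "show security flow status" reports the MPLS forwarding mode as "drop". The small script below is an added triage helper, not code from the thread or from Juniper: it parses those three CLI outputs and turns the before/after counters into findings. The output formats and the sample values are taken from Aaron's posts (re-indented); the function names, the finding codes and the reading of each counter are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Sample CLI output, constructed for this example from the values posted in
# the thread (re-indented; the SRX prints these lines with leading spaces).
FLOW_STATUS = """\
Flow forwarding mode:
  Inet forwarding mode: flow based
  Inet6 forwarding mode: drop
  MPLS forwarding mode: drop
  ISO forwarding mode: drop
  Enhanced route scaling mode: Disabled
"""


def ipsec_stats(encrypted_bytes: int, encrypted_packets: int) -> str:
    """Build a 'show security ipsec statistics' sample with the given ESP counters."""
    return f"""\
ESP Statistics:
  Encrypted bytes: {encrypted_bytes}
  Decrypted bytes: 0
  Encrypted packets: {encrypted_packets}
  Decrypted packets: 0
AH Statistics:
  Input bytes: 0
  Output bytes: 0
  Input packets: 0
  Output packets: 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""


IPSEC_BEFORE = ipsec_stats(252264, 1618)   # snapshot before the 100-packet ping
IPSEC_AFTER = ipsec_stats(267864, 1718)    # snapshot after it
DROPS_BEFORE = "  Packets dropped: 15650\n"  # 'show security flow statistics | grep rop'
DROPS_AFTER = "  Packets dropped: 15755\n"


def parse_forwarding_modes(text: str) -> Dict[str, str]:
    """Map family -> mode from 'show security flow status' ('inet' -> 'flow based', ...).
    The header line 'Flow forwarding mode:' carries no value and is skipped."""
    modes: Dict[str, str] = {}
    for m in re.finditer(r"^\s*(\w+) forwarding mode:[ \t]*(.+?)[ \t]*$", text, re.M):
        modes[m.group(1).lower()] = m.group(2)
    return modes


def parse_counters(text: str) -> Dict[str, int]:
    """Map lower-cased counter name -> value for every 'Name: 123' pair,
    including the comma-separated pairs on the Errors lines."""
    counters: Dict[str, int] = {}
    for m in re.finditer(r"([A-Za-z][A-Za-z ]*?):[ \t]*(\d+)", text):
        counters[m.group(1).strip().lower()] = int(m.group(2))
    return counters


def triage(flow_status: str, ipsec_before: str, ipsec_after: str,
           drops_before: str, drops_after: str, probes_sent: int) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings for a tunnel that sends but never receives."""
    findings: List[Tuple[str, str]] = []

    modes = parse_forwarding_modes(flow_status)
    if modes.get("mpls") == "drop":
        findings.append(("mpls-drop",
                         "MPLS forwarding mode is 'drop': labelled packets that reach the "
                         "flow engine are discarded, so MPLS has to be handled in packet mode."))

    before, after = parse_counters(ipsec_before), parse_counters(ipsec_after)
    enc = after["encrypted packets"] - before["encrypted packets"]
    dec = after["decrypted packets"] - before["decrypted packets"]
    if enc > 0 and dec == 0:
        findings.append(("one-way-esp",
                         f"{enc} packets encrypted and 0 decrypted during the test: nothing "
                         "from the peer reaches this SA, so look at the return path."))

    crypto_errors = sum(after[k] for k in ("esp authentication failures",
                                           "esp decryption failures", "replay errors",
                                           "bad headers", "bad trailers"))
    if crypto_errors == 0:
        findings.append(("crypto-clean",
                         "no ESP authentication, decryption or replay errors: replies are not "
                         "being rejected by the SA; they never arrive or are dropped before IPsec."))

    drops = parse_counters(drops_after)["packets dropped"] - parse_counters(drops_before)["packets dropped"]
    if drops >= probes_sent:
        findings.append(("flow-drops",
                         f"flow 'Packets dropped' rose by {drops} across a {probes_sent}-probe "
                         "test; security flow traceoptions (flag basic-datapath) will name the drop reason."))
    return findings


if __name__ == "__main__":
    for code, why in triage(FLOW_STATUS, IPSEC_BEFORE, IPSEC_AFTER, DROPS_BEFORE, DROPS_AFTER, 100):
        print(f"[{code}] {why}")
```

Run against the posted counters it reports all four findings; the useful part is the combination: a clean error section plus a one-way ESP delta says the crypto is fine and the plaintext replies (or the labelled packets carrying them) are being lost in forwarding, which is what Hugo's question about passing plain IPv4 across the l3vpn is meant to confirm.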