[j-nsp] srx ipsec tunnel over mpls l3vpn

Craig Askings caskings at ionetworks.com.au
Fri Jul 12 02:59:17 EDT 2019


I've used a combo of a VR routing instance in flow mode to terminate the
ipsec traffic and an lt interface pair to cycle the traffic back into the mpls
side of things.

On Fri, 12 Jul 2019 at 16:26, Hugo Slabbert <hugo at slabnet.com> wrote:

> Is the other end of this also an SRX configured in a similar way, or
> something else?  This seems to contradict basically any Juniper docs on SRX
> around MPLS traffic re: flow/packet mode.  Specifically given that it's
> showing "drop" for MPLS traffic, I would be confused about how it's passing
> MPLS-encap'd traffic.
>
> Can you pass other non-IPSEC IPv4 traffic from the SRX (or behind it)
> across the l3vpn to validate bidirectional traffic passing?
>
> --
> Hugo Slabbert       | email, xmpp/jabber: hugo at slabnet.com
> pgp key: B178313E   | also on Signal
>
> On Thu 2019-Jul-11 15:34:26 -0500, Aaron Gould <aaron1 at gvtc.com> wrote:
>
> >
> >Thanks Emille, Ummm, I may be misunderstanding you, but I don't think I
> >have changed from SRX flow-mode default.  But I do have ldp neighbor up and
> >mpls forwarding is occurring via mpls l3vpn vrf.  ...and I do believe the
> >ike phase 1 and phase 2 is working over this mpls l3vpn within the srx...
> >but I just don't seem to be able to ping from one side of the st0 tunnel
> >interface to the other.
> >
> >See...
> >
> >root at demo-srx300> show security flow status
> >  Flow forwarding mode:
> >    Inet forwarding mode: flow based
> >    Inet6 forwarding mode: drop
> >    MPLS forwarding mode: drop
> >    ISO forwarding mode: drop
> >    Enhanced route scaling mode: Disabled
> >  Flow trace status
> >    Flow tracing status: off
> >  Flow session distribution
> >    Distribution mode: RR-based
> >    GTP-U distribution: Disabled
> >  Flow ipsec performance acceleration: off
> >  Flow packet ordering
> >    Ordering mode: Hardware
> >
> >
> >root at demo-srx300> show route table mpls.0
> >
> >mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
> >+ = Active Route, - = Last Active, * = Both
> >
> >0                  *[MPLS/0] 04:51:07, metric 1
> >                      Receive
> >1                  *[MPLS/0] 04:51:07, metric 1
> >                      Receive
> >2                  *[MPLS/0] 04:51:07, metric 1
> >                      Receive
> >13                 *[MPLS/0] 04:51:07, metric 1
> >                      Receive
> >16                 *[VPN/0] 04:51:07
> >                      to table one.inet.0, Pop
> >345552             *[LDP/9] 04:43:04, metric 3, tag 0
> >                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16507
> >345568             *[LDP/9] 04:43:04, metric 4, tag 0
> >                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16508
> >345584             *[LDP/9] 04:43:04, metric 2, tag 0
> >                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16512
> >345600             *[LDP/9] 04:43:04, metric 3, tag 0
> >                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16513
> >345616             *[LDP/9] 04:43:04, metric 3, tag 0
> >                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16516
> >345632             *[LDP/9] 04:43:04, metric 4, tag 0
> >                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16517
> >345648             *[LDP/9] 04:43:04, metric 3, tag 0
> >                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16518
> >
> >root at demo-srx300> show route table mpls.0 terse
> >
> >mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
> >+ = Active Route, - = Last Active, * = Both
> >
> >A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
> >* ? 0                  M   0          1             Receive
> >* ? 1                  M   0          1             Receive
> >* ? 2                  M   0          1             Receive
> >* ? 13                 M   0          1             Receive
> >* ? 16                 V   0                        Table
> >* ? 345552             L   9          3            >10.101.14.197
> >* ? 345568             L   9          4            >10.101.14.197
> >* ? 345584             L   9          2            >10.101.14.197
> >* ? 345600             L   9          3            >10.101.14.197
> >* ? 345616             L   9          3            >10.101.14.197
> >* ? 345632             L   9          4            >10.101.14.197
> >* ? 345648             L   9          3            >10.101.14.197
> >* ? 345664             L   9          7            >10.101.14.197
> >* ? 345680             L   9          6            >10.101.14.197
> >* ? 345696             L   9          7            >10.101.14.197
> >* ? 345712             L   9          7            >10.101.14.197
> >* ? 345728             L   9          6            >10.101.14.197
> >* ? 345744             L   9          7            >10.101.14.197
> >
> >root at demo-srx300> show route table mpls.0 terse | count
> >Count: 528 lines
> >
> >root at demo-srx300> show ldp neighbor
> >Address            Interface          Label space ID         Hold time
> >10.101.14.197      ge-0/0/0.0         10.101.0.254:0           10
> >
> >root at demo-srx300>
> >
> >
> >
> >-----Original Message-----
> >From: Emille Blanc [mailto:emille at abccommunications.com]
> >Sent: Thursday, July 11, 2019 3:04 PM
> >To: Aaron Gould; juniper-nsp at puck.nether.net
> >Subject: RE: [j-nsp] srx ipsec tunnel over mpls l3vpn
> >
> >Based on what you described, it sounds like you already got your MPLS/LDP
> >running in a packet-mode routing-instance, as otherwise MPLS is dropped on
> >an SRX in flow mode.
> >
> >No obvious ideas with the output provided otherwise.
> >Do the flows in your IPSEC instance get created?
> >
> >-----Original Message-----
> >From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Aaron Gould
> >Sent: Thursday, July 11, 2019 12:27 PM
> >To: juniper-nsp at puck.nether.net
> >Subject: [j-nsp] srx ipsec tunnel over mpls l3vpn
> >
> >Anyone ever done it?  To be clear, I have mpls/ldp/ospf/bgp enabled on the
> >SRX such that I have an l3vpn functional into the SRX.
> >
> >I have a lo0.99 interface as the external interface used for ike/ipsec.
> >Seems that I'm pretty close to getting this done, as I have ike phase 1 up
> >and ike phase 2 up, but only seeing encrypted packets as I try to ping
> >between the st0.0 interface and the ms-0/0/0.1 inside interface on the
> >other side (mx104 with ms-mic-16g)
> >
> >
> >
> >Let me know what I'm missing.
> >
> >
> >
> >I'm seeing drops in these two show outputs, which seems to coincide with a
> >100-packet ping test...
> >
> >root at demo-srx300> show security flow statistics
> >    Current sessions: 9
> >    Packets forwarded: 417926
> >    Packets dropped: 15604
> >    Fragment packets: 0
> >    Pre fragments generated: 0
> >    Post fragments generated: 0
> >
> >root at demo-srx300> show security flow status
> >  Flow forwarding mode:
> >    Inet forwarding mode: flow based
> >    Inet6 forwarding mode: drop
> >    MPLS forwarding mode: drop
> >    ISO forwarding mode: drop
> >    Enhanced route scaling mode: Disabled
> >  Flow trace status
> >    Flow tracing status: off
> >  Flow session distribution
> >    Distribution mode: RR-based
> >    GTP-U distribution: Disabled
> >  Flow ipsec performance acceleration: off
> >  Flow packet ordering
> >    Ordering mode: Hardware
> >
> >root at demo-srx300> show security ipsec statistics
> >ESP Statistics:
> >  Encrypted bytes:           252264
> >  Decrypted bytes:                0
> >  Encrypted packets:           1618
> >  Decrypted packets:              0
> >AH Statistics:
> >  Input bytes:                    0
> >  Output bytes:                   0
> >  Input packets:                  0
> >  Output packets:                 0
> >Errors:
> >  AH authentication failures: 0, Replay errors: 0
> >  ESP authentication failures: 0, ESP decryption failures: 0
> >  Bad headers: 0, Bad trailers: 0
> >
> >root at demo-srx300> show security flow statistics | grep rop
> >    Packets dropped: 15650
> >
> >root at demo-srx300> ping 10.102.199.66 routing-instance one rapid interval .1 count 100
> >PING 10.102.199.66 (10.102.199.66): 56 data bytes
> >............................................................................
> >........................
> >--- 10.102.199.66 ping statistics ---
> >100 packets transmitted, 0 packets received, 100% packet loss
> >
> >root at demo-srx300> show security ipsec statistics
> >ESP Statistics:
> >  Encrypted bytes:           267864
> >  Decrypted bytes:                0
> >  Encrypted packets:           1718
> >  Decrypted packets:              0
> >AH Statistics:
> >  Input bytes:                    0
> >  Output bytes:                   0
> >  Input packets:                  0
> >  Output packets:                 0
> >Errors:
> >  AH authentication failures: 0, Replay errors: 0
> >  ESP authentication failures: 0, ESP decryption failures: 0
> >  Bad headers: 0, Bad trailers: 0
> >
> >root at demo-srx300> show security flow statistics | grep rop
> >    Packets dropped: 15755
> >
> >-Aaron
> >
> >
> >
> >_______________________________________________
> >juniper-nsp mailing list juniper-nsp at puck.nether.net
> >https://puck.nether.net/mailman/listinfo/juniper-nsp
>


-- 

Regards,

Craig Askings

io Networks

ion consulting Pty Ltd.



mobile: 0404 019365

phone: 1300 1 2 4 8 16


No Holidays scheduled
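
Added example, not part of the original thread or any poster's code: a small Python check that diffs two counter snapshots like the ones quoted above around the 100-packet ping and flags a tunnel that encrypts but never decrypts. The sample text is constructed from the counters in the thread, merging the `show security ipsec statistics` and `show security flow statistics | grep rop` lines into one snapshot; all function names are hypothetical.

```python
import re

# Constructed input: counters quoted in the thread, before and after the ping.
BEFORE = """\
ESP Statistics:
  Encrypted bytes:           252264
  Decrypted bytes:                0
  Encrypted packets:           1618
  Decrypted packets:              0
    Packets dropped: 15650
"""
AFTER = """\
ESP Statistics:
  Encrypted bytes:           267864
  Decrypted bytes:                0
  Encrypted packets:           1718
  Decrypted packets:              0
    Packets dropped: 15755
"""

# Matches "  Name: 123" lines only; section headers and multi-counter
# lines such as "Bad headers: 0, Bad trailers: 0" are skipped.
COUNTER = re.compile(r"^[ \t]*([A-Za-z][A-Za-z ]*?):[ \t]+(\d+)[ \t]*$", re.M)

def parse_counters(text):
    """Return e.g. {'encrypted packets': 1618, ...} from CLI output."""
    return {name.lower(): int(val) for name, val in COUNTER.findall(text)}

def delta(before, after):
    """Per-counter increase between two snapshots of the same commands."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: a[k] - b[k] for k in a if k in b}

def diagnose(d, sent):
    """Classify the tunnel from counter deltas after sending `sent` probes."""
    enc = d.get("encrypted packets", 0)
    dec = d.get("decrypted packets", 0)
    if enc == 0:
        return "no-encrypt: probes never reached the tunnel (check route/policy)"
    if dec == 0 and enc >= sent:
        return "one-way: ESP is sent from this box, nothing is decrypted here"
    if dec < enc:
        return "lossy: only part of the return ESP is decrypted"
    return "ok"

if __name__ == "__main__":
    d = delta(BEFORE, AFTER)
    print(d, "->", diagnose(d, sent=100))
```

Running the same comparison on the far end tells you whether the ESP packets arrive there at all or are lost in the l3vpn path between the two peers.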

