Re: [j-nsp] srx ipsec tunnel over mpls l3vpn
Craig, how did you do the LT config to "cycle" traffic back through? You have a link/kb on how-to? Actually I'm wondering if there's a more elegant way than LTs (no offense, since we all love accomplishing things and making stuff work, but it seems that LTs and, furthermore, physical cables looped from port to port on the front of the device, are usually ways to do things that we can't figure out in software) :|

Hugo,

The other end is an MX104 with services card for ipsec capability (MS-MIC-16G). I haven't yet put any customer edge interfaces behind the SRX or MX, but I will do that this morning. I simply wanted to put a subnet on the secure tunnel interfaces and ping from st0.0 to ms-0/0/0.1 first, but I can do the further edge config also.

-Aaron

-----Original Message-----
From: Hugo Slabbert [mailto:h...@slabnet.com]
Sent: Friday, July 12, 2019 1:26 AM
To: Aaron Gould
Cc: 'Emille Blanc'; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] srx ipsec tunnel over mpls l3vpn

Is the other end of this also an SRX configured in a similar way, or something else? This seems to contradict basically any Juniper docs on SRX around MPLS traffic re: flow/packet mode. Specifically given that it's showing "drop" for MPLS traffic, I would be confused about how it's passing MPLS-encap'd traffic.

Can you pass other non-IPSEC IPv4 traffic from the SRX (or behind it) across the l3vpn to validate bidirectional traffic passing?

--
Hugo Slabbert | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E | also on Signal

On Thu 2019-Jul-11 15:34:26 -0500, Aaron Gould wrote:

>Thanks Emille, Ummm, I may be misunderstanding you, but I don't think
>I have changed from SRX flow-mode default. But I do have ldp neighbor
>up and mpls forwarding is occurring via mpls l3vpn vrf, and I do
>believe the ike phase 1 and phase 2 is working over this mpls l3vpn within the srx
>but I just don't seem to be able to ping from one side of the st0
>tunnel interface to the other.
>
>See...
>
>root@demo-srx300> show security flow status
>  Flow forwarding mode:
>    Inet forwarding mode: flow based
>    Inet6 forwarding mode: drop
>    MPLS forwarding mode: drop
>    ISO forwarding mode: drop
>    Enhanced route scaling mode: Disabled
>  Flow trace status
>    Flow tracing status: off
>  Flow session distribution
>    Distribution mode: RR-based
>    GTP-U distribution: Disabled
>  Flow ipsec performance acceleration: off
>  Flow packet ordering
>    Ordering mode: Hardware
>
>
>root@demo-srx300> show route table mpls.0
>
>mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
>+ = Active Route, - = Last Active, * = Both
>
>0                  *[MPLS/0] 04:51:07, metric 1
>                      Receive
>1                  *[MPLS/0] 04:51:07, metric 1
>                      Receive
>2                  *[MPLS/0] 04:51:07, metric 1
>                      Receive
>13                 *[MPLS/0] 04:51:07, metric 1
>                      Receive
>16                 *[VPN/0] 04:51:07
>                      to table one.inet.0, Pop
>345552             *[LDP/9] 04:43:04, metric 3, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16507
>345568             *[LDP/9] 04:43:04, metric 4, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16508
>345584             *[LDP/9] 04:43:04, metric 2, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16512
>345600             *[LDP/9] 04:43:04, metric 3, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16513
>345616             *[LDP/9] 04:43:04, metric 3, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16516
>345632             *[LDP/9] 04:43:04, metric 4, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16517
>345648             *[LDP/9] 04:43:04, metric 3, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16518
>
>root@demo-srx300> show route table mpls.0 terse
>
>mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
>+ = Active Route, - = Last Active, * = Both
>
>A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
>* ? 0                  M   0          1            Receive
>* ? 1                  M   0          1            Receive
>* ? 2                  M   0          1            Receive
>* ? 13                 M   0          1            Receive
>* ? 16                 V   0                       Table
>* ? 345552             L   9          3           >10.101.14.197
>* ? 345568             L   9          4           >10.101.14.197
>* ? 345584             L   9          2           >10.101.14.197
>* ? 345600             L   9          3           >10.101.14.197
>* ? 345616             L   9          3           >10.101.14.197
>* ? 345632             L   9          4           >10.101.14.197
>* ? 345648             L   9          3           >10.101.14.197
>* ? 345664             L   9
Re: [j-nsp] srx ipsec tunnel over mpls l3vpn
I've used a combo of a VR routing instance in flow mode to terminate the ipsec traffic and lt interface pair to cycle the traffic back into the mpls side of things.

On Fri, 12 Jul 2019 at 16:26, Hugo Slabbert wrote:

> Is the other end of this also an SRX configured in a similar way, or
> something else? This seems to contradict basically any Juniper docs on
> SRX around MPLS traffic re: flow/packet mode. Specifically given that it's
> showing "drop" for MPLS traffic, I would be confused about how it's
> passing MPLS-encap'd traffic.
>
> Can you pass other non-IPSEC IPv4 traffic from the SRX (or behind it)
> across the l3vpn to validate bidirectional traffic passing?
>
> --
> Hugo Slabbert | email, xmpp/jabber: h...@slabnet.com
> pgp key: B178313E | also on Signal
>
> On Thu 2019-Jul-11 15:34:26 -0500, Aaron Gould wrote:
>
> >Thanks Emille, Ummm, I may be misunderstanding you, but I don't think I
> >have changed from SRX flow-mode default. But I do have ldp neighbor up and
> >mpls forwarding is occurring via mpls l3vpn vrf, and I do believe the
> >ike phase 1 and phase 2 is working over this mpls l3vpn within the srx
> >but I just don't seem to be able to ping from one side of the st0 tunnel
> >interface to the other.
> >
> >See...
> >
> >root@demo-srx300> show security flow status
> >  Flow forwarding mode:
> >    Inet forwarding mode: flow based
> >    Inet6 forwarding mode: drop
> >    MPLS forwarding mode: drop
> >    ISO forwarding mode: drop
> >    Enhanced route scaling mode: Disabled
> >  Flow trace status
> >    Flow tracing status: off
> >  Flow session distribution
> >    Distribution mode: RR-based
> >    GTP-U distribution: Disabled
> >  Flow ipsec performance acceleration: off
> >  Flow packet ordering
> >    Ordering mode: Hardware
> >
> >
> >root@demo-srx300> show route table mpls.0
> >
> >mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
> >+ = Active Route, - = Last Active, * = Both
> >
> >0                  *[MPLS/0] 04:51:07, metric 1
> >                      Receive
> >1                  *[MPLS/0] 04:51:07, metric 1
> >                      Receive
> >2                  *[MPLS/0] 04:51:07, metric 1
> >                      Receive
> >13                 *[MPLS/0] 04:51:07, metric 1
> >                      Receive
> >16                 *[VPN/0] 04:51:07
> >                      to table one.inet.0, Pop
> >345552             *[LDP/9] 04:43:04, metric 3, tag 0
> >                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16507
> >345568             *[LDP/9] 04:43:04, metric 4, tag 0
> >                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16508
> >345584             *[LDP/9] 04:43:04, metric 2, tag 0
> >                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16512
> >345600             *[LDP/9] 04:43:04, metric 3, tag 0
> >                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16513
> >345616             *[LDP/9] 04:43:04, metric 3, tag 0
> >                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16516
> >345632             *[LDP/9] 04:43:04, metric 4, tag 0
> >                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16517
> >345648             *[LDP/9] 04:43:04, metric 3, tag 0
> >                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16518
> >
> >root@demo-srx300> show route table mpls.0 terse
> >
> >mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
> >+ = Active Route, - = Last Active, * = Both
> >
> >A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
> >* ? 0                  M   0          1            Receive
> >* ? 1                  M   0          1            Receive
> >* ? 2                  M   0          1            Receive
> >* ? 13                 M   0          1            Receive
> >* ? 16                 V   0                       Table
> >* ? 345552             L   9          3           >10.101.14.197
> >* ? 345568             L   9          4           >10.101.14.197
> >* ? 345584             L   9          2           >10.101.14.197
> >* ? 345600             L   9          3           >10.101.14.197
> >* ? 345616             L   9          3           >10.101.14.197
> >* ? 345632             L   9          4           >10.101.14.197
> >* ? 345648             L   9          3           >10.101.14.197
> >* ? 345664             L   9          7           >10.101.14.197
> >* ? 345680             L   9          6           >10.101.14.197
> >* ? 345696             L   9          7           >10.101.14.197
> >* ? 345712             L   9          7           >10.101.14.197
> >* ? 345728             L   9          6           >10.101.14.197
> >* ? 345744             L   9          7           >10.101.14.197
> >
> >root@demo-srx300> show route table mpls.0 terse | count
> >Count: 528 lines
> >
> >root@demo-srx300> show ldp neighbor
> >Address                             Interface          Label space ID     Hold time
> >10.101.14.197
Re: [j-nsp] srx ipsec tunnel over mpls l3vpn
Is the other end of this also an SRX configured in a similar way, or something else? This seems to contradict basically any Juniper docs on SRX around MPLS traffic re: flow/packet mode. Specifically given that it's showing "drop" for MPLS traffic, I would be confused about how it's passing MPLS-encap'd traffic.

Can you pass other non-IPSEC IPv4 traffic from the SRX (or behind it) across the l3vpn to validate bidirectional traffic passing?

--
Hugo Slabbert | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E | also on Signal

On Thu 2019-Jul-11 15:34:26 -0500, Aaron Gould wrote:

>Thanks Emille, Ummm, I may be misunderstanding you, but I don't think I
>have changed from SRX flow-mode default. But I do have ldp neighbor up and
>mpls forwarding is occurring via mpls l3vpn vrf, and I do believe the
>ike phase 1 and phase 2 is working over this mpls l3vpn within the srx
>but I just don't seem to be able to ping from one side of the st0 tunnel
>interface to the other.
>
>See...
>
>root@demo-srx300> show security flow status
>  Flow forwarding mode:
>    Inet forwarding mode: flow based
>    Inet6 forwarding mode: drop
>    MPLS forwarding mode: drop
>    ISO forwarding mode: drop
>    Enhanced route scaling mode: Disabled
>  Flow trace status
>    Flow tracing status: off
>  Flow session distribution
>    Distribution mode: RR-based
>    GTP-U distribution: Disabled
>  Flow ipsec performance acceleration: off
>  Flow packet ordering
>    Ordering mode: Hardware
>
>
>root@demo-srx300> show route table mpls.0
>
>mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
>+ = Active Route, - = Last Active, * = Both
>
>0                  *[MPLS/0] 04:51:07, metric 1
>                      Receive
>1                  *[MPLS/0] 04:51:07, metric 1
>                      Receive
>2                  *[MPLS/0] 04:51:07, metric 1
>                      Receive
>13                 *[MPLS/0] 04:51:07, metric 1
>                      Receive
>16                 *[VPN/0] 04:51:07
>                      to table one.inet.0, Pop
>345552             *[LDP/9] 04:43:04, metric 3, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16507
>345568             *[LDP/9] 04:43:04, metric 4, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16508
>345584             *[LDP/9] 04:43:04, metric 2, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16512
>345600             *[LDP/9] 04:43:04, metric 3, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16513
>345616             *[LDP/9] 04:43:04, metric 3, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16516
>345632             *[LDP/9] 04:43:04, metric 4, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16517
>345648             *[LDP/9] 04:43:04, metric 3, tag 0
>                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16518
>
>root@demo-srx300> show route table mpls.0 terse
>
>mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
>+ = Active Route, - = Last Active, * = Both
>
>A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
>* ? 0                  M   0          1            Receive
>* ? 1                  M   0          1            Receive
>* ? 2                  M   0          1            Receive
>* ? 13                 M   0          1            Receive
>* ? 16                 V   0                       Table
>* ? 345552             L   9          3           >10.101.14.197
>* ? 345568             L   9          4           >10.101.14.197
>* ? 345584             L   9          2           >10.101.14.197
>* ? 345600             L   9          3           >10.101.14.197
>* ? 345616             L   9          3           >10.101.14.197
>* ? 345632             L   9          4           >10.101.14.197
>* ? 345648             L   9          3           >10.101.14.197
>* ? 345664             L   9          7           >10.101.14.197
>* ? 345680             L   9          6           >10.101.14.197
>* ? 345696             L   9          7           >10.101.14.197
>* ? 345712             L   9          7           >10.101.14.197
>* ? 345728             L   9          6           >10.101.14.197
>* ? 345744             L   9          7           >10.101.14.197
>
>root@demo-srx300> show route table mpls.0 terse | count
>Count: 528 lines
>
>root@demo-srx300> show ldp neighbor
>Address                             Interface          Label space ID     Hold time
>10.101.14.197                       ge-0/0/0.0         10.101.0.254:0       10
>
>root@demo-srx300>
>
>-----Original Message-----
>From: Emille Blanc [mailto:emi...@abccommunications.com]
>Sent: Thursday, July 11, 2019 3:04 PM
>To: Aaron Gould; juniper-nsp@puck.nether.net
>Subject: RE: [j-nsp] srx ipsec tunnel over mpls l3vpn
>
>Based on what you described, it sounds like you already got your MPLS/LDP running in a packet-mode routing-instance, as otherwise MPLS is dropped on an SRX in flow mode.
>
>No obvious ideas with the output provided otherwise. Do the flows in
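The mismatch Emille and Hugo point at (a flow-mode SRX reporting "MPLS forwarding mode: drop" while mpls.0 is full of LDP and VPN labels) is easy to catch mechanically before chasing IPsec symptoms. The checker below is an added example, not code from anyone in this thread or from Juniper; it parses constructed copies of the two show outputs Aaron pasted, and the regexes, function names and finding text are my own assumptions.

```python
"""Sanity check for the symptom in this thread: mpls.0 full of label routes
while "show security flow status" reports MPLS forwarding mode "drop".
Added example; it is not code from the list posts.  It parses copies of the
two show commands Aaron pasted and flags the mismatch Emille and Hugo point at
(labelled packets are dropped by an SRX in flow mode unless MPLS is handled
in packet mode)."""
import re

# Constructed sample: first lines of the "show security flow status" output quoted in the thread.
FLOW_STATUS = """\
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Enhanced route scaling mode: Disabled
  Flow trace status
    Flow tracing status: off
"""

# Constructed sample: a subset of the "show route table mpls.0 terse" rows from the thread.
MPLS_TERSE = """\
A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* ? 0                  M   0          1            Receive
* ? 1                  M   0          1            Receive
* ? 2                  M   0          1            Receive
* ? 13                 M   0          1            Receive
* ? 16                 V   0                       Table
* ? 345552             L   9          3           >10.101.14.197
* ? 345568             L   9          4           >10.101.14.197
* ? 345584             L   9          2           >10.101.14.197
"""

# "<Family> forwarding mode: <mode>" lines; [ \t] rather than \s so the bare
# "Flow forwarding mode:" header can never swallow the line after it.
MODE_RE = re.compile(r"^[ \t]*(\w+) forwarding mode:[ \t]*(\S.*?)[ \t]*$", re.M)
# Terse rows: active flag, validation flag, label, protocol letter, preference.
TERSE_RE = re.compile(r"^[*+-] \S[ \t]+(\S+)[ \t]+([A-Z])[ \t]+(\d+)", re.M)

# Protocol letters as printed in terse output: M = reserved MPLS labels (always
# present), V = VPN label for a local VRF, L = LDP-learned label.
LEARNED = ("L", "V")


def parse_forwarding_modes(text):
    """Map family (Inet, Inet6, MPLS, ISO) -> mode string from flow status output."""
    return dict(MODE_RE.findall(text))


def parse_mpls_terse(text):
    """Return (label, protocol_letter, preference) for each route row."""
    return [(label, proto, int(pref)) for label, proto, pref in TERSE_RE.findall(text)]


def route_counts(routes):
    """Count mpls.0 routes per protocol letter."""
    counts = {}
    for _, proto, _ in routes:
        counts[proto] = counts.get(proto, 0) + 1
    return counts


def check_mpls_transit(flow_status_text, mpls_terse_text):
    """Return (ok, findings): ok is False when MPLS is in drop mode yet
    mpls.0 carries LDP or VPN labels that the box would have to forward."""
    modes = parse_forwarding_modes(flow_status_text)
    routes = parse_mpls_terse(mpls_terse_text)
    learned = [(label, proto) for label, proto, _ in routes if proto in LEARNED]
    findings = []
    mpls_mode = modes.get("MPLS", "unknown")
    if mpls_mode == "drop" and learned:
        counts = route_counts(routes)
        findings.append(
            "MPLS forwarding mode is 'drop' but mpls.0 holds "
            f"{counts.get('L', 0)} LDP and {counts.get('V', 0)} VPN label route(s); "
            "labelled packets will be dropped unless MPLS is handled in packet mode"
        )
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = check_mpls_transit(FLOW_STATUS, MPLS_TERSE)
    print("OK" if ok else "\n".join(findings))
```

Feed it the full output of the two commands (for example from `show ... | no-more` pasted into files) and it will flag the same box Aaron is looking at; it keys on the literal string "drop" that the thread shows, so a box where MPLS has been moved to packet mode (the `security forwarding-options family mpls mode packet-based` knob the thread refers to as "packet mode", which none of the posts actually show) prints a different value and passes. The reserved labels 0, 1, 2 and 13 are ignored on purpose because they are present on every Junos box regardless of whether it forwards MPLS.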