Layer 3 VPN JUNOS
I have two Juniper M7i routers running 10.4R1.9 and I am trying to set up a VPN tunnel between the two. When I run "show services ipsec-vpn ipsec security-associations", no SA information is available. I've posted the configs below. Please give suggestions. Note: I was configuring over an old config, so disregard some of the needless commands.
dtoc> show configuration
## Last commit: 2011-11-21 22:34:12 UTC by dtoc
/* NOTE(review): the post says both routers run 10.4R1.9, but this output
   reports 11.1R1.14 while the JITC_Juniper output reports 10.4R1.9. Mixed
   releases do not stop IKE by themselves, but it matters when reading the
   documentation for each side. */
version 11.1R1.14;
/* NOTE(review): the MD5-crypt ($1$) password hashes in this stanza and the
   $9$ pre-shared key under services ipsec-vpn were pasted into a public
   post; $9$ is reversible obfuscation, not encryption, so treat all of them
   as disclosed and rotate them once the tunnel works. */
system {
root-authentication {
encrypted-password "$1$E/wFo3sp$9/RGqhp/XgpvjdRTpWAkl1"; ## SECRET-DATA
}
login {
class superuser-local {
permissions all;
}
user dtoc {
uid 2011;
class superuser-local;
authentication {
encrypted-password "$1$8/WI4OXN$2JpyCXqnEI1w7nOBWUL/A."; ## SECRET-DATA
}
}
}
/* NOTE(review): ftp is the only management service enabled in this output
   and it is cleartext; unrelated to the SA problem, but ssh (with scp for
   file transfer) is the better choice. */
services {
ftp;
}
}
interfaces {
fe-0/0/0 {
description BLACKBONE;
unit 0 {
family inet {
service {
input {
service-set basic-vpn service-filter allow-bgp;
}
output {
service-set basic-vpn service-filter allow-bgp;
}
}
address 10.10.2.1/30;
}
}
}
sp-0/0/0 {
unit 0 {
family inet;
}
}
fe-0/0/1 {
description To_TACLANE;
speed 100m;
link-mode full-duplex;
unit 0 {
family inet {
address 10.10.1.1/30;
}
}
}
gr-1/2/0 {
unit 5 {
description Tunnel;
tunnel {
source 10.10.2.1;
destination 10.10.2.2;
}
family inet {
address 192.16.0.1/30;
}
}
}
}
routing-options {
static {
route 10.10.2.0/30 next-hop 10.10.2.2;
}
autonomous-system 65001;
}
protocols {
mpls {
no-cspf;
label-switched-path 10.0.0.1 {
to 10.0.0.1;
ldp-tunneling;
}
path 10.0.0.1 {
10.0.0.1 loose;
}
interface gr-1/2/0.1;
interface fe-0/0/0.0;
interface fe-0/0/1.0;
interface all;
}
bgp {
group to-ibgp {
type internal;
local-address 10.10.2.1;
family inet-vpn {
unicast;
}
neighbor 10.10.2.2;
}
}
ospf {
traffic-engineering;
reference-bandwidth 10g;
area 0.0.0.0 {
interface gr-1/2/0.1;
}
}
ldp {
interface fe-0/0/3.0;
interface gr-1/2/0.1;
interface all;
}
}
policy-options {
policy-statement DDTE-export {
term 1 {
from protocol [ ospf direct static bgp ];
then {
community add DDTE-comm;
accept;
}
}
term 2 {
then reject;
}
}
policy-statement DDTE-import {
term 1 {
from {
protocol bgp;
community DDTE-comm;
}
then accept;
}
term 2 {
then reject;
}
}
policy-statement JTDL-export {
term 1 {
from protocol [ direct static bgp ];
then {
community add JTDL-comm;
accept;
}
}
term 2 {
then reject;
}
}
policy-statement JTDL-import {
term 1 {
from {
protocol bgp;
community JTDL-comm;
}
then accept;
}
term 2 {
then reject;
}
}
community DDTE-comm members target:65001:2;
community JTDL-comm members target:65001:1;
}
/* NOTE(review): both terms end in "then skip", and term 3 covers every
   protocol the tunnel would carry (tcp, icmp, gre, esp, ah, udp, igmp), so
   as far as I can tell no packet is ever handed to service-set basic-vpn by
   this filter -- the IPsec rule never sees traffic that could trigger IKE,
   which fits the empty SA table. As I recall a service filter also discards
   packets that match no term. A term with "then service" for the traffic to
   protect (e.g. the GRE tunnel traffic to 10.10.2.2) is needed, with skip
   reserved for BGP and for the IKE/ESP packets the service set itself
   produces -- confirm against the service-filter docs for this release. */
firewall {
family inet {
service-filter allow-bgp {
/* term 1: BGP bypasses the service set -- sensible, keep it. */
term 1 {
from {
protocol tcp;
port bgp;
}
then skip;
}
/* term 3: also skips gre, so even the gr-1/2/0 tunnel traffic bypasses
   IPsec processing here. */
term 3 {
from {
protocol [ tcp icmp gre esp ah udp igmp ];
}
then skip;
}
}
}
}
/* NOTE(review): the dynamic stanza in rule secure-extranet names only
   ike-policy; IPSEC_POLICY / IPSEC_PROPOSAL below are never referenced by
   the rule, so the phase-2 parameters in use are whatever this release
   defaults to. Add "ipsec-policy IPSEC_POLICY;" next to ike-policy if those
   parameters are meant to apply (confirm syntax on this release). */
services {
ipsec-vpn {
rule secure-extranet {
term 1 {
from {
destination-address {
/* NOTE(review): 10.10.2.0/30 is the tunnel-endpoint subnet itself
   (local-gateway 10.10.2.1, remote-gateway 10.10.2.2), so this selector
   covers the IKE/ESP endpoints rather than traffic between the sites;
   presumably the intent is to protect the GRE tunnel on gr-1/2/0 or the
   networks behind fe-0/0/1 -- confirm what should be encrypted. */
10.10.2.0/30;
}
}
then {
remote-gateway 10.10.2.2;
/* NOTE(review): as far as I know a dynamic SA is only negotiated when
   traffic matches this rule, so an empty ipsec SA table alone does not
   prove IKE failed -- also check
   "show services ipsec-vpn ike security-associations" after sending
   traffic that matches the rule. */
dynamic {
ike-policy IKE_POLICY;
}
}
}
match-direction output;
}
ipsec {
proposal IPSEC_PROPOSAL {
protocol esp;
/* NOTE(review): hmac-md5-96 here and dh-group group2 in IKE_PROPOSAL are
   legacy choices; both peers match, so this is not the cause of the
   missing SA, but hmac-sha1-96 and a larger DH group should be used where
   this release supports them. */
authentication-algorithm hmac-md5-96;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;
}
policy IPSEC_POLICY {
proposals IPSEC_PROPOSAL;
}
}
ike {
proposal IKE_PROPOSAL {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;
}
policy IKE_POLICY {
proposals IKE_PROPOSAL;
/* NOTE(review): $9$ is reversible obfuscation, not encryption -- this key
   is effectively disclosed by the post and should be replaced on both
   peers. */
pre-shared-key ascii-text "$9$xUM7-w4oGH.5Nd"; ## SECRET-DATA
}
}
}
/* Interface-style service set: it is reached only through the
   "service-set basic-vpn service-filter allow-bgp" statements on fe-0/0/0.0,
   so only packets that filter sends to "service" ever reach
   rule secure-extranet. */
service-set basic-vpn {
interface-service {
service-interface sp-0/0/0.0;
}
ipsec-vpn-options {
local-gateway 10.10.2.1;
}
ipsec-vpn-rules secure-extranet;
}
}
dtoc>
+++++++++++++++++++++++++++++++++++++++
dtoc@JITC_Juniper> show con
^
'con' is ambiguous.
Possible completions:
configuration Show current configuration
connections Show circuit cross-connect connections
dtoc@JITC_Juniper> show configuration
## Last commit: 2011-11-21 22:32:30 UTC by dtoc
/* NOTE(review): this peer reports 10.4R1.9 while the other output reports
   11.1R1.14 -- mixed releases, not a blocker for IKE by itself, but keep it
   in mind when reading the documentation for each side. */
version 10.4R1.9;
/* NOTE(review): the MD5-crypt ($1$) hashes in this stanza and the $9$
   pre-shared key under services ipsec-vpn were pasted into a public post;
   $9$ is reversible obfuscation, not encryption, so treat them as disclosed
   and rotate them once the tunnel works. */
system {
host-name JITC_Juniper;
root-authentication {
encrypted-password "$1$6IP/TsBb$uvIiGtF9rnjQLUpz6SI390"; ## SECRET-DATA
}
login {
class tier3 {
permissions all;
}
user dtoc {
uid 2010;
class tier3;
authentication {
encrypted-password "$1$QuYb6yxt$VYGlB1eihyJWPdJyTJADe1"; ## SECRET-DATA
}
}
}
}
interfaces {
fe-0/0/0 {
description BLACKBONE;
unit 0 {
family inet {
service {
input {
service-set basic-vpn service-filter allow-bgp;
}
output {
service-set basic-vpn service-filter allow-bgp;
}
}
address 10.10.2.2/30;
}
}
}
sp-0/0/0 {
unit 0 {
family inet;
}
}
fe-0/0/1 {
description To_TACLANE;
unit 0 {
family inet {
address 10.10.3.1/30;
}
}
}
fe-0/0/3 {
description "to TACLANE";
unit 0 {
family inet {
address 192.168.0.1/30;
}
}
}
gr-1/2/0 {
unit 1 {
description "to Site B";
tunnel {
source 192.168.0.1;
destination 192.168.1.1;
}
family inet {
address 10.0.0.1/30;
}
family mpls;
}
}
}
routing-options {
static {
route 10.10.2.0/30 next-hop 10.10.2.1;
}
autonomous-system 65001;
}
protocols {
mpls {
no-cspf;
label-switched-path 10.0.0.2 {
to 10.0.0.2;
ldp-tunneling;
}
path 10.0.0.2 {
10.0.0.2 loose;
}
interface gr-1/2/0.1;
interface fe-0/0/0.0;
interface fe-0/0/1.0;
interface all;
}
bgp {
group to-ibgp {
type internal;
local-address 10.10.2.2;
family inet-vpn {
unicast;
}
neighbor 10.10.2.1;
}
}
ospf {
traffic-engineering;
reference-bandwidth 10g;
area 0.0.0.0 {
interface gr-1/2/0.1;
}
}
ldp {
interface fe-0/0/3.0;
interface gr-1/2/0.1;
interface all;
}
}
policy-options {
policy-statement DDTE-export {
term 1 {
from protocol [ ospf direct static bgp ];
then {
community add DDTE-comm;
accept;
}
}
term 2 {
then reject;
}
}
policy-statement DDTE-import {
term 1 {
from {
protocol bgp;
community DDTE-comm;
}
then accept;
}
term 2 {
then reject;
}
}
policy-statement JTDL-export {
term 1 {
from protocol [ direct static bgp ];
then {
community add JTDL-comm;
accept;
}
}
term 2 {
then reject;
}
}
policy-statement JTDL-import {
term 1 {
from {
protocol bgp;
community JTDL-comm;
}
then accept;
}
term 2 {
then reject;
}
}
community DDTE-comm members target:65001:2;
community JTDL-comm members target:65001:1;
}
/* NOTE(review): same issue as on the other router -- both terms end in
   "then skip", and term 3 covers every protocol the tunnel would carry, so
   as far as I can tell no packet is ever handed to service-set basic-vpn by
   this filter and the IPsec rule never sees traffic that could trigger IKE.
   As I recall a service filter also discards packets that match no term.
   A term with "then service" for the traffic to protect is needed, with
   skip reserved for BGP and for the IKE/ESP packets the service set itself
   produces -- confirm against the service-filter docs for this release. */
firewall {
family inet {
service-filter allow-bgp {
/* term 1: BGP bypasses the service set -- sensible, keep it. */
term 1 {
from {
protocol tcp;
port bgp;
}
then skip;
}
/* term 3: also skips gre, so GRE tunnel traffic bypasses IPsec
   processing here. */
term 3 {
from {
protocol [ icmp gre tcp esp ah udp igmp ];
}
then skip;
}
}
}
}
/* NOTE(review): the dynamic stanza in rule secure-extranet names only
   ike-policy; IPSEC_POLICY / IPSEC_PROPOSAL below are never referenced by
   the rule, so the phase-2 parameters in use are whatever this release
   defaults to. Add "ipsec-policy IPSEC_POLICY;" next to ike-policy if those
   parameters are meant to apply (confirm syntax on this release). */
services {
ipsec-vpn {
rule secure-extranet {
term 1 {
from {
destination-address {
/* NOTE(review): 10.10.2.0/30 is the tunnel-endpoint subnet itself
   (local-gateway 10.10.2.2, remote-gateway 10.10.2.1), so this selector
   covers the IKE/ESP endpoints rather than traffic between the sites;
   presumably the intent is to protect traffic from the networks behind
   this router -- confirm what should be encrypted. */
10.10.2.0/30;
}
}
then {
remote-gateway 10.10.2.1;
/* NOTE(review): as far as I know a dynamic SA is only negotiated when
   traffic matches this rule, so an empty ipsec SA table alone does not
   prove IKE failed -- also check
   "show services ipsec-vpn ike security-associations" after sending
   traffic that matches the rule. */
dynamic {
ike-policy IKE_POLICY;
}
}
}
match-direction output;
}
ipsec {
proposal IPSEC_PROPOSAL {
protocol esp;
/* NOTE(review): hmac-md5-96 here and dh-group group2 in IKE_PROPOSAL are
   legacy choices; both peers match, so this is not the cause of the
   missing SA, but hmac-sha1-96 and a larger DH group should be used where
   this release supports them. */
authentication-algorithm hmac-md5-96;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;
}
policy IPSEC_POLICY {
proposals IPSEC_PROPOSAL;
}
}
ike {
proposal IKE_PROPOSAL {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;
}
policy IKE_POLICY {
proposals IKE_PROPOSAL;
/* NOTE(review): $9$ is reversible obfuscation, not encryption -- this key
   is effectively disclosed by the post and should be replaced on both
   peers. */
pre-shared-key ascii-text "$9$X7gxNbg4Ziqf7-"; ## SECRET-DATA
}
}
}
/* Interface-style service set: it is reached only through the
   "service-set basic-vpn service-filter allow-bgp" statements on fe-0/0/0.0,
   so only packets that filter sends to "service" ever reach
   rule secure-extranet. */
service-set basic-vpn {
interface-service {
service-interface sp-0/0/0.0;
}
ipsec-vpn-options {
local-gateway 10.10.2.2;
}
ipsec-vpn-rules secure-extranet;
}
}
dtoc@JITC_Juniper>
dtoc> show configuration
## Last commit: 2011-11-21 22:34:12 UTC by dtoc
/* NOTE(review): the post says both routers run 10.4R1.9, but this output
   reports 11.1R1.14 while the JITC_Juniper output reports 10.4R1.9. Mixed
   releases do not stop IKE by themselves, but it matters when reading the
   documentation for each side. */
version 11.1R1.14;
/* NOTE(review): the MD5-crypt ($1$) password hashes in this stanza and the
   $9$ pre-shared key under services ipsec-vpn were pasted into a public
   post; $9$ is reversible obfuscation, not encryption, so treat all of them
   as disclosed and rotate them once the tunnel works. */
system {
root-authentication {
encrypted-password "$1$E/wFo3sp$9/RGqhp/XgpvjdRTpWAkl1"; ## SECRET-DATA
}
login {
class superuser-local {
permissions all;
}
user dtoc {
uid 2011;
class superuser-local;
authentication {
encrypted-password "$1$8/WI4OXN$2JpyCXqnEI1w7nOBWUL/A."; ## SECRET-DATA
}
}
}
/* NOTE(review): ftp is the only management service enabled in this output
   and it is cleartext; unrelated to the SA problem, but ssh (with scp for
   file transfer) is the better choice. */
services {
ftp;
}
}
interfaces {
fe-0/0/0 {
description BLACKBONE;
unit 0 {
family inet {
service {
input {
service-set basic-vpn service-filter allow-bgp;
}
output {
service-set basic-vpn service-filter allow-bgp;
}
}
address 10.10.2.1/30;
}
}
}
sp-0/0/0 {
unit 0 {
family inet;
}
}
fe-0/0/1 {
description To_TACLANE;
speed 100m;
link-mode full-duplex;
unit 0 {
family inet {
address 10.10.1.1/30;
}
}
}
gr-1/2/0 {
unit 5 {
description Tunnel;
tunnel {
source 10.10.2.1;
destination 10.10.2.2;
}
family inet {
address 192.16.0.1/30;
}
}
}
}
routing-options {
static {
route 10.10.2.0/30 next-hop 10.10.2.2;
}
autonomous-system 65001;
}
protocols {
mpls {
no-cspf;
label-switched-path 10.0.0.1 {
to 10.0.0.1;
ldp-tunneling;
}
path 10.0.0.1 {
10.0.0.1 loose;
}
interface gr-1/2/0.1;
interface fe-0/0/0.0;
interface fe-0/0/1.0;
interface all;
}
bgp {
group to-ibgp {
type internal;
local-address 10.10.2.1;
family inet-vpn {
unicast;
}
neighbor 10.10.2.2;
}
}
ospf {
traffic-engineering;
reference-bandwidth 10g;
area 0.0.0.0 {
interface gr-1/2/0.1;
}
}
ldp {
interface fe-0/0/3.0;
interface gr-1/2/0.1;
interface all;
}
}
policy-options {
policy-statement DDTE-export {
term 1 {
from protocol [ ospf direct static bgp ];
then {
community add DDTE-comm;
accept;
}
}
term 2 {
then reject;
}
}
policy-statement DDTE-import {
term 1 {
from {
protocol bgp;
community DDTE-comm;
}
then accept;
}
term 2 {
then reject;
}
}
policy-statement JTDL-export {
term 1 {
from protocol [ direct static bgp ];
then {
community add JTDL-comm;
accept;
}
}
term 2 {
then reject;
}
}
policy-statement JTDL-import {
term 1 {
from {
protocol bgp;
community JTDL-comm;
}
then accept;
}
term 2 {
then reject;
}
}
community DDTE-comm members target:65001:2;
community JTDL-comm members target:65001:1;
}
/* NOTE(review): both terms end in "then skip", and term 3 covers every
   protocol the tunnel would carry (tcp, icmp, gre, esp, ah, udp, igmp), so
   as far as I can tell no packet is ever handed to service-set basic-vpn by
   this filter -- the IPsec rule never sees traffic that could trigger IKE,
   which fits the empty SA table. As I recall a service filter also discards
   packets that match no term. A term with "then service" for the traffic to
   protect (e.g. the GRE tunnel traffic to 10.10.2.2) is needed, with skip
   reserved for BGP and for the IKE/ESP packets the service set itself
   produces -- confirm against the service-filter docs for this release. */
firewall {
family inet {
service-filter allow-bgp {
/* term 1: BGP bypasses the service set -- sensible, keep it. */
term 1 {
from {
protocol tcp;
port bgp;
}
then skip;
}
/* term 3: also skips gre, so even the gr-1/2/0 tunnel traffic bypasses
   IPsec processing here. */
term 3 {
from {
protocol [ tcp icmp gre esp ah udp igmp ];
}
then skip;
}
}
}
}
/* NOTE(review): the dynamic stanza in rule secure-extranet names only
   ike-policy; IPSEC_POLICY / IPSEC_PROPOSAL below are never referenced by
   the rule, so the phase-2 parameters in use are whatever this release
   defaults to. Add "ipsec-policy IPSEC_POLICY;" next to ike-policy if those
   parameters are meant to apply (confirm syntax on this release). */
services {
ipsec-vpn {
rule secure-extranet {
term 1 {
from {
destination-address {
/* NOTE(review): 10.10.2.0/30 is the tunnel-endpoint subnet itself
   (local-gateway 10.10.2.1, remote-gateway 10.10.2.2), so this selector
   covers the IKE/ESP endpoints rather than traffic between the sites;
   presumably the intent is to protect the GRE tunnel on gr-1/2/0 or the
   networks behind fe-0/0/1 -- confirm what should be encrypted. */
10.10.2.0/30;
}
}
then {
remote-gateway 10.10.2.2;
/* NOTE(review): as far as I know a dynamic SA is only negotiated when
   traffic matches this rule, so an empty ipsec SA table alone does not
   prove IKE failed -- also check
   "show services ipsec-vpn ike security-associations" after sending
   traffic that matches the rule. */
dynamic {
ike-policy IKE_POLICY;
}
}
}
match-direction output;
}
ipsec {
proposal IPSEC_PROPOSAL {
protocol esp;
/* NOTE(review): hmac-md5-96 here and dh-group group2 in IKE_PROPOSAL are
   legacy choices; both peers match, so this is not the cause of the
   missing SA, but hmac-sha1-96 and a larger DH group should be used where
   this release supports them. */
authentication-algorithm hmac-md5-96;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;
}
policy IPSEC_POLICY {
proposals IPSEC_PROPOSAL;
}
}
ike {
proposal IKE_PROPOSAL {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;
}
policy IKE_POLICY {
proposals IKE_PROPOSAL;
/* NOTE(review): $9$ is reversible obfuscation, not encryption -- this key
   is effectively disclosed by the post and should be replaced on both
   peers. */
pre-shared-key ascii-text "$9$xUM7-w4oGH.5Nd"; ## SECRET-DATA
}
}
}
/* Interface-style service set: it is reached only through the
   "service-set basic-vpn service-filter allow-bgp" statements on fe-0/0/0.0,
   so only packets that filter sends to "service" ever reach
   rule secure-extranet. */
service-set basic-vpn {
interface-service {
service-interface sp-0/0/0.0;
}
ipsec-vpn-options {
local-gateway 10.10.2.1;
}
ipsec-vpn-rules secure-extranet;
}
}
dtoc>
+++++++++++++++++++++++++++++++++++++++
dtoc@JITC_Juniper> show con
^
'con' is ambiguous.
Possible completions:
configuration Show current configuration
connections Show circuit cross-connect connections
dtoc@JITC_Juniper> show configuration
## Last commit: 2011-11-21 22:32:30 UTC by dtoc
/* NOTE(review): this peer reports 10.4R1.9 while the other output reports
   11.1R1.14 -- mixed releases, not a blocker for IKE by itself, but keep it
   in mind when reading the documentation for each side. */
version 10.4R1.9;
/* NOTE(review): the MD5-crypt ($1$) hashes in this stanza and the $9$
   pre-shared key under services ipsec-vpn were pasted into a public post;
   $9$ is reversible obfuscation, not encryption, so treat them as disclosed
   and rotate them once the tunnel works. */
system {
host-name JITC_Juniper;
root-authentication {
encrypted-password "$1$6IP/TsBb$uvIiGtF9rnjQLUpz6SI390"; ## SECRET-DATA
}
login {
class tier3 {
permissions all;
}
user dtoc {
uid 2010;
class tier3;
authentication {
encrypted-password "$1$QuYb6yxt$VYGlB1eihyJWPdJyTJADe1"; ## SECRET-DATA
}
}
}
}
interfaces {
fe-0/0/0 {
description BLACKBONE;
unit 0 {
family inet {
service {
input {
service-set basic-vpn service-filter allow-bgp;
}
output {
service-set basic-vpn service-filter allow-bgp;
}
}
address 10.10.2.2/30;
}
}
}
sp-0/0/0 {
unit 0 {
family inet;
}
}
fe-0/0/1 {
description To_TACLANE;
unit 0 {
family inet {
address 10.10.3.1/30;
}
}
}
fe-0/0/3 {
description "to TACLANE";
unit 0 {
family inet {
address 192.168.0.1/30;
}
}
}
gr-1/2/0 {
unit 1 {
description "to Site B";
tunnel {
source 192.168.0.1;
destination 192.168.1.1;
}
family inet {
address 10.0.0.1/30;
}
family mpls;
}
}
}
routing-options {
static {
route 10.10.2.0/30 next-hop 10.10.2.1;
}
autonomous-system 65001;
}
protocols {
mpls {
no-cspf;
label-switched-path 10.0.0.2 {
to 10.0.0.2;
ldp-tunneling;
}
path 10.0.0.2 {
10.0.0.2 loose;
}
interface gr-1/2/0.1;
interface fe-0/0/0.0;
interface fe-0/0/1.0;
interface all;
}
bgp {
group to-ibgp {
type internal;
local-address 10.10.2.2;
family inet-vpn {
unicast;
}
neighbor 10.10.2.1;
}
}
ospf {
traffic-engineering;
reference-bandwidth 10g;
area 0.0.0.0 {
interface gr-1/2/0.1;
}
}
ldp {
interface fe-0/0/3.0;
interface gr-1/2/0.1;
interface all;
}
}
policy-options {
policy-statement DDTE-export {
term 1 {
from protocol [ ospf direct static bgp ];
then {
community add DDTE-comm;
accept;
}
}
term 2 {
then reject;
}
}
policy-statement DDTE-import {
term 1 {
from {
protocol bgp;
community DDTE-comm;
}
then accept;
}
term 2 {
then reject;
}
}
policy-statement JTDL-export {
term 1 {
from protocol [ direct static bgp ];
then {
community add JTDL-comm;
accept;
}
}
term 2 {
then reject;
}
}
policy-statement JTDL-import {
term 1 {
from {
protocol bgp;
community JTDL-comm;
}
then accept;
}
term 2 {
then reject;
}
}
community DDTE-comm members target:65001:2;
community JTDL-comm members target:65001:1;
}
/* NOTE(review): same issue as on the other router -- both terms end in
   "then skip", and term 3 covers every protocol the tunnel would carry, so
   as far as I can tell no packet is ever handed to service-set basic-vpn by
   this filter and the IPsec rule never sees traffic that could trigger IKE.
   As I recall a service filter also discards packets that match no term.
   A term with "then service" for the traffic to protect is needed, with
   skip reserved for BGP and for the IKE/ESP packets the service set itself
   produces -- confirm against the service-filter docs for this release. */
firewall {
family inet {
service-filter allow-bgp {
/* term 1: BGP bypasses the service set -- sensible, keep it. */
term 1 {
from {
protocol tcp;
port bgp;
}
then skip;
}
/* term 3: also skips gre, so GRE tunnel traffic bypasses IPsec
   processing here. */
term 3 {
from {
protocol [ icmp gre tcp esp ah udp igmp ];
}
then skip;
}
}
}
}
/* NOTE(review): the dynamic stanza in rule secure-extranet names only
   ike-policy; IPSEC_POLICY / IPSEC_PROPOSAL below are never referenced by
   the rule, so the phase-2 parameters in use are whatever this release
   defaults to. Add "ipsec-policy IPSEC_POLICY;" next to ike-policy if those
   parameters are meant to apply (confirm syntax on this release). */
services {
ipsec-vpn {
rule secure-extranet {
term 1 {
from {
destination-address {
/* NOTE(review): 10.10.2.0/30 is the tunnel-endpoint subnet itself
   (local-gateway 10.10.2.2, remote-gateway 10.10.2.1), so this selector
   covers the IKE/ESP endpoints rather than traffic between the sites;
   presumably the intent is to protect traffic from the networks behind
   this router -- confirm what should be encrypted. */
10.10.2.0/30;
}
}
then {
remote-gateway 10.10.2.1;
/* NOTE(review): as far as I know a dynamic SA is only negotiated when
   traffic matches this rule, so an empty ipsec SA table alone does not
   prove IKE failed -- also check
   "show services ipsec-vpn ike security-associations" after sending
   traffic that matches the rule. */
dynamic {
ike-policy IKE_POLICY;
}
}
}
match-direction output;
}
ipsec {
proposal IPSEC_PROPOSAL {
protocol esp;
/* NOTE(review): hmac-md5-96 here and dh-group group2 in IKE_PROPOSAL are
   legacy choices; both peers match, so this is not the cause of the
   missing SA, but hmac-sha1-96 and a larger DH group should be used where
   this release supports them. */
authentication-algorithm hmac-md5-96;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;
}
policy IPSEC_POLICY {
proposals IPSEC_PROPOSAL;
}
}
ike {
proposal IKE_PROPOSAL {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;
}
policy IKE_POLICY {
proposals IKE_PROPOSAL;
/* NOTE(review): $9$ is reversible obfuscation, not encryption -- this key
   is effectively disclosed by the post and should be replaced on both
   peers. */
pre-shared-key ascii-text "$9$X7gxNbg4Ziqf7-"; ## SECRET-DATA
}
}
}
/* Interface-style service set: it is reached only through the
   "service-set basic-vpn service-filter allow-bgp" statements on fe-0/0/0.0,
   so only packets that filter sends to "service" ever reach
   rule secure-extranet. */
service-set basic-vpn {
interface-service {
service-interface sp-0/0/0.0;
}
ipsec-vpn-options {
local-gateway 10.10.2.2;
}
ipsec-vpn-rules secure-extranet;
}
}
dtoc@JITC_Juniper>