Thanks Emille. Ummm, I may be misunderstanding you, but I don't think I have changed from the SRX flow-mode default. But I do have an ldp neighbor up and mpls forwarding is occurring via the mpls l3vpn vrf... and I do believe ike phase 1 and phase 2 are working over this mpls l3vpn within the srx... but I just don't seem to be able to ping from one side of the st0 tunnel interface to the other.
See...

root@demo-srx300> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Enhanced route scaling mode: Disabled
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
    GTP-U distribution: Disabled
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware

root@demo-srx300> show route table mpls.0

mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0                  *[MPLS/0] 04:51:07, metric 1
                      Receive
1                  *[MPLS/0] 04:51:07, metric 1
                      Receive
2                  *[MPLS/0] 04:51:07, metric 1
                      Receive
13                 *[MPLS/0] 04:51:07, metric 1
                      Receive
16                 *[VPN/0] 04:51:07
                      to table one.inet.0, Pop
345552             *[LDP/9] 04:43:04, metric 3, tag 0
                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16507
345568             *[LDP/9] 04:43:04, metric 4, tag 0
                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16508
345584             *[LDP/9] 04:43:04, metric 2, tag 0
                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16512
345600             *[LDP/9] 04:43:04, metric 3, tag 0
                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16513
345616             *[LDP/9] 04:43:04, metric 3, tag 0
                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16516
345632             *[LDP/9] 04:43:04, metric 4, tag 0
                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16517
345648             *[LDP/9] 04:43:04, metric 3, tag 0
                    > to 10.101.14.197 via ge-0/0/0.0, Swap 16518

root@demo-srx300> show route table mpls.0 terse

mpls.0: 524 destinations, 524 routes (524 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* ? 0                  M   0          1            Receive
* ? 1                  M   0          1            Receive
* ? 2                  M   0          1            Receive
* ? 13                 M   0          1            Receive
* ? 16                 V   0                       Table
* ? 345552             L   9          3            >10.101.14.197
* ? 345568             L   9          4            >10.101.14.197
* ? 345584             L   9          2            >10.101.14.197
* ? 345600             L   9          3            >10.101.14.197
* ? 345616             L   9          3            >10.101.14.197
* ? 345632             L   9          4            >10.101.14.197
* ? 345648             L   9          3            >10.101.14.197
* ? 345664             L   9          7            >10.101.14.197
* ? 345680             L   9          6            >10.101.14.197
* ? 345696             L   9          7            >10.101.14.197
* ? 345712             L   9          7            >10.101.14.197
* ? 345728             L   9          6            >10.101.14.197
* ? 345744             L   9          7            >10.101.14.197

root@demo-srx300> show route table mpls.0 terse | count
Count: 528 lines

root@demo-srx300> show ldp neighbor
Address            Interface          Label space ID         Hold time
10.101.14.197      ge-0/0/0.0         10.101.0.254:0           10

root@demo-srx300>

-----Original Message-----
From: Emille Blanc [mailto:emi...@abccommunications.com]
Sent: Thursday, July 11, 2019 3:04 PM
To: Aaron Gould; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] srx ipsec tunnel over mpls l3vpn

Based on what you described, it sounds like you already got your MPLS/LDP running in a packet-mode routing-instance, as otherwise MPLS is dropped on an SRX in flow mode.

No obvious ideas with the output provided otherwise. Do the flows in your IPSEC instance get created?

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Aaron Gould
Sent: Thursday, July 11, 2019 12:27 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] srx ipsec tunnel over mpls l3vpn

Anyone ever done it? To be clear, I have mpls/ldp/ospf/bgp enabled on the SRX such that I have an l3vpn functional into the SRX. I have a lo0.99 interface as the external interface used for ike/ipsec.

Seems that I'm pretty close to getting this done, as I have ike phase 1 up and ike phase 2 up, but I am only seeing encrypted packets as I try to ping between the st0.0 interface and the ms-0/0/0.1 inside interface on the other side (mx104 with ms-mic-16g).

Let me know what I'm missing. I'm seeing drops in these two show outputs, which seem to coincide with a 100-packet ping test...
root@demo-srx300> show security flow statistics
  Current sessions: 9
  Packets forwarded: 417926
  Packets dropped: 15604
  Fragment packets: 0
  Pre fragments generated: 0
  Post fragments generated: 0

root@demo-srx300> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Enhanced route scaling mode: Disabled
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
    GTP-U distribution: Disabled
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware

root@demo-srx300> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:           252264
  Decrypted bytes:                0
  Encrypted packets:           1618
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

root@demo-srx300> show security flow statistics | grep rop
  Packets dropped: 15650

root@demo-srx300> ping 10.102.199.66 routing-instance one rapid interval .1 count 100
PING 10.102.199.66 (10.102.199.66): 56 data bytes
............................................................................
........................
--- 10.102.199.66 ping statistics ---
100 packets transmitted, 0 packets received, 100% packet loss

root@demo-srx300> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:           267864
  Decrypted bytes:                0
  Encrypted packets:           1718
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

root@demo-srx300> show security flow statistics | grep rop
  Packets dropped: 15755

-Aaron

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
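The diagnostic that the thread walks through by hand (snapshot the IPsec and flow counters, run a counted ping, snapshot again, compare) can be scripted so the symptom is stated explicitly rather than read off two pasted outputs. The script below is an added example and is not code from the thread or from Juniper: the counter text is copied from Aaron's outputs above (marked as constructed inline), the function names `parse_counters`, `mpls_forwarding_mode`, `diagnose` and `run_diagnosis` are mine, and the findings it emits only restate the two points already made in the thread: MPLS is dropped in flow mode unless handled in a packet-mode routing instance, and a tunnel that encrypts but never decrypts means the peer's ESP is not reaching the SRX (or is being dropped before IPsec).

```python
# Added example (not part of the mailing-list thread): compare SRX
# "show security ipsec statistics" / "show security flow statistics"
# counters taken before and after a counted ping and name the symptom.
import re

# Constructed inputs: copied from the outputs Aaron pasted in the thread.
FLOW_STATUS = """\
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
"""

IPSEC_BEFORE = """\
ESP Statistics:
  Encrypted bytes:           252264
  Decrypted bytes:                0
  Encrypted packets:           1618
  Decrypted packets:              0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
"""

IPSEC_AFTER = """\
ESP Statistics:
  Encrypted bytes:           267864
  Decrypted bytes:                0
  Encrypted packets:           1718
  Decrypted packets:              0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
"""

DROPS_BEFORE = "  Packets dropped: 15650"   # "| grep rop" before the ping
DROPS_AFTER = "  Packets dropped: 15755"    # "| grep rop" after the ping
PING_COUNT = 100                            # "ping ... count 100"

# One "Name: <integer>" pair; several may sit on one line separated by commas
# (the Errors: lines), while section headers such as "ESP Statistics:" carry
# no number and are skipped.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?):\s*(\d+)(?=\s*(?:,|$))")


def parse_counters(text):
    """Map every 'Name: <integer>' pair in a show-command output to an int."""
    counters = {}
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            counters[name.strip()] = int(value)
    return counters


def mpls_forwarding_mode(flow_status):
    """Return the value of 'MPLS forwarding mode' from 'show security flow status'."""
    m = re.search(r"MPLS forwarding mode:\s*(.+)", flow_status)
    return m.group(1).strip() if m else None


def diagnose(ipsec_before, ipsec_after, drops_before, drops_after, flow_status, probes):
    """Compute counter deltas across the ping test and explain what they mean."""
    enc = ipsec_after["Encrypted packets"] - ipsec_before["Encrypted packets"]
    dec = ipsec_after["Decrypted packets"] - ipsec_before["Decrypted packets"]
    drops = drops_after["Packets dropped"] - drops_before["Packets dropped"]
    mode = mpls_forwarding_mode(flow_status)
    findings = []
    if mode == "drop":
        findings.append("MPLS forwarding mode is 'drop': labeled packets are discarded "
                        "in flow mode unless a packet-mode routing instance handles them")
    if enc >= probes and dec == 0:
        findings.append(f"{enc} packets encrypted, 0 decrypted: the ping left through "
                        "the tunnel but no ESP from the peer was ever decrypted")
    if drops >= probes:
        findings.append(f"flow drop counter grew by {drops} (at least the {probes} probes): "
                        "check whether sessions are created with 'show security flow session'")
    return {"encrypted_delta": enc, "decrypted_delta": dec, "drop_delta": drops,
            "mpls_forwarding_mode": mode, "findings": findings}


def run_diagnosis():
    """Run the comparison on the constructed snapshots above."""
    return diagnose(parse_counters(IPSEC_BEFORE), parse_counters(IPSEC_AFTER),
                    parse_counters(DROPS_BEFORE), parse_counters(DROPS_AFTER),
                    FLOW_STATUS, PING_COUNT)


if __name__ == "__main__":
    result = run_diagnosis()
    for key in ("encrypted_delta", "decrypted_delta", "drop_delta", "mpls_forwarding_mode"):
        print(f"{key}: {result[key]}")
    for finding in result["findings"]:
        print("-", finding)
```

On the thread's numbers the encrypted-packet delta is exactly the 100 probes, the decrypted delta is 0 and the drop counter grew by 105, so the script reports all three findings; the same comparison run on a healthy tunnel would show the decrypted counter growing in step with the encrypted one and no drop growth tied to the probe count.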