Shunting on MC-IPSec

Post Reply
User avatar
thekotaksampah
Member
Posts: 100
Joined: 06 Jan 2014 20:04

Shunting on MC-IPSec

Post by thekotaksampah »

Hi everyone,

I try running MC-IPSec with MS-ISA and I have problem, when Link down, vrrp change the standby link to master, but the chassis still in standby mode. I Put shunting in public service in standby and master like below.

SR-A config (Master MC-IPSec)

Code: Select all

----------------------------------------------
#--------------------------------------------------
echo "IP Configuration"
#--------------------------------------------------
        interface "system"
            address 192.168.200.1/32
            bfd 100 receive 100 multiplier 3
            no shutdown
        exit
        interface "to-SITE-B"
            address 192.168.240.5/30 - Ini yang saya gunakan sebagi shunt interface
            port 2/1/1:4004
            no shutdown
        exit
        interface "to-SITE-C"
            address 192.168.240.9/30
            port 2/1/2:4004
            no shutdown
        exit
        autonomous-system 64455
#--------------------------------------------------

[code]*B:SITE-ALU-A# configure service ies 3003 
*B:SITE-ALU-A>config>service>ies# info 
----------------------------------------------
            description "Public Side VPRN-IES-V1"
            interface "public" create
                address 192.168.220.49/30
                tos-marking-state untrusted
                sap tunnel-1.public:3003 create
                exit
                static-tunnel-redundant-next-hop 192.168.240.6
            exit
            interface "to-SWITCH-A-B-C" create
                address 192.168.220.34/29
                ip-mtu 1500
                vrrp 10
                    backup 192.168.220.33
                    priority 150
                    policy 1
                    ping-reply
                exit
                sap 2/1/2:252 create
                exit
            exit
            service-name "Public Side VPRN-IES-V1"
            no shutdown
----------------------------------------------
*B:SITE-ALU-A>config>service>ies#

SR-B Config (Standby MC-IPSec)

A:SITE-ALU-B>config>router# info
----------------------------------------------
#--------------------------------------------------
echo "IP Configuration"
#--------------------------------------------------
interface "system"
address 192.168.200.2/32
bfd 100 receive 100 multiplier 3
no shutdown
exit
interface "to-SITE-A"
address 192.168.240.6/30
port 2/1/1:4004
no shutdown
exit
interface "to-SITE-C"
address 192.168.240.14/30
port 2/1/2:4004
no shutdown
exit
autonomous-system 64455
#--------------------------------------------------
*A:SITE-ALU-B# configure service ies 3003
*A:SITE-ALU-B>config>service>ies# info
----------------------------------------------
description "Public Side VPRN-IES-V1"
interface "public" create
address 192.168.220.49/30
tos-marking-state untrusted
sap tunnel-2.public:3003 create
exit
static-tunnel-redundant-next-hop 192.168.240.5
exit
interface "to-SWITCH-A-B-C" create
address 192.168.220.35/29
ip-mtu 1500
vrrp 10
backup 192.168.220.33
priority 90
policy 1
ping-reply
exit
sap 2/1/2:252 create
exit
exit
service-name "Public Side VPRN-IES-V1"
no shutdown
----------------------------------------------
*A:SITE-ALU-B>config>service>ies#[/code]


am I wrong with this public service configuration? Let me know, if some one ever trial this.


Thanks
Technical Blog: ngoprek.achyarnurandi.id
Top
aarora1810

Re: Shunting on MC-IPSec

Post by aarora1810 »

Hi,

I stuck up in the same situation i.e. SR-1 is acting as mc-ipsec master & vrrp back, while peer router is acting as standby mc-ipsec & vrrp master. Thus, isakmp is down at peer router and not able to process any incoming traffic. Request you to let me know, if you was able to resolve that issue.

Any kind of help would be really appreciated!

Regards,
Aman Arora
Top
User avatar
thekotaksampah
Member
Posts: 100
Joined: 06 Jan 2014 20:04

Re: Shunting on MC-IPSec

Post by thekotaksampah »

I've done with MC-IPSec with GW... let me know your SR-1 configuration.. and your hardware capability. It's very nice if I can help you :D
You may define static route to your client or default gw with shunt interface is next-hop.. or you have to change manually your mastership mc-ipsec follow your vrrp master.

But imho, vrrp mastership status should be follow mc-ipsec masterships status. have you put your mc-ipsec aware routing policy on your vrrp?
Technical Blog: ngoprek.achyarnurandi.id
Top
aarora1810

Re: Shunting on MC-IPSec

Post by aarora1810 »

Hi,

Thank you for the response.

SR1
/ |
SR3------- |
\ |
SR2

Yes, vrrp policy for mc-ipsec is in place at both the routers. Here, as per my knowledge vrrp policy will force to SWO the VRRP mastership to peer which is acting as MC-IPsec master.

But, here as my interface at R1 towards R3 is down. Thus it force the VRRP to SWO at R2. But still R1 is acting as MCIPSec master and thus R2 is dropping the traffic.

Please find my configs as below:

R1
---

*A:SR7-170>config>router# info
----------------------------------------------
#--------------------------------------------------
echo "IP Configuration"
#--------------------------------------------------
interface "system"
address 10.10.10.170/32
bfd 100 receive 100 multiplier 8
no shutdown
exit
#--------------------------------------------------
echo "Static Route Configuration"
#--------------------------------------------------
static-route 10.10.10.0/24 next-hop 172.16.1.100
static-route 10.10.10.135/32 next-hop 10.171.112.210
static-route 106.106.106.106/32 next-hop 172.16.1.100
----------------------------------------------

*A:SR7-170>config>router# /configure service ies 11
*A:SR7-170>config>service>ies# info
----------------------------------------------
interface "to-136" create <<<<<<<<<<<<< towards remote side
address 172.16.1.2/24
vrrp 1
backup 172.16.1.1
priority 110
policy 10
ping-reply
traceroute-reply
standby-forwarding
message-interval milliseconds 200
exit
sap 1/1/2 create
exit
exit
interface "int-IPsec-Public-1" create
address 10.10.20.254/24
tos-marking-state untrusted
sap tunnel-1.public:1 create
exit
static-tunnel-redundant-next-hop 10.171.112.210
exit
interface "lag-1" create <<<<<<<<<<<<< pointing towards SR2.
address 10.171.112.209/29
sap lag-1:10 create
exit
exit
no shutdown
----------------------------------------------
*A:SR7-170>config>service>ies#

*A:SR7-170>config>service>vprn# info
----------------------------------------------
ipsec
security-policy 101 create
entry 1 create
local-ip 10.171.112.192/32
remote-ip 10.171.113.192/32
exit
exit
exit
route-distinguisher 65000:1
interface "test" create
address 10.171.112.192/32
loopback
exit
interface "int-IPsec-private-1" tunnel create
sap tunnel-1.private:1 create
ipsec-tunnel "tunnel-1" create
security-policy 101
local-gateway-address 10.10.20.1 peer 10.10.10.1 delivery-service 11
dynamic-keying
ike-policy 10
pre-shared-key "ALU"
transform 10
exit
no shutdown
exit
exit
static-tunnel-redundant-next-hop 10.171.113.122
exit
interface "Lag2.2000" create
description "/To_D-eBGW3(UL_2)"
address 10.171.113.121/29
bfd 100 receive 100 multiplier 3
sap lag-2:2000 create
exit
exit
static-route 10.171.113.192/32 ipsec-tunnel "tunnel-1"
no shutdown
----------------------------------------------
*A:SR7-170>config>service>vprn#


++++++++++++++++++++++++++

SR2
----

#--------------------------------------------------
echo "IP Configuration"
#--------------------------------------------------
interface "system"
address 10.10.10.135/32
bfd 100 receive 100 multiplier 8
no shutdown
exit
#--------------------------------------------------
echo "Static Route Configuration"
#--------------------------------------------------
static-route 10.10.10.0/24 next-hop 172.16.1.100
static-route 10.10.10.170/32 next-hop 10.171.112.209
static-route 106.106.106.106/32 next-hop 172.16.1.100
----------------------------------------------

*A:SR12-135>config>service>ies# info
----------------------------------------------
interface "to-136" create
address 172.16.1.3/24
vrrp 1
backup 172.16.1.1
policy 10
ping-reply
traceroute-reply
standby-forwarding
message-interval milliseconds 200
exit
sap 5/1/6 create
exit
exit
interface "int-IPsec-Public-1" create
address 10.10.20.254/24
tos-marking-state untrusted
sap tunnel-1.public:1 create
exit
static-tunnel-redundant-next-hop 10.171.112.209
exit
interface "lag-1" create
address 10.171.112.210/29
sap lag-1:10 create
exit
exit
no shutdown
----------------------------------------------

*A:SR12-135>config>service>vprn# info
----------------------------------------------
ipsec
security-policy 101 create
entry 1 create
local-ip 10.171.112.192/32
remote-ip 10.171.113.192/32
exit
exit
exit
route-distinguisher 65000:1
interface "loopback" create
shutdown
address 10.171.112.192/32
loopback
exit
interface "int-IPsec-private-1" tunnel create
sap tunnel-1.private:1 create
ipsec-tunnel "tunnel-1" create
security-policy 101
local-gateway-address 10.10.20.1 peer 10.10.10.1 delivery-service 11
dynamic-keying
ike-policy 10
pre-shared-key "ALU"
transform 10
exit
no shutdown
exit
exit
static-tunnel-redundant-next-hop 10.171.113.121
exit
interface "Lag2.2000" create
description "/To_D-eBGW3(UL_2)"
address 10.171.113.122/29
bfd 100 receive 100 multiplier 3
sap lag-2:2000 create
exit
exit
static-route 10.171.112.192/32 next-hop 10.171.113.121
static-route 10.171.113.192/32 ipsec-tunnel "tunnel-1"
no shutdown
----------------------------------------------
*A:SR12-135>config>service>vprn#



Regards,
Aman Arora
Top
Venus140700

Re: Shunting on MC-IPSec

Post by Venus140700 »

thekotaksampah wrote:Hi everyone,

I try running MC-IPSec with MS-ISA and I have problem, when Link down, vrrp change the standby link to master, but the chassis still in standby mode. I Put shunting in public service in standby and master like below.

SR-A config (Master MC-IPSec)

Code: Select all

----------------------------------------------
#--------------------------------------------------
echo "IP Configuration"
#--------------------------------------------------
        interface "system"
            address 192.168.200.1/32
            bfd 100 receive 100 multiplier 3
            no shutdown
        exit
        interface "to-SITE-B"
            address 192.168.240.5/30 - Ini yang saya gunakan sebagi shunt interface
            port 2/1/1:4004
            no shutdown
        exit
        interface "to-SITE-C"
            address 192.168.240.9/30
            port 2/1/2:4004
            no shutdown
        exit
        autonomous-system 64455
#--------------------------------------------------

[code]*B:SITE-ALU-A# configure service ies 3003 
*B:SITE-ALU-A>config>service>ies# info 
----------------------------------------------
            description "Public Side VPRN-IES-V1"
            interface "public" create
                address 192.168.220.49/30
                tos-marking-state untrusted
                sap tunnel-1.public:3003 create
                exit
                static-tunnel-redundant-next-hop 192.168.240.6
            exit
            interface "to-SWITCH-A-B-C" create
                address 192.168.220.34/29
                ip-mtu 1500
                vrrp 10
                    backup 192.168.220.33
                    priority 150
                    policy 1
                    ping-reply
                exit
                sap 2/1/2:252 create
                exit
            exit
            service-name "Public Side VPRN-IES-V1"
            no shutdown
----------------------------------------------
*B:SITE-ALU-A>config>service>ies#

SR-B Config (Standby MC-IPSec)

A:SITE-ALU-B>config>router# info
----------------------------------------------
#--------------------------------------------------
echo "IP Configuration"
#--------------------------------------------------
interface "system"
address 192.168.200.2/32
bfd 100 receive 100 multiplier 3
no shutdown
exit
interface "to-SITE-A"
address 192.168.240.6/30
port 2/1/1:4004
no shutdown
exit
interface "to-SITE-C"
address 192.168.240.14/30
port 2/1/2:4004
no shutdown
exit
autonomous-system 64455
#--------------------------------------------------
*A:SITE-ALU-B# configure service ies 3003
*A:SITE-ALU-B>config>service>ies# info
----------------------------------------------
description "Public Side VPRN-IES-V1"
interface "public" create
address 192.168.220.49/30
tos-marking-state untrusted
sap tunnel-2.public:3003 create
exit
static-tunnel-redundant-next-hop 192.168.240.5
exit
interface "to-SWITCH-A-B-C" create
address 192.168.220.35/29
ip-mtu 1500
vrrp 10
backup 192.168.220.33
priority 90
policy 1
ping-reply
exit
sap 2/1/2:252 create
exit
exit
service-name "Public Side VPRN-IES-V1"
no shutdown
----------------------------------------------
*A:SITE-ALU-B>config>service>ies#[/code]


am I wrong with this public service configuration? Let me know, if some one ever trial this.


Thanks
Top
Post Reply

Return to “7750 SR”