Group VPN between a vMX as a member and a Cisco router as the group controller

Network Engineering user
Asked on 2019-01-02 18:14:15
1 answer · 237 views · 0 followers · 3 votes

I am trying to set up a Group VPN between a Cisco GC/KS and 3 vMX routers (14.1R1.10) plus another Cisco router as members. I have managed to get the Group VPN working between the two Cisco routers, but I am having some difficulties with the configuration of the vMX routers; maybe someone here can help.

Configuration of GM-1 (Juniper vMX router as group member):

rokk@GM-1# show | display set 
set version 14.1R1.10
set system host-name GM-1
set system root-authentication encrypted-password "$1$vNnFWAM2$KurYUSasAGoxR1rmE.48w0"
set system login user rokk uid 2000
set system login user rokk class super-user
set system login user rokk authentication encrypted-password "$1$boEud/xr$pkEPaLOAREI2jZwzMSZp7/"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set chassis fpc 0 pic 0 tunnel-services
set chassis fpc 0 pic 0 inline-services bandwidth 1g
set chassis fpc 0 pic 0 adaptive-services service-package layer-3
set services service-set SER-SET interface-service service-interface si-0/0/0
set services service-set SER-SET ipsec-group-vpn ABC
set security group-vpn member ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security group-vpn member ike proposal IKE-PROPOSAL dh-group group2
set security group-vpn member ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc
set security group-vpn member ike policy IKE-POLICY mode main
set security group-vpn member ike policy IKE-POLICY proposals IKE-PROPOSAL
set security group-vpn member ike policy IKE-POLICY pre-shared-key ascii-text "$9$-cws4HkPQ39YgPQ"
set security group-vpn member ike gateway IKE-GW ike-policy IKE-POLICY
set security group-vpn member ike gateway IKE-GW server-address 4.4.4.2
set security group-vpn member ike gateway IKE-GW local-address 1.1.1.2
set security group-vpn member ipsec vpn ABC ike-gateway IKE-GW
set security group-vpn member ipsec vpn ABC group 1412
set security group-vpn member ipsec vpn ABC match-direction output
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/24
set interfaces si-0/0/0 unit 0 family inet
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

Configuration of the GC/KS:

GC_KS-1#show running-config 
Building configuration...

Current configuration : 2093 bytes
!
! Last configuration change at 18:42:37 EET Wed Jan 2 2019
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GC_KS-1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
clock timezone EET 2 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
!


!
!
!
!         
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
cts logging verbose
!
!
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
! 
!         
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 1.1.1.2        
crypto isakmp key cisco address 2.2.2.2        
crypto isakmp key cisco address 3.3.3.2        
crypto isakmp key cisco address 6.6.6.2        
!
!
crypto ipsec transform-set TR-SET esp-3des 
 mode tunnel
!
crypto ipsec profile PROFILE
 set transform-set TR-SET 
!
!
crypto gdoi group ABC
 identity number 1412
 server local
  sa ipsec 1
   profile PROFILE
   match address ipv4 199
   replay counter window-size 64
   no tag
  address ipv4 4.4.4.2
!
!
!
!
!
!
interface Ethernet0/0
 ip address 4.4.4.2 255.255.255.0
!
interface Ethernet0/1
 ip address 192.168.4.1 255.255.255.0
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Ethernet1/0
 no ip address
 shutdown
!
interface Ethernet1/1
 no ip address
 shutdown
!
interface Ethernet1/2
 no ip address
 shutdown
!
interface Ethernet1/3
 no ip address
 shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 4.4.4.1
!
!
!
access-list 199 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
control-plane
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
!
end

Configuration of GM-6:

GM-6#show running-config 
Building configuration...

Current configuration : 1730 bytes
!
! Last configuration change at 19:25:28 EET Wed Jan 2 2019
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GM-6
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
clock timezone EET 2 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
!


!
!
!
!         
no ip domain lookup
ip domain name cisco.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
cts logging verbose
!
!
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!         
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 4.4.4.2        
!
!
!
!
crypto gdoi group ABC
 identity number 1412
 server address ipv4 4.4.4.2
!
!
crypto map MAP 10 gdoi 
 set group ABC
!
!
!         
!
!
interface Ethernet0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 ip address 192.168.6.1 255.255.255.0
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 ip address 6.6.6.2 255.255.255.0
 crypto map MAP
!
interface Ethernet1/0
 no ip address
 shutdown
!
interface Ethernet1/1
 no ip address
 shutdown
!
interface Ethernet1/2
 no ip address
 shutdown
!
interface Ethernet1/3
 no ip address
 shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 6.6.6.1
!
!
!
!
control-plane
!
!         
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
!
end

The session between GM-6 and the GC is up:

GM-6#show crypto session detail

Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect
Interface: Ethernet0/3
Session status: UP-ACTIVE
Peer: 0.0.0.0 port 848 fvrf: (none) ivrf: (none)
Phase1_id: 4.4.4.2
Desc: (none)
Session ID: 0
IKEv1 SA: local 6.6.6.2/848 remote 4.4.4.2/848 Active
Capabilities:(none) connid:1001 lifetime:23:22:03
IPSEC FLOW: permit ip 192.168.0.0/255.255.0.0 192.168.0.0/255.255.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/1964
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/1964

The problem is the vMX configuration under edit services service-set: when I try the si interface, it gives the following error:

rokk@GM-1# show | compare
[edit]
+  services {
+      service-set SER-SET {
+          interface-service {
+              service-interface si-0/0/0;
+          }
+          ipsec-group-vpn ABC;
+      }
+  }
[edit interfaces]
+   si-0/0/0 {
+       unit 0 {
+           family inet;
+       }
+   }

[edit]
rokk@GM-1# commit check      
[edit services]
  'service-set SER-SET'
    nat-rules or nat-rule-sets or softwire-rules or softwire-rule-sets or ip-reassembly-rule or ip-reassembly-rule-sets must be configured when si is the service-interface
error: configuration check-out failed

So, has anyone tried to configure Group VPN on a vMX router? If so, could you give me an example, or tell me what else I have to do? I can see that the router can be configured as a member under security group-vpn member.

See the attached topology.

1 Answer

Network Engineering user

Accepted answer

Posted on 2019-01-03 13:00:35

Disclaimer: my Juniper days are long gone, and I only ever worked on SRX.

But this struck me:

set security group-vpn member ike gateway IKE-GW local-address 1.1.1.2

This implicitly defines ge-0/0/0 as the "IPsec-talking interface", via the IPv4 address configured on ge-0/0/0 here:

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/24

In contrast, si-0/0/0 seems to have no IP configuration at all:

set interfaces si-0/0/0 unit 0 family inet

Now, if you intend si-0/0/0 to be your IPsec endpoint, as you do in

set services service-set SER-SET interface-service service-interface si-0/0/0

... this cannot work unless there is some relationship between that si-0/0/0 and the IP address 1.1.1.2/24 (put differently: between si-0/0/0 and ge-0/0/0). I think this is what the error message is trying to convey:

nat-rules or nat-rule-sets or softwire-rules or softwire-rule-sets or ip-reassembly-rule or ip-reassembly-rule-sets must be configured when si is the service-interface

I think this is the way to a solution:

  • si-0/0/0 must somehow be "linked" to ge-0/0/0, e.g. via NAT or softwire configuration, as the error message suggests; si-0/0/0 may still need an IP address of its own to work.
  • Move the IPsec endpoint to ge-0/0/0, via set services service-set SER-SET interface-service service-interface ge-0/0/0, I think.
3 votes
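As an added example (not code from the question or the answer), the checks below read the two configs as posted and automate what the thread walks through by hand: they cross-check the IKE/GDOI parameters between the Junos member and the Cisco GC/KS, confirm that the member's local-address is actually bound to an interface (the answer's point about ge-0/0/0), and reproduce the commit-check condition from the question by flagging an si- service-interface that has none of the rule types the error message lists. The IOS-to-Junos keyword map, the regexes and the finding texts are my own constructions, limited to the parameters visible on this page.

```python
import re

# Constructed excerpts of the configs posted in the question (vMX member GM-1 and Cisco GC_KS-1).
JUNOS_GM1 = """\
set services service-set SER-SET interface-service service-interface si-0/0/0
set security group-vpn member ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security group-vpn member ike proposal IKE-PROPOSAL dh-group group2
set security group-vpn member ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc
set security group-vpn member ike gateway IKE-GW server-address 4.4.4.2
set security group-vpn member ike gateway IKE-GW local-address 1.1.1.2
set security group-vpn member ipsec vpn ABC group 1412
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/24
"""
IOS_GCKS = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 identity number 1412
  address ipv4 4.4.4.2
"""
# Parameters that must agree on both ends: (name, IOS regex, Junos regex, IOS->Junos keyword map).
PAIRS = [
    ("IKE encryption", r"^ encr (\S+)", r"encryption-algorithm (\S+)", {"3des": "3des-cbc", "aes": "aes-128-cbc"}),
    ("IKE DH group", r"^ group (\d+)", r"dh-group (\S+)", {"2": "group2", "5": "group5", "14": "group14"}),
    ("IKE authentication", r"^ authentication (\S+)", r"authentication-method (\S+)", {"pre-share": "pre-shared-keys"}),
    ("GDOI group identity", r"^ identity number (\d+)", r"ipsec vpn \S+ group (\d+)", {}),
    ("key server address", r"^\s+address ipv4 (\S+)", r"server-address (\S+)", {}),
]
# Rule types that Junos requires with an si- service-interface, taken from the commit-check error above.
SI_RULES = r"service-set \S+ (nat-rules?|nat-rule-sets|softwire-rules?|softwire-rule-sets|ip-reassembly-rules?|ip-reassembly-rule-sets)\b"

def grab(pattern, text):  # first capture group of a multiline search, or None if absent
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def check_group_vpn(junos, ios):
    """Cross-check a Junos group-vpn member against a Cisco GC/KS config; returns a list of findings."""
    findings = []
    for name, ios_re, junos_re, xlate in PAIRS:
        ios_val, junos_val = grab(ios_re, ios), grab(junos_re, junos)
        if ios_val is None or xlate.get(ios_val, ios_val) != junos_val:
            findings.append(f"{name}: KS has {ios_val!r}, member has {junos_val!r}")
    local = grab(r"local-address (\S+)", junos) or ""
    if not re.search(rf"family inet address {re.escape(local)}/", junos):
        findings.append(f"member local-address {local!r} is not configured on any interface")
    svc_if = grab(r"interface-service service-interface (\S+)", junos) or ""
    if svc_if.startswith("si-") and not re.search(SI_RULES, junos, re.M):
        findings.append(f"{svc_if} is the service-interface but no nat/softwire/ip-reassembly rules exist (commit fails)")
    return findings
```

The checker only tells you which of the answer's two paths clears the conditions described on this page; whether Junos accepts ge-0/0/0 as a service-interface is not something it can verify.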
The original content of this page was provided by Network Engineering; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://networkengineering.stackexchange.com/questions/55818
