Port Mirroring on sp interface

May 29, 2016 by James Palmer

When traffic drops are suspected on the transit path of an IPsec tunnel, port mirroring on the sp interface is a useful way to check. It works with both ESP and AH.

1. To identify whether traffic is being dropped in transit on the IPsec tunnel.
2. To identify whether traffic is being dropped after encryption at the ingress point of the IPsec tunnel.
3. To identify whether traffic is being dropped after decryption at the egress point of the IPsec tunnel.

Setup details:

traffic generator-1 -- leffe-re1 xe-0/3/0 --- xe-1/1/0 kabab xe-2/1/0 --- xe-5/1/1 wolf --- AE0 --- raph -- traffic generator-2
                                                                                                    |
                                                                                                    |_____ xe-5/0/0 --- port-mirroring-analyzer-1
Configuration on Raph:

---------------------------
lab@raph1> show configuration services
ipsec-vpn {
    rule RULE-peering-id-2000143322-1 {
        term 1 {
            from {
                ipsec-inside-interface sp-2/0/0.11;
            }
            then {
                remote-gateway 55.55.55.1;
                dynamic {
                    ike-policy IKE-POL-peering-id-2000000465-1;
                    ipsec-policy IPSEC-POL-G2-AES128-SHA1;
                }
                clear-dont-fragment-bit;
                initiate-dead-peer-detection;
            }
        }
        match-direction input;
    }
    ipsec {
        proposal IPSEC-PROP-AES128-SHA1 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy IPSEC-POL-G2-AES128-SHA1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals IPSEC-PROP-AES128-SHA1;
        }
    }
    ike {
        proposal IKE-PROP-AES128-SHA1-G2 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        policy IKE-POL-peering-id-2000000465-1 {
            mode main;
            proposals IKE-PROP-AES128-SHA1-G2;
            pre-shared-key ascii-text "$9$JjDqfTQnAu1Ap0Ihr8LxNdw4ZUDk.5FNdDk.mF3BIEyK82gJjHmaZmT"; ## SECRET-DATA
        }
    }
}
service-set SERVICE-TEST-1 {
    tcp-mss 1387;
    next-hop-service {
        inside-service-interface sp-2/0/0.11;
        outside-service-interface sp-2/0/0.12;
    }
    ipsec-vpn-options {
        local-gateway 55.55.55.2 routing-instance test-out;
    }
    ipsec-vpn-rules RULE-peering-id-2000143322-1;
}

lab@raph1> 

lab@raph1> show configuration interfaces sp-2/0/0 unit 11
family inet {
    filter {
        input port-mirror-filter;            >>>>>>>>>> filter to capture the traffic from traffic generator-1 to traffic generator-2, which comes to the sp interface for decryption
        output port-mirror-filter_output;    >>>>>>>>>> filter to capture the traffic from traffic generator-2 to traffic generator-1, which goes towards the sp interface for encryption
    }
    address 55.55.56.2/30;
}
service-domain inside;

lab@raph1> show configuration interfaces sp-2/0/0 unit 12
family inet;
service-domain outside;

lab@raph1>

PORT MIRRORING CONFIGURATION:

---------------------------------------------------
lab@raph1> show configuration firewall
family inet {
    filter port-mirror-filter {
        term one {
            then {
                count port-mirror-counter;
                port-mirror;
                accept;
            }
        }
    }
    filter port-mirror-filter_output {
        term one {
            then {
                count port-mirror-counter_output;
                port-mirror;
                accept;
            }
        }
    }
}

lab@raph1> 

lab@raph1> show configuration forwarding-options
port-mirroring {
    input {
        rate 1;
    }
    family inet {
        output {
            inactive: interface gr-0/1/0.0 {    >>>>> a GR (GRE tunnel) interface can also be used, to send the mirrored traffic to some other router
                next-hop 77.77.77.1;
            }
            interface xe-5/0/0.0 {
                next-hop 40.1.2.2;
            }
        }
    }
}

lab@raph1>
lab@raph1> show configuration interfaces xe-5/0/0
unit 0 {
    family inet {
        address 40.1.2.1/30;
    }
}

lab@raph1> 


lab@raph1> show configuration interfaces gr-0/1/0
unit 0 {
    tunnel {
        source 40.1.2.1;
        destination 40.1.2.2;
    }
    family inet {
        address 77.77.77.2/24;
    }
}

lab@raph1>


lab@leffe-re1> show services ipsec-vpn ipsec security-associations detail 
Service set: SERVICE-TEST-1, IKE Routing-instance: default

Rule: RULE-peering-id-2000143322-1, Term: 1, Tunnel index: 2
Local gateway: 55.55.55.1, Remote gateway: 55.55.55.2
IPSec inside interface: sp-3/1/0.11, Tunnel MTU: 1500
Local identity: ipv4_subnet(any:0,0.0.0.0/0)
Remote identity: ipv4_subnet(any:0,0.0.0.0/0)

Direction: inbound, SPI: 90996136, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
Soft lifetime: Expires in 2388 seconds
Hard lifetime: Expires in 2478 seconds
Anti-replay service: Enabled, Replay window size: 128

Direction: outbound, SPI: 1331723786, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
Soft lifetime: Expires in 2388 seconds
Hard lifetime: Expires in 2478 seconds
Anti-replay service: Enabled, Replay window size: 128

lab@leffe-re1> 


lab@raph1> show services ipsec-vpn ipsec security-associations detail 
Service set: SERVICE-TEST-1, IKE Routing-instance: test-out

Rule: RULE-peering-id-2000143322-1, Term: 1, Tunnel index: 1
Local gateway: 55.55.55.2, Remote gateway: 55.55.55.1
IPSec inside interface: sp-2/0/0.11, Tunnel MTU: 1500
Local identity: ipv4_subnet(any:0,0.0.0.0/0)
Remote identity: ipv4_subnet(any:0,0.0.0.0/0)

Direction: inbound, SPI: 1331723786, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc
Soft lifetime: Expires in 2315 seconds
Hard lifetime: Expires in 2450 seconds
Anti-replay service: Enabled, Replay window size: 128

Direction: outbound, SPI: 90996136, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc
Soft lifetime: Expires in 2315 seconds
Hard lifetime: Expires in 2450 seconds
Anti-replay service: Enabled, Replay window size: 128

lab@raph1> 
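Before reading anything into what the analyzer shows, it is worth confirming that the two outputs above describe one matched SA pair: leffe's inbound SPI must be raph's outbound SPI and vice versa, both SAs must be Installed, and the algorithms must agree. The script below is an added example, not part of the original post; the two SA excerpts are re-typed inline from the values shown above.

```python
import re
# Constructed excerpts of "show services ipsec-vpn ipsec security-associations detail"
# from both tunnel endpoints, using the SPI and algorithm values shown in this post.
LEFFE_SA = """\
Direction: inbound, SPI: 90996136, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
Direction: outbound, SPI: 1331723786, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
"""
RAPH_SA = """\
Direction: inbound, SPI: 1331723786, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc
Direction: outbound, SPI: 90996136, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc
"""
# One SA block: the Direction line, then the State on the Mode line, then the Protocol line.
# The "(128 bits)" suffix raph omits is ignored by matching only the algorithm name.
SA_RE = re.compile(
    r"Direction: (\w+), SPI: (\d+).*?State: (\w+)\n"
    r"Protocol: (\w+), Authentication: ([\w-]+), Encryption: ([\w-]+)", re.S)

def parse_sas(text):
    """Map each SA direction to its SPI, install state and algorithm tuple."""
    sas = {}
    for direction, spi, state, proto, auth, enc in SA_RE.findall(text):
        sas[direction] = {"spi": int(spi), "state": state, "algs": (proto, auth, enc)}
    return sas

def check_sa_pair(local_text, peer_text):
    """Return problems found (empty list when consistent): every SA Installed,
    local inbound SPI == peer outbound SPI and vice versa, algorithms identical."""
    local, peer = parse_sas(local_text), parse_sas(peer_text)
    problems = []
    for name, sas in (("local", local), ("peer", peer)):
        for d in ("inbound", "outbound"):
            if d not in sas:
                problems.append(f"{name}: no {d} SA found")
            elif sas[d]["state"] != "Installed":
                problems.append(f"{name}: {d} SA state is {sas[d]['state']}")
    if problems:
        return problems
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if local[mine]["spi"] != peer[theirs]["spi"]:
            problems.append(f"SPI mismatch: local {mine} {local[mine]['spi']} vs peer {theirs} {peer[theirs]['spi']}")
        if local[mine]["algs"] != peer[theirs]["algs"]:
            problems.append(f"algorithm mismatch: local {mine} vs peer {theirs}")
    return problems
```

Run `check_sa_pair(LEFFE_SA, RAPH_SA)` with the two outputs pasted in; an empty list means the pair is consistent and a counter discrepancy is then down to forwarding, not to a stale or mismatched SA.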


lab@raph1> show firewall

Filter: port-mirror-filter
Counters:
Name                          Bytes              Packets
port-mirror-counter           4745037093494      3701277198     >>>>>>>>> the counter increments, and the port-mirror analyzer also sees the traffic

Filter: port-mirror-filter_output
Counters:
Name                          Bytes              Packets
port-mirror-counter_output    5127381350544      3999517607     >>>>>>>>> the counter increments, and the port-mirror analyzer also sees the traffic

Filter: __default_bpdu_filter__

lab@raph1>
