If you want to check for traffic drops on the transit path of an IPsec tunnel, port mirroring is a useful tool. It works with both the ESP and AH protocols, and helps in three cases:
1. Identifying a suspected traffic drop in transit over the IPsec tunnel.
2. Identifying a suspected traffic drop after encryption at the ingress point of the IPsec tunnel.
3. Identifying a suspected traffic drop after decryption at the egress point of the IPsec tunnel.
Setup details:

traffic generator-1 -- leffe-re1 xe-0/3/0 --- xe-1/1/0 kabab xe-2/1/0 --- xe-5/1/1 wolf --- AE0 --- raph --- traffic generator-2
                                                                                                     |
                                                                                                     |_____ xe-5/0/0 --- port-mirroring-analyzer-1
Configuration on Raph:
---------------------------
lab@raph1> show configuration services
ipsec-vpn {
    rule RULE-peering-id-2000143322-1 {
        term 1 {
            from {
                ipsec-inside-interface sp-2/0/0.11;
            }
            then {
                remote-gateway 55.55.55.1;
                dynamic {
                    ike-policy IKE-POL-peering-id-2000000465-1;
                    ipsec-policy IPSEC-POL-G2-AES128-SHA1;
                }
                clear-dont-fragment-bit;
                initiate-dead-peer-detection;
            }
        }
        match-direction input;
    }
    ipsec {
        proposal IPSEC-PROP-AES128-SHA1 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy IPSEC-POL-G2-AES128-SHA1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals IPSEC-PROP-AES128-SHA1;
        }
    }
    ike {
        proposal IKE-PROP-AES128-SHA1-G2 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        policy IKE-POL-peering-id-2000000465-1 {
            mode main;
            proposals IKE-PROP-AES128-SHA1-G2;
            pre-shared-key ascii-text "$9$JjDqfTQnAu1Ap0Ihr8LxNdw4ZUDk.5FNdDk.mF3BIEyK82gJjHmaZmT"; ## SECRET-DATA
        }
    }
}
service-set SERVICE-TEST-1 {
    tcp-mss 1387;
    next-hop-service {
        inside-service-interface sp-2/0/0.11;
        outside-service-interface sp-2/0/0.12;
    }
    ipsec-vpn-options {
        local-gateway 55.55.55.2 routing-instance test-out;
    }
    ipsec-vpn-rules RULE-peering-id-2000143322-1;
}

lab@raph1> show configuration interfaces sp-2/0/0 unit 11
family inet {
    filter {
        input port-mirror-filter;
        >>>>>>>>>> filter to capture the traffic from traffic generator-1 to traffic generator-2, which arrives at the sp- interface for decryption
        output port-mirror-filter_output;
        >>>>>>>>>> filter to capture the traffic from traffic generator-2 to traffic generator-1, which is sent towards the sp- interface for encryption
    }
    address 55.55.56.2/30;
}
service-domain inside;

lab@raph1> show configuration interfaces sp-2/0/0 unit 12
family inet;
service-domain outside;

lab@raph1>
PORT MIRRORING CONFIGURATION:
---------------------------------------------------
lab@raph1> show configuration firewall
family inet {
    filter port-mirror-filter {
        term one {
            then {
                count port-mirror-counter;
                port-mirror;
                accept;
            }
        }
    }
    filter port-mirror-filter_output {
        term one {
            then {
                count port-mirror-counter_output;
                port-mirror;
                accept;
            }
        }
    }
}

lab@raph1> show configuration forwarding-options
port-mirroring {
    input {
        rate 1;
    }
    family inet {
        output {
            inactive: interface gr-0/1/0.0 {
                >>>>> a GR interface can also be used, to send the mirrored traffic to some other router
                next-hop 77.77.77.1;
            }
            interface xe-5/0/0.0 {
                next-hop 40.1.2.2;
            }
        }
    }
}

lab@raph1> show configuration interfaces xe-5/0/0
unit 0 {
    family inet {
        address 40.1.2.1/30;
    }
}

lab@raph1> show configuration interfaces gr-0/1/0
unit 0 {
    tunnel {
        source 40.1.2.1;
        destination 40.1.2.2;
    }
    family inet {
        address 77.77.77.2/24;
    }
}

lab@leffe-re1> show services ipsec-vpn ipsec security-associations detail
  Service set: SERVICE-TEST-1, IKE Routing-instance: default

  Rule: RULE-peering-id-2000143322-1, Term: 1, Tunnel index: 2
  Local gateway: 55.55.55.1, Remote gateway: 55.55.55.2
  IPSec inside interface: sp-3/1/0.11, Tunnel MTU: 1500
  Local identity: ipv4_subnet(any:0,0.0.0.0/0)
  Remote identity: ipv4_subnet(any:0,0.0.0.0/0)

    Direction: inbound, SPI: 90996136, AUX-SPI: 0
    Mode: tunnel, Type: dynamic, State: Installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Soft lifetime: Expires in 2388 seconds
    Hard lifetime: Expires in 2478 seconds
    Anti-replay service: Enabled, Replay window size: 128

    Direction: outbound, SPI: 1331723786, AUX-SPI: 0
    Mode: tunnel, Type: dynamic, State: Installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Soft lifetime: Expires in 2388 seconds
    Hard lifetime: Expires in 2478 seconds
    Anti-replay service: Enabled, Replay window size: 128

lab@leffe-re1>

lab@raph1> show services ipsec-vpn ipsec security-associations detail
  Service set: SERVICE-TEST-1, IKE Routing-instance: test-out

  Rule: RULE-peering-id-2000143322-1, Term: 1, Tunnel index: 1
  Local gateway: 55.55.55.2, Remote gateway: 55.55.55.1
  IPSec inside interface: sp-2/0/0.11, Tunnel MTU: 1500
  Local identity: ipv4_subnet(any:0,0.0.0.0/0)
  Remote identity: ipv4_subnet(any:0,0.0.0.0/0)

    Direction: inbound, SPI: 1331723786, AUX-SPI: 0
    Mode: tunnel, Type: dynamic, State: Installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc
    Soft lifetime: Expires in 2315 seconds
    Hard lifetime: Expires in 2450 seconds
    Anti-replay service: Enabled, Replay window size: 128

    Direction: outbound, SPI: 90996136, AUX-SPI: 0
    Mode: tunnel, Type: dynamic, State: Installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc
    Soft lifetime: Expires in 2315 seconds
    Hard lifetime: Expires in 2450 seconds
    Anti-replay service: Enabled, Replay window size: 128

lab@raph1>

lab@raph1> show firewall

Filter: port-mirror-filter
Counters:
Name                                                Bytes              Packets
port-mirror-counter                        4745037093493           3701277198
>>>>>>>>> the counter increments, and the port-mirror analyzer also sees the traffic

Filter: port-mirror-filter_output
Counters:
Name                                                Bytes              Packets
port-mirror-counter_output                 5127381350544           3999517607
>>>>>>>>> the counter increments, and the port-mirror analyzer also sees the traffic

Filter: __default_bpdu_filter__

lab@raph1>
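The check the post relies on is that both port-mirror counters keep incrementing: if traffic stops in one direction (for example packets arriving for decryption no longer reach sp-2/0/0.11), the corresponding counter stalls while the other keeps moving. The following script is an added example, not part of the original post or of any Juniper tool. It parses the Filter/Counters sections of two "show firewall" snapshots taken some seconds apart and reports the per-counter packet delta, rate and a stalled flag. The filter and counter names are the ones from the post; the two snapshot texts and their counter values are constructed for the example, and the 10-second interval is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample outputs in the layout of Junos "show firewall"; the
# counter values are made up for this example, not captured from the lab.
SNAPSHOT_T0 = """\
Filter: port-mirror-filter
Counters:
Name                                                Bytes              Packets
port-mirror-counter                        4745037093494           3701277198

Filter: port-mirror-filter_output
Counters:
Name                                                Bytes              Packets
port-mirror-counter_output                 5127381350544           3999517607

Filter: __default_bpdu_filter__
"""

# Assumed to be taken 10 seconds later: the output counter (traffic heading
# for encryption) keeps moving, the input counter (traffic arriving for
# decryption) has not moved at all.
SNAPSHOT_T1 = """\
Filter: port-mirror-filter
Counters:
Name                                                Bytes              Packets
port-mirror-counter                        4745037093494           3701277198

Filter: port-mirror-filter_output
Counters:
Name                                                Bytes              Packets
port-mirror-counter_output                 5127394170544           3999527607

Filter: __default_bpdu_filter__
"""

# filter name -> counter name -> (bytes, packets)
Counters = Dict[str, Dict[str, Tuple[int, int]]]

# A counter row is "<name> <bytes> <packets>"; the "Counters:" and
# "Name Bytes Packets" header lines do not match this pattern.
COUNTER_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")


def parse_show_firewall(text: str) -> Counters:
    """Parse the Filter/Counters sections of 'show firewall' output."""
    result: Counters = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Filter:"):
            current = line.split(":", 1)[1].strip()
            result[current] = {}          # filters without counters stay empty
            continue
        if current is None:
            continue
        m = COUNTER_LINE.match(line)
        if m:
            result[current][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return result


def counter_deltas(before: Counters, after: Counters,
                   interval_s: float) -> Dict[Tuple[str, str], dict]:
    """Byte/packet increase per counter between two snapshots, plus status flags."""
    report: Dict[Tuple[str, str], dict] = {}
    for flt, counters in after.items():
        for name, (bytes1, pkts1) in counters.items():
            bytes0, pkts0 = before.get(flt, {}).get(name, (0, 0))
            d_bytes, d_pkts = bytes1 - bytes0, pkts1 - pkts0
            report[(flt, name)] = {
                "bytes": d_bytes,
                "packets": d_pkts,
                "pps": d_pkts / interval_s,
                # a negative delta means the counter was cleared or wrapped
                # between the samples; that is not a stall
                "reset": d_pkts < 0,
                "stalled": d_pkts == 0,
            }
    return report


def stalled_counters(before: Counters, after: Counters) -> List[Tuple[str, str]]:
    """Counters that did not increment at all: the direction that stopped reaching the filter."""
    deltas = counter_deltas(before, after, 1.0)
    return sorted(key for key, d in deltas.items() if d["stalled"])


if __name__ == "__main__":
    t0 = parse_show_firewall(SNAPSHOT_T0)
    t1 = parse_show_firewall(SNAPSHOT_T1)
    for (flt, name), d in counter_deltas(t0, t1, 10.0).items():
        state = "STALLED" if d["stalled"] else ("RESET" if d["reset"] else "ok")
        print(f"{flt}/{name}: +{d['packets']} pkts, {d['pps']:.0f} pps, {state}")
    print("stalled:", stalled_counters(t0, t1))
```

In practice the two snapshots are the text of "show firewall" run twice on the router; a stalled input counter with a healthy output counter points at the decryption side of the path, while a stalled output counter points at the encryption side, which narrows down where on the diagram to look with the mirror analyzer.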