
Configuration Example - IPSEC packet capture on MS MPC


Article ID: KB37196 KB Last Updated: 13 Oct 2021Version: 1.0
Summary:

This article demonstrates how to capture traffic passing through an IPSEC tunnel that is configured on an MS-MPC PIC.

Solution:

Test diagram:

            60.1.252.1                          60.1.252.2
            router1(MX)                          router2(MX)
            IPSEC GW                            IPSEC GW
                 |                                 |
                 |oSA:ms-2/0/0.1252   iSA:ms-2/0/0.1001
                 |------>                --------> |
                 |.................................|
                .| .       IPSEC tunnel 1        . |.
                 |.................................|
                 |<------                <-------- |
                 |iSA:ms-2/0/0.1253   oSA:ms-2/0/0.1002
                 |                                 |
                 |                                 |
    BGP peer ==========================================>     BGP peer
         xe-0/0/1|                                 |    xe-1/2/0
    joker--------+                                 +------------joker
    (LR:to-router1)                                |    (LR:to-router2)
     VLAN10:     |                                 |     VLAN10
     192.168.0.2 |                                 | 172.16.0.1
     VLAN20:     |                                 |     VLAN20
     192.169.0.2 |                                 | 172.17.0.1
                 |                                 |
                 |                                 |
                 |oSA:ms-2/0/0.1254   iSA:ms-2/0/0.1003
                 |------->               --------> |
                 |.................................|
                .| .      IPSEC tunnel 2         . |.
                 |.................................|
                 |<-------               <-------- |
                 |iSA:ms-2/0/0.1255   oSA:ms-2/0/0.1004
                 |                                 |
           70.1.252.1                           70.1.252.2


There are two IPSEC tunnels configured between two MX960 routers, batman and robin (shown as router1 and router2 in the diagram above). The traffic between the two BGP peers travels through both tunnels, load-balanced by ECMP.
In this example, both MX routers have an MS-MPC card with 4 PICs in slot 2, which is where the 'ms-2/0/0.x' tunnel interfaces are located.

    labroot@router1-re0> show chassis fpc pic-status 2
    Jun 14 16:02:11
    Slot 2   Online       MS-MPC
      PIC 0  Online       MS-MPC-PIC
      PIC 1  Online       MS-MPC-PIC
      PIC 2  Online       MS-MPC-PIC    <---
      PIC 3  Online       MS-MPC-PIC


How to capture the IPSEC and BGP keepalive (KA) packets on the MS-MPC PIC of MX 'batman':

  1. From the MX CLI, drop to the Junos shell:

    labroot@router1-re0> start shell
  2. From the Junos shell, log in to the MS-MPC PIC with telnet. Use the login name "root"; no password is requested:

        root@ms20%  telnet -Ji fpc2.pic0

        Trying 128.0.1.18...
        Connected to fpc2.pic0.
        Escape character is '^]'.

        login: root

        --- JUNOS 18.4R1-S7.1 built 2020-05-14 01:17:14 UTC

        root@ms20%
  3. Use the 'mspdump' command to capture IPSEC traffic, running it in the background and writing the output to a file:

        root@ms20% mspdump -ni ms0 -s 1500 "host 60.1.252.2 || host 172.16.0.1" > /var/re/packet_trace.txt &
        [1] 82789
        root@ms20% verbose output suppressed, use <detail> or <extensive> for full protocol decode
        Address resolution is OFF.
        Listening on ms0, capture size 1500 bytes


Host 60.1.252.2 is the remote IPSEC gateway and host 172.16.0.1 is the remote BGP peer. With these two filter terms, mspdump captures traffic to and from the remote BGP peer (BGP KA, BGP teardown/establishment messages, etc.) as well as any traffic flowing between the two IPSEC gateways. The trailing '&' runs the capture in the background, and the redirection writes the decoded packets to the file /var/re/packet_trace.txt; the shell prints the job number and process ID ("[1] 82789") that are needed later to stop it.

To watch the capture as it progresses, use 'tail -f' on the output file, then press Ctrl-C to stop viewing (this stops only 'tail'; the background capture keeps running):

    root@ms20% tail -f /var/re/packet_trace.txt
    14:29:19.318488  In SERVICES service id 75 flags 0x85 service set id 1253 iif 384 IP 60.1.252.2 > 60.1.252.1: ESP(spi=3738791032,seq=0x54)
    14:29:19.318524 Out SERVICES service id 64 flags 0x83 iif 335 IP 172.16.0.1.179 > 192.168.0.2.50217: P 3595632646:3595632665(19) ack 137769324 win 16384 <nop,nop,timestamp 272217603 272209406>: BGP, length: 19
    14:29:19.318553  In SERVICES service id 75 flags 0x85 service set id 1252 iif 385 IP 192.168.0.2.50217 > 172.16.0.1.179: P 1:20(19) ack 0 win 16384 <nop,nop,timestamp 272217603 272209406>: BGP, length: 19
    14:29:19.318581 Out SERVICES service id 64 flags 0x83 iif 336 IP 60.1.252.1 > 60.1.252.2: ESP(spi=3270061680,seq=0x53)
    14:29:19.418384  In SERVICES service id 75 flags 0x85 service set id 1252 iif 385 IP 192.168.0.2.50217 > 172.16.0.1.179: . ack 19 win 16384 <nop,nop,timestamp 272217703 272217603>
    14:29:19.418407 Out SERVICES service id 64 flags 0x83 iif 336 IP 60.1.252.1 > 60.1.252.2: ESP(spi=3270061680,seq=0x54)
    14:29:19.418551  In SERVICES service id 75 flags 0x85 service set id 1253 iif 384 IP 60.1.252.2 > 60.1.252.1: ESP(spi=3738791032,seq=0x55)
    14:29:19.418584 Out SERVICES service id 64 flags 0x83 iif 335 IP 172.16.0.1.179 > 192.168.0.2.50217: . ack 20 win 16384 <nop,nop,timestamp 272217703 272217603>
    14:29:27.509528  In SERVICES service id 75 flags 0x85 service set id 1253 iif 384 IP 60.1.252.2 > 60.1.252.1: ESP(spi=3738791032,seq=0x56)
    14:29:27.509561 Out SERVICES service id 64 flags 0x83 iif 335 IP 172.16.0.1.179 > 192.168.0.2.50217: P 19:38(19) ack 20 win 16384 <nop,nop,timestamp 272225794 272217703>: BGP, length: 19
    14:29:27.509596  In SERVICES service id 75 flags 0x85 service set id 1252 iif 385 IP 192.168.0.2.50217 > 172.16.0.1.179: P 20:39(19) ack 19 win 16384 <nop,nop,timestamp 272225794 272217703>: BGP, length: 19
    14:29:27.509622 Out SERVICES service id 64 flags 0x83 iif 336 IP 60.1.252.1 > 60.1.252.2: ESP(spi=3270061680,seq=0x55)
    14:29:27.609403  In SERVICES service id 75 flags 0x85 service set id 1252 iif 385 IP 192.168.0.2.50217 > 172.16.0.1.179: . ack 38 win 16384 <nop,nop,timestamp 272225894 272225794>
    14:29:27.609424 Out SERVICES service id 64 flags 0x83 iif 336 IP 60.1.252.1 > 60.1.252.2: ESP(spi=3270061680,seq=0x56)
    14:29:27.609569  In SERVICES service id 75 flags 0x85 service set id 1253 iif 384 IP 60.1.252.2 > 60.1.252.1: ESP(spi=3738791032,seq=0x57)
    14:29:27.609592 Out SERVICES service id 64 flags 0x83 iif 335 IP 172.16.0.1.179 > 192.168.0.2.50217: . ack 39 win 16384 <nop,nop,timestamp 272225894 272225794>
    14:29:37.415553  In SERVICES service id 75 flags 0x85 service set id 1253 iif 384 IP 60.1.252.2 > 60.1.252.1: ESP(spi=3738791032,seq=0x58)
    14:29:37.415586 Out SERVICES service id 64 flags 0x83 iif 335 IP 172.16.0.1.179 > 192.168.0.2.50217: P 38:57(19) ack 39 win 16384 <nop,nop,timestamp 272235700 272225894>: BGP, length: 19
    14:29:37.415622  In SERVICES service id 75 flags 0x85 service set id 1252 iif 385 IP 192.168.0.2.50217 > 172.16.0.1.179: P 39:58(19) ack 38 win 16384 <nop,nop,timestamp 272235700 272225894>: BGP, length: 19
    14:29:37.415647 Out SERVICES service id 64 flags 0x83 iif 336 IP 60.1.252.1 > 60.1.252.2: ESP(spi=3270061680,seq=0x57)
    14:29:37.515397  In SERVICES service id 75 flags 0x85 service set id 1252 iif 385 IP 192.168.0.2.50217 > 172.16.0.1.179: . ack 57 win 16384 <nop,nop,timestamp 272235800 272235700>
    14:29:37.515420 Out SERVICES service id 64 flags 0x83 iif 336 IP 60.1.252.1 > 60.1.252.2: ESP(spi=3270061680,seq=0x58)
    14:29:37.515564  In SERVICES service id 75 flags 0x85 service set id 1253 iif 384 IP 60.1.252.2 > 60.1.252.1: ESP(spi=3738791032,seq=0x59)
    14:29:37.515588 Out SERVICES service id 64 flags 0x83 iif 335 IP 172.16.0.1.179 > 192.168.0.2.50217: . ack 58 win 16384 <nop,nop,timestamp 272235800 272235700>
    14:29:45.529540  In SERVICES service id 75 flags 0x85 service set id 1253 iif 384 IP 60.1.252.2 > 60.1.252.1: ESP(spi=3738791032,seq=0x5a)
    14:29:45.529574 Out SERVICES service id 64 flags 0x83 iif 335 IP 172.16.0.1.179 > 192.168.0.2.50217: P 57:76(19) ack 58 win 16384 <nop,nop,timestamp 272243814 272235800>: BGP, length: 19
    ^C
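
Each line of the capture above shows one half of an exchange: a cleartext BGP keepalive (length 19 is a bare BGP header, i.e. a KEEPALIVE) arriving on the oSA service set and the matching ESP packet leaving on the outbound SPI, or the reverse. Reading that by eye for a long capture is tedious, so the following script, an added example that is not part of the Juniper article and not a Juniper tool, parses saved mspdump lines offline (for instance after copying /var/re/packet_trace.txt off the box), counts packets per direction and per SPI, and flags any ESP sequence number that does not advance by exactly one. The sample input is ten lines copied from the capture above plus one constructed final line whose sequence number skips from 0x56 to 0x59, so that the gap check has something to report. The line format matched here is only what the article's output shows; other Junos releases may print different fields.

```python
import re
from collections import defaultdict

# Constructed sample input: lines 1-10 are copied from the article's
# 'tail -f /var/re/packet_trace.txt' output; line 11 is constructed and
# deliberately skips ESP seq 0x57 and 0x58 on the inbound SPI.
SAMPLE_CAPTURE = """\
14:29:19.318488  In SERVICES service id 75 flags 0x85 service set id 1253 iif 384 IP 60.1.252.2 > 60.1.252.1: ESP(spi=3738791032,seq=0x54)
14:29:19.318524 Out SERVICES service id 64 flags 0x83 iif 335 IP 172.16.0.1.179 > 192.168.0.2.50217: P 3595632646:3595632665(19) ack 137769324 win 16384 <nop,nop,timestamp 272217603 272209406>: BGP, length: 19
14:29:19.318553  In SERVICES service id 75 flags 0x85 service set id 1252 iif 385 IP 192.168.0.2.50217 > 172.16.0.1.179: P 1:20(19) ack 0 win 16384 <nop,nop,timestamp 272217603 272209406>: BGP, length: 19
14:29:19.318581 Out SERVICES service id 64 flags 0x83 iif 336 IP 60.1.252.1 > 60.1.252.2: ESP(spi=3270061680,seq=0x53)
14:29:19.418384  In SERVICES service id 75 flags 0x85 service set id 1252 iif 385 IP 192.168.0.2.50217 > 172.16.0.1.179: . ack 19 win 16384 <nop,nop,timestamp 272217703 272217603>
14:29:19.418407 Out SERVICES service id 64 flags 0x83 iif 336 IP 60.1.252.1 > 60.1.252.2: ESP(spi=3270061680,seq=0x54)
14:29:19.418551  In SERVICES service id 75 flags 0x85 service set id 1253 iif 384 IP 60.1.252.2 > 60.1.252.1: ESP(spi=3738791032,seq=0x55)
14:29:19.418584 Out SERVICES service id 64 flags 0x83 iif 335 IP 172.16.0.1.179 > 192.168.0.2.50217: . ack 20 win 16384 <nop,nop,timestamp 272217703 272217603>
14:29:27.509528  In SERVICES service id 75 flags 0x85 service set id 1253 iif 384 IP 60.1.252.2 > 60.1.252.1: ESP(spi=3738791032,seq=0x56)
14:29:27.509561 Out SERVICES service id 64 flags 0x83 iif 335 IP 172.16.0.1.179 > 192.168.0.2.50217: P 19:38(19) ack 20 win 16384 <nop,nop,timestamp 272225794 272217703>: BGP, length: 19
14:29:37.415553  In SERVICES service id 75 flags 0x85 service set id 1253 iif 384 IP 60.1.252.2 > 60.1.252.1: ESP(spi=3738791032,seq=0x59)
"""

# One mspdump packet line as printed in the article: timestamp, In/Out,
# service id, flags, optional service set id (only on inbound lines), iif,
# then the IP header summary and a protocol-specific payload description.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<dir>In|Out)\s+SERVICES\s+service id (?P<svc>\d+)"
    r"\s+flags (?P<flags>0x[0-9a-fA-F]+)(?:\s+service set id (?P<sset>\d+))?\s+iif (?P<iif>\d+)"
    r"\s+IP (?P<src>\S+) > (?P<dst>\S+): (?P<payload>.*)$"
)
ESP_RE = re.compile(r"^ESP\(spi=(?P<spi>\d+),seq=(?P<seq>0x[0-9a-fA-F]+)\)")
BGP_RE = re.compile(r"BGP, length: (?P<len>\d+)$")


def parse_line(line):
    """Parse one capture line into a dict; return None for non-packet lines
    such as the 'Listening on ms0' banner, blank lines or the ^C marker."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["kind"] = "other"            # e.g. a bare TCP ack
    esp = ESP_RE.match(rec["payload"])
    bgp = BGP_RE.search(rec["payload"])
    if esp:
        rec["kind"] = "esp"
        rec["spi"] = int(esp.group("spi"))
        rec["seq"] = int(esp.group("seq"), 16)
    elif bgp:
        rec["kind"] = "bgp"
        rec["bgp_len"] = int(bgp.group("len"))  # 19 = header only = KEEPALIVE
    return rec


def parse_capture(text):
    """Parse a whole saved capture, dropping lines that are not packets."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def esp_sequence_gaps(records):
    """Per SPI, list every (previous_seq, observed_seq) pair where the ESP
    sequence number did not advance by exactly one. A gap on the inbound SPI
    means packets were lost, or took a path this PIC never saw; a repeated or
    decreasing number is what the receiver's anti-replay window would reject."""
    last, gaps = {}, defaultdict(list)
    for r in records:
        if r["kind"] != "esp":
            continue
        spi, seq = r["spi"], r["seq"]
        if spi in last and seq != last[spi] + 1:
            gaps[spi].append((last[spi], seq))
        last[spi] = seq
    return dict(gaps)


def summarize(records):
    """Count packets per (direction, kind) and ESP packets per SPI, so the two
    halves of each exchange (cleartext BGP one way, ESP the other) can be
    compared; a persistent imbalance points at where traffic is being dropped."""
    by_dir_kind, esp_per_spi = defaultdict(int), defaultdict(int)
    for r in records:
        by_dir_kind[(r["dir"], r["kind"])] += 1
        if r["kind"] == "esp":
            esp_per_spi[r["spi"]] += 1
    return {"by_dir_kind": dict(by_dir_kind), "esp_per_spi": dict(esp_per_spi)}


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    print(summarize(recs))
    print(esp_sequence_gaps(recs))
```

On the sample, summarize() reports three outbound ESP/BGP exchanges and four inbound ESP packets on SPI 3738791032, and esp_sequence_gaps() flags the constructed jump from 0x56 to 0x59 on that SPI; on a real capture a gap on the inbound SPI is the first thing to correlate with the BGP hold-timer expiry you are investigating.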

To stop the capture, first find the process ID of mspdump with the 'ps' command (it is the same PID the shell printed when the background job started), then kill that process. mspdump prints its filter statistics as it exits:

    root@ms20% ps
      PID  TT  STAT      TIME COMMAND
      223  d0  Ss+    0:00.05 /usr/libexec/getty std.9600 ttyd0
    76694  p0  Ss     0:00.07 login [pam] (login)
    76695  p0  S+     0:00.15 -csh (csh)
    82106  p1  Ss     0:00.07 login [pam] (login)
    82107  p1  S      0:00.14 -csh (csh)
    82789  p1  S      0:00.09 mspdump -ni ms0 -s 1500 host 60.1.252.2 || host 172.16.0.1 #<---
    82790  p1  R+     0:00.03 ps
    root@ms20%

    root@ms20% kill 82789

    396 packets accepted by filter
    0 packets rejected by filter
    0 packets dropped on queue-full
    root@ms20%
    [1]    Done                          mspdump -ni ms0 -s 1500 host 60.1.252.2 || host 172.16.0.1 >  ...
    root@ms20%