I'm trying to set up Group VPN between a Cisco GC/KS and 3 vMX routers (14.1R1.10) plus another Cisco router as members. I have managed to get Group VPN working between the two Cisco routers, but I'm having trouble configuring the vMX routers; maybe someone here can help.
Configuration of GM-1 (the Juniper vMX router acting as group member):
rokk@GM-1# show | display set
set version 14.1R1.10
set system host-name GM-1
set system root-authentication encrypted-password "$1$vNnFWAM2$KurYUSasAGoxR1rmE.48w0"
set system login user rokk uid 2000
set system login user rokk class super-user
set system login user rokk authentication encrypted-password "$1$boEud/xr$pkEPaLOAREI2jZwzMSZp7/"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set chassis fpc 0 pic 0 tunnel-services
set chassis fpc 0 pic 0 inline-services bandwidth 1g
set chassis fpc 0 pic 0 adaptive-services service-package layer-3
set services service-set SER-SET interface-service service-interface si-0/0/0
set services service-set SER-SET ipsec-group-vpn ABC
set security group-vpn member ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security group-vpn member ike proposal IKE-PROPOSAL dh-group group2
set security group-vpn member ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc
set security group-vpn member ike policy IKE-POLICY mode main
set security group-vpn member ike policy IKE-POLICY proposals IKE-PROPOSAL
set security group-vpn member ike policy IKE-POLICY pre-shared-key ascii-text "$9$-cws4HkPQ39YgPQ"
set security group-vpn member ike gateway IKE-GW ike-policy IKE-POLICY
set security group-vpn member ike gateway IKE-GW server-address 4.4.4.2
set security group-vpn member ike gateway IKE-GW local-address 1.1.1.2
set security group-vpn member ipsec vpn ABC ike-gateway IKE-GW
set security group-vpn member ipsec vpn ABC group 1412
set security group-vpn member ipsec vpn ABC match-direction output
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/24
set interfaces si-0/0/0 unit 0 family inet
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
GC/KS configuration:
GC_KS-1#show running-config
Building configuration...
Current configuration : 2093 bytes
!
! Last configuration change at 18:42:37 EET Wed Jan 2 2019
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GC_KS-1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
clock timezone EET 2 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
cts logging verbose
!
!
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.2
crypto isakmp key cisco address 2.2.2.2
crypto isakmp key cisco address 3.3.3.2
crypto isakmp key cisco address 6.6.6.2
!
!
crypto ipsec transform-set TR-SET esp-3des
mode tunnel
!
crypto ipsec profile PROFILE
set transform-set TR-SET
!
!
crypto gdoi group ABC
identity number 1412
server local
sa ipsec 1
profile PROFILE
match address ipv4 199
replay counter window-size 64
no tag
address ipv4 4.4.4.2
!
!
!
!
!
!
interface Ethernet0/0
ip address 4.4.4.2 255.255.255.0
!
interface Ethernet0/1
ip address 192.168.4.1 255.255.255.0
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
no ip address
shutdown
!
interface Ethernet1/0
no ip address
shutdown
!
interface Ethernet1/1
no ip address
shutdown
!
interface Ethernet1/2
no ip address
shutdown
!
interface Ethernet1/3
no ip address
shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 4.4.4.1
!
!
!
access-list 199 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
control-plane
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
transport input none
!
!
end
GM-6 configuration:
GM-6#show running-config
Building configuration...
Current configuration : 1730 bytes
!
! Last configuration change at 19:25:28 EET Wed Jan 2 2019
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GM-6
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
clock timezone EET 2 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip domain name cisco.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
cts logging verbose
!
!
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 4.4.4.2
!
!
!
!
crypto gdoi group ABC
identity number 1412
server address ipv4 4.4.4.2
!
!
crypto map MAP 10 gdoi
set group ABC
!
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
!
interface Ethernet0/1
ip address 192.168.6.1 255.255.255.0
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
ip address 6.6.6.2 255.255.255.0
crypto map MAP
!
interface Ethernet1/0
no ip address
shutdown
!
interface Ethernet1/1
no ip address
shutdown
!
interface Ethernet1/2
no ip address
shutdown
!
interface Ethernet1/3
no ip address
shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 6.6.6.1
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
transport input none
!
!
end
The connection between GM-6 and GC-KS is established:
GM-6#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect
Interface: Ethernet0/3
Session status: UP-ACTIVE
Peer: 0.0.0.0 port 848 fvrf: (none) ivrf: (none)
Phase1_id: 4.4.4.2
Desc: (none)
Session ID: 0
IKEv1 SA: local 6.6.6.2/848 remote 4.4.4.2/848 Active
Capabilities:(none) connid:1001 lifetime:23:22:03
IPSEC FLOW: permit ip 192.168.0.0/255.255.0.0 192.168.0.0/255.255.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/1964
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/1964
The problem is with the vMX configuration under edit services service-set: when I try the si interface, it gives me the following error:
rokk@GM-1# show | compare
[edit]
+ services {
+ service-set SER-SET {
+ interface-service {
+ service-interface si-0/0/0;
+ }
+ ipsec-group-vpn ABC;
+ }
+ }
[edit interfaces]
+ si-0/0/0 {
+ unit 0 {
+ family inet;
+ }
+ }
[edit]
rokk@GM-1# commit check
[edit services]
'service-set SER-SET'
nat-rules or nat-rule-sets or softwire-rules or softwire-rule-sets or ip-reassembly-rule or ip-reassembly-rule-sets must be configured when si is the service-interface
error: configuration check-out failed
So, has anyone tried configuring Group VPN on a vMX router? If so, could you give me an example, or tell me what else I have to do? Because I see that I can configure the router as a member under security group-vpn member.
See the attached topology.
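As an added example (not part of the post, and not a Juniper or Cisco tool), the script below cross-checks the member-side parameters that a group member must agree on with its key server, using the GM-1 set-config and the GC_KS-1 running-config from the post: GDOI group id, key server address, ISAKMP DH group, encryption algorithm, authentication method, and whether the member's local address has a pre-shared key entry on the server. It also flags the constraint quoted in the commit error, that a service-set whose service interface is an si- interface must also carry one of the nat/softwire/ip-reassembly rule families. The embedded configs are trimmed copies of the post's; the parsing approach, the field names it uses, the Junos-to-IOS algorithm-name mapping and the placeholder rule name in the test are this example's own assumptions.

```python
"""Cross-check a Junos group-VPN member (set-style config) against a Cisco GDOI
key server (running-config) and flag the service-set constraint from the commit
error. Added example built around the configs in the post; the parsing and the
field mapping are this example's own assumptions, not vendor tooling."""
import re
import shlex

# Constructed sample: the relevant lines of GM-1's set-config from the post.
JUNOS_GM = """
set services service-set SER-SET interface-service service-interface si-0/0/0
set services service-set SER-SET ipsec-group-vpn ABC
set security group-vpn member ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security group-vpn member ike proposal IKE-PROPOSAL dh-group group2
set security group-vpn member ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc
set security group-vpn member ike gateway IKE-GW server-address 4.4.4.2
set security group-vpn member ike gateway IKE-GW local-address 1.1.1.2
set security group-vpn member ipsec vpn ABC ike-gateway IKE-GW
set security group-vpn member ipsec vpn ABC group 1412
"""

# Constructed sample: the relevant lines of GC_KS-1's running-config from the post.
CISCO_KS = """
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 1.1.1.2
crypto isakmp key cisco address 2.2.2.2
!
crypto gdoi group ABC
 identity number 1412
 server local
  sa ipsec 1
   match address ipv4 199
  address ipv4 4.4.4.2
!
"""

# Rule families the commit check demands for an si- service interface
# (taken verbatim from the error message in the post).
SI_REQUIRED_RULES = ("nat-rules", "nat-rule-sets", "softwire-rules",
                     "softwire-rule-sets", "ip-reassembly-rule", "ip-reassembly-rule-sets")

# Junos algorithm names mapped to the IOS "encr" spelling (assumed mapping for this example).
ENC_MAP = {"3des-cbc": "3des", "des-cbc": "des", "aes-128-cbc": "aes",
           "aes-192-cbc": "aes 192", "aes-256-cbc": "aes 256"}


def junos_set_lines(text):
    """Yield each 'set ...' statement as a token list (quoted values kept whole)."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            yield shlex.split(line)[1:]


def junos_member_summary(text):
    """Collect keyword/value pairs from group-vpn member statements and service-set contents."""
    s = {"service_sets": {}}
    for t in junos_set_lines(text):
        if t[:3] == ["security", "group-vpn", "member"]:
            s[t[-2]] = t[-1]  # every statement here ends in '<keyword> <value>'
        elif t[:2] == ["services", "service-set"] and len(t) >= 4:
            ss = s["service_sets"].setdefault(t[2], {"rules": set(), "interface": None})
            if t[3] == "interface-service" and "service-interface" in t:
                ss["interface"] = t[t.index("service-interface") + 1]
            elif t[3] in SI_REQUIRED_RULES:
                ss["rules"].add(t[3])
    return s


def cisco_ks_summary(text):
    """Collect the ISAKMP policy, PSK peer addresses and GDOI group settings from an IOS config."""
    s = {"key_peers": set(), "isakmp": {}, "gdoi": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            section = None  # '!' closes a block regardless of indentation
            continue
        m = re.match(r"crypto isakmp key \S+ address (\S+)", line)
        if m:
            s["key_peers"].add(m.group(1))
            section = None
            continue
        if line.startswith("crypto isakmp policy "):
            section = "isakmp"
        elif line.startswith("crypto gdoi group "):
            section = "gdoi"
        elif section == "isakmp":
            key, _, value = line.partition(" ")
            s["isakmp"][key] = value
        elif section == "gdoi":
            if line.startswith("identity number "):
                s["gdoi"]["identity"] = line.split()[-1]
            elif line.startswith("address ipv4 "):
                s["gdoi"]["address"] = line.split()[-1]
    return s


def compare_member_to_server(gm, ks):
    """Return mismatch descriptions; an empty list means the IKE/GDOI parameters line up."""
    out = []

    def check(label, member_value, server_value):
        if member_value != server_value:
            out.append(f"{label}: member has {member_value!r}, key server has {server_value!r}")

    enc = gm.get("encryption-algorithm")
    check("GDOI group id", gm.get("group"), ks["gdoi"].get("identity"))
    check("key server address", gm.get("server-address"), ks["gdoi"].get("address"))
    check("DH group", (gm.get("dh-group") or "").replace("group", ""), ks["isakmp"].get("group"))
    check("encryption", ENC_MAP.get(enc, enc), ks["isakmp"].get("encr"))
    auth = "pre-share" if gm.get("authentication-method") == "pre-shared-keys" else gm.get("authentication-method")
    check("authentication", auth, ks["isakmp"].get("authentication"))
    if gm.get("local-address") not in ks["key_peers"]:
        out.append(f"no 'crypto isakmp key ... address {gm.get('local-address')}' on the key server")
    return out


def service_set_findings(gm):
    """Flag service-sets that use an si- interface without any of the required rule families."""
    out = []
    for name, ss in gm["service_sets"].items():
        iface = ss["interface"] or ""
        if iface.startswith("si-") and not ss["rules"]:
            out.append(f"service-set {name}: {iface} is the service-interface but none of "
                       f"{', '.join(SI_REQUIRED_RULES)} is configured (commit check fails)")
    return out


def audit(junos_text, cisco_text):
    """Run both checks and return their findings keyed by check name."""
    gm = junos_member_summary(junos_text)
    return {"mismatches": compare_member_to_server(gm, cisco_ks_summary(cisco_text)),
            "service_set": service_set_findings(gm)}


if __name__ == "__main__":
    for kind, items in audit(JUNOS_GM, CISCO_KS).items():
        print(f"{kind}: {items or 'none'}")
```

Run against the post's two configs, the IKE and GDOI parameters come out consistent and the only finding is the service-set one, which matches what the commit check reported: the member/server parameters are not where the problem lies.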