Eap
This scenario shows how to configure and connect two subnets with each other through a VPN tunnel using different eap methods
Test MD5 Method
Description
Simple VPN site-to-site configuration with md5 authentication for DUT0 (client) and pre shared secret for DUT1 (server)
Scenario
Step 1: Set the following configuration in DUT1:
set interfaces eth0 address 80.0.0.2/24 set interfaces dum0 address 10.2.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret 1234 set vpn ipsec auth-profile AUTH-SA remote auth eap dut0 type md5 set vpn ipsec auth-profile AUTH-SA remote auth eap dut0 secret 1234567 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec logging log-types any log-level 1
Step 2: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces dummy dum0 address 10.1.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec auth-profile AUTH-SA local id dut0 set vpn ipsec auth-profile AUTH-SA local auth eap dut0 type md5 set vpn ipsec auth-profile AUTH-SA local auth eap dut0 secret 1234567 set vpn ipsec auth-profile AUTH-SA remote auth pre-shared-secret 1234 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec logging log-types any log-level 1
Step 3: Ping IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.296 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.296/0.296/0.296/0.000 ms
Step 4: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.321 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.321/0.321/0.321/0.000 ms
Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, d338016b413af483_i* 52dac8c310edc3fb_r local 'dut0' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 26215s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3311s, expires in 3959s in ca0219ca, 0 bytes, 0 packets out c04dd660, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 6: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.389 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.389/0.389/0.389/0.000 ms
Step 7: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.406 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.406/0.406/0.406/0.000 ms
Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, d338016b413af483_i* 52dac8c310edc3fb_r local 'dut0' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 26215s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3311s, expires in 3959s in ca0219ca, 168 bytes, 2 packets, 0s ago out c04dd660, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test TLS Method
Description
Simple VPN site-to-site configuration with tls authentication in both sides
Scenario
Step 1: Set the following configuration in DUT1:
set interfaces eth0 address 80.0.0.2/24 set interfaces dum0 address 10.2.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec auth-profile AUTH-SA local auth eap dut1 type tls set vpn ipsec auth-profile AUTH-SA local cert-file running://server.crt set vpn ipsec auth-profile AUTH-SA local key file running://server.priv.pem set vpn ipsec auth-profile AUTH-SA remote auth eap dut0 type tls set vpn ipsec auth-profile AUTH-SA remote ca-cert-file running://ca.crt set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec logging log-types any log-level 1
Step 2: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces dummy dum0 address 10.1.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec auth-profile AUTH-SA local auth eap dut0 type tls set vpn ipsec auth-profile AUTH-SA local cert-file running://client.crt set vpn ipsec auth-profile AUTH-SA local key file running://client.priv.pem set vpn ipsec auth-profile AUTH-SA remote auth eap dut1 type tls set vpn ipsec auth-profile AUTH-SA remote ca-cert-file running://ca.crt set vpn ipsec auth-profile AUTH-SA remote id "CN=Server" set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec logging log-types any log-level 1
Step 3: Ping IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=1.07 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 1.072/1.072/1.072/0.000 ms
Step 4: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.282 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.282/0.282/0.282/0.000 ms
Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 2f33525dd2605640_i* cb961144efb3b1ef_r local 'CN=Client' @ 80.0.0.1[500] remote 'CN=Server' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 19868s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3298s, expires in 3960s in c9bbfd77, 0 bytes, 0 packets out cd01f39f, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 6: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=3.74 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 3.743/3.743/3.743/0.000 ms
Step 7: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.313 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.313/0.313/0.313/0.000 ms
Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 2f33525dd2605640_i* cb961144efb3b1ef_r local 'CN=Client' @ 80.0.0.1[500] remote 'CN=Server' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 19867s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3297s, expires in 3959s in c9bbfd77, 168 bytes, 2 packets, 0s ago out cd01f39f, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test MSCHAPV2 Method
Description
Simple VPN site-to-site configuration with mschapv2 authentication for DUT0 (client) and X.509 certificate for DUT1 (server)
Scenario
Step 1: Set the following configuration in DUT1:
set interfaces eth0 address 80.0.0.2/24 set interfaces dum0 address 10.2.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec auth-profile AUTH-SA local cert-file running://server.crt set vpn ipsec auth-profile AUTH-SA local key file running://server.priv.pem set vpn ipsec auth-profile AUTH-SA remote auth eap %any type mschapv2 set vpn ipsec auth-profile AUTH-SA remote auth eap %any secret 12345 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec logging log-types any log-level 1
Step 2: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces dummy dum0 address 10.1.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec auth-profile AUTH-SA local auth eap dut0 type mschapv2 set vpn ipsec auth-profile AUTH-SA local auth eap dut0 secret 12345 set vpn ipsec auth-profile AUTH-SA remote ca-cert-file running://ca.crt set vpn ipsec auth-profile AUTH-SA remote id "CN=Server" set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec logging log-types any log-level 1
Step 3: Ping IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=4.14 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 4.140/4.140/4.140/0.000 ms
Step 4: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=7.23 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 7.229/7.229/7.229/0.000 ms
Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, aa879a22e1a5a7ac_i* 19aae26e296c159c_r local '80.0.0.1' @ 80.0.0.1[500] remote 'CN=Server' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 21791s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3372s, expires in 3959s in ce4d7d74, 0 bytes, 0 packets out ccf618fc, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 6: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=15.4 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 15.356/15.356/15.356/0.000 ms
Step 7: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.623 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.623/0.623/0.623/0.000 ms
Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, aa879a22e1a5a7ac_i* 19aae26e296c159c_r local '80.0.0.1' @ 80.0.0.1[500] remote 'CN=Server' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 2s ago, rekeying in 21790s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 2s ago, rekeying in 3371s, expires in 3958s in ce4d7d74, 168 bytes, 2 packets, 0s ago out ccf618fc, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test TTLS Method
Description
Simple VPN site-to-site configuration with ttls authentication in both sides, but DUT0 (client) using a secret password and DUT1 (server) a X.509 certificate
Scenario
Step 1: Set the following configuration in DUT1:
set interfaces eth0 address 80.0.0.2/24 set interfaces dum0 address 10.2.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec auth-profile AUTH-SA local cert-file running://server.crt set vpn ipsec auth-profile AUTH-SA local key file running://server.priv.pem set vpn ipsec auth-profile AUTH-SA local auth eap dut1 type ttls set vpn ipsec auth-profile AUTH-SA remote auth eap dut0 type ttls set vpn ipsec auth-profile AUTH-SA remote auth eap dut0 secret 12345 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec logging log-types any log-level 1
Step 2: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces dummy dum0 address 10.1.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec auth-profile AUTH-SA local id dut0 set vpn ipsec auth-profile AUTH-SA local auth eap dut0 type ttls set vpn ipsec auth-profile AUTH-SA local auth eap dut0 secret 12345 set vpn ipsec auth-profile AUTH-SA remote auth eap dut1 type ttls set vpn ipsec auth-profile AUTH-SA remote ca-cert-file running://ca.crt set vpn ipsec auth-profile AUTH-SA remote id "CN=Server" set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec logging log-types any log-level 1
Step 3: Ping IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.308 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.308/0.308/0.308/0.000 ms
Step 4: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.362 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.362/0.362/0.362/0.000 ms
Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, e7b0e7cab97f2f5e_i* d42475b5224b2092_r local 'dut0' @ 80.0.0.1[500] remote 'CN=Server' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 19169s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3330s, expires in 3959s in c53d3835, 0 bytes, 0 packets out c1291ea7, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 6: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.339 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.339/0.339/0.339/0.000 ms
Step 7: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.365 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.365/0.365/0.365/0.000 ms
Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, e7b0e7cab97f2f5e_i* d42475b5224b2092_r local 'dut0' @ 80.0.0.1[500] remote 'CN=Server' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 19169s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3330s, expires in 3959s in c53d3835, 168 bytes, 2 packets, 0s ago out c1291ea7, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24