Eap

This scenario shows how to configure and connect two subnets with each other through a VPN tunnel using different eap methods

../../../../_images/eap.svg

Test MD5 Method

Description

Simple VPN site-to-site configuration with md5 authentication for DUT0 (client) and pre shared secret for DUT1 (server)

Scenario

Step 1: Set the following configuration in DUT1:

set interfaces eth0 address 80.0.0.2/24
set interfaces dum0 address 10.2.0.1/24
set protocols static route 0.0.0.0/0 interface dum0
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret 1234
set vpn ipsec auth-profile AUTH-SA remote auth eap dut0 type md5
set vpn ipsec auth-profile AUTH-SA remote auth eap dut0 secret 1234567
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec logging log-types any log-level 1

Step 2: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 80.0.0.1/24
set interfaces dummy dum0 address 10.1.0.1/24
set protocols static route 0.0.0.0/0 interface dum0
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec auth-profile AUTH-SA local id dut0
set vpn ipsec auth-profile AUTH-SA local auth eap dut0 type md5
set vpn ipsec auth-profile AUTH-SA local auth eap dut0 secret 1234567
set vpn ipsec auth-profile AUTH-SA remote auth pre-shared-secret 1234
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec logging log-types any log-level 1

Step 3: Ping IP address 80.0.0.1 from DUT1:

admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1
Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.275 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.275/0.275/0.275/0.000 ms

Step 4: Ping IP address 80.0.0.2 from DUT0:

admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1
Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.288 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.288/0.288/0.288/0.000 ms

Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

peer-PEER-tunnel-\d+.+INSTALLED
Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 7da799ec4a2b0d12_i* 909d0b4b1f4a6df9_r
  local  'dut0' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 21252s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3289s, expires in 3959s
    in  c0ad814e,      0 bytes,     0 packets
    out c3827840,      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 6: Ping IP address 10.2.0.1 from DUT0:

admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1
Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.328 ms

--- 10.2.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.328/0.328/0.328/0.000 ms

Step 7: Ping IP address 10.1.0.1 from DUT1:

admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1
Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.404 ms

--- 10.1.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.404/0.404/0.404/0.000 ms

Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

[1-9]\d? packets
Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 7da799ec4a2b0d12_i* 909d0b4b1f4a6df9_r
  local  'dut0' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 21252s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3289s, expires in 3959s
    in  c0ad814e,    168 bytes,     2 packets,     0s ago
    out c3827840,    168 bytes,     2 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

Test TLS Method

Description

Simple VPN site-to-site configuration with tls authentication in both sides

Scenario

Step 1: Set the following configuration in DUT1:

set interfaces eth0 address 80.0.0.2/24
set interfaces dum0 address 10.2.0.1/24
set protocols static route 0.0.0.0/0 interface dum0
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec auth-profile AUTH-SA local auth eap dut1 type tls
set vpn ipsec auth-profile AUTH-SA local cert-file running://server.crt
set vpn ipsec auth-profile AUTH-SA local key file running://server.priv.pem
set vpn ipsec auth-profile AUTH-SA remote auth eap dut0 type tls
set vpn ipsec auth-profile AUTH-SA remote ca-cert-file running://ca.crt
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec logging log-types any log-level 1

Step 2: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 80.0.0.1/24
set interfaces dummy dum0 address 10.1.0.1/24
set protocols static route 0.0.0.0/0 interface dum0
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec auth-profile AUTH-SA local auth eap dut0 type tls
set vpn ipsec auth-profile AUTH-SA local cert-file running://client.crt
set vpn ipsec auth-profile AUTH-SA local key file running://client.priv.pem
set vpn ipsec auth-profile AUTH-SA remote auth eap dut1 type tls
set vpn ipsec auth-profile AUTH-SA remote ca-cert-file running://ca.crt
set vpn ipsec auth-profile AUTH-SA remote id "CN=Server"
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec logging log-types any log-level 1

Step 3: Ping IP address 80.0.0.1 from DUT1:

admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1
Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.316 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.316/0.316/0.316/0.000 ms

Step 4: Ping IP address 80.0.0.2 from DUT0:

admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1
Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.319 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.319/0.319/0.319/0.000 ms

Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

peer-PEER-tunnel-\d+.+INSTALLED
Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, adcb2198d7f8cef3_i* 432702e75a474bfd_r
  local  'CN=Client' @ 80.0.0.1[500]
  remote 'CN=Server' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 26720s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3246s, expires in 3960s
    in  c51dd1e7,      0 bytes,     0 packets
    out cc764477,      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 6: Ping IP address 10.2.0.1 from DUT0:

admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1
Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.413 ms

--- 10.2.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.413/0.413/0.413/0.000 ms

Step 7: Ping IP address 10.1.0.1 from DUT1:

admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1
Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.392 ms

--- 10.1.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.392/0.392/0.392/0.000 ms

Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

[1-9]\d? packets
Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, adcb2198d7f8cef3_i* 432702e75a474bfd_r
  local  'CN=Client' @ 80.0.0.1[500]
  remote 'CN=Server' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 26719s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3245s, expires in 3959s
    in  c51dd1e7,    168 bytes,     2 packets,     0s ago
    out cc764477,    168 bytes,     2 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

Test MSCHAPV2 Method

Description

Simple VPN site-to-site configuration with mschapv2 authentication for DUT0 (client) and X.509 certificate for DUT1 (server)

Scenario

Step 1: Set the following configuration in DUT1:

set interfaces eth0 address 80.0.0.2/24
set interfaces dum0 address 10.2.0.1/24
set protocols static route 0.0.0.0/0 interface dum0
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec auth-profile AUTH-SA local cert-file running://server.crt
set vpn ipsec auth-profile AUTH-SA local key file running://server.priv.pem
set vpn ipsec auth-profile AUTH-SA remote auth eap %any type mschapv2
set vpn ipsec auth-profile AUTH-SA remote auth eap %any secret 12345
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec logging log-types any log-level 1

Step 2: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 80.0.0.1/24
set interfaces dummy dum0 address 10.1.0.1/24
set protocols static route 0.0.0.0/0 interface dum0
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec auth-profile AUTH-SA local auth eap dut0 type mschapv2
set vpn ipsec auth-profile AUTH-SA local auth eap dut0 secret 12345
set vpn ipsec auth-profile AUTH-SA remote ca-cert-file running://ca.crt
set vpn ipsec auth-profile AUTH-SA remote id "CN=Server"
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec logging log-types any log-level 1

Step 3: Ping IP address 80.0.0.1 from DUT1:

admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1
Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.311 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.311/0.311/0.311/0.000 ms

Step 4: Ping IP address 80.0.0.2 from DUT0:

admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1
Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.319 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.319/0.319/0.319/0.000 ms

Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

peer-PEER-tunnel-\d+.+INSTALLED
Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 350f6a3f42218137_i* a57e7e1b63020b95_r
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote 'CN=Server' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 21659s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3515s, expires in 3959s
    in  cac4540f,      0 bytes,     0 packets
    out c65a78f1,      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 6: Ping IP address 10.2.0.1 from DUT0:

admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1
Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.456 ms

--- 10.2.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.456/0.456/0.456/0.000 ms

Step 7: Ping IP address 10.1.0.1 from DUT1:

admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1
Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.383 ms

--- 10.1.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.383/0.383/0.383/0.000 ms

Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

[1-9]\d? packets
Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 350f6a3f42218137_i* a57e7e1b63020b95_r
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote 'CN=Server' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 21659s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3515s, expires in 3959s
    in  cac4540f,    168 bytes,     2 packets,     0s ago
    out c65a78f1,    168 bytes,     2 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

Test TTLS Method

Description

Simple VPN site-to-site configuration with ttls authentication in both sides, but DUT0 (client) using a secret password and DUT1 (server) a X.509 certificate

Scenario

Step 1: Set the following configuration in DUT1:

set interfaces eth0 address 80.0.0.2/24
set interfaces dum0 address 10.2.0.1/24
set protocols static route 0.0.0.0/0 interface dum0
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec auth-profile AUTH-SA local cert-file running://server.crt
set vpn ipsec auth-profile AUTH-SA local key file running://server.priv.pem
set vpn ipsec auth-profile AUTH-SA local auth eap dut1 type ttls
set vpn ipsec auth-profile AUTH-SA remote auth eap dut0 type ttls
set vpn ipsec auth-profile AUTH-SA remote auth eap dut0 secret 12345
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec logging log-types any log-level 1

Step 2: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 80.0.0.1/24
set interfaces dummy dum0 address 10.1.0.1/24
set protocols static route 0.0.0.0/0 interface dum0
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec auth-profile AUTH-SA local id dut0
set vpn ipsec auth-profile AUTH-SA local auth eap dut0 type ttls
set vpn ipsec auth-profile AUTH-SA local auth eap dut0 secret 12345
set vpn ipsec auth-profile AUTH-SA remote auth eap dut1 type ttls
set vpn ipsec auth-profile AUTH-SA remote ca-cert-file running://ca.crt
set vpn ipsec auth-profile AUTH-SA remote id "CN=Server"
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec logging log-types any log-level 1

Step 3: Ping IP address 80.0.0.1 from DUT1:

admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1
Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.308 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.308/0.308/0.308/0.000 ms

Step 4: Ping IP address 80.0.0.2 from DUT0:

admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1
Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.434 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.434/0.434/0.434/0.000 ms

Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

peer-PEER-tunnel-\d+.+INSTALLED
Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, b6eba16ff0223979_i* d5fac6313700020f_r
  local  'dut0' @ 80.0.0.1[500]
  remote 'CN=Server' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 25969s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3386s, expires in 3959s
    in  c32b3c2d,      0 bytes,     0 packets
    out cc8653fb,      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 6: Ping IP address 10.2.0.1 from DUT0:

admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1
Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.350 ms

--- 10.2.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.350/0.350/0.350/0.000 ms

Step 7: Ping IP address 10.1.0.1 from DUT1:

admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1
Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.379 ms

--- 10.1.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.379/0.379/0.379/0.000 ms

Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

[1-9]\d? packets
Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, b6eba16ff0223979_i* d5fac6313700020f_r
  local  'dut0' @ 80.0.0.1[500]
  remote 'CN=Server' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 25969s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3386s, expires in 3959s
    in  c32b3c2d,    168 bytes,     2 packets,     0s ago
    out cc8653fb,    168 bytes,     2 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24