Same-Remote
This scenario shows how to configure a VPN responder that can receive incoming connections from the same virtual IP address.
Test Site-To-Site With Same Remote Address
Description
VPN site-to-site configuration to connect two subnets to an end-point using the same virtual IP address.
Scenario
Attention
In order to make this scenario work, the device needs a way to respond and reinject traffic through the appropriate VPN tunnel. This can be achieved by copying the packet mark into the conntrack mark and restoring it later. Therefore, the following configuration lines are needed:
Show output
set vpn ipsec esp-group CHILD-SA mark-in unique set vpn ipsec esp-group CHILD-SA mark-out unique set traffic policy IN_MARK_TO_FLOW rule 1 copy mark connmark set traffic policy OUT_FLOW_TO_MARK rule 1 copy connmark mark set interfaces eth0 traffic policy in IN_MARK_TO_FLOW set interfaces dum0 traffic policy local-out OUT_FLOW_TO_MARK
Step 1: Set the following configuration in DUT0:
set interfaces eth0 address 80.0.0.1/24 set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 0.0.0.0/0 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set interfaces dum0 address 10.1.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec esp-group CHILD-SA mark-in unique set vpn ipsec esp-group CHILD-SA mark-out unique set traffic policy IN_MARK_TO_FLOW rule 1 copy mark connmark set traffic policy OUT_FLOW_TO_MARK rule 1 copy connmark mark set interfaces eth0 traffic policy in IN_MARK_TO_FLOW set interfaces dum0 traffic policy local-out OUT_FLOW_TO_MARK
Step 2: Set the following configuration in DUT1:
set interfaces eth0 address 80.0.0.2/24 set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24 set interfaces dum0 address 10.3.0.1/24 set protocols static route 0.0.0.0/0 next-hop 80.0.0.1 set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA
Step 3: Set the following configuration in DUT2:
set interfaces eth0 address 80.0.0.3/24 set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24 set interfaces dum0 address 10.3.0.1/24 set protocols static route 0.0.0.0/0 next-hop 80.0.0.1 set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA
Step 4: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=2.46 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 2.455/2.455/2.455/0.000 ms
Step 5: Ping IP address 80.0.0.3 from DUT0:
admin@DUT0$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.400 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.400/0.400/0.400/0.000 ms
Step 6: Run command vpn ipsec show sa at DUT0 and check if output contains the following tokens:
80.0.0.2 80.0.0.3Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, f3303b75a19bc179_i 147bedd977f9f9fc_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.3' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 23228s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3349s, expires in 3959s in c800bef7 (0x00000002), 0 bytes, 0 packets out ca5d4bde (0x00000002), 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 184c56810ddb7fa5_i 6fb626dbde11162a_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 4s ago, rekeying in 18737s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3447s, expires in 3956s in c6fd01b6 (0x00000001), 0 bytes, 0 packets out c26e2654 (0x00000001), 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 7: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.439 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.439/0.439/0.439/0.000 ms
Step 8: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.482 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.482/0.482/0.482/0.000 ms
Step 9: Run command vpn ipsec show sa remote 80.0.0.2 at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 184c56810ddb7fa5_i 6fb626dbde11162a_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 4s ago, rekeying in 18737s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3447s, expires in 3956s in c6fd01b6 (0x00000001), 84 bytes, 1 packets, 0s ago out c26e2654 (0x00000001), 84 bytes, 1 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24
Step 10: Run command vpn ipsec show sa remote 80.0.0.3 at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, f3303b75a19bc179_i 147bedd977f9f9fc_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.3' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 23228s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3349s, expires in 3959s in c800bef7 (0x00000002), 84 bytes, 1 packets, 0s ago out ca5d4bde (0x00000002), 84 bytes, 1 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24
Attention
The command vpn show ipsec policy can be used to debug
the IPSec selectors that have been installed in OSDx devices.
Example for device DUT0:
Show output
src 10.1.0.0/24 dst 10.3.0.0/24 dev dum0 dir out priority 375421 mark 0x2/0xffffffff tmpl src 80.0.0.1 dst 80.0.0.3 proto esp spi 0xca5d4bde reqid 2 mode tunnel src 10.3.0.0/24 dst 10.1.0.0/24 dir fwd priority 375423 mark 0x2/0xffffffff tmpl src 80.0.0.3 dst 80.0.0.1 proto esp reqid 2 mode tunnel src 10.3.0.0/24 dst 10.1.0.0/24 dir in priority 375423 mark 0x2/0xffffffff tmpl src 80.0.0.3 dst 80.0.0.1 proto esp reqid 2 mode tunnel src 10.1.0.0/24 dst 10.3.0.0/24 dev dum0 dir out priority 375421 mark 0x1/0xffffffff tmpl src 80.0.0.1 dst 80.0.0.2 proto esp spi 0xc26e2654 reqid 1 mode tunnel src 10.3.0.0/24 dst 10.1.0.0/24 dir fwd priority 375423 mark 0x1/0xffffffff tmpl src 80.0.0.2 dst 80.0.0.1 proto esp reqid 1 mode tunnel src 10.3.0.0/24 dst 10.1.0.0/24 dir in priority 375423 mark 0x1/0xffffffff tmpl src 80.0.0.2 dst 80.0.0.1 proto esp reqid 1 mode tunnel src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src ::/0 dst ::/0 socket in priority 0 src ::/0 dst ::/0 socket out priority 0 src ::/0 dst ::/0 socket in priority 0 src ::/0 dst ::/0 socket out priority 0