Local-Vrf

This scenario shows how to configure a VPN initiator with multiple VRFs and Policy-Based Routing (PBR).

[Figure: local-vrf.svg]

Test Site-To-Site With VRFs And Marks

Description

Three different VRFs are configured in the VPN initiator: WAN, AP and SEG. Local traffic is generated in the SEG VRF, marked, and leaked to the application VRF, from where it is routed to the WAN VRF. Incoming packets are likewise leaked to the SEG VRF when their connmark matches.

Scenario

Step 1: Set the following configuration in DUT1:

set interfaces eth0 address 80.0.0.2/24
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
set interfaces dum0 address 10.3.0.1/24
set protocols static route 0.0.0.0/0 next-hop 80.0.0.1
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA

Step 2: Set the following configuration in DUT0:

set interfaces eth0 address 80.0.0.1/24
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER local-vrf WAN
set vpn ipsec esp-group CHILD-SA vrf-mark-in SEG
set vpn ipsec esp-group CHILD-SA vrf-mark-out AP
set interfaces dum0 address 10.1.0.1/24
set vpn ipsec site-to-site peer PEER connection-type initiate
set traffic policy PBR_SEG_AP rule 1 set vrf AP connmark-cache
set traffic policy PBR_WAN_SEG rule 1 selector AP_SEL
set traffic policy PBR_WAN_SEG rule 1 set vrf SEG
set traffic selector AP_SEL rule 1 vrf-connmark AP
set interfaces eth0 vrf WAN
set interfaces dum0 vrf SEG
set interfaces dum0 traffic policy local-out PBR_SEG_AP
set interfaces eth0 traffic policy in PBR_WAN_SEG
set system vrf AP
set system vrf SEG
set system vrf WAN
set protocols vrf AP static route 0.0.0.0/0 next-hop-vrf WAN
set protocols vrf SEG static route 0.0.0.0/0 interface dum0
set protocols vrf WAN static route 0.0.0.0/0 next-hop 80.0.0.2
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA

Step 3: Ping IP address 80.0.0.1 from DUT1:

admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.411 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.411/0.411/0.411/0.000 ms

Step 4: Run the command vpn ipsec show sa at DUT0 and check that the output matches the following regular expression:

peer-PEER-tunnel-\d+.+INSTALLED
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 5264296215f855da_i* 9994cf6fe92841a2_r
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 23429s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3290s, expires in 3960s
    in  c3fd074b (0x8000046d),      0 bytes,     0 packets
    out c9a95b92 (0x8000046b),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24

Step 5: Ping IP address 10.3.0.1 from DUT0:

admin@DUT0$ ping 10.3.0.1 vrf SEG count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than SEG.
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 SEG: 56(84) bytes of data.
64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.345 ms

--- 10.3.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.345/0.345/0.345/0.000 ms

Step 6: Run the command vpn ipsec show sa remote 80.0.0.2 at DUT0 and check that the output matches the following regular expression:

[1-9]\d? packets
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 5264296215f855da_i* 9994cf6fe92841a2_r
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 23428s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3289s, expires in 3959s
    in  c3fd074b (0x8000046d),     84 bytes,     1 packets,     0s ago
    out c9a95b92 (0x8000046b),     84 bytes,     1 packets,     0s ago
    local  10.1.0.0/24
    remote 10.3.0.0/24

Attention

The command vpn show ipsec policy can be used to debug the IPsec policies (selectors and marks) that have been installed in OSDx devices. Example for device DUT0:

src 10.1.0.0/24 dst 10.3.0.0/24
        dir out priority 375423
        mark 0x8000046b/0xffffffff
        tmpl src 80.0.0.1 dst 80.0.0.2
                proto esp spi 0xc9a95b92 reqid 1 mode tunnel
src 10.3.0.0/24 dst 10.1.0.0/24
        dir fwd priority 375423
        mark 0x8000046d/0xffffffff
        tmpl src 80.0.0.2 dst 80.0.0.1
                proto esp reqid 1 mode tunnel
src 10.3.0.0/24 dst 10.1.0.0/24
        dir in priority 375423
        mark 0x8000046d/0xffffffff
        tmpl src 80.0.0.2 dst 80.0.0.1
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
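As an added consistency check that is not part of the original scenario, the Python script below parses the child-SA counters from vpn ipsec show sa and the policy marks from vpn show ipsec policy (both samples constructed from the outputs on this page, trimmed) and verifies, for each direction, that the SA is installed, has carried packets after the Step 5 ping, and that its mark matches the mark on the installed policy. The function names parse_sas, policy_marks and check_tunnel are assumptions of this example.

```python
import re

# Constructed sample: child-SA counter lines of "vpn ipsec show sa" on DUT0 after Step 5.
SA_OUTPUT = """\
    in  c3fd074b (0x8000046d),     84 bytes,     1 packets,     0s ago
    out c9a95b92 (0x8000046b),     84 bytes,     1 packets,     0s ago
"""
# Constructed sample: the "dir out" and "dir in" entries of "vpn show ipsec policy", trimmed.
POLICY_OUTPUT = """\
src 10.1.0.0/24 dst 10.3.0.0/24
        dir out priority 375423
        mark 0x8000046b/0xffffffff
src 10.3.0.0/24 dst 10.1.0.0/24
        dir in priority 375423
        mark 0x8000046d/0xffffffff
"""

# One SA counter line: direction, SPI, mark, byte and packet counters.
SA_RE = re.compile(r"^\s*(in|out)\s+([0-9a-f]{8})\s+\((0x[0-9a-f]+)\),\s+(\d+) bytes,"
                   r"\s+(\d+) packets", re.M)
# One policy entry: selector, kind/direction and (for "dir" policies) the mark.
POL_RE = re.compile(r"^src (\S+) dst (\S+)\n\s+(dir|socket) (\w+) priority \d+"
                    r"(?:\n\s+mark (0x[0-9a-f]+)/\S+)?", re.M)

def parse_sas(text):
    """Map SA direction -> dict(spi, mark, bytes, packets)."""
    return {d: {"spi": s, "mark": m, "bytes": int(b), "packets": int(p)}
            for d, s, m, b, p in SA_RE.findall(text)}

def policy_marks(text, direction):
    """Set of marks carried by "dir <direction>" policies (socket policies have none)."""
    return {m for _, _, kind, d, m in POL_RE.findall(text)
            if kind == "dir" and d == direction and m}

def check_tunnel(sa_text, pol_text):
    """Return a list of problems; empty means both directions are installed,
    carried traffic, and their policy marks agree with the SA marks."""
    sas, problems = parse_sas(sa_text), []
    for direction in ("in", "out"):
        sa = sas.get(direction)
        if sa is None:
            problems.append(f"no {direction} SA installed")
            continue
        if sa["packets"] == 0:
            problems.append(f"{direction} SA carried no packets")
        marks = policy_marks(pol_text, direction)
        if sa["mark"] not in marks:
            problems.append(f"{direction} policy marks {sorted(marks)} lack SA mark {sa['mark']}")
    return problems
```

On a live device, feed the two command outputs to check_tunnel; a mark mismatch points at the vrf-mark-in/vrf-mark-out configuration rather than at the tunnel itself.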