Site-To-Site
This scenario shows how to configure and connect two subnets with each other through a VPN tunnel set up between the two gateways. One end-point receives the local IP through DHCP.
Test Site-To-Site Responder With Dynamic IP
Description
Simple VPN site-to-site configuration to
connect two subnets. DUT0 acts as a
responder so it only sets the tunnel up when
an incoming connection is received. Instead
of listening on a pre-configured IP address,
the local end-point IP is received through
DHCP.
Scenario
Step 1: Set the following configuration in DUT2:
set interfaces eth0.100 address 90.0.0.1/24 set interfaces eth1.200 address 80.0.0.1/24 set service dhcp-server shared-network dhcpserver subnet 90.0.0.0/24 start 90.0.0.2 stop 90.0.0.2
Step 2: Set the following configuration in DUT0:
set interfaces eth0.100 address dhcp set interfaces dum0 address 10.1.0.1/24 set vpn ipsec site-to-site peer PEER dhcp-interface eth0.100 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 80.0.0.0/24 next-hop 90.0.0.1 set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER connection-type respond
Step 3: Run command interfaces ethernet eth0 vif 100 show at DUT0 and check if output contains the following tokens:
90.0.0.2Show output
--------------------------------------------------------------------- Name IP Address Admin Oper Vrf Description --------------------------------------------------------------------- eth0.100 90.0.0.2/24 up up fe80::dcad:beff:feef:6c10/64
Step 4: Set the following configuration in DUT1:
set interfaces eth0.200 address 80.0.0.2/24 set interfaces dum0 address 10.3.0.1/24 set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 90.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 90.0.0.0/24 next-hop 80.0.0.1 set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER connection-type initiate
Step 5: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=63 time=0.587 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.587/0.587/0.587/0.000 ms
Step 6: Run command vpn ipsec show sa at DUT1 and check if output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 7ab7c02555ba043c_i* 0088c59b65b5daec_r local '80.0.0.2' @ 80.0.0.2[500] remote '90.0.0.2' @ 90.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 15527s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3331s, expires in 3960s in c9e7483b, 0 bytes, 0 packets out ce16600e, 0 bytes, 0 packets local 10.3.0.0/24 remote 10.1.0.0/24
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 7ab7c02555ba043c_i 0088c59b65b5daec_r* local '90.0.0.2' @ 90.0.0.2[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 24212s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3269s, expires in 3960s in ce16600e, 0 bytes, 0 packets out c9e7483b, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 8: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.633 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.633/0.633/0.633/0.000 ms
Step 9: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.901 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.901/0.901/0.901/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 7ab7c02555ba043c_i 0088c59b65b5daec_r* local '90.0.0.2' @ 90.0.0.2[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 24211s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3268s, expires in 3959s in ce16600e, 168 bytes, 2 packets, 0s ago out c9e7483b, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24
Step 11: Run command vpn ipsec show sa at DUT1 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 7ab7c02555ba043c_i* 0088c59b65b5daec_r local '80.0.0.2' @ 80.0.0.2[500] remote '90.0.0.2' @ 90.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 15526s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3330s, expires in 3959s in c9e7483b, 168 bytes, 2 packets, 0s ago out ce16600e, 168 bytes, 2 packets, 0s ago local 10.3.0.0/24 remote 10.1.0.0/24
Attention
The command vpn show ipsec policy can be used to debug
the IPSec selectors that have been installed in OSDx devices.
Example for device DUT0:
Show output
src 10.1.0.0/24 dst 10.3.0.0/24 dev dum0 dir out priority 375421 tmpl src 90.0.0.2 dst 80.0.0.2 proto esp spi 0xc9e7483b reqid 1 mode tunnel src 10.3.0.0/24 dst 10.1.0.0/24 dir fwd priority 375423 tmpl src 80.0.0.2 dst 90.0.0.2 proto esp reqid 1 mode tunnel src 10.3.0.0/24 dst 10.1.0.0/24 dir in priority 375423 tmpl src 80.0.0.2 dst 90.0.0.2 proto esp reqid 1 mode tunnel src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src ::/0 dst ::/0 socket in priority 0 src ::/0 dst ::/0 socket out priority 0 src ::/0 dst ::/0 socket in priority 0 src ::/0 dst ::/0 socket out priority 0
Test Site-To-Site Initiator With Dynamic IP
Description
Simple VPN site-to-site configuration to
connect two subnets. DUT0 acts as a initiator,
so it automatically attempts to start the tunnel
as soon as a local IP address is assigned
through DHCP.
Scenario
Step 1: Set the following configuration in DUT2:
set interfaces eth0.100 address 90.0.0.1/24 set interfaces eth1.200 address 80.0.0.1/24 set service dhcp-server shared-network dhcpserver subnet 90.0.0.0/24 start 90.0.0.2 stop 90.0.0.2
Step 2: Set the following configuration in DUT1:
set interfaces eth0.200 address 80.0.0.2/24 set interfaces dum0 address 10.3.0.1/24 set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 90.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 90.0.0.0/24 next-hop 80.0.0.1 set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER connection-type respond
Step 3: Set the following configuration in DUT0:
set interfaces eth0.100 address dhcp set interfaces dum0 address 10.1.0.1/24 set vpn ipsec site-to-site peer PEER dhcp-interface eth0.100 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 80.0.0.0/24 next-hop 90.0.0.1 set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER connection-type initiate
Step 4: Run command interfaces ethernet eth0 vif 100 show at DUT0 and check if output contains the following tokens:
90.0.0.2Show output
--------------------------------------------------------------------- Name IP Address Admin Oper Vrf Description --------------------------------------------------------------------- eth0.100 90.0.0.2/24 up up fe80::dcad:beff:feef:6c10/64
Step 5: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=63 time=0.625 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.625/0.625/0.625/0.000 ms
Step 6: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 10a2abcc93017cd1_i* 1b0551780aad292a_r local '90.0.0.2' @ 90.0.0.2[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 2s ago, rekeying in 18141s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 2s ago, rekeying in 3462s, expires in 3958s in c5cf1bfd, 0 bytes, 0 packets out ce481de3, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 7: Run command vpn ipsec show sa at DUT1 and check if output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 10a2abcc93017cd1_i 1b0551780aad292a_r* local '80.0.0.2' @ 80.0.0.2[500] remote '90.0.0.2' @ 90.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 2s ago, rekeying in 25954s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 2s ago, rekeying in 3305s, expires in 3958s in ce481de3, 0 bytes, 0 packets out c5cf1bfd, 0 bytes, 0 packets local 10.3.0.0/24 remote 10.1.0.0/24
Step 8: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.732 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.732/0.732/0.732/0.000 ms
Step 9: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.601 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.601/0.601/0.601/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 10a2abcc93017cd1_i* 1b0551780aad292a_r local '90.0.0.2' @ 90.0.0.2[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 3s ago, rekeying in 18140s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 3s ago, rekeying in 3461s, expires in 3957s in c5cf1bfd, 168 bytes, 2 packets, 0s ago out ce481de3, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24
Step 11: Run command vpn ipsec show sa at DUT1 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 10a2abcc93017cd1_i 1b0551780aad292a_r* local '80.0.0.2' @ 80.0.0.2[500] remote '90.0.0.2' @ 90.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 2s ago, rekeying in 25954s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 2s ago, rekeying in 3305s, expires in 3958s in ce481de3, 168 bytes, 2 packets, 0s ago out c5cf1bfd, 168 bytes, 2 packets, 0s ago local 10.3.0.0/24 remote 10.1.0.0/24
Attention
The command vpn show ipsec policy can be used to debug
the IPSec selectors that have been installed in OSDx devices.
Example for device DUT0:
Show output
src 10.1.0.0/24 dst 10.3.0.0/24 dev dum0 dir out priority 375421 tmpl src 90.0.0.2 dst 80.0.0.2 proto esp spi 0xce481de3 reqid 1 mode tunnel src 10.3.0.0/24 dst 10.1.0.0/24 dir fwd priority 375423 tmpl src 80.0.0.2 dst 90.0.0.2 proto esp reqid 1 mode tunnel src 10.3.0.0/24 dst 10.1.0.0/24 dir in priority 375423 tmpl src 80.0.0.2 dst 90.0.0.2 proto esp reqid 1 mode tunnel src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src ::/0 dst ::/0 socket in priority 0 src ::/0 dst ::/0 socket out priority 0 src ::/0 dst ::/0 socket in priority 0 src ::/0 dst ::/0 socket out priority 0