Site-To-Site
These scenarios show how to configure VPN site-to-site connections.
Test One P2P Tunnel
Description
Simple VPN site-to-site configuration with a single tunnel in the main VRF.
Scenario
Step 1: Set the following configuration in DUT1:
set interfaces eth0.10 address 10.0.0.2/24 set vpn ipsec site-to-site peer SITE remote-address 10.0.0.1 set vpn ipsec auth-profile AUTH local auth pre-shared-secret test set vpn ipsec esp-group ESP-POLICY lifetime 8 MB set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1 set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15 set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60 set vpn ipsec ike-group IKE-POLICY key-exchange ikev2 set vpn ipsec ike-group IKE-POLICY lifetime 28800 set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1 set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128 set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1 set vpn ipsec site-to-site peer SITE local-address 10.0.0.2 set vpn ipsec site-to-site peer SITE tunnel 1 local prefix 10.0.0.2/32 set vpn ipsec site-to-site peer SITE tunnel 1 remote prefix 10.0.0.0/24 set vpn ipsec site-to-site peer SITE auth-profile AUTH set vpn ipsec site-to-site peer SITE connection-type respond set vpn ipsec site-to-site peer SITE ike-group IKE-POLICY set vpn ipsec site-to-site peer SITE tunnel 1 esp-group ESP-POLICY
Step 2: Set the following configuration in DUT0:
set interfaces eth0.10 address 10.0.0.1/24 set vpn ipsec auth-profile AUTH local auth pre-shared-secret test set vpn ipsec esp-group ESP-POLICY lifetime 8 MB set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1 set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15 set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60 set vpn ipsec ike-group IKE-POLICY key-exchange ikev2 set vpn ipsec ike-group IKE-POLICY lifetime 28800 set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1 set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128 set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1 set vpn ipsec site-to-site peer SITE1 local-address 10.0.0.1 set vpn ipsec site-to-site peer SITE1 remote-address 10.0.0.2 set vpn ipsec site-to-site peer SITE1 tunnel 1 local prefix 10.0.0.1/32 set vpn ipsec site-to-site peer SITE1 tunnel 1 remote prefix 10.0.0.0/24 set vpn ipsec site-to-site peer SITE1 auth-profile AUTH set vpn ipsec site-to-site peer SITE1 connection-type initiate set vpn ipsec site-to-site peer SITE1 ike-group IKE-POLICY set vpn ipsec site-to-site peer SITE1 tunnel 1 esp-group ESP-POLICY
Step 3: Ping IP address 10.0.0.2 from DUT0:
admin@DUT0$ ping 10.0.0.2 count 1 size 56 timeout 1Show output
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data. 64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.302 ms --- 10.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.302/0.302/0.302/0.000 ms
Step 4: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.368 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.368/0.368/0.368/0.000 ms
Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
ESTABLISHED, IKEv2 \d+ bytes,\s+\d+ packets local\s+(\d+\.){3}[13]\/32\s+remote\s+(\d+\.){3}2\/32Show output
vpn-peer-SITE1: #1, ESTABLISHED, IKEv2, c5965583c61b6b8e_i* d66fe2ed9cae2f7d_r local '10.0.0.1' @ 10.0.0.1[500] remote '10.0.0.2' @ 10.0.0.2[500] NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072 established 1s ago, rekeying in 19496s peer-SITE1-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:NULL_AES_GMAC-128 installed 1s ago, rekeying in 3561s, expires in 3960s in c0811d82, 168 bytes, 2 packets, 0s ago out cf44c24b, 168 bytes, 2 packets, 0s ago local 10.0.0.1/32 remote 10.0.0.2/32
Test One P2P Tunnel with VRFs
Description
Single-VRF VPN site-to-site configuration-.
Scenario
Step 1: Set the following configuration in DUT1:
set interfaces eth0.10 address 10.0.0.2/24 set vpn ipsec site-to-site peer SITE remote-address 10.0.0.1 set vpn ipsec auth-profile AUTH local auth pre-shared-secret test set vpn ipsec esp-group ESP-POLICY lifetime 8 MB set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1 set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15 set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60 set vpn ipsec ike-group IKE-POLICY key-exchange ikev2 set vpn ipsec ike-group IKE-POLICY lifetime 28800 set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1 set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128 set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1 set vpn ipsec site-to-site peer SITE local-address 10.0.0.2 set vpn ipsec site-to-site peer SITE tunnel 1 local prefix 10.0.0.2/32 set vpn ipsec site-to-site peer SITE tunnel 1 remote prefix 10.0.0.0/24 set vpn ipsec site-to-site peer SITE auth-profile AUTH set vpn ipsec site-to-site peer SITE connection-type respond set vpn ipsec site-to-site peer SITE ike-group IKE-POLICY set vpn ipsec site-to-site peer SITE tunnel 1 esp-group ESP-POLICY
Step 2: Set the following configuration in DUT0:
set interfaces eth0.10 address 10.0.0.1/24 set vpn ipsec auth-profile AUTH local auth pre-shared-secret test set vpn ipsec esp-group ESP-POLICY lifetime 8 MB set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1 set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15 set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60 set vpn ipsec ike-group IKE-POLICY key-exchange ikev2 set vpn ipsec ike-group IKE-POLICY lifetime 28800 set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1 set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128 set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1 set vpn ipsec site-to-site peer SITE1 local-address 10.0.0.1 set vpn ipsec site-to-site peer SITE1 remote-address 10.0.0.2 set vpn ipsec site-to-site peer SITE1 tunnel 1 local prefix 10.0.0.1/32 set vpn ipsec site-to-site peer SITE1 tunnel 1 remote prefix 10.0.0.0/24 set vpn ipsec site-to-site peer SITE1 auth-profile AUTH set vpn ipsec site-to-site peer SITE1 connection-type initiate set vpn ipsec site-to-site peer SITE1 ike-group IKE-POLICY set vpn ipsec site-to-site peer SITE1 tunnel 1 esp-group ESP-POLICY set system vrf A set interfaces eth0.10 vrf A set vpn ipsec site-to-site peer SITE1 local-vrf A set vpn ipsec site-to-site peer SITE1 tunnel 1 local-interface eth0.10
Step 3: Ping IP address 10.0.0.2 from DUT0:
admin@DUT0$ ping 10.0.0.2 vrf A count 1 size 56 timeout 1Show output
ping: Warning: source address might be selected on device other than A. PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 A: 56(84) bytes of data. 64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.394 ms --- 10.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.394/0.394/0.394/0.000 ms
Step 4: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.422 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.422/0.422/0.422/0.000 ms
Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
ESTABLISHED, IKEv2 \d+ bytes,\s+\d+ packets local\s+(\d+\.){3}[13]\/32\s+remote\s+(\d+\.){3}2\/32Show output
vpn-peer-SITE1: #1, ESTABLISHED, IKEv2, d5401079e0f9e2d3_i* 5d7257c885123ec4_r local '10.0.0.1' @ 10.0.0.1[500] remote '10.0.0.2' @ 10.0.0.2[500] NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072 established 0s ago, rekeying in 24724s peer-SITE1-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:NULL_AES_GMAC-128 installed 1s ago, rekeying in 3354s, expires in 3960s in c5ad5ded, 168 bytes, 2 packets, 0s ago out cbf33a21, 168 bytes, 2 packets, 0s ago local 10.0.0.1/32 remote 10.0.0.2/32
Test Two P2P Tunnels With VRFs
Description
Multiple VPN site-to-site connections using different VRFs (no overlapped IP addresses).
Scenario
Step 1: Set the following configuration in DUT1:
set interfaces eth0.10 address 10.0.0.2/24 set vpn ipsec site-to-site peer SITE remote-address 10.0.0.1 set vpn ipsec auth-profile AUTH local auth pre-shared-secret test set vpn ipsec esp-group ESP-POLICY lifetime 8 MB set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1 set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15 set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60 set vpn ipsec ike-group IKE-POLICY key-exchange ikev2 set vpn ipsec ike-group IKE-POLICY lifetime 28800 set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1 set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128 set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1 set vpn ipsec site-to-site peer SITE local-address 10.0.0.2 set vpn ipsec site-to-site peer SITE tunnel 1 local prefix 10.0.0.2/32 set vpn ipsec site-to-site peer SITE tunnel 1 remote prefix 10.0.0.0/24 set vpn ipsec site-to-site peer SITE auth-profile AUTH set vpn ipsec site-to-site peer SITE connection-type respond set vpn ipsec site-to-site peer SITE ike-group IKE-POLICY set vpn ipsec site-to-site peer SITE tunnel 1 esp-group ESP-POLICY
Step 2: Set the following configuration in DUT2:
set interfaces eth0.20 address 10.0.0.2/24 set vpn ipsec site-to-site peer SITE remote-address 10.0.0.3 set vpn ipsec auth-profile AUTH local auth pre-shared-secret test set vpn ipsec esp-group ESP-POLICY lifetime 8 MB set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1 set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15 set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60 set vpn ipsec ike-group IKE-POLICY key-exchange ikev2 set vpn ipsec ike-group IKE-POLICY lifetime 28800 set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1 set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128 set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1 set vpn ipsec site-to-site peer SITE local-address 10.0.0.2 set vpn ipsec site-to-site peer SITE tunnel 1 local prefix 10.0.0.2/32 set vpn ipsec site-to-site peer SITE tunnel 1 remote prefix 10.0.0.0/24 set vpn ipsec site-to-site peer SITE auth-profile AUTH set vpn ipsec site-to-site peer SITE connection-type respond set vpn ipsec site-to-site peer SITE ike-group IKE-POLICY set vpn ipsec site-to-site peer SITE tunnel 1 esp-group ESP-POLICY
Step 3: Set the following configuration in DUT0:
set interfaces eth0.10 address 10.0.0.1/24 set vpn ipsec auth-profile AUTH local auth pre-shared-secret test set vpn ipsec esp-group ESP-POLICY lifetime 8 MB set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1 set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15 set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60 set vpn ipsec ike-group IKE-POLICY key-exchange ikev2 set vpn ipsec ike-group IKE-POLICY lifetime 28800 set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1 set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128 set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1 set vpn ipsec site-to-site peer SITE1 local-address 10.0.0.1 set vpn ipsec site-to-site peer SITE1 remote-address 10.0.0.2 set vpn ipsec site-to-site peer SITE1 tunnel 1 local prefix 10.0.0.1/32 set vpn ipsec site-to-site peer SITE1 tunnel 1 remote prefix 10.0.0.0/24 set vpn ipsec site-to-site peer SITE1 auth-profile AUTH set vpn ipsec site-to-site peer SITE1 connection-type initiate set vpn ipsec site-to-site peer SITE1 ike-group IKE-POLICY set vpn ipsec site-to-site peer SITE1 tunnel 1 esp-group ESP-POLICY set system vrf A set interfaces eth0.10 vrf A set vpn ipsec site-to-site peer SITE1 local-vrf A set vpn ipsec site-to-site peer SITE1 tunnel 1 local-interface eth0.10 set system vrf B set interfaces eth1.20 address 10.0.0.3/24 set interfaces eth1.20 vrf B set vpn ipsec site-to-site peer SITE2 local-vrf B set vpn ipsec site-to-site peer SITE2 tunnel 1 local-interface eth1.20 set vpn ipsec site-to-site peer SITE2 local-address 10.0.0.3 set vpn ipsec site-to-site peer SITE2 remote-address 10.0.0.2 set vpn ipsec site-to-site peer SITE2 tunnel 1 local prefix 10.0.0.3/32 set vpn ipsec site-to-site peer SITE2 tunnel 1 remote prefix 10.0.0.0/24 set vpn ipsec site-to-site peer SITE2 auth-profile AUTH set vpn ipsec site-to-site peer SITE2 connection-type initiate set vpn ipsec site-to-site peer SITE2 ike-group IKE-POLICY set vpn ipsec site-to-site peer SITE2 tunnel 1 esp-group ESP-POLICY
Step 4: Ping IP address 10.0.0.2 from DUT0:
admin@DUT0$ ping 10.0.0.2 vrf A count 1 size 56 timeout 1Show output
ping: Warning: source address might be selected on device other than A. PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 A: 56(84) bytes of data. 64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.464 ms --- 10.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.464/0.464/0.464/0.000 ms
Step 5: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.310 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.310/0.310/0.310/0.000 ms
Step 6: Ping IP address 10.0.0.2 from DUT0:
admin@DUT0$ ping 10.0.0.2 vrf B count 1 size 56 timeout 1Show output
ping: Warning: source address might be selected on device other than B. PING 10.0.0.2 (10.0.0.2) from 10.0.0.3 B: 56(84) bytes of data. 64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.459 ms --- 10.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.459/0.459/0.459/0.000 ms
Step 7: Ping IP address 10.0.0.3 from DUT2:
admin@DUT2$ ping 10.0.0.3 count 1 size 56 timeout 1Show output
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data. 64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=0.357 ms --- 10.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.357/0.357/0.357/0.000 ms
Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
ESTABLISHED, IKEv2 \d+ bytes,\s+\d+ packets local\s+(\d+\.){3}[13]\/32\s+remote\s+(\d+\.){3}2\/32Show output
vpn-peer-SITE1: #2, ESTABLISHED, IKEv2, 04afc949b5f57cce_i* 53cded30392b78d4_r local '10.0.0.1' @ 10.0.0.1[500] remote '10.0.0.2' @ 10.0.0.2[500] NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072 established 1s ago, rekeying in 26434s peer-SITE1-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:NULL_AES_GMAC-128 installed 1s ago, rekeying in 3438s, expires in 3959s in cb11d8da, 168 bytes, 2 packets, 1s ago out c88cd8a3, 168 bytes, 2 packets, 1s ago local 10.0.0.1/32 remote 10.0.0.2/32 vpn-peer-SITE2: #1, ESTABLISHED, IKEv2, 143c68631a281c78_i* 337dd71a4efb74b1_r local '10.0.0.3' @ 10.0.0.3[500] remote '10.0.0.2' @ 10.0.0.2[500] NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072 established 1s ago, rekeying in 16177s peer-SITE2-tunnel-1: #1, reqid 2, INSTALLED, TUNNEL, ESP:NULL_AES_GMAC-128 installed 1s ago, rekeying in 3348s, expires in 3959s in cf12a83a, 168 bytes, 2 packets, 0s ago out caabc2b5, 168 bytes, 2 packets, 0s ago local 10.0.0.3/32 remote 10.0.0.2/32
Test Two P2P Tunnels With VRFs And Overlapped IP Addresses
Description
Multiple VPN site-to-site connections using different VRFs (overlapped IP addresses).
Scenario
Step 1: Set the following configuration in DUT1:
set interfaces eth0.10 address 10.0.0.2/24 set vpn ipsec site-to-site peer SITE remote-address 10.0.0.1 set vpn ipsec auth-profile AUTH local auth pre-shared-secret test set vpn ipsec esp-group ESP-POLICY lifetime 8 MB set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1 set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15 set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60 set vpn ipsec ike-group IKE-POLICY key-exchange ikev2 set vpn ipsec ike-group IKE-POLICY lifetime 28800 set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1 set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128 set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1 set vpn ipsec site-to-site peer SITE local-address 10.0.0.2 set vpn ipsec site-to-site peer SITE tunnel 1 local prefix 10.0.0.2/32 set vpn ipsec site-to-site peer SITE tunnel 1 remote prefix 10.0.0.0/24 set vpn ipsec site-to-site peer SITE auth-profile AUTH set vpn ipsec site-to-site peer SITE connection-type respond set vpn ipsec site-to-site peer SITE ike-group IKE-POLICY set vpn ipsec site-to-site peer SITE tunnel 1 esp-group ESP-POLICY
Step 2: Set the following configuration in DUT2:
set interfaces eth0.20 address 10.0.0.2/24 set vpn ipsec site-to-site peer SITE remote-address 10.0.0.3 set vpn ipsec auth-profile AUTH local auth pre-shared-secret test set vpn ipsec esp-group ESP-POLICY lifetime 8 MB set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1 set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15 set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60 set vpn ipsec ike-group IKE-POLICY key-exchange ikev2 set vpn ipsec ike-group IKE-POLICY lifetime 28800 set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1 set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128 set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1 set vpn ipsec site-to-site peer SITE local-address 10.0.0.2 set vpn ipsec site-to-site peer SITE tunnel 1 local prefix 10.0.0.2/32 set vpn ipsec site-to-site peer SITE tunnel 1 remote prefix 10.0.0.0/24 set vpn ipsec site-to-site peer SITE auth-profile AUTH set vpn ipsec site-to-site peer SITE connection-type respond set vpn ipsec site-to-site peer SITE ike-group IKE-POLICY set vpn ipsec site-to-site peer SITE tunnel 1 esp-group ESP-POLICY del vpn ipsec site-to-site peer SITE remote-address set vpn ipsec site-to-site peer SITE remote-address 10.0.0.1
Step 3: Set the following configuration in DUT0:
set interfaces eth0.10 address 10.0.0.1/24 set vpn ipsec auth-profile AUTH local auth pre-shared-secret test set vpn ipsec esp-group ESP-POLICY lifetime 8 MB set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1 set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15 set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60 set vpn ipsec ike-group IKE-POLICY key-exchange ikev2 set vpn ipsec ike-group IKE-POLICY lifetime 28800 set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1 set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128 set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1 set vpn ipsec site-to-site peer SITE1 local-address 10.0.0.1 set vpn ipsec site-to-site peer SITE1 remote-address 10.0.0.2 set vpn ipsec site-to-site peer SITE1 tunnel 1 local prefix 10.0.0.1/32 set vpn ipsec site-to-site peer SITE1 tunnel 1 remote prefix 10.0.0.0/24 set vpn ipsec site-to-site peer SITE1 auth-profile AUTH set vpn ipsec site-to-site peer SITE1 connection-type initiate set vpn ipsec site-to-site peer SITE1 ike-group IKE-POLICY set vpn ipsec site-to-site peer SITE1 tunnel 1 esp-group ESP-POLICY set system vrf A set interfaces eth0.10 vrf A set vpn ipsec site-to-site peer SITE1 local-vrf A set vpn ipsec site-to-site peer SITE1 tunnel 1 local-interface eth0.10 set system vrf B set interfaces eth1.20 address 10.0.0.3/24 set interfaces eth1.20 vrf B set vpn ipsec site-to-site peer SITE2 local-vrf B set vpn ipsec site-to-site peer SITE2 tunnel 1 local-interface eth1.20 del interfaces eth1.20 address set interfaces eth1.20 address 10.0.0.1/24 set vpn ipsec site-to-site peer SITE2 local-address 10.0.0.1 set vpn ipsec site-to-site peer SITE2 remote-address 10.0.0.2 set vpn ipsec site-to-site peer SITE2 tunnel 1 local prefix 10.0.0.1/32 set vpn ipsec site-to-site peer SITE2 tunnel 1 remote prefix 10.0.0.0/24 set vpn ipsec site-to-site peer SITE2 auth-profile AUTH set vpn ipsec site-to-site peer SITE2 connection-type initiate set vpn ipsec site-to-site peer SITE2 ike-group IKE-POLICY set vpn ipsec site-to-site peer SITE2 tunnel 1 esp-group ESP-POLICY
Step 4: Ping IP address 10.0.0.2 from DUT0:
admin@DUT0$ ping 10.0.0.2 vrf A count 1 size 56 timeout 1Show output
ping: Warning: source address might be selected on device other than A. PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 A: 56(84) bytes of data. 64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.379 ms --- 10.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.379/0.379/0.379/0.000 ms
Step 5: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.278 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.278/0.278/0.278/0.000 ms
Step 6: Ping IP address 10.0.0.2 from DUT0:
admin@DUT0$ ping 10.0.0.2 vrf B count 1 size 56 timeout 1Show output
ping: Warning: source address might be selected on device other than B. PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 B: 56(84) bytes of data. 64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.315 ms --- 10.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.315/0.315/0.315/0.000 ms
Step 7: Ping IP address 10.0.0.1 from DUT2:
admin@DUT2$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.347 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.347/0.347/0.347/0.000 ms
Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
ESTABLISHED, IKEv2 \d+ bytes,\s+\d+ packets local\s+(\d+\.){3}[13]\/32\s+remote\s+(\d+\.){3}2\/32Show output
vpn-peer-SITE1: #2, ESTABLISHED, IKEv2, 31cdcf390b225ea3_i* 1ec01238d289a17c_r local '10.0.0.1' @ 10.0.0.1[500] remote '10.0.0.2' @ 10.0.0.2[500] NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072 established 1s ago, rekeying in 19526s peer-SITE1-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:NULL_AES_GMAC-128 installed 1s ago, rekeying in 3443s, expires in 3959s in c30956a9, 168 bytes, 2 packets, 0s ago out c79e1279, 168 bytes, 2 packets, 0s ago local 10.0.0.1/32 remote 10.0.0.2/32 vpn-peer-SITE2: #1, ESTABLISHED, IKEv2, 1eeb32124d8db842_i* e2f8030ef2946e38_r local '10.0.0.1' @ 10.0.0.1[500] remote '10.0.0.2' @ 10.0.0.2[500] NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072 established 1s ago, rekeying in 15377s peer-SITE2-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:NULL_AES_GMAC-128 installed 1s ago, rekeying in 3461s, expires in 3959s in c7e7c7b5, 168 bytes, 2 packets, 0s ago out c9f74ff0, 168 bytes, 2 packets, 0s ago local 10.0.0.1/32 remote 10.0.0.2/32