Xfrm Offload
This scenario shows how to configure IPSec policies and offload encryption/decryption processes.
Test XFRM Offload With VTI
Description
In this scenario, the tunnel is established by using a site-to-site peer through VTI interfaces.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 60.0.0.10/24
set interfaces ethernet eth1 address 192.168.10.1/24
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER vti local-prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER vti remote-prefix 0.0.0.0/0
set interfaces vti vti0 ipsec PEER
set protocols static route 0.0.0.0/0 interface vti0
set interfaces vti vti0 address 10.0.0.1/32
set vpn ipsec site-to-site peer PEER connection-type on-demand
set vpn ipsec site-to-site peer PEER local-address 60.0.0.10
set vpn ipsec site-to-site peer PEER remote-address 60.0.0.20
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 60.0.0.20/24
set interfaces ethernet eth1 address 192.168.20.1/24
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER vti local-prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER vti remote-prefix 0.0.0.0/0
set interfaces vti vti0 ipsec PEER
set protocols static route 0.0.0.0/0 interface vti0
set interfaces vti vti0 address 20.0.0.1/32
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER local-address 60.0.0.20
set vpn ipsec site-to-site peer PEER remote-address 60.0.0.10
Step 3: Run command vpn ipsec show sa at DUT0 and check if output contains the following tokens:
ESTABLISHED
Output:
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 77d81f48fb296811_i 6e4ecbc5f12215f7_r*
  local '60.0.0.10' @ 60.0.0.10[500]
  remote '60.0.0.20' @ 60.0.0.20[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 28147s
  peer-PEER-tunnel-VTI: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3336s, expires in 3959s
    in c813d7fd (0x90000000), 0 bytes, 0 packets
    out caf0ad34 (0x90000000), 0 bytes, 0 packets
    local 0.0.0.0/0
    remote 0.0.0.0/0
Step 4: Initiate a bandwidth test from DUT0 to DUT1:
admin@DUT1$ monitor test performance server port 5001 local-address 192.168.20.1
admin@DUT0$ monitor test performance client 192.168.20.1 duration 3 port 5001 local-address 192.168.10.1
Expect this output in DUT0:
Connecting to host 192.168.20.1, port 5001
[ 5] local 192.168.10.1 port 46625 connected to 192.168.20.1 port 5001
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 26.3 MBytes 221 Mbits/sec 6 918 KBytes
[ 5] 1.00-2.00 sec 23.8 MBytes 199 Mbits/sec 0 1.52 MBytes
[ 5] 2.00-3.01 sec 22.5 MBytes 187 Mbits/sec 0 1.82 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-3.01 sec 72.5 MBytes 202 Mbits/sec 6 sender
[ 5] 0.00-3.01 sec 70.5 MBytes 196 Mbits/sec receiver
iperf Done.
Step 5: Run command system conntrack show at DUT0 and check if output contains the following tokens:
OFFLOAD
Output:
udp 17 24 src=127.0.0.1 dst=127.0.0.1 sport=50693 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=50693 packets=0 bytes=0 mark=0 use=1
udp 17 26 src=60.0.0.20 dst=60.0.0.10 sport=500 dport=500 packets=2 bytes=537 src=60.0.0.10 dst=60.0.0.20 sport=500 dport=500 packets=2 bytes=513 mark=0 use=1
unknown 50 src=60.0.0.10 dst=60.0.0.20 packets=54433 bytes=81612516 src=60.0.0.20 dst=60.0.0.10 packets=6921 bytes=743660 [OFFLOAD, packets=54431 bytes=81612292 packets=6919 bytes=743436] mark=0 use=2
udp 17 24 src=127.0.0.1 dst=127.0.0.1 sport=57699 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=57699 packets=0 bytes=0 mark=0 use=1
tcp 6 19 TIME_WAIT src=192.168.10.1 dst=192.168.20.1 sport=39081 dport=5001 packets=18 bytes=1387 src=192.168.20.1 dst=192.168.10.1 sport=5001 dport=39081 packets=16 bytes=1148 [ASSURED] mark=0 use=1
udp 17 24 src=127.0.0.1 dst=127.0.0.1 sport=54966 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=54966 packets=0 bytes=0 mark=0 use=1
udp 17 24 src=127.0.0.1 dst=127.0.0.1 sport=51793 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=51793 packets=0 bytes=0 mark=0 use=1
tcp 6 9 CLOSE src=192.168.10.1 dst=192.168.20.1 sport=46625 dport=5001 packets=2174 bytes=75990865 src=192.168.20.1 dst=192.168.10.1 sport=5001 dport=46625 packets=6905 bytes=354940 [ASSURED] mark=0 use=1
conntrack v1.4.5 (conntrack-tools): 8 flow entries have been shown.
Step 6: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
\s+[^0]\d+ packets
Output:
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 77d81f48fb296811_i 6e4ecbc5f12215f7_r*
  local '60.0.0.10' @ 60.0.0.10[500]
  remote '60.0.0.20' @ 60.0.0.20[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 4s ago, rekeying in 28144s
  peer-PEER-tunnel-VTI: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 4s ago, rekeying in 3333s, expires in 3956s
    in c813d7fd (0x90000000), 356088 bytes, 6921 packets, 0s ago
    out caf0ad34 (0x90000000), 78673084 bytes, 54433 packets, 0s ago
    local 0.0.0.0/0
    remote 0.0.0.0/0
Test XFRM Offload With DMVPN Tunnel Mode
Description
In this scenario, the tunnel is established by using NHRP. Tunnel mode is used for IPSec policies.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 60.0.0.10/24
set interfaces ethernet eth1 address 192.168.10.1/24
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set interfaces tunnel tun1 encapsulation gre
set vpn ipsec dmvpn-profile NHRP auth-profile AUTH-SA
set vpn ipsec dmvpn-profile NHRP esp-group CHILD-SA
set vpn ipsec dmvpn-profile NHRP ike-group IKE-SA
set interfaces tunnel tun1 nhrp ipsec NHRP
set interfaces tunnel tun1 address 10.0.0.1/32
set interfaces tunnel tun1 local-interface eth0
set interfaces tunnel tun1 local-address 60.0.0.10
set protocols static route 192.168.20.0/24 next-hop 20.0.0.1
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 60.0.0.20/24
set interfaces ethernet eth1 address 192.168.20.1/24
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set interfaces tunnel tun1 encapsulation gre
set vpn ipsec dmvpn-profile NHRP auth-profile AUTH-SA
set vpn ipsec dmvpn-profile NHRP esp-group CHILD-SA
set vpn ipsec dmvpn-profile NHRP ike-group IKE-SA
set interfaces tunnel tun1 nhrp ipsec NHRP
set interfaces tunnel tun1 address 20.0.0.1/32
set interfaces tunnel tun1 local-interface eth0
set interfaces tunnel tun1 local-address 60.0.0.20
set interfaces tunnel tun1 nhrp nhs 10.0.0.1 nbma 60.0.0.10
set protocols static route 192.168.10.0/24 next-hop 10.0.0.1
Step 3: Run command vpn ipsec show sa at DUT0 and check if output contains the following tokens:
ESTABLISHED
Output:
vpnprof-dmvpn-NHRP: #1, ESTABLISHED, IKEv2, ab26756faca1fe71_i 185fae17743fb55e_r*
  local '60.0.0.10' @ 60.0.0.10[500]
  remote '60.0.0.20' @ 60.0.0.20[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 2s ago, rekeying in 17937s
  NHRP: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 2s ago, rekeying in 3301s, expires in 3958s
    in c4b7ea6a, 116 bytes, 1 packets, 1s ago
    out cd380ac9, 136 bytes, 1 packets, 1s ago
    local 60.0.0.10/32[gre]
    remote 60.0.0.20/32[gre]
Step 4: Initiate a bandwidth test from DUT0 to DUT1:
admin@DUT1$ monitor test performance server port 5001 local-address 192.168.20.1
admin@DUT0$ monitor test performance client 192.168.20.1 duration 3 port 5001 local-address 192.168.10.1
Expect this output in DUT0:
Connecting to host 192.168.20.1, port 5001
[ 5] local 192.168.10.1 port 37141 connected to 192.168.20.1 port 5001
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 15.7 MBytes 131 Mbits/sec 38 84.3 KBytes
[ 5] 1.00-2.00 sec 18.0 MBytes 151 Mbits/sec 17 128 KBytes
[ 5] 2.00-3.00 sec 19.2 MBytes 161 Mbits/sec 13 139 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-3.00 sec 52.9 MBytes 148 Mbits/sec 68 sender
[ 5] 0.00-3.00 sec 52.6 MBytes 147 Mbits/sec receiver
iperf Done.
Step 5: Run command system conntrack show at DUT0 and check if output contains the following tokens:
OFFLOAD
Output:
udp 17 25 src=60.0.0.20 dst=60.0.0.10 sport=500 dport=500 packets=2 bytes=537 src=60.0.0.10 dst=60.0.0.20 sport=500 dport=500 packets=2 bytes=513 mark=0 use=1
gre 47 179 src=60.0.0.20 dst=60.0.0.10 srckey=0x0 dstkey=0x0 packets=20761 bytes=1748655 src=60.0.0.10 dst=60.0.0.20 srckey=0x0 dstkey=0x0 packets=3801 bytes=55678084 [ASSURED] mark=0 use=1
udp 17 26 src=127.0.0.1 dst=127.0.0.1 sport=55389 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=55389 packets=0 bytes=0 mark=0 use=1
tcp 6 9 CLOSE src=192.168.10.1 dst=192.168.20.1 sport=37141 dport=5001 packets=3782 bytes=55585361 src=192.168.20.1 dst=192.168.10.1 sport=5001 dport=37141 packets=20744 bytes=1249152 [ASSURED] mark=0 use=1
tcp 6 19 TIME_WAIT src=192.168.10.1 dst=192.168.20.1 sport=35769 dport=5001 packets=18 bytes=1387 src=192.168.20.1 dst=192.168.10.1 sport=5001 dport=35769 packets=16 bytes=1147 [ASSURED] mark=0 use=1
udp 17 26 src=127.0.0.1 dst=127.0.0.1 sport=48474 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=48474 packets=0 bytes=0 mark=0 use=1
unknown 50 src=60.0.0.20 dst=60.0.0.10 packets=20761 bytes=2911264 src=60.0.0.10 dst=60.0.0.20 packets=40452 bytes=60648008 [OFFLOAD, packets=20759 bytes=2910952 packets=40450 bytes=60647676] mark=0 use=2
conntrack v1.4.5 (conntrack-tools): 7 flow entries have been shown.
Step 6: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
\s+[^0]\d+ packets
Output:
vpnprof-dmvpn-NHRP: #1, ESTABLISHED, IKEv2, ab26756faca1fe71_i 185fae17743fb55e_r*
  local '60.0.0.10' @ 60.0.0.10[500]
  remote '60.0.0.20' @ 60.0.0.20[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 5s ago, rekeying in 17934s
  NHRP: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 5s ago, rekeying in 3298s, expires in 3955s
    in c4b7ea6a, 1748655 bytes, 20761 packets, 0s ago
    out cd380ac9, 58463560 bytes, 40452 packets, 0s ago
    local 60.0.0.10/32[gre]
    remote 60.0.0.20/32[gre]
Test XFRM Offload With DMVPN Transport Mode
Description
In this scenario, the tunnel is established by using NHRP. Transport mode is used for IPSec policies.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 60.0.0.10/24
set interfaces ethernet eth1 address 192.168.10.1/24
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set interfaces tunnel tun1 encapsulation gre
set vpn ipsec dmvpn-profile NHRP auth-profile AUTH-SA
set vpn ipsec dmvpn-profile NHRP esp-group CHILD-SA
set vpn ipsec dmvpn-profile NHRP ike-group IKE-SA
set interfaces tunnel tun1 nhrp ipsec NHRP
set interfaces tunnel tun1 address 10.0.0.1/32
set interfaces tunnel tun1 local-interface eth0
set interfaces tunnel tun1 local-address 60.0.0.10
set protocols static route 192.168.20.0/24 next-hop 20.0.0.1
set vpn ipsec esp-group CHILD-SA mode transport
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 60.0.0.20/24
set interfaces ethernet eth1 address 192.168.20.1/24
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set interfaces tunnel tun1 encapsulation gre
set vpn ipsec dmvpn-profile NHRP auth-profile AUTH-SA
set vpn ipsec dmvpn-profile NHRP esp-group CHILD-SA
set vpn ipsec dmvpn-profile NHRP ike-group IKE-SA
set interfaces tunnel tun1 nhrp ipsec NHRP
set interfaces tunnel tun1 address 20.0.0.1/32
set interfaces tunnel tun1 local-interface eth0
set interfaces tunnel tun1 local-address 60.0.0.20
set interfaces tunnel tun1 nhrp nhs 10.0.0.1 nbma 60.0.0.10
set protocols static route 192.168.10.0/24 next-hop 10.0.0.1
set vpn ipsec esp-group CHILD-SA mode transport
Step 3: Run command vpn ipsec show sa at DUT0 and check if output contains the following tokens:
ESTABLISHED
Output:
vpnprof-dmvpn-NHRP: #1, ESTABLISHED, IKEv2, 392952d82bb07063_i 6d5ace53acadf7db_r*
  local '60.0.0.10' @ 60.0.0.10[500]
  remote '60.0.0.20' @ 60.0.0.20[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 24405s
  NHRP: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3426s, expires in 3959s
    in cf6cfbab, 96 bytes, 1 packets, 1s ago
    out cb2b193f, 116 bytes, 1 packets, 1s ago
    local 60.0.0.10/32[gre]
    remote 60.0.0.20/32[gre]
Step 4: Initiate a bandwidth test from DUT0 to DUT1:
admin@DUT1$ monitor test performance server port 5001 local-address 192.168.20.1
admin@DUT0$ monitor test performance client 192.168.20.1 duration 3 port 5001 local-address 192.168.10.1
Expect this output in DUT0:
Connecting to host 192.168.20.1, port 5001
[ 5] local 192.168.10.1 port 41601 connected to 192.168.20.1 port 5001
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 14.5 MBytes 121 Mbits/sec 60 111 KBytes
[ 5] 1.00-2.01 sec 13.4 MBytes 112 Mbits/sec 17 63.8 KBytes
[ 5] 2.01-3.00 sec 12.6 MBytes 107 Mbits/sec 15 78.7 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-3.00 sec 40.5 MBytes 113 Mbits/sec 92 sender
[ 5] 0.00-3.01 sec 40.3 MBytes 112 Mbits/sec receiver
iperf Done.
Step 5: Run command system conntrack show at DUT0 and check if output contains the following tokens:
OFFLOAD
Output:
tcp 6 19 TIME_WAIT src=192.168.10.1 dst=192.168.20.1 sport=37577 dport=5001 packets=18 bytes=1385 src=192.168.20.1 dst=192.168.10.1 sport=5001 dport=37577 packets=16 bytes=1150 [ASSURED] mark=0 use=1
udp 17 20 src=127.0.0.1 dst=127.0.0.1 sport=39660 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=39660 packets=0 bytes=0 mark=0 use=1
udp 17 24 src=60.0.0.20 dst=60.0.0.10 sport=500 dport=500 packets=2 bytes=545 src=60.0.0.10 dst=60.0.0.20 sport=500 dport=500 packets=2 bytes=521 mark=0 use=1
udp 17 20 src=127.0.0.1 dst=127.0.0.1 sport=52383 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=52383 packets=0 bytes=0 mark=0 use=1
udp 17 29 src=127.0.0.1 dst=127.0.0.1 sport=46205 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=46205 packets=0 bytes=0 mark=0 use=1
gre 47 179 src=60.0.0.20 dst=60.0.0.10 srckey=0x0 dstkey=0x0 packets=16465 bytes=1402974 src=60.0.0.10 dst=60.0.0.20 srckey=0x0 dstkey=0x0 packets=3781 bytes=42717352 [ASSURED] mark=0 use=1
udp 17 20 src=127.0.0.1 dst=127.0.0.1 sport=53824 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=53824 packets=0 bytes=0 mark=0 use=1
udp 17 29 src=127.0.0.1 dst=127.0.0.1 sport=57777 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=57777 packets=0 bytes=0 mark=0 use=1
tcp 6 9 CLOSE src=192.168.10.1 dst=192.168.20.1 sport=41601 dport=5001 packets=3762 bytes=42625111 src=192.168.20.1 dst=192.168.10.1 sport=5001 dport=41601 packets=16448 bytes=1006572 [ASSURED] mark=0 use=1
unknown 50 src=60.0.0.20 dst=60.0.0.10 packets=16465 bytes=1995708 src=60.0.0.10 dst=60.0.0.20 packets=30551 bytes=45790660 [OFFLOAD, packets=16463 bytes=1995436 packets=30549 bytes=45790368] mark=0 use=2
udp 17 20 src=127.0.0.1 dst=127.0.0.1 sport=51657 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=51657 packets=0 bytes=0 mark=0 use=1
conntrack v1.4.5 (conntrack-tools): 11 flow entries have been shown.
Step 6: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
\s+[^0]\d+ packets
Output:
vpnprof-dmvpn-NHRP: #1, ESTABLISHED, IKEv2, 392952d82bb07063_i 6d5ace53acadf7db_r*
  local '60.0.0.10' @ 60.0.0.10[500]
  remote '60.0.0.20' @ 60.0.0.20[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 5s ago, rekeying in 24401s
  NHRP: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256
    installed 5s ago, rekeying in 3422s, expires in 3955s
    in cf6cfbab, 1073674 bytes, 16465 packets, 0s ago
    out cb2b193f, 44140852 bytes, 30551 packets, 0s ago
    local 60.0.0.10/32[gre]
    remote 60.0.0.20/32[gre]
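Steps 5 and 6 of the three scenarios above (VTI, DMVPN tunnel mode, DMVPN transport mode) can be scripted as one check. The following is an added example, not part of the original page or of the product: it ties the OFFLOAD flag to the ESP flow (IP protocol 50) between the two tunnel endpoints and compares the SA packet counters as integers. The function names are assumptions for illustration, and the sample input is constructed from lines of the VTI scenario output.

```python
import re

ESP_PROTO = 50  # ESP's IP protocol number; conntrack prints it as "unknown 50"

# Constructed sample input: lines trimmed from the VTI scenario output above.
CONNTRACK = """\
udp 17 26 src=60.0.0.20 dst=60.0.0.10 sport=500 dport=500 packets=2 bytes=537 src=60.0.0.10 dst=60.0.0.20 sport=500 dport=500 packets=2 bytes=513 mark=0 use=1
unknown 50 src=60.0.0.10 dst=60.0.0.20 packets=54433 bytes=81612516 src=60.0.0.20 dst=60.0.0.10 packets=6921 bytes=743660 [OFFLOAD, packets=54431 bytes=81612292 packets=6919 bytes=743436] mark=0 use=2
tcp 6 9 CLOSE src=192.168.10.1 dst=192.168.20.1 sport=46625 dport=5001 packets=2174 bytes=75990865 src=192.168.20.1 dst=192.168.10.1 sport=5001 dport=46625 packets=6905 bytes=354940 [ASSURED] mark=0 use=1
"""
SHOW_SA = """\
    in c813d7fd (0x90000000), 356088 bytes, 6921 packets, 0s ago
    out caf0ad34 (0x90000000), 78673084 bytes, 54433 packets, 0s ago
"""
PEERS = ("60.0.0.10", "60.0.0.20")  # tunnel endpoints of DUT0 and DUT1


def esp_flows(conntrack_text, peers):
    """Return one dict per ESP conntrack entry between the two tunnel endpoints."""
    flows = []
    for line in conntrack_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[1] != str(ESP_PROTO):
            continue
        if set(re.findall(r"\bsrc=(\S+)", line)) != set(peers):
            continue
        off = re.search(r"\[OFFLOAD, packets=(\d+) bytes=\d+ packets=(\d+) bytes=\d+\]", line)
        plain = re.sub(r"\[OFFLOAD[^\]]*\]", "", line)  # drop the offload counters
        flows.append({
            "total": [int(n) for n in re.findall(r"packets=(\d+)", plain)],
            "offloaded": [int(off.group(1)), int(off.group(2))] if off else None,
        })
    return flows


def sa_packets(show_sa_text):
    """Parse the in/out CHILD_SA packet counters as integers."""
    rows = re.findall(r"^\s*(in|out)\s+[0-9a-f]{8}\b.*?(\d+) packets", show_sa_text, re.M)
    return {direction: int(count) for direction, count in rows}


def offload_ok(conntrack_text, show_sa_text, peers):
    """True only if an ESP flow between the peers is offloaded and the SA carried traffic."""
    offloaded = [f for f in esp_flows(conntrack_text, peers) if f["offloaded"]]
    sa = sa_packets(show_sa_text)
    # Compare integers: in a pattern like \s+[^0]\d+ the class [^0] also accepts a
    # space, so a column-padded "     0 packets" would pass a text-only match.
    return bool(offloaded) and sa.get("in", 0) > 0 and sa.get("out", 0) > 0


if __name__ == "__main__":
    print(esp_flows(CONNTRACK, PEERS), sa_packets(SHOW_SA))
    print("offload verified:", offload_ok(CONNTRACK, SHOW_SA, PEERS))
```

Only the ESP entry between 60.0.0.10 and 60.0.0.20 counts as evidence of offload; the inner TCP flows and the IKE exchange on UDP 500 are ignored.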