Xfrm Offload

This scenario shows how to configure IPSec policies and offload encryption/decryption processes.

Test XFRM Offload With VTI 

Description

In this scenario, the tunnel is established by using a site-to-site peer through VTI interfaces.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 60.0.0.10/24
set interfaces ethernet eth1 address 192.168.10.1/24
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER vti local-prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER vti remote-prefix 0.0.0.0/0
set interfaces vti vti0 ipsec PEER
set protocols static route 0.0.0.0/0 interface vti0
set interfaces vti vti0 address 10.0.0.1/32
set vpn ipsec site-to-site peer PEER connection-type on-demand
set vpn ipsec site-to-site peer PEER local-address 60.0.0.10
set vpn ipsec site-to-site peer PEER remote-address 60.0.0.20

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 60.0.0.20/24
set interfaces ethernet eth1 address 192.168.20.1/24
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER vti local-prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER vti remote-prefix 0.0.0.0/0
set interfaces vti vti0 ipsec PEER
set protocols static route 0.0.0.0/0 interface vti0
set interfaces vti vti0 address 20.0.0.1/32
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER local-address 60.0.0.20
set vpn ipsec site-to-site peer PEER remote-address 60.0.0.10

Step 3: Run command vpn ipsec show sa at DUT0 and check if output contains the following tokens:

INSTALLED

Step 4: Initiate a udp connection from DUT0 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT0$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 5: Initiate a udp connection from DUT0 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT0$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 6: Initiate a udp connection from DUT0 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT0$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 7: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:

unknown\s+50.*[OFFLOAD, packets=[^0]\d* bytes=[^0]\d* packets=[^0]\d* bytes=[^0]\d*]

Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

in.*\s+[^0]\d+ packets
out.*\s+[^0]\d+ packets

Test XFRM Offload With DMVPN Tunnel Mode 

Description

In this scenario, the tunnel is established by using NHRP. Tunnel mode is used for IPSec policies.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 60.0.0.10/24
set interfaces ethernet eth1 address 192.168.10.1/24
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set interfaces tunnel tun1 encapsulation gre
set vpn ipsec dmvpn-profile NHRP auth-profile AUTH-SA
set vpn ipsec dmvpn-profile NHRP esp-group CHILD-SA
set vpn ipsec dmvpn-profile NHRP ike-group IKE-SA
set interfaces tunnel tun1 nhrp ipsec NHRP
set interfaces tunnel tun1 address 10.0.0.1/32
set interfaces tunnel tun1 local-interface eth0
set interfaces tunnel tun1 local-address 60.0.0.10
set protocols static route 192.168.20.0/24 next-hop 20.0.0.1

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 60.0.0.20/24
set interfaces ethernet eth1 address 192.168.20.1/24
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set interfaces tunnel tun1 encapsulation gre
set vpn ipsec dmvpn-profile NHRP auth-profile AUTH-SA
set vpn ipsec dmvpn-profile NHRP esp-group CHILD-SA
set vpn ipsec dmvpn-profile NHRP ike-group IKE-SA
set interfaces tunnel tun1 nhrp ipsec NHRP
set interfaces tunnel tun1 address 20.0.0.1/32
set interfaces tunnel tun1 local-interface eth0
set interfaces tunnel tun1 local-address 60.0.0.20
set interfaces tunnel tun1 nhrp nhs 10.0.0.1 nbma 60.0.0.10
set protocols static route 192.168.10.0/24 next-hop 10.0.0.1

Step 3: Run command vpn ipsec show sa at DUT0 and check if output contains the following tokens:

INSTALLED

Step 4: Initiate a udp connection from DUT0 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT0$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 5: Initiate a udp connection from DUT0 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT0$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 6: Initiate a udp connection from DUT0 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT0$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 7: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:

unknown\s+50.*[OFFLOAD, packets=[^0]\d* bytes=[^0]\d* packets=[^0]\d* bytes=[^0]\d*]

Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

in.*\s+[^0]\d+ packets
out.*\s+[^0]\d+ packets

Step 9: Set the following configuration in DUT2:

set interfaces ethernet eth0 address 192.168.10.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.10.1

Step 10: Ping IP address 192.168.20.1 from DUT2:

admin@DUT2$ ping 192.168.20.1 count 1 size 56 timeout 1

Step 11: Run command system conntrack clear at DUT0 and expect this output:

Step 12: Initiate a udp connection from DUT2 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 13: Initiate a udp connection from DUT2 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 14: Initiate a udp connection from DUT2 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 15: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:

unknown\s+50.*[OFFLOAD, packets=[^0]\d* bytes=[^0]\d* packets=[^0]\d* bytes=[^0]\d*]
udp\s+17.*[OFFLOAD, packets=[^0]\d* bytes=[^0]\d* packets=[^0]\d* bytes=[^0]\d*]

Test XFRM Offload With DMVPN Transport Mode 

Description

In this scenario, the tunnel is established by using NHRP. Transport mode is used for IPSec policies.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 60.0.0.10/24
set interfaces ethernet eth1 address 192.168.10.1/24
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set interfaces tunnel tun1 encapsulation gre
set vpn ipsec dmvpn-profile NHRP auth-profile AUTH-SA
set vpn ipsec dmvpn-profile NHRP esp-group CHILD-SA
set vpn ipsec dmvpn-profile NHRP ike-group IKE-SA
set interfaces tunnel tun1 nhrp ipsec NHRP
set interfaces tunnel tun1 address 10.0.0.1/32
set interfaces tunnel tun1 local-interface eth0
set interfaces tunnel tun1 local-address 60.0.0.10
set protocols static route 192.168.20.0/24 next-hop 20.0.0.1
set vpn ipsec esp-group CHILD-SA mode transport

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 60.0.0.20/24
set interfaces ethernet eth1 address 192.168.20.1/24
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set interfaces tunnel tun1 encapsulation gre
set vpn ipsec dmvpn-profile NHRP auth-profile AUTH-SA
set vpn ipsec dmvpn-profile NHRP esp-group CHILD-SA
set vpn ipsec dmvpn-profile NHRP ike-group IKE-SA
set interfaces tunnel tun1 nhrp ipsec NHRP
set interfaces tunnel tun1 address 20.0.0.1/32
set interfaces tunnel tun1 local-interface eth0
set interfaces tunnel tun1 local-address 60.0.0.20
set interfaces tunnel tun1 nhrp nhs 10.0.0.1 nbma 60.0.0.10
set protocols static route 192.168.10.0/24 next-hop 10.0.0.1
set vpn ipsec esp-group CHILD-SA mode transport

Step 3: Run command vpn ipsec show sa at DUT0 and check if output contains the following tokens:

INSTALLED

Step 4: Initiate a udp connection from DUT0 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT0$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 5: Initiate a udp connection from DUT0 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT0$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 6: Initiate a udp connection from DUT0 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT0$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 7: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:

unknown\s+50.*[OFFLOAD, packets=[^0]\d* bytes=[^0]\d* packets=[^0]\d* bytes=[^0]\d*]

Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

in.*\s+[^0]\d+ packets
out.*\s+[^0]\d+ packets

Step 9: Set the following configuration in DUT2:

set interfaces ethernet eth0 address 192.168.10.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.10.1

Step 10: Ping IP address 192.168.20.1 from DUT2:

admin@DUT2$ ping 192.168.20.1 count 1 size 56 timeout 1

Step 11: Run command system conntrack clear at DUT0 and expect this output:

Step 12: Initiate a udp connection from DUT2 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 13: Initiate a udp connection from DUT2 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 14: Initiate a udp connection from DUT2 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 15: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:

unknown\s+50.*[OFFLOAD, packets=[^0]\d* bytes=[^0]\d* packets=[^0]\d* bytes=[^0]\d*]
udp\s+17.*[OFFLOAD, packets=[^0]\d* bytes=[^0]\d* packets=[^0]\d* bytes=[^0]\d*]

Test XFRM Offload With Site To Site 

Description

In this scenario, the tunnel is established by using a site-to-site peer.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 60.0.0.10/24
set interfaces ethernet eth1 address 192.168.10.1/24
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER connection-type on-demand
set vpn ipsec site-to-site peer PEER local-address 60.0.0.10
set vpn ipsec site-to-site peer PEER remote-address 60.0.0.20
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.20.0/24
set protocols static route 0.0.0.0/0 next-hop 60.0.0.20

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 60.0.0.20/24
set interfaces ethernet eth1 address 192.168.20.1/24
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER local-address 60.0.0.20
set vpn ipsec site-to-site peer PEER remote-address 60.0.0.10
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.20.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.10.0/24
set protocols static route 0.0.0.0/0 next-hop 60.0.0.10

Step 3: Run command vpn ipsec show sa at DUT0 and check if output contains the following tokens:

INSTALLED

Step 4: Set the following configuration in DUT2:

set interfaces ethernet eth0 address 192.168.10.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.10.1

Step 5: Ping IP address 192.168.20.1 from DUT2:

admin@DUT2$ ping 192.168.20.1 count 1 size 56 timeout 1

Step 6: Run command system conntrack clear at DUT0 and expect this output:

Step 7: Initiate a udp connection from DUT2 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 8: Initiate a udp connection from DUT2 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 9: Initiate a udp connection from DUT2 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 10: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:

unknown\s+50.*[OFFLOAD, packets=[^0]\d* bytes=[^0]\d* packets=[^0]\d* bytes=[^0]\d*]
udp\s+17.*[OFFLOAD, packets=[^0]\d* bytes=[^0]\d* packets=[^0]\d* bytes=[^0]\d*]

Test XFRM Offload With Bridge and Site To Site 

Description

In this scenario, the tunnel is established by using a site-to-site peer, and the LAN interface is included in a bridge.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 60.0.0.10/24
set interfaces ethernet eth1 address 192.168.10.1/24
set system offload timeout 30
del interfaces ethernet eth1
set interfaces bridge br0 address 192.168.10.1/24
set interfaces ethernet eth1 bridge-group bridge br0
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER connection-type on-demand
set vpn ipsec site-to-site peer PEER local-address 60.0.0.10
set vpn ipsec site-to-site peer PEER remote-address 60.0.0.20
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.20.0/24
set protocols static route 0.0.0.0/0 next-hop 60.0.0.20

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 60.0.0.20/24
set interfaces ethernet eth1 address 192.168.20.1/24
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER local-address 60.0.0.20
set vpn ipsec site-to-site peer PEER remote-address 60.0.0.10
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.20.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.10.0/24
set protocols static route 0.0.0.0/0 next-hop 60.0.0.10

Step 3: Run command vpn ipsec show sa at DUT0 and check if output contains the following tokens:

INSTALLED

Step 4: Set the following configuration in DUT2:

set interfaces ethernet eth0 address 192.168.10.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.10.1

Step 5: Ping IP address 192.168.20.1 from DUT2:

admin@DUT2$ ping 192.168.20.1 count 1 size 56 timeout 1

Step 6: Run command system conntrack clear at DUT0 and expect this output:

Step 7: Initiate a udp connection from DUT2 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 8: Initiate a udp connection from DUT2 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 9: Initiate a udp connection from DUT2 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 10: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:

unknown\s+50.*[OFFLOAD, packets=[^0]\d* bytes=[^0]\d* packets=[^0]\d* bytes=[^0]\d*]
udp\s+17.*[OFFLOAD, packets=[^0]\d* bytes=[^0]\d* packets=[^0]\d* bytes=[^0]\d*]

Test XFRM Offload With Bridge VLAN and Site To Site 

Description

In this scenario, the tunnel is established by using a site-to-site peer, and the LAN interface is included in a bridge with a VLAN.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 60.0.0.10/24
set interfaces ethernet eth1 address 192.168.10.1/24
set system offload timeout 30
del interfaces ethernet eth1
set interfaces bridge br0 vif 100 address 192.168.10.1/24
set interfaces bridge br0 vlan 100 pvid
set interfaces ethernet eth1 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group vlan 100 pvid
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER connection-type on-demand
set vpn ipsec site-to-site peer PEER local-address 60.0.0.10
set vpn ipsec site-to-site peer PEER remote-address 60.0.0.20
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.20.0/24
set protocols static route 0.0.0.0/0 next-hop 60.0.0.20

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 60.0.0.20/24
set interfaces ethernet eth1 address 192.168.20.1/24
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth pre-shared-secret test
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER local-address 60.0.0.20
set vpn ipsec site-to-site peer PEER remote-address 60.0.0.10
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.20.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.10.0/24
set protocols static route 0.0.0.0/0 next-hop 60.0.0.10

Step 3: Run command vpn ipsec show sa at DUT0 and check if output contains the following tokens:

INSTALLED

Step 4: Set the following configuration in DUT2:

set interfaces ethernet eth0 vif 100 address 192.168.10.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.10.1

Step 5: Ping IP address 192.168.20.1 from DUT2:

admin@DUT2$ ping 192.168.20.1 count 1 size 56 timeout 1

Step 6: Run command system conntrack clear at DUT0 and expect this output:

Step 7: Initiate a udp connection from DUT2 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 8: Initiate a udp connection from DUT2 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 9: Initiate a udp connection from DUT2 to DUT1 and try to send some messages between both endpoints

admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 5050 udp source-port 6060

Step 10: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:

unknown\s+50.*[OFFLOAD, packets=[^0]\d* bytes=[^0]\d* packets=[^0]\d* bytes=[^0]\d*]
udp\s+17.*[OFFLOAD, packets=[^0]\d* bytes=[^0]\d* packets=[^0]\d* bytes=[^0]\d*]

Xfrm Offload

Test XFRM Offload With VTI

Description

Scenario

Test XFRM Offload With DMVPN Tunnel Mode

Description

Scenario

Test XFRM Offload With DMVPN Transport Mode

Description

Scenario

Test XFRM Offload With Site To Site

Description

Scenario

Test XFRM Offload With Bridge and Site To Site

Description

Scenario

Test XFRM Offload With Bridge VLAN and Site To Site

Description

Scenario

Test XFRM Offload With VTI 

Test XFRM Offload With DMVPN Tunnel Mode 

Test XFRM Offload With DMVPN Transport Mode 

Test XFRM Offload With Site To Site 

Test XFRM Offload With Bridge and Site To Site 

Test XFRM Offload With Bridge VLAN and Site To Site 