Check Vti To Global Ipsec
This scenario shows how to configure and route traffic via one VTI (Virtual Tunnel Interface) device. The other end-point does not use VTI devices, but a global IPSec policy.
Test VTI To Global IPSec
Description
A tunnel is configured between DUT0 and DUT1. On
the one hand, in DUT0, a vti interface is configured
to encapsulate traffic. On the other hand, in DUT1, an
IPSec policy with global selectors is configured.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 60.0.0.10/24 set interfaces ethernet eth1 address 192.168.10.1/24 set interfaces vti vti0 ipsec PEER set interfaces vti vti0 local-address 60.0.0.10 set protocols static route 0.0.0.0/0 interface vti0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX18bqNPzk2Bi0x/k4mJAS37q85e6sD9hK5Q= set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type on-demand set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 60.0.0.10 set vpn ipsec site-to-site peer PEER remote-address 60.0.0.20 set vpn ipsec site-to-site peer PEER vti local prefix 192.168.10.0/24 set vpn ipsec site-to-site peer PEER vti remote prefix 192.168.20.0/24
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 60.0.0.20/24 set interfaces ethernet eth1 address 192.168.20.1/24 set protocols static route 0.0.0.0/0 interface eth0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1/gN6PHnSi7Wjhqejja13cmZftrAb1RVpo= set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 60.0.0.20 set vpn ipsec site-to-site peer PEER remote-address 60.0.0.10 set vpn ipsec site-to-site peer PEER tunnel 1 esp-group CHILD-SA set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.20.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.10.0/24
Step 3: Run command vpn ipsec show sa at DUT0 and check if output contains the following tokens:
ESTABLISHEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, b249310189d44b5f_i 506eb1d09e309f95_r* local '60.0.0.10' @ 60.0.0.10[500] remote '60.0.0.20' @ 60.0.0.20[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 16047s peer-PEER-tunnel-VTI: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3530s, expires in 3960s in cdf342ad (0x90000000), 0 bytes, 0 packets out cc21f7c1 (0x90000000), 0 bytes, 0 packets local 192.168.10.0/24 remote 192.168.20.0/24
Step 4: Run command vpn ipsec show sa at DUT1 and check if output contains the following tokens:
ESTABLISHEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, b249310189d44b5f_i* 506eb1d09e309f95_r local '60.0.0.20' @ 60.0.0.20[500] remote '60.0.0.10' @ 60.0.0.10[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 28724s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3316s, expires in 3959s in cc21f7c1, 0 bytes, 0 packets out cdf342ad, 0 bytes, 0 packets local 192.168.20.0/24 remote 192.168.10.0/24
Step 5: Ping IP address 192.168.10.1 from DUT1:
admin@DUT1$ ping 192.168.10.1 local-address 192.168.20.1 count 1 size 56 timeout 1Show output
PING 192.168.10.1 (192.168.10.1) from 192.168.20.1 : 56(84) bytes of data. 64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=0.291 ms --- 192.168.10.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.291/0.291/0.291/0.000 ms
Step 6: Ping IP address 192.168.20.1 from DUT0:
admin@DUT0$ ping 192.168.20.1 local-address 192.168.10.1 count 1 size 56 timeout 1Show output
PING 192.168.20.1 (192.168.20.1) from 192.168.10.1 : 56(84) bytes of data. 64 bytes from 192.168.20.1: icmp_seq=1 ttl=64 time=0.332 ms --- 192.168.20.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.332/0.332/0.332/0.000 ms
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
,\s+[^0] packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, b249310189d44b5f_i 506eb1d09e309f95_r* local '60.0.0.10' @ 60.0.0.10[500] remote '60.0.0.20' @ 60.0.0.20[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 16046s peer-PEER-tunnel-VTI: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3529s, expires in 3959s in cdf342ad (0x90000000), 168 bytes, 2 packets, 1s ago out cc21f7c1 (0x90000000), 168 bytes, 2 packets, 1s ago local 192.168.10.0/24 remote 192.168.20.0/24