Backup-Tunnel
This scenario shows how to configure two IPsec VPN tunnels in an OSDx device. One of them acts as the main tunnel and the other one as a backup tunnel. As soon as the device detects that the main tunnel is not reachable, it starts sending traffic through the backup one.
Test Site-To-Site With Backup Tunnel
Description
VPN site-to-site configuration to create a backup tunnel that is activated when the main one is not reachable.
Scenario
Attention
This scenario uses the packet mark to select the VPN tunnel. The packet mark is assigned using a traffic policy that depends on an advisor status.
set system alarm MAIN_OFF
set system advisor MAIN_NOT_REACHABLE test MAIN_OFF
set service nsm operation BACKUP_PROBE alarm MAIN_OFF activate loss 80
set service nsm operation BACKUP_PROBE destination-address 80.0.0.2
set service nsm operation BACKUP_PROBE interval 3
set service nsm operation BACKUP_PROBE type icmp
set traffic policy PBR rule 1 set mark 4321
set traffic policy PBR rule 1 advisor MAIN_NOT_REACHABLE
set traffic policy PBR rule 2 set mark 1234
set interfaces dummy dum0 traffic policy local-out PBR
Step 1: Set the following configuration in DUT1:
set interfaces dummy dum0 address 10.3.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX186kPJfu8AdJK/ZbIz04cBwvzWNPhl8soY=
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 2: Set the following configuration in DUT2:
set interfaces dummy dum0 address 10.3.0.1/24
set interfaces ethernet eth0 address 80.0.0.3/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1+9f/NoRFG/pOCR8o8a6Jd6zSCQOezv3Cw=
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Set the following configuration in DUT0:
set interfaces dummy dum0 address 10.1.0.1/24
set interfaces dummy dum0 traffic policy local-out PBR
set interfaces ethernet eth0 address 80.0.0.1/24
set protocols static route 0.0.0.0/0 interface dum0
set service nsm operation BACKUP_PROBE alarm MAIN_OFF activate loss 80
set service nsm operation BACKUP_PROBE destination-address 80.0.0.2
set service nsm operation BACKUP_PROBE interval 3
set service nsm operation BACKUP_PROBE type icmp
set system advisor MAIN_NOT_REACHABLE test MAIN_OFF
set system alarm MAIN_OFF
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy PBR rule 1 advisor MAIN_NOT_REACHABLE
set traffic policy PBR rule 1 set mark 4321
set traffic policy PBR rule 2 set mark 1234
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX190dlmt6uh/X0yjesrJ37dSI+ACRtao1OI=
set vpn ipsec esp-group CHILD-BACKUP mark-in 4321
set vpn ipsec esp-group CHILD-BACKUP mark-out 4321
set vpn ipsec esp-group CHILD-BACKUP proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-BACKUP proposal 1 pfs dh-group19
set vpn ipsec esp-group CHILD-MAIN mark-in 1234
set vpn ipsec esp-group CHILD-MAIN mark-out 1234
set vpn ipsec esp-group CHILD-MAIN proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-MAIN proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer BACKUP auth-profile AUTH-SA
set vpn ipsec site-to-site peer BACKUP connection-type initiate
set vpn ipsec site-to-site peer BACKUP default-esp-group CHILD-BACKUP
set vpn ipsec site-to-site peer BACKUP ike-group IKE-SA
set vpn ipsec site-to-site peer BACKUP remote-address 80.0.0.3
set vpn ipsec site-to-site peer BACKUP tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer BACKUP tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer BACKUP tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer MAIN auth-profile AUTH-SA
set vpn ipsec site-to-site peer MAIN connection-type initiate
set vpn ipsec site-to-site peer MAIN default-esp-group CHILD-MAIN
set vpn ipsec site-to-site peer MAIN ike-group IKE-SA
set vpn ipsec site-to-site peer MAIN remote-address 80.0.0.2
set vpn ipsec site-to-site peer MAIN tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer MAIN tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer MAIN tunnel 1 remote prefix 0.0.0.0/0
Step 4: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.256 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.256/0.256/0.256/0.000 ms
Step 5: Ping IP address 80.0.0.3 from DUT0:
admin@DUT0$ ping 80.0.0.3 count 1 size 56 timeout 1
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data.
64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.330 ms

--- 80.0.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.330/0.330/0.330/0.000 ms
Step 6: Run command vpn ipsec show sa at DUT0 and check if output contains the following tokens:
80.0.0.2
80.0.0.3
vpn-peer-MAIN: #2, ESTABLISHED, IKEv2, 30f45e3bdfde3e3d_i* 59b2127097c1093e_r
  local  '80.0.0.1' @ 80.0.0.1[4500]
  remote '80.0.0.2' @ 80.0.0.2[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 16271s
  peer-MAIN-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3312s, expires in 3960s
    in  cd87f760 (0x000004d2),      0 bytes,      0 packets
    out c715890c (0x000004d2),      0 bytes,      0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24
vpn-peer-BACKUP: #1, ESTABLISHED, IKEv2, ecd908feee483249_i* 7ee51216ba5baa7b_r
  local  '80.0.0.1' @ 80.0.0.1[4500]
  remote '80.0.0.3' @ 80.0.0.3[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 23801s
  peer-BACKUP-tunnel-1: #1, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3282s, expires in 3960s
    in  c2411d9e (0x000010e1),      0 bytes,      0 packets
    out c6e91422 (0x000010e1),      0 bytes,      0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24
Step 7: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data.
64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.281 ms

--- 10.3.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.281/0.281/0.281/0.000 ms
Step 8: Run command vpn ipsec show sa remote 80.0.0.2 at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packets
vpn-peer-MAIN: #2, ESTABLISHED, IKEv2, 30f45e3bdfde3e3d_i* 59b2127097c1093e_r
  local  '80.0.0.1' @ 80.0.0.1[4500]
  remote '80.0.0.2' @ 80.0.0.2[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 16271s
  peer-MAIN-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3312s, expires in 3960s
    in  cd87f760 (0x000004d2),     84 bytes,     1 packets,     0s ago
    out c715890c (0x000004d2),     84 bytes,     1 packets,     0s ago
    local  10.1.0.0/24
    remote 10.3.0.0/24
Step 9: Run command vpn ipsec show sa remote 80.0.0.3 at DUT0 and check if output does not match the following regular expressions:
[1-9]\d? packets
vpn-peer-BACKUP: #1, ESTABLISHED, IKEv2, ecd908feee483249_i* 7ee51216ba5baa7b_r
  local  '80.0.0.1' @ 80.0.0.1[4500]
  remote '80.0.0.3' @ 80.0.0.3[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 23801s
  peer-BACKUP-tunnel-1: #1, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3282s, expires in 3960s
    in  c2411d9e (0x000010e1),      0 bytes,      0 packets
    out c6e91422 (0x000010e1),      0 bytes,      0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24
Step 10: Modify the following configuration lines in DUT1:
set interfaces ethernet eth0 disable
Step 11: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data.
64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.286 ms

--- 10.3.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.286/0.286/0.286/0.000 ms
Step 12: Run command vpn ipsec show sa remote 80.0.0.3 at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packets
vpn-peer-BACKUP: #1, ESTABLISHED, IKEv2, ecd908feee483249_i* 7ee51216ba5baa7b_r
  local  '80.0.0.1' @ 80.0.0.1[4500]
  remote '80.0.0.3' @ 80.0.0.3[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 7s ago, rekeying in 23794s
  peer-BACKUP-tunnel-1: #1, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    installed 8s ago, rekeying in 3275s, expires in 3953s
    in  c2411d9e (0x000010e1),     84 bytes,     1 packets,     0s ago
    out c6e91422 (0x000010e1),     84 bytes,     1 packets,     0s ago
    local  10.1.0.0/24
    remote 10.3.0.0/24
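The checks in steps 8, 9 and 12 look for a non-zero packet counter in the SA listing to tell which tunnel is carrying the traffic. The following Python is an added example, not OSDx code and not part of this page: it parses vpn ipsec show sa output into per-peer records (remote address, SA mark, packet counters), reports which peer is actually forwarding packets, and cross-checks the hex value shown in parentheses after each SPI against the marks configured on DUT0, CHILD-MAIN (1234 = 0x000004d2) and CHILD-BACKUP (4321 = 0x000010e1). The sample listings are constructed from the outputs printed in steps 8, 9 and 12; the function names, the CONFIGURED_MARKS table and the line layout assumed by the regular expressions are assumptions of this example, not OSDx interfaces.

```python
# Added example for this page (not OSDx code): parse the output of the OSDx command
# "vpn ipsec show sa" and decide which peer (MAIN or BACKUP) is carrying traffic.
# The line layout assumed by the regular expressions follows the outputs printed
# in steps 6, 8, 9 and 12 of this page; function names here are this example's own.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Packet mark bound to each peer's ESP group in the DUT0 configuration
# (CHILD-MAIN mark-in/mark-out 1234, CHILD-BACKUP mark-in/mark-out 4321).
CONFIGURED_MARKS = {"MAIN": 1234, "BACKUP": 4321}

PEER_RE = re.compile(r"^vpn-peer-(?P<name>[^:\s]+): #\d+, (?P<state>[A-Z_]+), IKEv\d")
REMOTE_RE = re.compile(r"^\s*remote '(?P<id>[^']+)' @ (?P<addr>[\d.]+)\[\d+\]")
# "in  cd87f760 (0x000004d2),  84 bytes,  1 packets": SPI, the SA's mark in
# parentheses, then the traffic counters.
COUNTER_RE = re.compile(
    r"^\s*(?P<dir>in|out)\s+[0-9a-f]{8} \((?P<mark>0x[0-9a-f]{8})\),"
    r"\s+(?P<bytes>\d+) bytes,\s+(?P<packets>\d+) packets"
)

# Sample listings, constructed from the outputs shown in steps 8, 9 and 12.
SA_MAIN = """\
vpn-peer-MAIN: #2, ESTABLISHED, IKEv2, 30f45e3bdfde3e3d_i* 59b2127097c1093e_r
  remote '80.0.0.2' @ 80.0.0.2[4500]
  peer-MAIN-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3312s, expires in 3960s
    in  cd87f760 (0x000004d2),     84 bytes,     1 packets,     0s ago
    out c715890c (0x000004d2),     84 bytes,     1 packets,     0s ago
    local  10.1.0.0/24
    remote 10.3.0.0/24
"""
SA_BACKUP_IDLE = """\
vpn-peer-BACKUP: #1, ESTABLISHED, IKEv2, ecd908feee483249_i* 7ee51216ba5baa7b_r
  remote '80.0.0.3' @ 80.0.0.3[4500]
  peer-BACKUP-tunnel-1: #1, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    in  c2411d9e (0x000010e1),      0 bytes,      0 packets
    out c6e91422 (0x000010e1),      0 bytes,      0 packets
"""
SA_BACKUP_ACTIVE = """\
vpn-peer-BACKUP: #1, ESTABLISHED, IKEv2, ecd908feee483249_i* 7ee51216ba5baa7b_r
  remote '80.0.0.3' @ 80.0.0.3[4500]
  peer-BACKUP-tunnel-1: #1, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    in  c2411d9e (0x000010e1),     84 bytes,     1 packets,     0s ago
    out c6e91422 (0x000010e1),     84 bytes,     1 packets,     0s ago
"""

@dataclass
class PeerSA:
    name: str
    state: str
    remote: Optional[str] = None
    mark: Dict[str, int] = field(default_factory=dict)     # direction -> SA mark
    packets: Dict[str, int] = field(default_factory=dict)  # direction -> packets

def parse_show_sa(text: str) -> Dict[str, PeerSA]:
    """Group the listing by IKE peer; keep remote address, marks and counters."""
    peers: Dict[str, PeerSA] = {}
    current: Optional[PeerSA] = None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = PeerSA(m["name"], m["state"])
            peers[current.name] = current
            continue
        if current is None:
            continue
        m = REMOTE_RE.match(line)  # quoted form: the IKE peer, not the child prefix
        if m:
            current.remote = m["addr"]
            continue
        m = COUNTER_RE.match(line)
        if m:
            current.mark[m["dir"]] = int(m["mark"], 16)
            current.packets[m["dir"]] = int(m["packets"])
    return peers

def carrying_traffic(peers: Dict[str, PeerSA]) -> List[str]:
    """Peers whose child SA forwarded at least one packet in either direction."""
    return sorted(n for n, p in peers.items() if any(v > 0 for v in p.packets.values()))

def page_regex_check(text: str) -> bool:
    """The check the page applies in steps 8, 9 and 12. It only matches counters of
    1 to 99 packets, so it stops matching once a counter reaches 100."""
    return re.search(r"[1-9]\d? packets", text) is not None

def verify_failover(text: str, expected_active: str) -> List[str]:
    """Findings about the failover state; an empty list means it is as expected."""
    peers = parse_show_sa(text)
    if expected_active not in peers:
        return [f"no SA for peer {expected_active}"]
    findings: List[str] = []
    for name, p in peers.items():
        want = CONFIGURED_MARKS.get(name)
        if want is not None and any(m != want for m in p.mark.values()):
            findings.append(f"{name}: SA marks {p.mark} differ from configured {want}")
    active = carrying_traffic(peers)
    if active != [expected_active]:
        findings.append(f"traffic on {active or 'no peer'}, expected only {expected_active}")
    return findings
```

verify_failover(SA_MAIN + SA_BACKUP_IDLE, "MAIN") returns an empty list for the state after step 9, and verify_failover(SA_BACKUP_ACTIVE, "BACKUP") for the state after step 12. The mark cross-check matters because the esp-group mark-in/mark-out values are what bind the PBR mark (1234 or 4321) to a tunnel: a mismatch would leave marked packets with no matching SA. Note also that the page's regular expression [1-9]\d? packets only matches counters from 1 to 99, so on a tunnel that has carried traffic for a while it stops matching; the parser's integer counters have no such limit.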