Vrf Wan

This scenario shows how to configure service traffic-proxy to intercept and proxy SSL traffic. The WAN interface in DUT0 is bound to a VRF.

../../../../_images/proxy.svg

Test Traffic-Proxy Interception With WAN VRF

Description

This example demonstrates how to configure the device to intercept and proxy SSL traffic. For this purpose, the service traffic-proxy is bound to the port 3128 and the VRF LAN.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 vif 100 address 192.168.1.1/24
set interfaces ethernet eth0 vif 100 tcp-mss 1400
set interfaces ethernet eth0 vif 100 traffic policy in TPROXY
set interfaces ethernet eth1 vif 200 address 10.0.0.1/24
set interfaces ethernet eth1 vif 200 tcp-mss 1400
set interfaces ethernet eth1 vif 200 vrf WAN
set protocols static route 10.0.0.0/24 next-hop-vrf WAN
set protocols vrf WAN static route 192.168.1.0/24 interface eth0.100
set service traffic-proxy TRAFFIC_PROXY local-vrf WAN
set service traffic-proxy TRAFFIC_PROXY mode ssl
set service traffic-proxy TRAFFIC_PROXY port 3128
set service traffic-proxy TRAFFIC_PROXY x509 ca-cert 'running://test.crt'
set service traffic-proxy TRAFFIC_PROXY x509 ca-key 'running://test.key'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf WAN
set traffic policy TPROXY rule 5 action proxy tcp 3128
set traffic policy TPROXY rule 5 selector TCP_TRAFFIC
set traffic selector TCP_TRAFFIC rule 1 destination port 80,443,8080,4430
set traffic selector TCP_TRAFFIC rule 1 protocol tcp

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 vif 100 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2:

set interfaces ethernet eth0 vif 200 address 10.0.0.2/24
set protocols static route 0.0.0.0/0 next-hop 10.0.0.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping IP address 10.0.0.2 from DUT1:

admin@DUT1$ ping 10.0.0.2 count 1 size 56 timeout 1
Show output
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=63 time=0.979 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.979/0.979/0.979/0.000 ms

Step 5: Ping IP address 192.168.1.2 from DUT2:

admin@DUT2$ ping 192.168.1.2 count 1 size 56 timeout 1
Show output
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=63 time=0.454 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.454/0.454/0.454/0.000 ms

Step 6: Initiate a ssl connection from DUT1 to DUT2 and try to send some messages between both endpoints

admin@DUT2$ monitor test connection server 443 ssl cert running://test.crt key running://test.key
admin@DUT1$ monitor test connection client 10.0.0.2 443 ssl source-port 1234

Step 7: Run command service traffic-proxy TRAFFIC_PROXY show stats at DUT0 and check if output does not match the following regular expressions:

intercepted\s+0\s+0
Show output
Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
queue - reply        0      0
queue - orig         0      0
intercepted         14   1277
error                0      0