Local-Vrf
This scenario shows how to configure a VPN initiator with multiple VRFs and Policy-Based Routing (PBR).
Test Site-To-Site With VRFs And Marks
Description
Three VRFs are configured in the VPN initiator (DUT0): WAN, AP and SEG. Local traffic is generated in VRF SEG, marked by the PBR_SEG_AP local-out policy and leaked into the application VRF AP (its connmark is cached at the same time); the default route of AP leads to VRF WAN, where the IPsec policy encrypts the traffic. Packets received on the WAN interface are leaked back into VRF SEG by PBR_WAN_SEG when their connmark matches the AP VRF.
Scenario
Step 1: Set the following configuration in DUT1:

set interfaces dummy dum0 address 10.3.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set protocols static route 0.0.0.0/0 next-hop 80.0.0.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX18tWjLe4QRM5Izscfu3hHtuovKjhNBxZOY=
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 2: Set the following configuration in DUT0:

set interfaces dummy dum0 address 10.1.0.1/24
set interfaces dummy dum0 traffic policy local-out PBR_SEG_AP
set interfaces dummy dum0 vrf SEG
set interfaces ethernet eth0 address 80.0.0.1/24
set interfaces ethernet eth0 traffic policy in PBR_WAN_SEG
set interfaces ethernet eth0 vrf WAN
set protocols vrf AP static route 0.0.0.0/0 next-hop-vrf WAN
set protocols vrf SEG static route 0.0.0.0/0 interface dum0
set protocols vrf WAN static route 0.0.0.0/0 next-hop 80.0.0.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf AP
set system vrf SEG
set system vrf WAN
set traffic policy PBR_SEG_AP rule 1 set vrf AP connmark-cache
set traffic policy PBR_WAN_SEG rule 1 selector AP_SEL
set traffic policy PBR_WAN_SEG rule 1 set vrf SEG
set traffic selector AP_SEL rule 1 vrf-connmark AP
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX182Eyg4G0NUJeuBC4tWajh/ggqtIosV5pQ=
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec esp-group CHILD-SA vrf-mark-in SEG
set vpn ipsec esp-group CHILD-SA vrf-mark-out AP
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER local-vrf WAN
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 0.0.0.0/0
Step 3: Ping IP address 80.0.0.1 from DUT1:

admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1

PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.228 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.228/0.228/0.228/0.000 ms
Step 4: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

peer-PEER-tunnel-\d+.+INSTALLED

vpn-peer-PEER: #1, ESTABLISHED, IKEv2, e1417fc9181a6131_i* 23bc604127c7908d_r
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 15268s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3302s, expires in 3960s
    in  cb0eb3e6 (0x800003f4),      0 bytes,     0 packets
    out cc5f5f1a (0x800003f2),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24

Although DUT0 configures tunnel 1 with remote prefix 0.0.0.0/0, the CHILD SA is installed with remote 10.3.0.0/24: in IKEv2 the responder (DUT1) narrows the proposed traffic selector to the prefix it has configured, so only that prefix is protected by the tunnel. The value in parentheses after each SPI is the packet mark associated with the SA: the out SA carries the mark of the VRF set with vrf-mark-out (AP) and the in SA the mark of the VRF set with vrf-mark-in (SEG).
Step 5: Ping IP address 10.3.0.1 from DUT0:

admin@DUT0$ ping 10.3.0.1 vrf SEG count 1 size 56 timeout 1

ping: Warning: source address might be selected on device other than: SEG
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 SEG: 56(84) bytes of data.
64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.285 ms

--- 10.3.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.285/0.285/0.285/0.000 ms
Step 6: Run command vpn ipsec show sa remote 80.0.0.2 at DUT0 and check if output matches the following regular expressions:

[1-9]\d? packets

vpn-peer-PEER: #1, ESTABLISHED, IKEv2, e1417fc9181a6131_i* 23bc604127c7908d_r
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 15267s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3301s, expires in 3959s
    in  cb0eb3e6 (0x800003f4),     84 bytes,     1 packets,     0s ago
    out cc5f5f1a (0x800003f2),     84 bytes,     1 packets,     0s ago
    local  10.1.0.0/24
    remote 10.3.0.0/24
Attention

The command vpn show ipsec policy can be used to debug the IPsec selectors (xfrm policies) that have been installed in OSDx devices. Each tunnel policy carries a mark with a full 0xffffffff mask, so it only matches packets that PBR has already steered into the corresponding VRF: the out policy uses the mark of the out SA and the in and fwd policies use the mark of the in SA shown in Step 4. Example for device DUT0:

src 10.1.0.0/24 dst 10.3.0.0/24
    dir out priority 375423
    mark 0x800003f2/0xffffffff
    tmpl src 80.0.0.1 dst 80.0.0.2
        proto esp spi 0xcc5f5f1a reqid 1 mode tunnel
src 10.3.0.0/24 dst 10.1.0.0/24
    dir fwd priority 375423
    mark 0x800003f4/0xffffffff
    tmpl src 80.0.0.2 dst 80.0.0.1
        proto esp reqid 1 mode tunnel
src 10.3.0.0/24 dst 10.1.0.0/24
    dir in priority 375423
    mark 0x800003f4/0xffffffff
    tmpl src 80.0.0.2 dst 80.0.0.1
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src ::/0 dst ::/0
    socket in priority 0
src ::/0 dst ::/0
    socket out priority 0
src ::/0 dst ::/0
    socket in priority 0
src ::/0 dst ::/0
    socket out priority 0
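A cross-check of the two DUT0 outputs, as an added example that is not part of the original page or of OSDx itself: it parses a vpn show ipsec policy dump and the CHILD SA part of a vpn ipsec show sa dump (both constructed here from the outputs above, with the socket policies abridged) and confirms that the out policy carries the mark and SPI of the out SA, that the in and fwd policies carry the mark of the in SA, and that every tunnel policy has a full 0xffffffff mask. The function names, the exact line layout the regular expressions expect, and the mapping of the two mark values to the vrf-mark-out and vrf-mark-in VRFs are assumptions taken from this page's outputs, not from the OSDx source.

```python
import re

# Constructed sample input: the "vpn show ipsec policy" dump from DUT0 on this
# page, with the repeated socket policies abridged to one pair.
POLICY_DUMP = """\
src 10.1.0.0/24 dst 10.3.0.0/24
    dir out priority 375423
    mark 0x800003f2/0xffffffff
    tmpl src 80.0.0.1 dst 80.0.0.2
        proto esp spi 0xcc5f5f1a reqid 1 mode tunnel
src 10.3.0.0/24 dst 10.1.0.0/24
    dir fwd priority 375423
    mark 0x800003f4/0xffffffff
    tmpl src 80.0.0.2 dst 80.0.0.1
        proto esp reqid 1 mode tunnel
src 10.3.0.0/24 dst 10.1.0.0/24
    dir in priority 375423
    mark 0x800003f4/0xffffffff
    tmpl src 80.0.0.2 dst 80.0.0.1
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
"""

# Constructed sample input: the CHILD SA part of "vpn ipsec show sa" from DUT0.
SA_DUMP = """\
peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
  installed 1s ago, rekeying in 3301s, expires in 3959s
  in  cb0eb3e6 (0x800003f4),     84 bytes,     1 packets,     0s ago
  out cc5f5f1a (0x800003f2),     84 bytes,     1 packets,     0s ago
  local  10.1.0.0/24
  remote 10.3.0.0/24
"""

# One xfrm policy record: selector, direction, optional mark, optional ESP template.
POLICY_RE = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)\n"
    r"[ \t]+(?P<dir>dir \w+|socket \w+) priority (?P<prio>\d+)\n"
    r"(?:[ \t]+mark (?P<mark>0x[0-9a-f]+)/(?P<mask>0x[0-9a-f]+)\n)?"
    r"(?:[ \t]+tmpl src (?P<tsrc>\S+) dst (?P<tdst>\S+)\n"
    r"[ \t]+proto esp(?: spi (?P<spi>0x[0-9a-f]+))? reqid (?P<reqid>\d+) mode (?P<mode>\w+)\n)?",
    re.MULTILINE,
)

# "in  <spi> (<mark>)" and "out <spi> (<mark>)" lines of an installed CHILD SA.
SA_RE = re.compile(
    r"^\s*(?P<dir>in|out)\b\s+(?P<spi>[0-9a-f]{8}) \((?P<mark>0x[0-9a-f]+)\)",
    re.MULTILINE,
)


def parse_policies(text):
    """Return one dict per policy record; fields that are absent are None."""
    return [m.groupdict() for m in POLICY_RE.finditer(text)]


def parse_sa_marks(text):
    """Return {'in': {'spi', 'mark'}, 'out': {'spi', 'mark'}} for the CHILD SA."""
    return {m["dir"]: {"spi": "0x" + m["spi"], "mark": m["mark"]}
            for m in SA_RE.finditer(text)}


def check_vrf_marks(policies, sa):
    """Cross-check tunnel policies against the SA: each direction must carry the
    SA's mark with a full mask, and the out template must name the out SPI."""
    problems = []
    tunnel = [p for p in policies if p["tsrc"]]  # socket policies have no template
    if not tunnel or "in" not in sa or "out" not in sa:
        return ["no tunnel-mode policy or no installed CHILD SA found"]
    for p in tunnel:
        direction = p["dir"].split()[1]  # "out", "in" or "fwd"
        expect = sa["out"] if direction == "out" else sa["in"]
        where = f"{p['dir']} {p['src']} -> {p['dst']}"
        # A missing mark or partial mask would let unmarked (wrong-VRF) traffic match.
        if p["mark"] is None or p["mask"] != "0xffffffff":
            problems.append(f"{where}: not restricted to a single VRF mark")
            continue
        if p["mark"] != expect["mark"]:
            problems.append(f"{where}: mark {p['mark']} but SA uses {expect['mark']}")
        if direction == "out" and p["spi"] != expect["spi"]:
            problems.append(f"{where}: template SPI {p['spi']} but SA SPI is {expect['spi']}")
    return problems


def verify(policy_text=POLICY_DUMP, sa_text=SA_DUMP):
    """Empty list means policies and SA agree; otherwise one message per mismatch."""
    return check_vrf_marks(parse_policies(policy_text), parse_sa_marks(sa_text))


if __name__ == "__main__":
    for line in verify() or ["marks and SPIs consistent"]:
        print(line)
```

Run it after any change to the esp-group or PBR configuration: a policy whose mark disagrees with the SA is never matched, and a packet that reaches VRF WAN without matching the out policy is simply forwarded in the clear by the WAN default route towards 80.0.0.2.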