Xfrm Offload
These scenarios show how to configure IPsec policies and verify that the resulting traffic is offloaded to the fast path. Offload is enabled on DUT0 and DUT1 with set system offload timeout 30; whether a flow has actually been offloaded is read from the OFFLOAD flag and its per-direction packet/byte counters in the output of system conntrack show, and the packet counters of the installed IPsec SA are cross-checked with vpn ipsec show sa. All three scenarios use the same IPsec parameters: IKEv2 with AES-256-GCM, a SHA-256 PRF and DH group 19 (ECP-256) for the IKE SA, and AES-256-GCM with PFS on DH group 19 for the ESP (child) SA; the peers authenticate with a pre-shared secret that is stored in encrypted form in the configuration.
Test XFRM Offload With VTI
Description
In this scenario, the tunnel is established by a site-to-site peer bound to a VTI interface (vti0) on each DUT. The peer's traffic selectors are 0.0.0.0/0 on DUT0 and 192.168.20.0/24 on DUT1, and a default route through vti0 steers traffic into the tunnel. DUT1 is configured to initiate the connection; DUT0 is configured on-demand.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 60.0.0.10/24
set interfaces ethernet eth1 address 192.168.10.1/24
set interfaces vti vti0 address 10.0.0.1/32
set interfaces vti vti0 ipsec PEER
set interfaces vti vti0 local-address 60.0.0.10
set protocols static route 0.0.0.0/0 interface vti0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX19kS7vtNcXJn1F6UJnLlFYCTHimfmBsGig=
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type on-demand
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 60.0.0.10
set vpn ipsec site-to-site peer PEER remote-address 60.0.0.20
set vpn ipsec site-to-site peer PEER vti local prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER vti remote prefix 192.168.20.0/24
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 60.0.0.20/24
set interfaces ethernet eth1 address 192.168.20.1/24
set interfaces vti vti0 address 20.0.0.1/32
set interfaces vti vti0 ipsec PEER
set interfaces vti vti0 local-address 60.0.0.20
set protocols static route 0.0.0.0/0 interface vti0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1+vLKM9PFAQF8WrqhdsZFc2vww2tPZ+d60=
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 60.0.0.20
set vpn ipsec site-to-site peer PEER remote-address 60.0.0.10
set vpn ipsec site-to-site peer PEER vti local prefix 192.168.20.0/24
set vpn ipsec site-to-site peer PEER vti remote prefix 0.0.0.0/0
Step 3: Run command vpn ipsec show sa at DUT0 and check if output contains the following tokens:
INSTALLED
Output:
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, ef9d050150a6800d_i 4a8f51fa12ca9f39_r*
  local  '60.0.0.10' @ 60.0.0.10[500]
  remote '60.0.0.20' @ 60.0.0.20[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 26662s
  peer-PEER-tunnel-VTI: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3448s, expires in 3959s
    in  ca989197 (0x90000000), 0 bytes, 0 packets
    out cc215619 (0x90000000), 0 bytes, 0 packets
    local  0.0.0.0/0
    remote 192.168.20.0/24
Step 4: Run command system conntrack clear at DUT0.
Step 5: Initiate a udp connection from DUT0 to DUT1 and try to send some messages between both endpoints:
admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT0$ monitor test connection client 192.168.20.1 5050 udp source-port 6060
Step 6: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
unknown\s+50.*[OFFLOAD, packets=[1-9]\d* bytes=[1-9]\d* packets=[1-9]\d* bytes=[1-9]\d*]
Only the ESP flow (protocol 50, shown as "unknown 50") is expected to be offloaded at this point: the inner UDP flow is generated by DUT0 itself (source 10.0.0.1, the vti0 address) rather than forwarded, so it carries no OFFLOAD flag. The OFFLOAD counters must be non-zero in both directions; the loopback DNS entries are unrelated noise.
Output:
udp      17 29 src=10.0.0.1 dst=192.168.20.1 sport=6060 dport=5050 packets=5 bytes=240 src=192.168.20.1 dst=10.0.0.1 sport=5050 dport=6060 packets=5 bytes=240 mark=0 use=1
unknown  50 src=60.0.0.10 dst=60.0.0.20 packets=5 bytes=520 src=60.0.0.20 dst=60.0.0.10 packets=5 bytes=520 [OFFLOAD, packets=3 bytes=312 packets=3 bytes=312] mark=0 use=2
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=59283 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=59283 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=50543 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=50543 packets=0 bytes=0 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 4 flow entries have been shown.
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
in.*\s+[^0]\d+ packets
out.*\s+[^0]\d+ packets
Output:
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, ef9d050150a6800d_i 4a8f51fa12ca9f39_r*
  local  '60.0.0.10' @ 60.0.0.10[500]
  remote '60.0.0.20' @ 60.0.0.20[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 4s ago, rekeying in 26659s
  peer-PEER-tunnel-VTI: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 4s ago, rekeying in 3445s, expires in 3956s
    in  ca989197 (0x90000000), 240 bytes, 5 packets, 0s ago
    out cc215619 (0x90000000), 240 bytes, 5 packets, 0s ago
    local  0.0.0.0/0
    remote 192.168.20.0/24
Step 8: Set the following configuration in DUT2:
set interfaces ethernet eth0 address 192.168.10.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.10.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 9: Ping IP address 192.168.20.1 from DUT2:
admin@DUT2$ ping 192.168.20.1 count 1 size 56 timeout 1
Output:
PING 192.168.20.1 (192.168.20.1) 56(84) bytes of data.
64 bytes from 192.168.20.1: icmp_seq=1 ttl=63 time=39.8 ms

--- 192.168.20.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 39.831/39.831/39.831/0.000 ms
Step 10: Run command system conntrack clear at DUT0.
Step 11: Initiate a udp connection from DUT2 to DUT1 and try to send some messages between both endpoints:
admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 5050 udp source-port 6060
Step 12: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
unknown\s+50.*[OFFLOAD, packets=[1-9]\d* bytes=[1-9]\d* packets=[1-9]\d* bytes=[1-9]\d*]
udp\s+17.*[OFFLOAD, packets=[1-9]\d* bytes=[1-9]\d* packets=[1-9]\d* bytes=[1-9]\d*]
This time the inner UDP flow is forwarded (DUT2 to DUT1 through DUT0), so both the inner UDP flow and the outer ESP flow must carry the OFFLOAD flag with non-zero counters in both directions.
Output:
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=59511 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=59511 packets=0 bytes=0 mark=0 use=1
udp      17 src=192.168.10.2 dst=192.168.20.1 sport=6060 dport=5050 packets=5 bytes=240 src=192.168.20.1 dst=192.168.10.2 sport=5050 dport=6060 packets=5 bytes=240 [OFFLOAD, packets=3 bytes=144 packets=4 bytes=192] mark=0 use=2
unknown  50 src=60.0.0.10 dst=60.0.0.20 packets=5 bytes=520 src=60.0.0.20 dst=60.0.0.10 packets=5 bytes=520 [OFFLOAD, packets=3 bytes=312 packets=3 bytes=312] mark=0 use=2
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=46855 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=46855 packets=0 bytes=0 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 4 flow entries have been shown.
Step 13: Run command system conntrack clear at DUT0.
Step 14: Initiate a udp connection from DUT1 to DUT2 and try to send some messages between both endpoints:
admin@DUT2$ monitor test connection server 5050 udp local-address 192.168.10.2
admin@DUT1$ monitor test connection client 192.168.10.2 5050 udp source-port 6060 local-address 192.168.20.1
Step 15: Initiate a udp connection from DUT2 to DUT1 and try to send some messages between both endpoints:
admin@DUT1$ monitor test connection server 6060 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 6060 udp source-port 5050
This is the same UDP 5-tuple as in Step 14 sent in the opposite direction (192.168.10.2:5050 to 192.168.20.1:6060), so the packets land on the conntrack entry created in Step 14 and the counters in Step 16 show 10 packets in each direction.
Step 16: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
unknown\s+50.*[OFFLOAD, packets=[1-9]\d* bytes=[1-9]\d* packets=[1-9]\d* bytes=[1-9]\d*]
udp\s+17.*[OFFLOAD, packets=[1-9]\d* bytes=[1-9]\d* packets=[1-9]\d* bytes=[1-9]\d*]
Output:
unknown  50 src=60.0.0.20 dst=60.0.0.10 packets=10 bytes=1040 src=60.0.0.10 dst=60.0.0.20 packets=10 bytes=1040 [OFFLOAD, packets=7 bytes=728 packets=8 bytes=832] mark=0 use=2
udp      17 src=192.168.20.1 dst=192.168.10.2 sport=6060 dport=5050 packets=10 bytes=480 src=192.168.10.2 dst=192.168.20.1 sport=5050 dport=6060 packets=10 bytes=480 [OFFLOAD, packets=8 bytes=384 packets=9 bytes=432] mark=0 use=2
conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.
Test XFRM Offload With DMVPN Transport Mode
Description
In this scenario, a GRE tunnel (tun1) between the DUTs is established with NHRP: DUT1 registers with DUT0 as its next-hop server (nhs 10.0.0.1 at NBMA address 60.0.0.10), and the tunnel is protected by the IPsec dmvpn-profile NHRP. The ESP group uses transport mode, so the ESP SA protects the GRE packets themselves (local 60.0.0.10/32[gre], remote 60.0.0.20/32[gre] in the SA output). Both the ESP flow (protocol 50) and the GRE flow (protocol 47) are therefore expected to be offloaded.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 60.0.0.10/24
set interfaces ethernet eth1 address 192.168.10.1/24
set interfaces tunnel tun1 address 10.0.0.1/32
set interfaces tunnel tun1 encapsulation gre
set interfaces tunnel tun1 local-address 60.0.0.10
set interfaces tunnel tun1 local-interface eth0
set interfaces tunnel tun1 nhrp ipsec NHRP
set protocols static route 192.168.20.0/24 next-hop 20.0.0.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1/Jpg99k7SU7YiWD5RvrxITsxsAO5xUoTs=
set vpn ipsec dmvpn-profile NHRP auth-profile AUTH-SA
set vpn ipsec dmvpn-profile NHRP esp-group CHILD-SA
set vpn ipsec dmvpn-profile NHRP ike-group IKE-SA
set vpn ipsec esp-group CHILD-SA mode transport
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 60.0.0.20/24
set interfaces ethernet eth1 address 192.168.20.1/24
set interfaces tunnel tun1 address 20.0.0.1/32
set interfaces tunnel tun1 encapsulation gre
set interfaces tunnel tun1 local-address 60.0.0.20
set interfaces tunnel tun1 local-interface eth0
set interfaces tunnel tun1 nhrp ipsec NHRP
set interfaces tunnel tun1 nhrp nhs 10.0.0.1 nbma 60.0.0.10
set protocols static route 192.168.10.0/24 next-hop 10.0.0.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX19jXrfOrhbC5CDHIWUWEiBzzKliIOqjyuE=
set vpn ipsec dmvpn-profile NHRP auth-profile AUTH-SA
set vpn ipsec dmvpn-profile NHRP esp-group CHILD-SA
set vpn ipsec dmvpn-profile NHRP ike-group IKE-SA
set vpn ipsec esp-group CHILD-SA mode transport
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
Step 3: Run command vpn ipsec show sa at DUT0 and check if output contains the following tokens:
INSTALLED
Output:
NHRP: #1, ESTABLISHED, IKEv2, 19e657842bcf7c16_i 1ca77ba6fa2b9f20_r*
  local  '60.0.0.10' @ 60.0.0.10[500]
  remote '60.0.0.20' @ 60.0.0.20[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 28460s
  NHRP: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3329s, expires in 3959s
    in  c000bcf2, 96 bytes, 1 packets, 0s ago
    out cdba962d, 116 bytes, 1 packets, 0s ago
    local  60.0.0.10/32[gre]
    remote 60.0.0.20/32[gre]
Step 4: Run command system conntrack clear at DUT0.
Step 5: Initiate a udp connection from DUT0 to DUT1 and try to send some messages between both endpoints:
admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT0$ monitor test connection client 192.168.20.1 5050 udp source-port 6060
Step 6: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
unknown\s+50.*[OFFLOAD, packets=[1-9]\d* bytes=[1-9]\d* packets=[1-9]\d* bytes=[1-9]\d*]
gre\s+47.*[OFFLOAD, packets=[1-9]\d* bytes=[1-9]\d* packets=[1-9]\d* bytes=[1-9]\d*]
As in the VTI scenario, the inner UDP flow sourced by DUT0 itself (10.0.0.1) is not offloaded; the GRE flow carrying it and the ESP flow protecting the GRE packets both must be.
Output:
udp      17 29 src=10.0.0.1 dst=192.168.20.1 sport=6060 dport=5050 packets=5 bytes=240 src=192.168.20.1 dst=10.0.0.1 sport=5050 dport=6060 packets=5 bytes=240 mark=0 use=1
gre      47 src=60.0.0.10 dst=60.0.0.20 packets=5 bytes=360 src=60.0.0.20 dst=60.0.0.10 packets=5 bytes=360 [ASSURED] [OFFLOAD, packets=3 bytes=216 packets=3 bytes=216] mark=0 use=2
unknown  50 src=60.0.0.10 dst=60.0.0.20 packets=5 bytes=540 src=60.0.0.20 dst=60.0.0.10 packets=5 bytes=540 [OFFLOAD, packets=3 bytes=324 packets=3 bytes=324] mark=0 use=2
conntrack v1.4.7 (conntrack-tools): 3 flow entries have been shown.
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
in.*\s+[^0]\d+ packets
out.*\s+[^0]\d+ packets
Output:
NHRP: #1, ESTABLISHED, IKEv2, 19e657842bcf7c16_i 1ca77ba6fa2b9f20_r*
  local  '60.0.0.10' @ 60.0.0.10[500]
  remote '60.0.0.20' @ 60.0.0.20[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 3s ago, rekeying in 28458s
  NHRP: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256
    installed 3s ago, rekeying in 3327s, expires in 3957s
    in  c000bcf2, 356 bytes, 6 packets, 0s ago
    out cdba962d, 376 bytes, 6 packets, 0s ago
    local  60.0.0.10/32[gre]
    remote 60.0.0.20/32[gre]
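The INSTALLED and packet-counter checks that Step 3 and Step 7 express as a token and two regular expressions, here and in the VTI scenario, implemented as a small parser of the CHILD_SA section of vpn ipsec show sa. This is an added example, not code from the original page or from the router: it assumes the child SA header has the shape seen in the outputs above (name, "#id", optional "reqid N", state, TUNNEL or TRANSPORT, "ESP:cipher") followed by one "in" and one "out" counter line; the function names are mine, and the sample texts are reproduced from the Step 3 and Step 7 outputs on this page.

```python
import re

# Added example (not part of the original page or of the router's own tooling):
# parse the CHILD_SA part of "vpn ipsec show sa" and apply the page's checks.

# CHILD_SA header, e.g.
#   peer-PEER-tunnel-VTI: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
# The IKE_SA header ("vpn-peer-PEER: #1, ESTABLISHED, IKEv2, ...") carries no
# TUNNEL/TRANSPORT field, so it deliberately does not match.
CHILD_RE = re.compile(
    r"^\s*(?P<name>[\w.-]+): #(?P<id>\d+), (?:reqid \d+, )?"
    r"(?P<state>[A-Z]+), (?P<mode>TUNNEL|TRANSPORT), ESP:(?P<cipher>\S+)"
)
# Per-direction counters, with or without the "(0x...)" SPI annotation and the
# trailing "Ns ago", e.g. "in  ca989197 (0x90000000), 240 bytes, 5 packets, 0s ago"
DIR_RE = re.compile(
    r"^\s*(?P<dir>in|out)\s+(?P<spi>[0-9a-f]{8})(?: \(0x[0-9a-f]+\))?,"
    r"\s*(?P<bytes>\d+) bytes,\s*(?P<packets>\d+) packets"
)


def parse_child_sas(text):
    """Return one dict per CHILD_SA: name, id, state, mode, cipher, and in/out counters."""
    sas = []
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if m:
            sas.append({**m.groupdict(), "in": None, "out": None})
            continue
        m = DIR_RE.match(line)
        if m and sas:  # counter lines belong to the most recent CHILD_SA header
            d = m.groupdict()
            sas[-1][d["dir"]] = {"spi": d["spi"], "bytes": int(d["bytes"]), "packets": int(d["packets"])}
    return sas


def verify_child_sa(text, expected_mode, expected_cipher="AES_GCM_16-256"):
    """Return a list of problems; an empty list means the SA passes the page's checks."""
    sas = parse_child_sas(text)
    if not sas:
        return ["no CHILD_SA in output"]
    problems = []
    for sa in sas:
        n = sa["name"]
        if sa["state"] != "INSTALLED":
            problems.append(f"{n}: state {sa['state']}, expected INSTALLED")
        if sa["mode"] != expected_mode:
            problems.append(f"{n}: mode {sa['mode']}, expected {expected_mode}")
        if sa["cipher"] != expected_cipher:
            problems.append(f"{n}: cipher {sa['cipher']}, expected {expected_cipher}")
        for direction in ("in", "out"):
            c = sa[direction]
            if c is None or c["packets"] == 0:
                problems.append(f"{n}: no {direction}bound packets on the SA")
    return problems


# Sample outputs reproduced from this page (VTI Step 3 before traffic, VTI Step 7
# and DMVPN Step 7 after traffic).
SA_VTI_STEP3 = """\
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, ef9d050150a6800d_i 4a8f51fa12ca9f39_r*
  peer-PEER-tunnel-VTI: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3448s, expires in 3959s
    in  ca989197 (0x90000000), 0 bytes, 0 packets
    out cc215619 (0x90000000), 0 bytes, 0 packets
"""
SA_VTI_STEP7 = """\
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, ef9d050150a6800d_i 4a8f51fa12ca9f39_r*
  peer-PEER-tunnel-VTI: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 4s ago, rekeying in 3445s, expires in 3956s
    in  ca989197 (0x90000000), 240 bytes, 5 packets, 0s ago
    out cc215619 (0x90000000), 240 bytes, 5 packets, 0s ago
"""
SA_DMVPN_STEP7 = """\
NHRP: #1, ESTABLISHED, IKEv2, 19e657842bcf7c16_i 1ca77ba6fa2b9f20_r*
  NHRP: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256
    in  c000bcf2, 356 bytes, 6 packets, 0s ago
    out cdba962d, 376 bytes, 6 packets, 0s ago
"""

if __name__ == "__main__":
    for label, text, mode in (("VTI step 3", SA_VTI_STEP3, "TUNNEL"),
                              ("VTI step 7", SA_VTI_STEP7, "TUNNEL"),
                              ("DMVPN step 7", SA_DMVPN_STEP7, "TRANSPORT")):
        print(label, verify_child_sa(text, mode) or "OK")
```

The mode and cipher are checked explicitly rather than only the INSTALLED token: an SA that came up in the wrong mode or with a weaker proposal than the configured aes256gcm128 would still print INSTALLED, and the counter check only proves that packets traversed whatever SA was negotiated.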
Step 8: Set the following configuration in DUT2:
set interfaces ethernet eth0 address 192.168.10.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.10.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 9: Ping IP address 192.168.20.1 from DUT2:
admin@DUT2$ ping 192.168.20.1 count 1 size 56 timeout 1
Output:
PING 192.168.20.1 (192.168.20.1) 56(84) bytes of data.
64 bytes from 192.168.20.1: icmp_seq=1 ttl=63 time=0.594 ms

--- 192.168.20.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.594/0.594/0.594/0.000 ms
Step 10: Run command system conntrack clear at DUT0.
Step 11: Initiate a udp connection from DUT2 to DUT1 and try to send some messages between both endpoints:
admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 5050 udp source-port 6060
Step 12: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
unknown\s+50.*[OFFLOAD, packets=[1-9]\d* bytes=[1-9]\d* packets=[1-9]\d* bytes=[1-9]\d*]
gre\s+47.*[OFFLOAD, packets=[1-9]\d* bytes=[1-9]\d* packets=[1-9]\d* bytes=[1-9]\d*]
udp\s+17.*[OFFLOAD, packets=[1-9]\d* bytes=[1-9]\d* packets=[1-9]\d* bytes=[1-9]\d*]
Output:
udp      17 src=192.168.10.2 dst=192.168.20.1 sport=6060 dport=5050 packets=5 bytes=240 src=192.168.20.1 dst=192.168.10.2 sport=5050 dport=6060 packets=5 bytes=240 [OFFLOAD, packets=3 bytes=144 packets=4 bytes=192] mark=0 use=2
gre      47 src=60.0.0.10 dst=60.0.0.20 packets=5 bytes=360 src=60.0.0.20 dst=60.0.0.10 packets=5 bytes=360 [ASSURED] [OFFLOAD, packets=3 bytes=216 packets=3 bytes=216] mark=0 use=2
unknown  50 src=60.0.0.10 dst=60.0.0.20 packets=5 bytes=540 src=60.0.0.20 dst=60.0.0.10 packets=5 bytes=540 [OFFLOAD, packets=3 bytes=324 packets=3 bytes=324] mark=0 use=2
conntrack v1.4.7 (conntrack-tools): 3 flow entries have been shown.
Step 13: Run command system conntrack clear at DUT0.
Step 14: Initiate a udp connection from DUT1 to DUT2 and try to send some messages between both endpoints:
admin@DUT2$ monitor test connection server 5050 udp local-address 192.168.10.2
admin@DUT1$ monitor test connection client 192.168.10.2 5050 udp source-port 6060 local-address 192.168.20.1
Step 15: Initiate a udp connection from DUT2 to DUT1 (the reverse direction of the Step 14 flow, on the same ports) and try to send some messages between both endpoints:
admin@DUT1$ monitor test connection server 6060 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 6060 udp source-port 5050
Step 16: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
unknown\s+50.*[OFFLOAD, packets=[1-9]\d* bytes=[1-9]\d* packets=[1-9]\d* bytes=[1-9]\d*]
gre\s+47.*[OFFLOAD, packets=[1-9]\d* bytes=[1-9]\d* packets=[1-9]\d* bytes=[1-9]\d*]
udp\s+17.*[OFFLOAD, packets=[1-9]\d* bytes=[1-9]\d* packets=[1-9]\d* bytes=[1-9]\d*]
Output:
unknown  50 src=60.0.0.20 dst=60.0.0.10 packets=10 bytes=1080 src=60.0.0.10 dst=60.0.0.20 packets=10 bytes=1080 [OFFLOAD, packets=7 bytes=756 packets=8 bytes=864] mark=0 use=2
udp      17 24 src=127.0.0.1 dst=127.0.0.1 sport=59202 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=59202 packets=0 bytes=0 mark=0 use=1
udp      17 26 src=127.0.0.1 dst=127.0.0.1 sport=58955 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=58955 packets=0 bytes=0 mark=0 use=1
udp      17 28 src=127.0.0.1 dst=127.0.0.1 sport=33273 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=33273 packets=0 bytes=0 mark=0 use=1
udp      17 24 src=127.0.0.1 dst=127.0.0.1 sport=50912 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=50912 packets=0 bytes=0 mark=0 use=1
udp      17 src=192.168.20.1 dst=192.168.10.2 sport=6060 dport=5050 packets=10 bytes=480 src=192.168.10.2 dst=192.168.20.1 sport=5050 dport=6060 packets=10 bytes=480 [OFFLOAD, packets=8 bytes=384 packets=9 bytes=432] mark=0 use=2
gre      47 src=60.0.0.20 dst=60.0.0.10 packets=10 bytes=720 src=60.0.0.10 dst=60.0.0.20 packets=10 bytes=720 [ASSURED] [OFFLOAD, packets=7 bytes=504 packets=8 bytes=576] mark=0 use=2
udp      17 28 src=127.0.0.1 dst=127.0.0.1 sport=36346 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=36346 packets=0 bytes=0 mark=0 use=1
udp      17 26 src=127.0.0.1 dst=127.0.0.1 sport=50531 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=50531 packets=0 bytes=0 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 9 flow entries have been shown.
Test XFRM Offload With Site To Site
Description
In this scenario, the tunnel is established by a policy-based site-to-site peer with no tunnel interface: traffic is selected by the peer's tunnel 1 local/remote prefixes (192.168.10.0/24 and 192.168.20.0/24), and the default routes point directly at the other DUT's WAN address. Because DUT0's own addresses are outside those prefixes, only traffic forwarded on behalf of DUT2 is tested.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 60.0.0.10/24
set interfaces ethernet eth1 address 192.168.10.1/24
set protocols static route 0.0.0.0/0 next-hop 60.0.0.20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1/Cji4xd9XSgM5K9bze6OCgDm6b2p/6YUk=
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type on-demand
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 60.0.0.10
set vpn ipsec site-to-site peer PEER remote-address 60.0.0.20
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.20.0/24
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 60.0.0.20/24
set interfaces ethernet eth1 address 192.168.20.1/24
set protocols static route 0.0.0.0/0 next-hop 60.0.0.10
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system offload timeout 30
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1/L1AusTlgj+dvG/njYxnRP2TjQiqfzTq8=
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 60.0.0.20
set vpn ipsec site-to-site peer PEER remote-address 60.0.0.10
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.20.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.10.0/24
Step 3: Run command vpn ipsec show sa at DUT0 and check if output contains the following tokens:
INSTALLED
Output:
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 8c63c6e9b6122eaa_i c8d1537d7f9d57b5_r*
  local  '60.0.0.10' @ 60.0.0.10[500]
  remote '60.0.0.20' @ 60.0.0.20[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 18053s
  peer-PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3321s, expires in 3960s
    in  cedcefa0, 0 bytes, 0 packets
    out cd3a0b1f, 0 bytes, 0 packets
    local  192.168.10.0/24
    remote 192.168.20.0/24
Step 4: Set the following configuration in DUT2:
set interfaces ethernet eth0 address 192.168.10.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.10.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 5: Ping IP address 192.168.20.1 from DUT2:
admin@DUT2$ ping 192.168.20.1 count 1 size 56 timeout 1
Output:
PING 192.168.20.1 (192.168.20.1) 56(84) bytes of data.
64 bytes from 192.168.20.1: icmp_seq=1 ttl=63 time=1.11 ms

--- 192.168.20.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.108/1.108/1.108/0.000 ms
Step 6: Run command system conntrack clear at DUT0.
Step 7: Initiate a udp connection from DUT2 to DUT1 and try to send some messages between both endpoints:
admin@DUT1$ monitor test connection server 5050 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 5050 udp source-port 6060
Step 8: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
unknown\s+50.*[OFFLOAD, packets=[1-9]\d* bytes=[1-9]\d* packets=[1-9]\d* bytes=[1-9]\d*]
udp\s+17.*[OFFLOAD, packets=[1-9]\d* bytes=[1-9]\d* packets=[1-9]\d* bytes=[1-9]\d*]
Output:
udp      17 src=192.168.10.2 dst=192.168.20.1 sport=6060 dport=5050 packets=5 bytes=240 src=192.168.20.1 dst=192.168.10.2 sport=5050 dport=6060 packets=5 bytes=240 [OFFLOAD, packets=2 bytes=96 packets=3 bytes=144] mark=0 use=3
udp      17 27 src=127.0.0.1 dst=127.0.0.1 sport=56386 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=56386 packets=0 bytes=0 mark=0 use=1
unknown  50 src=60.0.0.10 dst=60.0.0.20 packets=5 bytes=520 src=60.0.0.20 dst=60.0.0.10 packets=5 bytes=520 [OFFLOAD, packets=3 bytes=312 packets=3 bytes=312] mark=0 use=2
udp      17 27 src=127.0.0.1 dst=127.0.0.1 sport=45455 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=45455 packets=0 bytes=0 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 4 flow entries have been shown.
Step 9: Run command system conntrack clear at DUT0.
Step 10: Initiate a udp connection from DUT1 to DUT2 and try to send some messages between both endpoints:
admin@DUT2$ monitor test connection server 5050 udp local-address 192.168.10.2
admin@DUT1$ monitor test connection client 192.168.10.2 5050 udp source-port 6060 local-address 192.168.20.1
Step 11: Initiate a udp connection from DUT2 to DUT1 (the reverse direction of the Step 10 flow, on the same ports) and try to send some messages between both endpoints:
admin@DUT1$ monitor test connection server 6060 udp local-address 192.168.20.1
admin@DUT2$ monitor test connection client 192.168.20.1 6060 udp source-port 5050
Step 12: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
unknown\s+50.*[OFFLOAD, packets=[1-9]\d* bytes=[1-9]\d* packets=[1-9]\d* bytes=[1-9]\d*]
udp\s+17.*[OFFLOAD, packets=[1-9]\d* bytes=[1-9]\d* packets=[1-9]\d* bytes=[1-9]\d*]
Output:
unknown  50 src=60.0.0.20 dst=60.0.0.10 packets=10 bytes=1040 src=60.0.0.10 dst=60.0.0.20 packets=10 bytes=1040 [OFFLOAD, packets=7 bytes=728 packets=8 bytes=832] mark=0 use=2
udp      17 25 src=127.0.0.1 dst=127.0.0.1 sport=42481 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=42481 packets=0 bytes=0 mark=0 use=1
udp      17 src=192.168.20.1 dst=192.168.10.2 sport=6060 dport=5050 packets=10 bytes=480 src=192.168.10.2 dst=192.168.20.1 sport=5050 dport=6060 packets=10 bytes=480 [OFFLOAD, packets=7 bytes=336 packets=7 bytes=336] mark=0 use=2
udp      17 25 src=127.0.0.1 dst=127.0.0.1 sport=50843 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=50843 packets=0 bytes=0 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 4 flow entries have been shown.
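The OFFLOAD checks that the conntrack steps of all three scenarios express as per-protocol regular expressions (protocol 50 alone in the router-originated case, 50 plus 17 for forwarded traffic, and 50, 47 plus 17 in the DMVPN scenario), implemented as a parser of system conntrack show output that can be pointed at any set of protocol numbers. This is an added example, not code from the original page or from the router: it assumes the line layout seen in the outputs above (protocol name, protocol number, an optional timeout that offloaded entries omit, key=value fields for the original and reply direction, and bracketed flags), and the function and class names are mine. The sample texts are reproduced from the VTI Step 6 and DMVPN Step 12 outputs on this page, trimmed to the relevant entries.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not part of the original page or of the router's own tooling):
# parse "system conntrack show" output and apply the page's OFFLOAD checks.

# "udp 17 29 src=..." (timeout present) or "unknown 50 src=..." (offloaded
# entries print no timeout). ESP shows up as "unknown 50" because conntrack has
# no protocol-specific tracker for it.
FLOW_RE = re.compile(r"^(?P<name>[a-z]+)\s+(?P<proto>\d+)\s+(?:(?P<timeout>\d+)\s+)?(?P<rest>.*)$")
OFFLOAD_RE = re.compile(r"\[OFFLOAD, packets=(\d+) bytes=(\d+) packets=(\d+) bytes=(\d+)\]")
FLAG_RE = re.compile(r"\[([A-Z]+)\]")          # [ASSURED], [UNREPLIED]
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Flow:
    proto: int
    orig: dict                 # original direction: src, dst, (sport, dport), packets, bytes
    reply: dict                # reply direction, same keys
    flags: list                # e.g. ["ASSURED"]
    offload: Optional[tuple]   # (orig_packets, orig_bytes, reply_packets, reply_bytes) or None


def _directions(fields):
    """Split key=value fields: the second occurrence of a key starts the reply tuple."""
    orig, reply = {}, {}
    cur = orig
    for key, val in KV_RE.findall(fields):
        if key in ("mark", "use"):
            continue
        if cur is orig and key in orig:
            cur = reply
        cur[key] = int(val) if val.isdigit() else val
    return orig, reply


def parse_conntrack(text):
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:              # blank lines and the "conntrack v1.4.7 ..." footer
            continue
        rest = m.group("rest")
        off = OFFLOAD_RE.search(rest)
        offload = tuple(int(x) for x in off.groups()) if off else None
        flags = FLAG_RE.findall(rest)
        fields = re.sub(r"\[[^\]]*\]", "", rest)   # drop bracketed parts before key=value parsing
        orig, reply = _directions(fields)
        flows.append(Flow(int(m.group("proto")), orig, reply, flags, offload))
    return flows


def is_offloaded(flow):
    """True only if the entry carries OFFLOAD with non-zero packets and bytes in both directions."""
    return flow.offload is not None and all(v > 0 for v in flow.offload)


def verify_offload(text, expected_protos):
    """Map each IP protocol number to whether at least one entry of that protocol is offloaded."""
    flows = parse_conntrack(text)
    return {p: any(is_offloaded(f) for f in flows if f.proto == p) for p in expected_protos}


# Sample outputs reproduced from this page: VTI Step 6 (router-originated inner
# flow, only ESP offloaded) and DMVPN Step 12 (forwarded flow, UDP/GRE/ESP offloaded).
CT_VTI_STEP6 = """\
udp      17 29 src=10.0.0.1 dst=192.168.20.1 sport=6060 dport=5050 packets=5 bytes=240 src=192.168.20.1 dst=10.0.0.1 sport=5050 dport=6060 packets=5 bytes=240 mark=0 use=1
unknown  50 src=60.0.0.10 dst=60.0.0.20 packets=5 bytes=520 src=60.0.0.20 dst=60.0.0.10 packets=5 bytes=520 [OFFLOAD, packets=3 bytes=312 packets=3 bytes=312] mark=0 use=2
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=59283 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=59283 packets=0 bytes=0 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 3 flow entries have been shown.
"""
CT_DMVPN_STEP12 = """\
udp      17 src=192.168.10.2 dst=192.168.20.1 sport=6060 dport=5050 packets=5 bytes=240 src=192.168.20.1 dst=192.168.10.2 sport=5050 dport=6060 packets=5 bytes=240 [OFFLOAD, packets=3 bytes=144 packets=4 bytes=192] mark=0 use=2
gre      47 src=60.0.0.10 dst=60.0.0.20 packets=5 bytes=360 src=60.0.0.20 dst=60.0.0.10 packets=5 bytes=360 [ASSURED] [OFFLOAD, packets=3 bytes=216 packets=3 bytes=216] mark=0 use=2
unknown  50 src=60.0.0.10 dst=60.0.0.20 packets=5 bytes=540 src=60.0.0.20 dst=60.0.0.10 packets=5 bytes=540 [OFFLOAD, packets=3 bytes=324 packets=3 bytes=324] mark=0 use=2
conntrack v1.4.7 (conntrack-tools): 3 flow entries have been shown.
"""

if __name__ == "__main__":
    print("VTI step 6:", verify_offload(CT_VTI_STEP6, [50, 17]))          # {50: True, 17: False}
    print("DMVPN step 12:", verify_offload(CT_DMVPN_STEP12, [50, 47, 17]))  # all True
```

Unlike a single regex over the whole line, the parser keeps the original and reply tuples apart, so a check can also confirm that the offloaded ESP entry really is the pair 60.0.0.10 to 60.0.0.20 and that an unexpected entry (for example an inner flow that should have stayed in the slow path) has no OFFLOAD counters at all.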