Eap
This scenario shows how to configure and connect two subnets with each other through a VPN tunnel using different eap methods
Test MD5 Method
Description
Simple VPN site-to-site configuration with md5 authentication for DUT1 (client) and pre shared secret for DUT0 (server)
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth1 address 80.0.0.1/24 set protocols static route 10.2.0.0/24 interface dum0 set protocols static route 10.3.0.0/24 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets eap dut0 encrypted-secret U2FsdGVkX19xk5xGRT9z/gx/Qmu2YNEJHPUd0dQIpLY= set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test_psk encrypted-secret U2FsdGVkX1991Cn0AIJ8v2oZhR/LE5TwmHJz3hCP9G8= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test_psk set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth eap dut0 type md5 set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth1 address 80.0.0.2/24 set protocols static route 10.1.0.0/24 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets eap dut0 encrypted-secret U2FsdGVkX18CssjT9DOrOwj/Ygfip1Nsk8PAGNUXkBI= set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test_psk encrypted-secret U2FsdGVkX1/ozolB/jd+LiohBleQdxt+TOWH0wMYq28= set vpn ipsec auth-profile AUTH-SA local auth eap dut0 type md5 set vpn ipsec auth-profile AUTH-SA local id dut0 set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.261 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.261/0.261/0.261/0.000 ms
Step 4: Ping the IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.024 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.024/0.024/0.024/0.000 ms
Step 5: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, cfdbc7ca5ca239e8_i c4fdb075d82afe13_r* local 'test_psk' @ 80.0.0.1[500] remote 'dut0' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 20561s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3242s, expires in 3959s in c75e977e, 0 bytes, 0 packets out c2b85f89, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 6: Ping the IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.488 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.488/0.488/0.488/0.000 ms
Step 7: Ping the IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.647 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.647/0.647/0.647/0.000 ms
Step 8: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, cfdbc7ca5ca239e8_i c4fdb075d82afe13_r* local 'test_psk' @ 80.0.0.1[500] remote 'dut0' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 20561s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3242s, expires in 3959s in c75e977e, 168 bytes, 2 packets, 0s ago out c2b85f89, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test TLS Method
Description
Simple VPN site-to-site configuration with tls authentication in both sides
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth1 address 80.0.0.1/24 set protocols static route 10.2.0.0/24 interface dum0 set protocols static route 10.3.0.0/24 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA local auth eap dut1 type tls set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt' set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth eap dut0 type tls set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth1 address 80.0.0.2/24 set protocols static route 10.1.0.0/24 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA local auth eap dut0 type tls set vpn ipsec auth-profile AUTH-SA local cert-file 'running://client.crt' set vpn ipsec auth-profile AUTH-SA local key file 'running://client.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth eap dut1 type tls set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=Server set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.276 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.276/0.276/0.276/0.000 ms
Step 4: Ping the IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.029 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.029/0.029/0.029/0.000 ms
Step 5: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 07ed7ed6dcdeeaca_i 8f4b4ed6f4ba2937_r* local 'CN=Server' @ 80.0.0.1[500] remote 'CN=Client' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 15415s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3353s, expires in 3959s in cffb37b5, 0 bytes, 0 packets out cd3d33bc, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 6: Ping the IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.333 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.333/0.333/0.333/0.000 ms
Step 7: Ping the IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.247 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.247/0.247/0.247/0.000 ms
Step 8: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 07ed7ed6dcdeeaca_i 8f4b4ed6f4ba2937_r* local 'CN=Server' @ 80.0.0.1[500] remote 'CN=Client' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 15415s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3353s, expires in 3959s in cffb37b5, 168 bytes, 2 packets, 0s ago out cd3d33bc, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test MSCHAPV2 Method
Description
Simple VPN site-to-site configuration with mschapv2 authentication for DUT1 (client) and X.509 certificate for DUT0 (server)
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth1 address 80.0.0.1/24 set protocols static route 10.2.0.0/24 interface dum0 set protocols static route 10.3.0.0/24 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets eap dut0 encrypted-secret U2FsdGVkX1/gj4czVEd9UJXkaQiVGLNfi2kYmwVJlyY= set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt' set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth eap %any type mschapv2 set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth1 address 80.0.0.2/24 set protocols static route 10.1.0.0/24 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets eap dut0 encrypted-secret U2FsdGVkX19qI0r1kpz6WCVrq2Ym5nqO1lXeTsB4wcc= set vpn ipsec auth-profile AUTH-SA local auth eap dut0 type mschapv2 set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=Server set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.028 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.028/0.028/0.028/0.000 ms
Step 4: Ping the IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.028 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.028/0.028/0.028/0.000 ms
Step 5: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, de567994290b684b_i 954312285657dff0_r* local 'CN=Server' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] EAP: 'dut0' AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 22606s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3458s, expires in 3959s in ca8edc78, 0 bytes, 0 packets out c320333b, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 6: Ping the IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.436 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.436/0.436/0.436/0.000 ms
Step 7: Ping the IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.271 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.271/0.271/0.271/0.000 ms
Step 8: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, de567994290b684b_i 954312285657dff0_r* local 'CN=Server' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] EAP: 'dut0' AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 22606s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3458s, expires in 3959s in ca8edc78, 168 bytes, 2 packets, 0s ago out c320333b, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test TTLS Method
Description
Simple VPN site-to-site configuration with ttls authentication in both sides, but DUT1 (client) using a secret password and DUT0 (server) a X.509 certificate
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth1 address 80.0.0.1/24 set protocols static route 10.2.0.0/24 interface dum0 set protocols static route 10.3.0.0/24 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets eap dut0 encrypted-secret U2FsdGVkX18YL9UFxmWf7O8qmFy+lvm9p+bFe8fEw9I= set vpn ipsec auth-profile AUTH-SA local auth eap dut1 type ttls set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt' set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth eap dut0 type ttls set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth1 address 80.0.0.2/24 set protocols static route 10.1.0.0/24 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets eap dut0 encrypted-secret U2FsdGVkX1/tOywO1fumkHOtqGnqPHKsVn7BVXMHDi8= set vpn ipsec auth-profile AUTH-SA local auth eap dut0 type ttls set vpn ipsec auth-profile AUTH-SA local id dut0 set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth eap dut1 type ttls set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=Server set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.274 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.274/0.274/0.274/0.000 ms
Step 4: Ping the IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.024 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.024/0.024/0.024/0.000 ms
Step 5: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 3454dd0f269e7a3e_i 36421aaa4f74fc9e_r* local 'CN=Server' @ 80.0.0.1[500] remote 'dut0' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 21646s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3246s, expires in 3959s in ce1dce62, 0 bytes, 0 packets out c76cad80, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 6: Ping the IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.638 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.638/0.638/0.638/0.000 ms
Step 7: Ping the IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.252 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.252/0.252/0.252/0.000 ms
Step 8: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 3454dd0f269e7a3e_i 36421aaa4f74fc9e_r* local 'CN=Server' @ 80.0.0.1[500] remote 'dut0' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 21646s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3246s, expires in 3959s in ce1dce62, 168 bytes, 2 packets, 0s ago out c76cad80, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test EAP With Multiple Remotes
Description
Test with multiple remotes using the same EAP method and different secrets.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth1 address 80.0.0.1/24 set protocols static route 10.2.0.0/24 interface dum0 set protocols static route 10.3.0.0/24 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets eap dut0 encrypted-secret U2FsdGVkX18iS/I2WNHvWA5t78sHKYctnmZ6YCaoDM4= set vpn ipsec auth-profile AUTH-SA global-secrets eap dut1 encrypted-secret U2FsdGVkX1+qfEwl7G9fvgEKpLjYuA2HUqbrWYoAil4= set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test_psk encrypted-secret U2FsdGVkX1+JuY6IcBd0LTuKB/dJWkUSRln/i4Q+IKs= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test_psk set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth eap %any type md5 set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth1 address 80.0.0.2/24 set protocols static route 10.1.0.0/24 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets eap dut0 encrypted-secret U2FsdGVkX1+88KXoJo5QDbR7e4Ex7KfCOsuID4vxRGQ= set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test_psk encrypted-secret U2FsdGVkX1+Q+LwaomTgpdE7S3mVObvneYDNkJTLucQ= set vpn ipsec auth-profile AUTH-SA local auth eap dut0 type md5 set vpn ipsec auth-profile AUTH-SA local id dut0 set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.028 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.028/0.028/0.028/0.000 ms
Step 4: Ping the IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.039 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.039/0.039/0.039/0.000 ms
Step 5: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, ce2b2777b8b9c97d_i 48f39a1b754b8b67_r* local 'test_psk' @ 80.0.0.1[500] remote 'dut0' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 22092s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3379s, expires in 3960s in c08e8e6e, 0 bytes, 0 packets out c0c03eb3, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 6: Ping the IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.331 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.331/0.331/0.331/0.000 ms
Step 7: Ping the IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.313 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.313/0.313/0.313/0.000 ms
Step 8: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, ce2b2777b8b9c97d_i 48f39a1b754b8b67_r* local 'test_psk' @ 80.0.0.1[500] remote 'dut0' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 22092s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3379s, expires in 3960s in c08e8e6e, 168 bytes, 2 packets, 0s ago out c0c03eb3, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 9: Modify the following configuration lines in DUT1 :
delete vpn ipsec auth-profile AUTH-SA global-secrets eap dut0 delete vpn ipsec auth-profile AUTH-SA local auth eap dut0 set vpn ipsec auth-profile AUTH-SA global-secrets eap dut1 encrypted-secret U2FsdGVkX1/78OvqPuJGBO+UsvxU7sc48l84VIMU+e0= set vpn ipsec auth-profile AUTH-SA local auth eap dut1 type md5 set vpn ipsec auth-profile AUTH-SA local id dut1
Step 10: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 1
Step 11: Run the command vpn ipsec initiate peer PEER on DUT1 and expect the following output:
Show output
Initiating IPSec SAs... 100.00% Initiated tunnels: 1
Step 12: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 81676b1ff2b8a055_i 276a749dfaaf7cd3_r* local 'test_psk' @ 80.0.0.1[500] remote 'dut1' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 19138s peer-PEER-tunnel-1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3298s, expires in 3960s in ce18787f, 0 bytes, 0 packets out c55d7c52, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 13: Ping the IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.293 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.293/0.293/0.293/0.000 ms
Step 14: Ping the IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.721 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.721/0.721/0.721/0.000 ms
Step 15: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 81676b1ff2b8a055_i 276a749dfaaf7cd3_r* local 'test_psk' @ 80.0.0.1[500] remote 'dut1' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 19137s peer-PEER-tunnel-1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3297s, expires in 3959s in ce18787f, 168 bytes, 2 packets, 0s ago out c55d7c52, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24