Unique
Tests for the unique connection option, which controls what the responder does when a peer (identified by its remote IKE identity) establishes a new IKE_SA while one for the same identity is already active. Although these tests use site-to-site peer configurations, the unique option behaves identically for DMVPN profiles.

DUT0 acts as responder. DUT1 and DUT2 share the same IKE identity (roadwarrior), so the second connection triggers the uniqueness check on DUT0. The tests are split into two groups. Proactive tests set unique never on the initiators, so they do NOT send INITIAL_CONTACT; this isolates the responder's own (proactive) uniqueness check. INITIAL_CONTACT tests leave the initiators at the default, unique no, so they DO send INITIAL_CONTACT; this exercises the responder's reaction to a peer requesting cleanup of its old SAs.
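The decision the responder takes for each unique setting can be written down as a small state machine. The following is an added illustration, not code from this test suite or from the router's IKE daemon: it models the four policies as described on this page (never and no perform no proactive check; replace deletes the existing IKE_SA in favour of the newcomer; keep rejects a newcomer from a different address and admits one from the same address as a reauthentication) and replays the DUT1/DUT2 scenario used by the tests. The handling of INITIAL_CONTACT for replace and keep follows strongSwan's documented semantics and is not exercised by the proactive tests on this page; the names Responder, IkeSa and run_scenario are hypothetical.

```python
"""Toy model of the responder-side IKE_SA uniqueness check ('unique' option).

Added illustration, not code from the test suite or the router's IKE daemon.
The rules are a simplified model of the behaviour described on this page;
INITIAL_CONTACT handling for replace/keep is assumed from strongSwan's
documented semantics and is not exercised by the proactive tests.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

MODES = ("never", "no", "replace", "keep")


@dataclass
class IkeSa:
    sa_id: int
    identity: str    # remote IKE identity, e.g. 'roadwarrior'
    remote_ip: str   # peer address as seen by the responder


@dataclass
class Responder:
    unique: str                                   # one of MODES
    sas: List[IkeSa] = field(default_factory=list)
    next_id: int = 1

    def ike_auth(self, identity: str, remote_ip: str,
                 initial_contact: bool = False) -> Tuple[bool, List[int]]:
        """Decide on a freshly authenticated IKE_SA from (identity, remote_ip).
        Returns (accepted, ids of the old IKE_SAs that were deleted)."""
        if self.unique not in MODES:
            raise ValueError(f"unknown unique policy {self.unique!r}")
        duplicates = [sa for sa in self.sas if sa.identity == identity]
        deleted: List[int] = []

        if self.unique == "never" or (self.unique == "no" and not initial_contact):
            # never: no check at all, a peer's INITIAL_CONTACT is ignored.
            # no: only a peer's INITIAL_CONTACT triggers cleanup (assumed).
            pass
        elif initial_contact:
            # Peer asserts it holds no other SA with us: drop the stale ones (assumed).
            deleted = [sa.sa_id for sa in duplicates]
        elif self.unique == "replace":
            # Proactive check: the newcomer wins, existing SAs for the identity go.
            deleted = [sa.sa_id for sa in duplicates]
        elif self.unique == "keep":
            # Proactive check: the existing SA wins, unless the new connection
            # comes from the same address (treated as a reauthentication).
            if any(sa.remote_ip != remote_ip for sa in duplicates):
                return False, []

        self.sas = [sa for sa in self.sas if sa.sa_id not in deleted]
        self.sas.append(IkeSa(self.next_id, identity, remote_ip))
        self.next_id += 1
        return True, deleted

    def remote_ips(self) -> List[str]:
        """Addresses that currently hold an IKE_SA on this responder."""
        return sorted(sa.remote_ip for sa in self.sas)


def run_scenario(unique: str, second_ip: str = "80.0.0.3",
                 initial_contact: bool = False) -> Tuple[bool, List[str]]:
    """Replay the page's scenario: DUT1 (80.0.0.2) connects as 'roadwarrior',
    then a second peer with the same identity connects from second_ip.
    Returns (second peer accepted, addresses still holding an IKE_SA)."""
    dut0 = Responder(unique)
    first_ok, _ = dut0.ike_auth("roadwarrior", "80.0.0.2")
    if not first_ok:
        raise RuntimeError("first connection can never be a duplicate")
    accepted, _ = dut0.ike_auth("roadwarrior", second_ip, initial_contact)
    return accepted, dut0.remote_ips()


if __name__ == "__main__":
    for mode in MODES:
        accepted, ips = run_scenario(mode)
        print(f"unique={mode:8s} DUT2 accepted={accepted!s:5s} SAs held by {ips}")
```

Running the module prints one line per policy; the interesting cases are replace (DUT2 accepted, DUT1's SA gone) and keep (DUT2 rejected, DUT1's SA kept), which are exactly the two outcomes the tests below distinguish.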
Test Never Without Initial Contact
Description
With unique = never and no INITIAL_CONTACT, no uniqueness checks are performed. Both SAs coexist without restriction.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces dummy dum0 address 10.1.0.1/24
set interfaces ethernet eth0 address 80.0.0.1/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1/Gax5Tg3yxFZWeLYDMA0618VQsKjQjBRs=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 2: Set the following configuration in DUT1:
set interfaces dummy dum0 address 10.3.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX18P6FuNc+bAVkLIZX2wQMJAJX+JeqGIJUs=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.166 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.166/0.166/0.166/0.000 ms
Step 4: Ping the IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.305 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.305/0.305/0.305/0.000 ms
Step 5: Modify the following configuration lines in DUT0:
delete vpn ipsec site-to-site peer PEER remote-address
set vpn ipsec auth-profile AUTH-SA local id server
set vpn ipsec auth-profile AUTH-SA remote id roadwarrior
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER unique never
Step 6: Modify the following configuration lines in DUT1:
set vpn ipsec auth-profile AUTH-SA local id roadwarrior
set vpn ipsec auth-profile AUTH-SA remote id server
set vpn ipsec site-to-site peer PEER unique never
Step 7: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Deleting IPSec SAs... 100.00%
Closed tunnels: 1
Step 8: Run the command vpn ipsec initiate peer PEER tunnel 1 on DUT1 and expect the following output:
Initiating IPSec SAs... 100.00%
Initiated tunnels: 1
Step 9: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expression:
peer-PEER-tunnel-\d+.+INSTALLED
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 5bdf3e6a8a635bd4_i ebe78552c17565d2_r*
  local 'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 22916s
  peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3446s, expires in 3960s
    in  cddb3c74, 0 bytes, 0 packets
    out c2142a7f, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24
Step 10: Set the following configuration in DUT2:
set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.3/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1/v9RXd+UglCGwp5LrhlUaeEJt/zL42F3k=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA local id roadwarrior
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote id server
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.3
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER unique never
Step 11: Ping the IP address 80.0.0.3 from DUT0:
admin@DUT0$ ping 80.0.0.3 count 1 size 56 timeout 1
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data.
64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.318 ms

--- 80.0.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.318/0.318/0.318/0.000 ms
Step 12: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expression:
(?s)80.0.0\.2\[500\].*INSTALLED
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, 011fea45ed85b995_i d53d188c244cb56a_r*
  local 'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 5s ago, rekeying in 24953s
  peer-PEER-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 5s ago, rekeying in 3577s, expires in 3955s
    in  ca8de0a9, 0 bytes, 0 packets
    out cd8bf644, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 5bdf3e6a8a635bd4_i ebe78552c17565d2_r*
  local 'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 8s ago, rekeying in 22908s
  peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 8s ago, rekeying in 3438s, expires in 3952s
    in  cddb3c74, 0 bytes, 0 packets
    out c2142a7f, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24
Step 13: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expression:
(?s)80.0.0\.3\[500\].*INSTALLED
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, 011fea45ed85b995_i d53d188c244cb56a_r*
  local 'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 5s ago, rekeying in 24953s
  peer-PEER-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 5s ago, rekeying in 3577s, expires in 3955s
    in  ca8de0a9, 0 bytes, 0 packets
    out cd8bf644, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 5bdf3e6a8a635bd4_i ebe78552c17565d2_r*
  local 'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 8s ago, rekeying in 22908s
  peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 8s ago, rekeying in 3438s, expires in 3952s
    in  cddb3c74, 0 bytes, 0 packets
    out c2142a7f, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24
Test No Without Initial Contact
Description
With unique = no and no INITIAL_CONTACT, no proactive duplicate check is performed (with this setting the responder only cleans up when the peer itself sends INITIAL_CONTACT). Both SAs coexist.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces dummy dum0 address 10.1.0.1/24
set interfaces ethernet eth0 address 80.0.0.1/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+QvYIDRwrN96mRlE9+904kgpCeEWNIB74=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 2: Set the following configuration in DUT1:
set interfaces dummy dum0 address 10.3.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19MQxsZq2BAGbb2jC7Xz+7j1ZToAD5rbcQ=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.372 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.372/0.372/0.372/0.000 ms
Step 4: Ping the IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.263 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.263/0.263/0.263/0.000 ms
Step 5: Modify the following configuration lines in DUT0:
delete vpn ipsec site-to-site peer PEER remote-address
set vpn ipsec auth-profile AUTH-SA local id server
set vpn ipsec auth-profile AUTH-SA remote id roadwarrior
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER unique no
Step 6: Modify the following configuration lines in DUT1:
set vpn ipsec auth-profile AUTH-SA local id roadwarrior
set vpn ipsec auth-profile AUTH-SA remote id server
set vpn ipsec site-to-site peer PEER unique never
Step 7: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Deleting IPSec SAs... 100.00%
Closed tunnels: 1
Step 8: Run the command vpn ipsec initiate peer PEER tunnel 1 on DUT1 and expect the following output:
Initiating IPSec SAs... 100.00%
Initiated tunnels: 1
Step 9: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expression:
peer-PEER-tunnel-\d+.+INSTALLED
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 2827e5863ef5c8aa_i c2fff7b2f611f52c_r*
  local 'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 20266s
  peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3260s, expires in 3960s
    in  c3ef90af, 0 bytes, 0 packets
    out c06d3ed6, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24
Step 10: Set the following configuration in DUT2:
set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.3/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX18jx4ENLu5Ddca2Wrz4L3jzmhqwYCFkB6g=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA local id roadwarrior
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote id server
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.3
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER unique never
Step 11: Ping the IP address 80.0.0.3 from DUT0:
admin@DUT0$ ping 80.0.0.3 count 1 size 56 timeout 1
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data.
64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.371 ms

--- 80.0.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.371/0.371/0.371/0.000 ms
Step 12: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expression:
(?s)80.0.0\.2\[500\].*INSTALLED
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 2827e5863ef5c8aa_i c2fff7b2f611f52c_r*
  local 'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 8s ago, rekeying in 20258s
  peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 8s ago, rekeying in 3252s, expires in 3952s
    in  c3ef90af, 0 bytes, 0 packets
    out c06d3ed6, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, 7f142e39fa17410d_i b6c30e59ca474cea_r*
  local 'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 6s ago, rekeying in 19881s
  peer-PEER-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 6s ago, rekeying in 3484s, expires in 3954s
    in  c4a38346, 0 bytes, 0 packets
    out c594dade, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
Step 13: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expression:
(?s)80.0.0\.3\[500\].*INSTALLED
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 2827e5863ef5c8aa_i c2fff7b2f611f52c_r*
  local 'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 8s ago, rekeying in 20258s
  peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 8s ago, rekeying in 3252s, expires in 3952s
    in  c3ef90af, 0 bytes, 0 packets
    out c06d3ed6, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, 7f142e39fa17410d_i b6c30e59ca474cea_r*
  local 'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 6s ago, rekeying in 19881s
  peer-PEER-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 6s ago, rekeying in 3484s, expires in 3954s
    in  c4a38346, 0 bytes, 0 packets
    out c594dade, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
Test Replace Without Initial Contact
Description
With unique = replace and no INITIAL_CONTACT, the responder proactively detects the duplicate, accepts the new SA and deletes the existing one (Step 12 below shows DUT1's IKE_SA in DELETING state while DUT2's is ESTABLISHED). Because DUT1 may auto-reconnect after being replaced, the test only verifies that DUT2's SA is accepted (unlike keep, which rejects it). Note that the check keys on the IKE identity alone: any peer that presents the same identity and credentials can displace an established session, so keep is the setting to use where an existing peer must not be pre-empted.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces dummy dum0 address 10.1.0.1/24
set interfaces ethernet eth0 address 80.0.0.1/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+nIB5sGr8VlJSc8PDOsnm/AmEskULiMm8=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 2: Set the following configuration in DUT1:
set interfaces dummy dum0 address 10.3.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1/ej2iTcHhuxYbA2X/UjQtpvNEbVyJfuZk=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.299 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.299/0.299/0.299/0.000 ms
Step 4: Ping the IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.310 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.310/0.310/0.310/0.000 ms
Step 5: Modify the following configuration lines in DUT0:
delete vpn ipsec site-to-site peer PEER remote-address
set vpn ipsec auth-profile AUTH-SA local id server
set vpn ipsec auth-profile AUTH-SA remote id roadwarrior
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER unique replace
Step 6: Modify the following configuration lines in DUT1:
set vpn ipsec auth-profile AUTH-SA local id roadwarrior
set vpn ipsec auth-profile AUTH-SA remote id server
set vpn ipsec site-to-site peer PEER unique never
Step 7: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Deleting IPSec SAs... 100.00%
Closed tunnels: 1
Step 8: Run the command vpn ipsec initiate peer PEER tunnel 1 on DUT1 and expect the following output:
Initiating IPSec SAs... 100.00%
Initiated tunnels: 1
Step 9: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expression:
peer-PEER-tunnel-\d+.+INSTALLED
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 9f4ee5c13bdae5ed_i 126d7fa590cff1c2_r*
  local 'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 19406s
  peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3286s, expires in 3960s
    in  ce461985, 0 bytes, 0 packets
    out cc3e11e3, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24
Step 10: Set the following configuration in DUT2:
set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.3/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+9qUA5xtzfoQ8o02FOqpn96JWwlbkYoF8=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA local id roadwarrior
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote id server
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.3
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER unique never
Step 11: Ping the IP address 80.0.0.3 from DUT0:
admin@DUT0$ ping 80.0.0.3 count 1 size 56 timeout 1
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data.
64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.259 ms

--- 80.0.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.259/0.259/0.259/0.000 ms
Step 12: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expression:
(?s)80.0.0\.3\[500\].*INSTALLED
vpn-peer-PEER: #537, DELETING, IKEv2, 309c6f3b69df93c1_i 80481837997e7603_r*
  local 'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  active: IKE_DELETE
  peer-PEER-tunnel-1: #538, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3356s, expires in 3959s
    in  c3530143, 0 bytes, 0 packets
    out caa05be0, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24
vpn-peer-PEER: #538, ESTABLISHED, IKEv2, 18e3204081f84eca_i c209927b89b5375e_r*
  local 'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 17556s
  peer-PEER-tunnel-1: #539, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3507s, expires in 3959s
    in  c8b80c53, 0 bytes, 0 packets
    out c456472c, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
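The regular expression used in Step 12, (?s)80.0.0\.3\[500\].*INSTALLED, only proves that the string INSTALLED appears somewhere after the address. In this very output the same pattern would also match 80.0.0.2, whose IKE_SA is already DELETING while its CHILD_SA is still INSTALLED, so the regex cannot tell a replaced peer from a live one. The following added example (not part of this test suite or of the router software) parses the show sa output into IKE_SA and CHILD_SA records so that the two states can be checked separately. The field layout the regular expressions assume is the strongSwan-style layout printed above; SAMPLE is the Step 12 output re-wrapped one field per line, and the function names are hypothetical.

```python
"""Parse 'vpn ipsec show sa' output into IKE_SA / CHILD_SA records.

Added illustration, not part of the test suite or the router software.
The layout matched below is the strongSwan-style layout shown on this
page (an assumption); SAMPLE is the Step 12 output of the replace test,
re-wrapped one field per line.
"""
import re
from typing import Dict, List

SAMPLE = """\
vpn-peer-PEER: #537, DELETING, IKEv2, 309c6f3b69df93c1_i 80481837997e7603_r*
  local 'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  active: IKE_DELETE
  peer-PEER-tunnel-1: #538, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3356s, expires in 3959s
    in  c3530143, 0 bytes, 0 packets
    out caa05be0, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24
vpn-peer-PEER: #538, ESTABLISHED, IKEv2, 18e3204081f84eca_i c209927b89b5375e_r*
  local 'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 17556s
  peer-PEER-tunnel-1: #539, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3507s, expires in 3959s
    in  c8b80c53, 0 bytes, 0 packets
    out c456472c, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
"""

# IKE_SA header: name, unique id, state, SPIs, local/remote identity and address.
# \s+ between fields so the same patterns work on the flattened one-line form.
IKE_RE = re.compile(
    r"(?P<name>[\w-]+):\s+#(?P<id>\d+),\s+(?P<state>[A-Z_]+),\s+IKEv\d,\s+"
    r"(?P<spi_i>[0-9a-f]+)_i\s+(?P<spi_r>[0-9a-f]+)_r\*?\s+"
    r"local\s+'(?P<local_id>[^']*)'\s+@\s+(?P<local_ip>[\d.]+)\[(?P<local_port>\d+)\]\s+"
    r"remote\s+'(?P<remote_id>[^']*)'\s+@\s+(?P<remote_ip>[\d.]+)\[(?P<remote_port>\d+)\]"
)
# CHILD_SA header: name, id, reqid, state, mode, ESP algorithm.
CHILD_RE = re.compile(
    r"(?P<name>[\w-]+):\s+#(?P<id>\d+),\s+reqid\s+(?P<reqid>\d+),\s+"
    r"(?P<state>[A-Z_]+),\s+(?P<mode>[A-Z]+),\s+ESP:(?P<alg>\S+)"
)
# Traffic selectors printed after the CHILD_SA counters.
TS_RE = re.compile(r"\blocal\s+([\d./]+)\s+remote\s+([\d./]+)")


def parse_sas(text: str) -> List[Dict]:
    """Return a list of IKE_SA dicts, each with a 'children' list of CHILD_SA dicts."""
    events = [("ike", m) for m in IKE_RE.finditer(text)]
    events += [("child", m) for m in CHILD_RE.finditer(text)]
    events.sort(key=lambda e: e[1].start())
    sas: List[Dict] = []
    for i, (kind, m) in enumerate(events):
        end = events[i + 1][1].start() if i + 1 < len(events) else len(text)
        if kind == "ike":
            sas.append({**m.groupdict(), "children": []})
            continue
        if not sas:
            raise ValueError("CHILD_SA listed before any IKE_SA")
        child = m.groupdict()
        ts = TS_RE.search(text[m.start():end])   # selectors belong to this child only
        child["ts_local"], child["ts_remote"] = ts.groups() if ts else (None, None)
        sas[-1]["children"].append(child)
    return sas


def established_peers(text: str) -> List[str]:
    """Remote addresses whose IKE_SA is ESTABLISHED and carries an INSTALLED CHILD_SA."""
    return sorted(
        sa["remote_ip"] for sa in parse_sas(text)
        if sa["state"] == "ESTABLISHED"
        and any(c["state"] == "INSTALLED" for c in sa["children"])
    )


def page_regex_matches(text: str, remote_ip: str) -> bool:
    """The check the test step uses, for comparison: address followed by INSTALLED anywhere."""
    return re.search(r"(?s)" + re.escape(remote_ip) + r"\[500\].*INSTALLED", text) is not None


if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        kids = ", ".join(f"#{c['id']} {c['state']} {c['ts_local']}->{c['ts_remote']}"
                         for c in sa["children"])
        print(f"IKE_SA #{sa['id']} {sa['state']:11s} {sa['remote_id']}@{sa['remote_ip']}: {kids}")
    print("page regex matches 80.0.0.2:", page_regex_matches(SAMPLE, "80.0.0.2"))
    print("actually established peers:", established_peers(SAMPLE))
```

On the Step 12 output the page's regex reports a match for 80.0.0.2 even though that peer has just been replaced, whereas established_peers returns only 80.0.0.3; a test that wants to prove DUT1 was displaced should assert on the IKE_SA state, not on the presence of INSTALLED.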
Test Keep Without Initial Contact
Description
With unique = keep and no INITIAL_CONTACT, the responder proactively detects the duplicate and rejects a new connection that arrives from a different IP address, keeping the existing SA. If the peer reconnects from the same IP address, the new connection is allowed, since it is treated as a reauthentication rather than as a second peer.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces dummy dum0 address 10.1.0.1/24
set interfaces ethernet eth0 address 80.0.0.1/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19mUvelk3h0UG5SDWPMg1UyNNqMtDr7gMY=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 2: Set the following configuration in DUT1:
set interfaces dummy dum0 address 10.3.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+15fZycg1nvZDNEp/LNABCtPoSy40sGeM=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.356 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.356/0.356/0.356/0.000 ms
Step 4: Ping the IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.295 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.295/0.295/0.295/0.000 ms
Step 5: Modify the following configuration lines in DUT0 :
delete vpn ipsec site-to-site peer PEER remote-address set vpn ipsec auth-profile AUTH-SA local id server set vpn ipsec auth-profile AUTH-SA remote id roadwarrior set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 0.0.0.0/0 set vpn ipsec site-to-site peer PEER unique keep
Step 6: Modify the following configuration lines in DUT1 :
set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec site-to-site peer PEER unique never
Step 7: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 1
Step 8: Run the command vpn ipsec initiate peer PEER tunnel 1 on DUT1 and expect the following output:
Show output
Initiating IPSec SAs... 100.00% Initiated tunnels: 1
Step 9: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, e95eea6a524c6728_i 9626fa6c9ce15fb7_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 13281s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3462s, expires in 3960s in c5c5ed01, 0 bytes, 0 packets out c16f4410, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 10: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+THEYlW0MILWlkkVUINPT+EHFPCSULy/0= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER unique never
Step 11: Ping the IP address 80.0.0.3 from DUT0:
admin@DUT0$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.494 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.494/0.494/0.494/0.000 ms
Step 12: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.2\[500\].*INSTALLEDShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, e95eea6a524c6728_i 9626fa6c9ce15fb7_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 8s ago, rekeying in 13273s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3454s, expires in 3952s in c5c5ed01, 0 bytes, 0 packets out c16f4410, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 13: Expect a failure in the following command:
Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.3\[500\].*INSTALLEDShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, e95eea6a524c6728_i 9626fa6c9ce15fb7_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 8s ago, rekeying in 13273s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3454s, expires in 3952s in c5c5ed01, 0 bytes, 0 packets out c16f4410, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Test Never Ignores Initial Contact
Description
With unique = never, INITIAL_CONTACT notifications from the peer are ignored. Both SAs coexist even when the new peer sends INITIAL_CONTACT.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces dummy dum0 address 10.1.0.1/24
set interfaces ethernet eth0 address 80.0.0.1/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19ICiqP3znWdWCX13e+ScfoZcx77lr8uo8=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 2: Set the following configuration in DUT1:
set interfaces dummy dum0 address 10.3.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX183qXmo6ksvB1pK0545T97tDWggokIzBFk=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.456 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.456/0.456/0.456/0.000 ms
Step 4: Ping the IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.285 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.285/0.285/0.285/0.000 ms
Step 5: Modify the following configuration lines in DUT0:
delete vpn ipsec site-to-site peer PEER remote-address
set vpn ipsec auth-profile AUTH-SA local id server
set vpn ipsec auth-profile AUTH-SA remote id roadwarrior
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER unique never
Step 6: Modify the following configuration lines in DUT1:
set vpn ipsec auth-profile AUTH-SA local id roadwarrior
set vpn ipsec auth-profile AUTH-SA remote id server
set vpn ipsec site-to-site peer PEER unique no
Step 7: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Deleting IPSec SAs... 100.00%
Closed tunnels: 1
Step 8: Run the command vpn ipsec initiate peer PEER tunnel 1 on DUT1 and expect the following output:
Initiating IPSec SAs... 100.00%
Initiated tunnels: 1
Step 9: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLED
Output:
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 9ca7e444bfa83a2e_i 4d87acfafdd02c90_r*
  local  'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 15432s
  peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3331s, expires in 3960s
    in  c4a79d2c, 0 bytes, 0 packets
    out c22d9bef, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24
Step 10: Set the following configuration in DUT2:
set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.3/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1/zXieYb3UJrYmyltb3+2EJ1SyF5EIZFg0=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA local id roadwarrior
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote id server
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.3
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER unique no
Step 11: Ping the IP address 80.0.0.3 from DUT0:
admin@DUT0$ ping 80.0.0.3 count 1 size 56 timeout 1
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data.
64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.284 ms

--- 80.0.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.284/0.284/0.284/0.000 ms
Step 12: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.2\[500\].*INSTALLED
Output:
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 9ca7e444bfa83a2e_i 4d87acfafdd02c90_r*
  local  'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 8s ago, rekeying in 15424s
  peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 8s ago, rekeying in 3323s, expires in 3952s
    in  c4a79d2c, 0 bytes, 0 packets
    out c22d9bef, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, c36b2dfb4dc52acf_i 6e896343b595c17b_r*
  local  'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 5s ago, rekeying in 21867s
  peer-PEER-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 5s ago, rekeying in 3349s, expires in 3955s
    in  c53d9ea7, 0 bytes, 0 packets
    out cea9114a, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
Step 13: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.3\[500\].*INSTALLED
Output:
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 9ca7e444bfa83a2e_i 4d87acfafdd02c90_r*
  local  'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 8s ago, rekeying in 15424s
  peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 8s ago, rekeying in 3323s, expires in 3952s
    in  c4a79d2c, 0 bytes, 0 packets
    out c22d9bef, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, c36b2dfb4dc52acf_i 6e896343b595c17b_r*
  local  'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 5s ago, rekeying in 21867s
  peer-PEER-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 5s ago, rekeying in 3349s, expires in 3955s
    in  c53d9ea7, 0 bytes, 0 packets
    out cea9114a, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
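The checks in steps 12 and 13 use regular expressions of the form (?s)ADDR\[500\].*INSTALLED. Because (?s) lets the dot cross line breaks, the address and the INSTALLED token may come from two different SA blocks, so a listing in which the 80.0.0.2 IKE SA is still ESTABLISHED but has lost its CHILD_SA, followed by an INSTALLED child under 80.0.0.3, still satisfies the 80.0.0.2 pattern. The script below is an added example (not code from the page or from the product under test): it parses the show-sa listing into IKE SAs with their children, so that an INSTALLED child is attributed to the IKE SA it belongs to. The first sample is the two-peer output from step 12 above; the second is a constructed listing that demonstrates the false positive.

```python
import re
from typing import Dict, List

# Two-peer listing taken from step 12 of this test; line breaks restored to the
# layout of `vpn ipsec show sa` (strongSwan's list-sas format).
SAMPLE_TWO_PEERS = """\
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 9ca7e444bfa83a2e_i 4d87acfafdd02c90_r*
  local  'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 8s ago, rekeying in 15424s
  peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 8s ago, rekeying in 3323s, expires in 3952s
    in  c4a79d2c, 0 bytes, 0 packets
    out c22d9bef, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, c36b2dfb4dc52acf_i 6e896343b595c17b_r*
  local  'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 5s ago, rekeying in 21867s
  peer-PEER-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 5s ago, rekeying in 3349s, expires in 3955s
    in  c53d9ea7, 0 bytes, 0 packets
    out cea9114a, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
"""

# Constructed edge case: same listing, but the 80.0.0.2 IKE SA has lost its
# CHILD_SA (lines 6-11 of the sample removed). Not a capture from the page.
_lines = SAMPLE_TWO_PEERS.splitlines()
SAMPLE_STALE_IKE = "\n".join(_lines[:5] + _lines[11:]) + "\n"

# An IKE SA header starts at column 0; its own 'remote' line carries a quoted
# identity and a port; a CHILD_SA header is indented and carries a reqid.
IKE_RE = re.compile(r"^(\S+): #(\d+), (\w+), IKEv\d")
REMOTE_RE = re.compile(r"^\s+remote '([^']*)' @ ([\d.]+)\[(\d+)\]")
CHILD_RE = re.compile(r"^\s+(\S+): #(\d+), reqid (\d+), (\w+), ")


def parse_sas(text: str) -> List[Dict]:
    """Parse a show-sa listing into IKE SA records, each with its CHILD_SAs."""
    sas: List[Dict] = []
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            sas.append({"name": m.group(1), "uid": int(m.group(2)),
                        "state": m.group(3), "remote_id": None,
                        "remote_addr": None, "children": []})
            continue
        if not sas:
            continue  # ignore anything printed before the first IKE SA
        m = REMOTE_RE.match(line)
        if m:  # child traffic-selector lines have no quotes, so they do not match
            sas[-1]["remote_id"], sas[-1]["remote_addr"] = m.group(1), m.group(2)
            continue
        m = CHILD_RE.match(line)
        if m:
            sas[-1]["children"].append({"name": m.group(1), "uid": int(m.group(2)),
                                        "reqid": int(m.group(3)),
                                        "state": m.group(4)})
    return sas


def installed_children(text: str, remote_addr: str) -> List[str]:
    """Names of INSTALLED CHILD_SAs that belong to an IKE SA with this remote endpoint."""
    return [c["name"]
            for sa in parse_sas(text) if sa["remote_addr"] == remote_addr
            for c in sa["children"] if c["state"] == "INSTALLED"]


def loose_regex_check(text: str, remote_addr: str) -> bool:
    """The page's own style of check: the address anywhere before an INSTALLED."""
    pattern = r"(?s)" + re.escape(remote_addr) + r"\[500\].*INSTALLED"
    return re.search(pattern, text) is not None


if __name__ == "__main__":
    for label, sample in (("two peers", SAMPLE_TWO_PEERS), ("stale IKE", SAMPLE_STALE_IKE)):
        for addr in ("80.0.0.2", "80.0.0.3"):
            print(f"{label:<9} {addr}: regex={loose_regex_check(sample, addr)!s:<5} "
                  f"parsed={installed_children(sample, addr)}")
```

On the stale-IKE listing the loose check still reports 80.0.0.2 as installed, while the structured check returns no child for it; when a test's verdict depends on which peer owns the tunnel, attribute the INSTALLED child to its IKE SA as above.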
Test No Reacts To Initial Contact
Description
With unique = no, the responder does not proactively check for duplicates but does delete existing SAs when the new peer sends INITIAL_CONTACT.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces dummy dum0 address 10.1.0.1/24
set interfaces ethernet eth0 address 80.0.0.1/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1/1DbvLy7S8yNm+3FA7TecRPYh29Z/TL9I=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 2: Set the following configuration in DUT1:
set interfaces dummy dum0 address 10.3.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+G1KB8+hDmc2ivQT38kd2iP7+ZLvwNKuo=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.529 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.529/0.529/0.529/0.000 ms
Step 4: Ping the IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.251 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.251/0.251/0.251/0.000 ms
Step 5: Modify the following configuration lines in DUT0:
delete vpn ipsec site-to-site peer PEER remote-address
set vpn ipsec auth-profile AUTH-SA local id server
set vpn ipsec auth-profile AUTH-SA remote id roadwarrior
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER unique no
Step 6: Modify the following configuration lines in DUT1:
set vpn ipsec auth-profile AUTH-SA local id roadwarrior
set vpn ipsec auth-profile AUTH-SA remote id server
set vpn ipsec site-to-site peer PEER unique no
Step 7: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Deleting IPSec SAs... 100.00%
Closed tunnels: 1
Step 8: Run the command vpn ipsec initiate peer PEER tunnel 1 on DUT1 and expect the following output:
Initiating IPSec SAs... 100.00%
Initiated tunnels: 1
Step 9: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLED
Output:
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 8a3451838d2fed01_i f4b1d453aab63618_r*
  local  'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 13155s
  peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3482s, expires in 3959s
    in  cd36fc0c, 0 bytes, 0 packets
    out ca3df82f, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24
Step 10: Modify the following configuration lines in DUT1:
set interfaces ethernet eth0 disable
Step 11: Set the following configuration in DUT2:
set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.3/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1/iDiElEGPO4ytaoapIuOrBKC3UCzDhrWI=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA local id roadwarrior
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote id server
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.3
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER unique no
Step 12: Ping the IP address 80.0.0.3 from DUT0:
admin@DUT0$ ping 80.0.0.3 count 1 size 56 timeout 1
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data.
64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.227 ms

--- 80.0.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.227/0.227/0.227/0.000 ms
Step 13: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.3\[500\].*INSTALLED
Output:
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, 0bcff4598b5dd7f8_i 1e81fbdac97c6864_r*
  local  'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 5s ago, rekeying in 16617s
  peer-PEER-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 5s ago, rekeying in 3290s, expires in 3955s
    in  ca782ae1, 0 bytes, 0 packets
    out c3f4725c, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
Step 14: Expect a failure in the following command:
Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.2\[500\].*INSTALLED
Output:
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, 0bcff4598b5dd7f8_i 1e81fbdac97c6864_r*
  local  'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 5s ago, rekeying in 16617s
  peer-PEER-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 5s ago, rekeying in 3290s, expires in 3955s
    in  ca782ae1, 0 bytes, 0 packets
    out c3f4725c, 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
Test Replace Reacts To Initial Contact
Description
With unique = replace, the responder also
reacts to INITIAL_CONTACT from the new peer,
destroying existing SAs for the same identity.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX18TZ0djNDjacW1kSdvFyoWrd+WqzxPIzCA= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19l25NSys/0c4/65OE+9mhIdMxUUcOk5MA= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.347 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.347/0.347/0.347/0.000 ms
Step 4: Ping the IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.268 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.268/0.268/0.268/0.000 ms
Step 5: Modify the following configuration lines in DUT0 :
delete vpn ipsec site-to-site peer PEER remote-address set vpn ipsec auth-profile AUTH-SA local id server set vpn ipsec auth-profile AUTH-SA remote id roadwarrior set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 0.0.0.0/0 set vpn ipsec site-to-site peer PEER unique replace
Step 6: Modify the following configuration lines in DUT1 :
set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec site-to-site peer PEER unique no
Step 7: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 1
Step 8: Run the command vpn ipsec initiate peer PEER tunnel 1 on DUT1 and expect the following output:
Show output
Initiating IPSec SAs... 100.00% Initiated tunnels: 1
Step 9: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, b6254045cff63ded_i 1ca8260dca021b08_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 15127s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3384s, expires in 3960s in c2f9d19a, 0 bytes, 0 packets out c21c265f, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 10: Modify the following configuration lines in DUT1 :
set interfaces ethernet eth0 disable
Step 11: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19TJoBmk/W6LqD02tCnL21DeJvSPu3nMzI= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER unique no
Step 12: Ping the IP address 80.0.0.3 from DUT0:
admin@DUT0$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.254 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.254/0.254/0.254/0.000 ms
Step 13: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.3\[500\].*INSTALLED
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, b70dee8cba19445b_i 3d0e7b711fa9c984_r*
  local  'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 6s ago, rekeying in 14553s
  peer-PEER-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 6s ago, rekeying in 3423s, expires in 3954s
    in  c13f7179,      0 bytes,     0 packets
    out c3f29222,      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
Step 14: The following check is expected to fail, which confirms that the SA with 80.0.0.2 no longer exists on DUT0:
Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.2\[500\].*INSTALLED
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, b70dee8cba19445b_i 3d0e7b711fa9c984_r*
  local  'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 6s ago, rekeying in 14553s
  peer-PEER-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 6s ago, rekeying in 3423s, expires in 3954s
    in  c13f7179,      0 bytes,     0 packets
    out c3f29222,      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
Test Keep With Initial Contact
Description
With unique = keep, if the new peer sends
INITIAL_CONTACT, the existing SA is destroyed
regardless of the keep policy. INITIAL_CONTACT
is processed before evaluating the unique
policy.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24
set interfaces ethernet eth0 address 80.0.0.1/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1/KWc/2D+wGu4zvUB3/LMeIV7IjfIrdM+8=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19yj3p0uyqcu+7WudkCyJwBPbEWWgA8ZYs=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.457 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.457/0.457/0.457/0.000 ms
Step 4: Ping the IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.393 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.393/0.393/0.393/0.000 ms
Step 5: Modify the following configuration lines in DUT0 :
delete vpn ipsec site-to-site peer PEER remote-address
set vpn ipsec auth-profile AUTH-SA local id server
set vpn ipsec auth-profile AUTH-SA remote id roadwarrior
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER unique keep
Step 6: Modify the following configuration lines in DUT1 :
set vpn ipsec auth-profile AUTH-SA local id roadwarrior
set vpn ipsec auth-profile AUTH-SA remote id server
set vpn ipsec site-to-site peer PEER unique no
Step 7: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Deleting IPSec SAs... 100.00%
Closed tunnels: 1
Step 8: Run the command vpn ipsec initiate peer PEER tunnel 1 on DUT1 and expect the following output:
Initiating IPSec SAs... 100.00%
Initiated tunnels: 1
Step 9: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLED
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, a8b4abaadac42d62_i eb77d628204fc00f_r*
  local  'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 20924s
  peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3328s, expires in 3960s
    in  ca199400,      0 bytes,     0 packets
    out c110c602,      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24
Step 10: Modify the following configuration lines in DUT1 (this takes DUT1 off the link without an IKE DELETE, so DUT0 still holds the SA with 80.0.0.2 when DUT2 connects under the same identity):
set interfaces ethernet eth0 disable
Step 11: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.3/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+Blm2trp7vYUa3eHwRbG/2wvbiAX7CJTA=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA local id roadwarrior
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote id server
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.3
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER unique no
Step 12: Ping the IP address 80.0.0.3 from DUT0:
admin@DUT0$ ping 80.0.0.3 count 1 size 56 timeout 1
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data.
64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.167 ms

--- 80.0.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.167/0.167/0.167/0.000 ms
Step 13: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.3\[500\].*INSTALLED
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, 891ba6a12cb58d02_i fc63d0e8523cb8c0_r*
  local  'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 6s ago, rekeying in 13133s
  peer-PEER-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 6s ago, rekeying in 3337s, expires in 3954s
    in  c43422f5,      0 bytes,     0 packets
    out caa6649c,      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
Step 14: The following check is expected to fail, which confirms that INITIAL_CONTACT from DUT2 destroyed the SA with 80.0.0.2 even though unique is set to keep:
Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.2\[500\].*INSTALLED
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, 891ba6a12cb58d02_i fc63d0e8523cb8c0_r*
  local  'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 6s ago, rekeying in 13133s
  peer-PEER-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 6s ago, rekeying in 3337s, expires in 3954s
    in  c43422f5,      0 bytes,     0 packets
    out caa6649c,      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
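Steps 13 and 14 of this test, and of the test above it, decide the outcome with two regular expressions over vpn ipsec show sa. As an added example (not part of this page and not the device's own tooling), the following Python parses that output into IKE SA records and answers the same questions in structured form: which remote IKE identities hold more than one live IKE SA, whether an INSTALLED CHILD_SA exists under the IKE SA from a given address, and whether the new peer replaced the old one. The two sample outputs are constructed to mirror the layout shown on this page; SPIs and timers are placeholders. The second sample shows the two-SA state a responder leaves behind when it performs no uniqueness check at all (unique never, no INITIAL_CONTACT received), which is the state the keep and replace policies, and INITIAL_CONTACT, exist to prevent.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample (not captured from a device): the state DUT0 is expected to
# be in after step 13, one IKE SA for 'roadwarrior' and it comes from 80.0.0.3.
SAMPLE_REPLACED = """\
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, 891ba6a12cb58d02_i fc63d0e8523cb8c0_r*
  local  'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.3[500]
  established 6s ago, rekeying in 13133s
  peer-PEER-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 6s ago, rekeying in 3337s, expires in 3954s
    local  10.1.0.0/24
    remote 10.2.0.0/24
"""

# Constructed sample: what a responder that runs no uniqueness check (unique
# never, no INITIAL_CONTACT received) leaves behind: two IKE SAs for the same
# remote identity, from two different addresses.
SAMPLE_COEXIST = """\
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, a8b4abaadac42d62_i eb77d628204fc00f_r*
  local  'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.2[500]
  peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    local  10.1.0.0/24
    remote 10.3.0.0/24
vpn-peer-PEER: #5, ESTABLISHED, IKEv2, 0d3a9c1e5b7f2a44_i 6e1c8b0a9f3d5e22_r*
  local  'server' @ 80.0.0.1[500]
  remote 'roadwarrior' @ 80.0.0.3[500]
  peer-PEER-tunnel-1: #6, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    local  10.1.0.0/24
    remote 10.2.0.0/24
"""

# IKE SA header, identity lines and CHILD_SA header, in the layout this page shows.
IKE_HDR = re.compile(r"(?P<name>[\w-]+): #(?P<id>\d+), (?P<state>[A-Z_]+), IKEv(?P<ver>\d)")
IDENT = re.compile(r"(?P<side>local|remote)\s+'(?P<id>[^']*)'\s+@\s+(?P<addr>[\d.]+)\[\d+\]")
CHILD = re.compile(r"(?P<name>[\w-]+): #(?P<id>\d+), reqid \d+, (?P<state>[A-Z_]+), (?P<mode>[A-Z]+)")


@dataclass
class ChildSA:
    name: str
    sa_id: int
    state: str
    mode: str


@dataclass
class IkeSA:
    name: str
    sa_id: int
    state: str
    local_id: str = ""
    local_addr: str = ""
    remote_id: str = ""
    remote_addr: str = ""
    children: list[ChildSA] = field(default_factory=list)


def parse_show_sa(text: str) -> list[IkeSA]:
    """Split the output at each IKE SA header and parse the segment that follows it.

    Matching tokens rather than lines means the single-line form this page shows
    parses the same as the real multi-line output.
    """
    headers = list(IKE_HDR.finditer(text))
    sas: list[IkeSA] = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        seg = text[m.start():end]
        sa = IkeSA(m["name"], int(m["id"]), m["state"])
        for im in IDENT.finditer(seg):
            if im["side"] == "local":
                sa.local_id, sa.local_addr = im["id"], im["addr"]
            else:
                sa.remote_id, sa.remote_addr = im["id"], im["addr"]
        sa.children = [ChildSA(c["name"], int(c["id"]), c["state"], c["mode"]) for c in CHILD.finditer(seg)]
        sas.append(sa)
    return sas


def duplicate_identities(sas: list[IkeSA]) -> dict[str, list[str]]:
    """Remote identities holding more than one ESTABLISHED IKE SA, with the addresses
    they come from: exactly the condition a uniqueness policy is meant to prevent."""
    by_id: dict[str, list[str]] = defaultdict(list)
    for sa in sas:
        if sa.state == "ESTABLISHED":
            by_id[sa.remote_id].append(sa.remote_addr)
    return {ident: addrs for ident, addrs in by_id.items() if len(addrs) > 1}


def installed_from(sas: list[IkeSA], remote_addr: str) -> bool:
    """Structured form of the page's regex check: an INSTALLED CHILD_SA under the IKE SA from remote_addr."""
    return any(sa.remote_addr == remote_addr and any(c.state == "INSTALLED" for c in sa.children)
               for sa in sas)


def replaced(sas: list[IkeSA], old_addr: str, new_addr: str) -> bool:
    """Steps 13 and 14 together: the new peer is up and the old peer's SA is gone."""
    return installed_from(sas, new_addr) and not installed_from(sas, old_addr)
```

The structured check is stricter than the page's `(?s)80.0.0\.3\[500\].*INSTALLED`: because of `(?s)` and `.*`, that pattern also matches when the IKE SA from 80.0.0.3 has no CHILD_SA at all but a later IKE SA in the listing has one INSTALLED, so on its own it cannot tell replacement from coexistence; pairing it with the negative check on 80.0.0.2, as the test does, is what makes the verdict sound. Grouping by remote identity rather than by address is also the right audit for the keep and replace policies, since the uniqueness check on the responder keys on the IKE identity, not on the source address.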