Push Pull
These scenarios show how to configure the push/pull mechanism to send configuration options from the server to the client
Push Route IP
Description
A route to a single IP address is pushed to the client to be routed through the server
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server server-profile SRV set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn server-profile SRV push route destination 1.2.3.4/32 set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping the IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.241 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.241/0.241/0.241/0.000 ms
Step 4: Run the command interfaces openvpn ovpn1 status on DUT1 and check whether the output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 5: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.611 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.611/0.611/0.611/0.000 ms
Step 6: Run the command protocols ip show route on DUT1 and check whether the output contains the following tokens:
1.2.3.4/32Show output
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure IPv4 unicast VRF default: S>* 1.2.3.4/32 [1/0] via 10.0.0.1, ovpn1, weight 1, 00:00:01 C>* 10.0.0.0/29 is directly connected, ovpn1, weight 1, 00:00:01 L>* 10.0.0.2/32 is directly connected, ovpn1, weight 1, 00:00:01 L> 10.95.0.99/32 is directly connected, eth0 inactive, weight 1, 03:10:32 C>* 192.168.100.0/24 is directly connected, eth1, weight 1, 00:00:02 L>* 192.168.100.2/32 is directly connected, eth1, weight 1, 00:00:02
Push Route Network
Description
A network route is pushed to the client to be routed through the server
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server server-profile SRV set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn server-profile SRV push route destination 1.0.0.0/8 set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping the IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.336 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.336/0.336/0.336/0.000 ms
Step 4: Run the command interfaces openvpn ovpn1 status on DUT1 and check whether the output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 5: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.826 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.826/0.826/0.826/0.000 ms
Step 6: Run the command protocols ip show route on DUT1 and check whether the output contains the following tokens:
1.0.0.0/8Show output
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure IPv4 unicast VRF default: S>* 1.0.0.0/8 [1/0] via 10.0.0.1, ovpn1, weight 1, 00:00:02 C>* 10.0.0.0/29 is directly connected, ovpn1, weight 1, 00:00:02 L>* 10.0.0.2/32 is directly connected, ovpn1, weight 1, 00:00:02 L> 10.95.0.99/32 is directly connected, eth0 inactive, weight 1, 03:10:43 C>* 192.168.100.0/24 is directly connected, eth1, weight 1, 00:00:03 L>* 192.168.100.2/32 is directly connected, eth1, weight 1, 00:00:03
Client Push Route Network
Description
A network route is pushed to a specific client based on their common name
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server server-profile SRV set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn server-profile SRV client Client push route destination 1.0.0.0/8 set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping the IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.464 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.464/0.464/0.464/0.000 ms
Step 4: Run the command interfaces openvpn ovpn1 status on DUT1 and check whether the output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 5: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.724 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.724/0.724/0.724/0.000 ms
Step 6: Run the command protocols ip show route on DUT1 and check whether the output contains the following tokens:
1.0.0.0/8Show output
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure IPv4 unicast VRF default: S>* 1.0.0.0/8 [1/0] via 10.0.0.1, ovpn1, weight 1, 00:00:02 C>* 10.0.0.0/29 is directly connected, ovpn1, weight 1, 00:00:02 L>* 10.0.0.2/32 is directly connected, ovpn1, weight 1, 00:00:02 L> 10.95.0.99/32 is directly connected, eth0 inactive, weight 1, 03:11:13 C>* 192.168.100.0/24 is directly connected, eth1, weight 1, 00:00:03 L>* 192.168.100.2/32 is directly connected, eth1, weight 1, 00:00:03
Push Route VRF
Description
A VRF-aware network route is pushed to the client
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server server-profile SRV set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn server-profile SRV push route destination 1.2.3.4/32 set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set interfaces openvpn ovpn1 vrf VRF1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf VRF1 set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping the IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.261 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.261/0.261/0.261/0.000 ms
Step 4: Run the command interfaces openvpn ovpn1 status on DUT1 and check whether the output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 5: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 vrf VRF1 count 1 size 56 timeout 1Show output
ping: Warning: source address might be selected on device other than: VRF1 PING 10.0.0.1 (10.0.0.1) from 10.0.0.2 VRF1: 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=1.03 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 1.025/1.025/1.025/0.000 ms
Step 6: Run the command protocols vrf VRF1 ip show route on DUT1 and check whether the output contains the following tokens:
1.2.3.4/32Show output
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure IPv4 unicast VRF VRF1: K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:03 S>* 1.2.3.4/32 [1/0] via 10.0.0.1, ovpn1, weight 1, 00:00:02 C>* 10.0.0.0/29 is directly connected, ovpn1, weight 1, 00:00:02 L>* 10.0.0.2/32 is directly connected, ovpn1, weight 1, 00:00:02 K>* 127.0.0.0/8 [0/0] is directly connected, VRF1, weight 1, 00:00:03
Pull Filter
Description
A client configures a filter to ignore any option pushed by the server starting with the text “route 1.2.3.4” but accept all others
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server server-profile SRV set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn server-profile SRV push route destination 1.0.0.0/8 set vpn openvpn server-profile SRV push route destination 1.2.3.4/32 set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client client-profile CNT set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn client-profile CNT pull filter 1 policy ignore set vpn openvpn client-profile CNT pull filter 1 text 'route 1.2.3.4' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping the IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.392 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.392/0.392/0.392/0.000 ms
Step 4: Run the command interfaces openvpn ovpn1 status on DUT1 and check whether the output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 5: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.586 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.586/0.586/0.586/0.000 ms
Step 6: Run the command protocols ip show route on DUT1 and check whether the output contains the following tokens:
1.0.0.0/8Show output
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure IPv4 unicast VRF default: S>* 1.0.0.0/8 [1/0] via 10.0.0.1, ovpn1, weight 1, 00:00:02 C>* 10.0.0.0/29 is directly connected, ovpn1, weight 1, 00:00:02 L>* 10.0.0.2/32 is directly connected, ovpn1, weight 1, 00:00:02 L> 10.95.0.99/32 is directly connected, eth0 inactive, weight 1, 03:11:44 C>* 192.168.100.0/24 is directly connected, eth1, weight 1, 00:00:02 L>* 192.168.100.2/32 is directly connected, eth1, weight 1, 00:00:02
Step 7: Run the command protocols ip show route on DUT1 and check whether the output does not contain the following tokens:
1.2.3.4/32Show output
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure IPv4 unicast VRF default: S>* 1.0.0.0/8 [1/0] via 10.0.0.1, ovpn1, weight 1, 00:00:02 C>* 10.0.0.0/29 is directly connected, ovpn1, weight 1, 00:00:02 L>* 10.0.0.2/32 is directly connected, ovpn1, weight 1, 00:00:02 L> 10.95.0.99/32 is directly connected, eth0 inactive, weight 1, 03:11:44 C>* 192.168.100.0/24 is directly connected, eth1, weight 1, 00:00:02 L>* 192.168.100.2/32 is directly connected, eth1, weight 1, 00:00:02