Unique
Tests for the unique connection option, which controls what happens when a peer (identified by remote IKE identity) establishes a new SA while an existing one is already active. Although these tests use site-to-site peer configurations, the unique option behaves identically for DMVPN profiles. DUT0 acts as responder. DUT1 and DUT2 share the same IKE identity (roadwarrior) to trigger the uniqueness check on DUT0. Tests are split into two groups: proactive tests use unique never on initiators, so they do NOT send INITIAL_CONTACT (isolating the responder’s proactive uniqueness check), and INITIAL_CONTACT tests use the default unique (no) on initiators, so they DO send INITIAL_CONTACT (testing the responder’s reaction to peer-initiated cleanup).
Test Never Without Initial Contact
Description
With unique = never and no INITIAL_CONTACT,
no uniqueness checks are performed. Both SAs
coexist without restriction.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+EGPBlwUF5CB0zZhkVumb5ABZZU9VYNX8= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19gSpMuKeaXzIz+V6+Q587d/smVLY/oDaQ= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.405 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.405/0.405/0.405/0.000 ms
Step 4: Ping the IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.313 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.313/0.313/0.313/0.000 ms
Step 5: Modify the following configuration lines in DUT0 :
delete vpn ipsec site-to-site peer PEER remote-address set vpn ipsec auth-profile AUTH-SA local id server set vpn ipsec auth-profile AUTH-SA remote id roadwarrior set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 0.0.0.0/0 set vpn ipsec site-to-site peer PEER unique never
Step 6: Modify the following configuration lines in DUT1 :
set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec site-to-site peer PEER unique never
Step 7: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 1
Step 8: Run the command vpn ipsec initiate peer PEER tunnel 1 on DUT1 and expect the following output:
Show output
Initiating IPSec SAs... 100.00% Initiated tunnels: 1
Step 9: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 31e170148cf1031a_i b913643060388be4_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 15834s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3283s, expires in 3960s in c9b8139b, 0 bytes, 0 packets out c9b0ca77, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 10: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX18Lo/1sy4zOyS8DUsn2O/i1GbCix6r+bN8= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER unique never
Step 11: Ping the IP address 80.0.0.3 from DUT0:
admin@DUT0$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.440 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.440/0.440/0.440/0.000 ms
Step 12: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.2\[500\].*INSTALLEDShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 31e170148cf1031a_i b913643060388be4_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 9s ago, rekeying in 15825s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3274s, expires in 3951s in c9b8139b, 0 bytes, 0 packets out c9b0ca77, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #4, ESTABLISHED, IKEv2, 75e58f3751a38398_i 6a1f93b20ad0a189_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 6s ago, rekeying in 25624s peer-PEER-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 6s ago, rekeying in 3250s, expires in 3954s in cc400f9a, 0 bytes, 0 packets out cd8e994e, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 13: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.3\[500\].*INSTALLEDShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 31e170148cf1031a_i b913643060388be4_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 9s ago, rekeying in 15825s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3274s, expires in 3951s in c9b8139b, 0 bytes, 0 packets out c9b0ca77, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #4, ESTABLISHED, IKEv2, 75e58f3751a38398_i 6a1f93b20ad0a189_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 6s ago, rekeying in 25624s peer-PEER-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 6s ago, rekeying in 3250s, expires in 3954s in cc400f9a, 0 bytes, 0 packets out cd8e994e, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Test No Without Initial Contact
Description
With unique = no and no INITIAL_CONTACT,
no proactive duplicate check is performed.
Both SAs coexist.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX18Djnp8VGsli6ZSLjvmPaRGW4ROYdx/qYA= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX18mBuvU42SWNQ6slzCij93w7lpCe+eRlgo= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.461 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.461/0.461/0.461/0.000 ms
Step 4: Ping the IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.291 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.291/0.291/0.291/0.000 ms
Step 5: Modify the following configuration lines in DUT0 :
delete vpn ipsec site-to-site peer PEER remote-address set vpn ipsec auth-profile AUTH-SA local id server set vpn ipsec auth-profile AUTH-SA remote id roadwarrior set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 0.0.0.0/0 set vpn ipsec site-to-site peer PEER unique no
Step 6: Modify the following configuration lines in DUT1 :
set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec site-to-site peer PEER unique never
Step 7: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 1
Step 8: Run the command vpn ipsec initiate peer PEER tunnel 1 on DUT1 and expect the following output:
Show output
Initiating IPSec SAs... 100.00% Initiated tunnels: 1
Step 9: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 6a7096c2aa603ce3_i 5f3055a19f2975d7_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 17920s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3553s, expires in 3960s in c274a710, 0 bytes, 0 packets out c8a2db6b, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 10: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX18/aWZco7RVDQxqidDx4znGUNOYx7FzXXk= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER unique never
Step 11: Ping the IP address 80.0.0.3 from DUT0:
admin@DUT0$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=4.71 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 4.708/4.708/4.708/0.000 ms
Step 12: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.2\[500\].*INSTALLEDShow output
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, 401b92fa2bd7a3c5_i 0c71de1464408a01_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 6s ago, rekeying in 21476s peer-PEER-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 6s ago, rekeying in 3387s, expires in 3954s in ce8b970d, 0 bytes, 0 packets out c178a3c5, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24 vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 6a7096c2aa603ce3_i 5f3055a19f2975d7_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 9s ago, rekeying in 17911s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3544s, expires in 3951s in c274a710, 0 bytes, 0 packets out c8a2db6b, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 13: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.3\[500\].*INSTALLEDShow output
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, 401b92fa2bd7a3c5_i 0c71de1464408a01_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 6s ago, rekeying in 21476s peer-PEER-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 6s ago, rekeying in 3387s, expires in 3954s in ce8b970d, 0 bytes, 0 packets out c178a3c5, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24 vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 6a7096c2aa603ce3_i 5f3055a19f2975d7_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 9s ago, rekeying in 17911s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3544s, expires in 3951s in c274a710, 0 bytes, 0 packets out c8a2db6b, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Test Replace Without Initial Contact
Description
With unique = replace and no
INITIAL_CONTACT, the responder proactively
detects the duplicate and accepts the new SA.
DUT1 may auto-reconnect, so we only verify
that DUT2’s SA is accepted (unlike keep
which rejects it).
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX18mWCP71yPLg7hXfw9PuylxXtF9XbUwDT4= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19hQpj8hwR1IKth0id/1Ghy2UB9IeVHXqo= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.470 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.470/0.470/0.470/0.000 ms
Step 4: Ping the IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.369 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.369/0.369/0.369/0.000 ms
Step 5: Modify the following configuration lines in DUT0 :
delete vpn ipsec site-to-site peer PEER remote-address set vpn ipsec auth-profile AUTH-SA local id server set vpn ipsec auth-profile AUTH-SA remote id roadwarrior set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 0.0.0.0/0 set vpn ipsec site-to-site peer PEER unique replace
Step 6: Modify the following configuration lines in DUT1 :
set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec site-to-site peer PEER unique never
Step 7: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 1
Step 8: Run the command vpn ipsec initiate peer PEER tunnel 1 on DUT1 and expect the following output:
Show output
Initiating IPSec SAs... 100.00% Initiated tunnels: 1
Step 9: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, e8a5cddaf77eb93d_i 166e57cf89190625_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 25892s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3366s, expires in 3960s in ccfd9ccb, 0 bytes, 0 packets out ccc11a0d, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 10: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1/Kg8ZTknwhwkPmvJ08uAagRJiz1TG3+ko= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER unique never
Step 11: Ping the IP address 80.0.0.3 from DUT0:
admin@DUT0$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=2.88 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 2.880/2.880/2.880/0.000 ms
Step 12: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.3\[500\].*INSTALLEDShow output
(unnamed): #487, CONNECTING, IKEv2, 636818c6492c2def_i 10c61ae588f4a1b6_r* local '%any' @ 80.0.0.1[500] remote '%any' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 passive: IKE_INIT IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG IKE_MOBIKE IKE_ESTABLISH IKE_AUTH_LIFETIME CHILD_CREATE vpn-peer-PEER: #486, ESTABLISHED, IKEv2, 779b4110faefff41_i 6125e7374073509a_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 15626s peer-PEER-tunnel-1: #487, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3501s, expires in 3960s in c3256fcb, 0 bytes, 0 packets out c0cdc94c, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Test Keep Without Initial Contact
Description
With unique = keep and no INITIAL_CONTACT,
the responder proactively detects the duplicate
and rejects the new connection from a different
IP, keeping the existing SA. If the peer
reconnects from the same IP, the new connection
is allowed (treated as reauthentication).
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+hDW/MTsCxpRmkZSOK5Lt4z9WiR6cStM8= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+9vBuYpwWj8jm7pHaJNUzvU/OLgnoeQ/Y= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.501 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.501/0.501/0.501/0.000 ms
Step 4: Ping the IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.315 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.315/0.315/0.315/0.000 ms
Step 5: Modify the following configuration lines in DUT0 :
delete vpn ipsec site-to-site peer PEER remote-address set vpn ipsec auth-profile AUTH-SA local id server set vpn ipsec auth-profile AUTH-SA remote id roadwarrior set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 0.0.0.0/0 set vpn ipsec site-to-site peer PEER unique keep
Step 6: Modify the following configuration lines in DUT1 :
set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec site-to-site peer PEER unique never
Step 7: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 1
Step 8: Run the command vpn ipsec initiate peer PEER tunnel 1 on DUT1 and expect the following output:
Show output
Initiating IPSec SAs... 100.00% Initiated tunnels: 1
Step 9: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, d62c46b0519faff6_i 98a16ccf4feccb5e_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 22582s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3239s, expires in 3960s in cc00bd95, 0 bytes, 0 packets out cd682dde, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 10: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19qHIJZChscIH3S7ZC8MfjUQP2vdUsLka0= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER unique never
Step 11: Ping the IP address 80.0.0.3 from DUT0:
admin@DUT0$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.919 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.919/0.919/0.919/0.000 ms
Step 12: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.2\[500\].*INSTALLEDShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, d62c46b0519faff6_i 98a16ccf4feccb5e_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 9s ago, rekeying in 22573s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3230s, expires in 3951s in cc00bd95, 0 bytes, 0 packets out cd682dde, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 13: Expect a failure in the following command:
Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.3\[500\].*INSTALLEDShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, d62c46b0519faff6_i 98a16ccf4feccb5e_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 9s ago, rekeying in 22573s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3230s, expires in 3951s in cc00bd95, 0 bytes, 0 packets out cd682dde, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Test Never Ignores Initial Contact
Description
With unique = never, INITIAL_CONTACT
notifications from the peer are ignored.
Both SAs coexist even when the new peer
sends INITIAL_CONTACT.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19+tqu+IinSLrU171jGTp+5GmF+83LEq5Y= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+OsDAgoWnlAC4O457QrkjfZvHI8QiGzPk= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.511 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.511/0.511/0.511/0.000 ms
Step 4: Ping the IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.246 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.246/0.246/0.246/0.000 ms
Step 5: Modify the following configuration lines in DUT0 :
delete vpn ipsec site-to-site peer PEER remote-address set vpn ipsec auth-profile AUTH-SA local id server set vpn ipsec auth-profile AUTH-SA remote id roadwarrior set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 0.0.0.0/0 set vpn ipsec site-to-site peer PEER unique never
Step 6: Modify the following configuration lines in DUT1 :
set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec site-to-site peer PEER unique no
Step 7: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 1
Step 8: Run the command vpn ipsec initiate peer PEER tunnel 1 on DUT1 and expect the following output:
Show output
Initiating IPSec SAs... 100.00% Initiated tunnels: 1
Step 9: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, d7abed63eee80ef9_i 4dbb11267bcd29fd_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 15974s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3242s, expires in 3960s in c40da1c6, 0 bytes, 0 packets out c9ee3276, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 10: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1924KzYCtC3W1fFiV1nDElnSwyjna69iF4= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER unique no
Step 11: Ping the IP address 80.0.0.3 from DUT0:
admin@DUT0$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.386 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.386/0.386/0.386/0.000 ms
Step 12: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.2\[500\].*INSTALLEDShow output
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, 2b813fad6960896d_i 015d8b2b31eccdf2_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 6s ago, rekeying in 25076s peer-PEER-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 6s ago, rekeying in 3248s, expires in 3954s in c42968a7, 0 bytes, 0 packets out c5d749d6, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24 vpn-peer-PEER: #3, ESTABLISHED, IKEv2, d7abed63eee80ef9_i 4dbb11267bcd29fd_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 9s ago, rekeying in 15965s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3233s, expires in 3951s in c40da1c6, 0 bytes, 0 packets out c9ee3276, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 13: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.3\[500\].*INSTALLEDShow output
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, 2b813fad6960896d_i 015d8b2b31eccdf2_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 6s ago, rekeying in 25076s peer-PEER-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 6s ago, rekeying in 3248s, expires in 3954s in c42968a7, 0 bytes, 0 packets out c5d749d6, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24 vpn-peer-PEER: #3, ESTABLISHED, IKEv2, d7abed63eee80ef9_i 4dbb11267bcd29fd_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 9s ago, rekeying in 15965s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3233s, expires in 3951s in c40da1c6, 0 bytes, 0 packets out c9ee3276, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Test No Reacts To Initial Contact
Description
With unique = no, the responder does not
proactively check for duplicates but does
delete existing SAs when the new peer sends
INITIAL_CONTACT.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19mir/cXcyy1YWOzuf4n/xxYFYu1rCblLY= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19nSkIde2xiVFJsIUSySz213/tr4Rc5CXg= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.452 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.452/0.452/0.452/0.000 ms
Step 4: Ping the IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.519 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.519/0.519/0.519/0.000 ms
Step 5: Modify the following configuration lines in DUT0 :
delete vpn ipsec site-to-site peer PEER remote-address set vpn ipsec auth-profile AUTH-SA local id server set vpn ipsec auth-profile AUTH-SA remote id roadwarrior set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 0.0.0.0/0 set vpn ipsec site-to-site peer PEER unique no
Step 6: Modify the following configuration lines in DUT1 :
set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec site-to-site peer PEER unique no
Step 7: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 1
Step 8: Run the command vpn ipsec initiate peer PEER tunnel 1 on DUT1 and expect the following output:
Show output
Initiating IPSec SAs... 100.00% Initiated tunnels: 1
Step 9: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 524aeb30d7e0e8aa_i 48ccb628d10a343a_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 16454s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3375s, expires in 3960s in c7885b09, 0 bytes, 0 packets out c23fcbf4, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 10: Modify the following configuration lines in DUT1 :
set interfaces ethernet eth0 disable
Step 11: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19YSBlBTnbxzA7Rd3g1GFTVx20TvkW6lv4= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER unique no
Step 12: Ping the IP address 80.0.0.3 from DUT0:
admin@DUT0$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.244 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.244/0.244/0.244/0.000 ms
Step 13: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.3\[500\].*INSTALLEDShow output
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, 3b728d3cd8a5a03b_i 078ab0f8d45453c1_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 6s ago, rekeying in 18188s peer-PEER-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 6s ago, rekeying in 3266s, expires in 3954s in cf638b0d, 0 bytes, 0 packets out c12eb876, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 14: Expect a failure in the following command:
Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.2\[500\].*INSTALLEDShow output
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, 3b728d3cd8a5a03b_i 078ab0f8d45453c1_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 6s ago, rekeying in 18188s peer-PEER-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 6s ago, rekeying in 3266s, expires in 3954s in cf638b0d, 0 bytes, 0 packets out c12eb876, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Test Replace Reacts To Initial Contact
Description
With unique = replace, the responder also
reacts to INITIAL_CONTACT from the new peer,
destroying existing SAs for the same identity.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19uRy/fV4AeAbDcEBo8EsT63L3XW13J7o0= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19XMy7ew+eKM7+iFEdbw2qEpT6eAEzBdxg= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.506 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.506/0.506/0.506/0.000 ms
Step 4: Ping the IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.341 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.341/0.341/0.341/0.000 ms
Step 5: Modify the following configuration lines in DUT0 :
delete vpn ipsec site-to-site peer PEER remote-address set vpn ipsec auth-profile AUTH-SA local id server set vpn ipsec auth-profile AUTH-SA remote id roadwarrior set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 0.0.0.0/0 set vpn ipsec site-to-site peer PEER unique replace
Step 6: Modify the following configuration lines in DUT1 :
set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec site-to-site peer PEER unique no
Step 7: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 1
Step 8: Run the command vpn ipsec initiate peer PEER tunnel 1 on DUT1 and expect the following output:
Show output
Initiating IPSec SAs... 100.00% Initiated tunnels: 1
Step 9: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 671c71e6d78ffb44_i ca0cbb1809d868ce_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 19395s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3252s, expires in 3959s in cac86dea, 0 bytes, 0 packets out c76e2ee7, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 10: Modify the following configuration lines in DUT1 :
set interfaces ethernet eth0 disable
Step 11: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1/OosOHoemGIkLjNMzXZeFGNa1UaKCYkGQ= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER unique no
Step 12: Ping the IP address 80.0.0.3 from DUT0:
admin@DUT0$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.405 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.405/0.405/0.405/0.000 ms
Step 13: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.3\[500\].*INSTALLEDShow output
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, b3915f1f30ee37ce_i 79ab90bff0966ccf_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 5s ago, rekeying in 21047s peer-PEER-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3251s, expires in 3955s in ccca214c, 0 bytes, 0 packets out c4d2eddd, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 14: Expect a failure in the following command:
Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.2\[500\].*INSTALLEDShow output
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, b3915f1f30ee37ce_i 79ab90bff0966ccf_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 5s ago, rekeying in 21047s peer-PEER-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3251s, expires in 3955s in ccca214c, 0 bytes, 0 packets out c4d2eddd, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Test Keep With Initial Contact
Description
With unique = keep, if the new peer sends
INITIAL_CONTACT, the existing SA is destroyed
regardless of the keep policy. INITIAL_CONTACT
is processed before evaluating the unique
policy.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+Us3qGO1hT5oTUe5Cp2wZnqtklZHU/PkU= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX18wUBn8DpPSis5GjnqncVH2lAV/P7LR8bQ= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping the IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.419 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.419/0.419/0.419/0.000 ms
Step 4: Ping the IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.291 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.291/0.291/0.291/0.000 ms
Step 5: Modify the following configuration lines in DUT0 :
delete vpn ipsec site-to-site peer PEER remote-address set vpn ipsec auth-profile AUTH-SA local id server set vpn ipsec auth-profile AUTH-SA remote id roadwarrior set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 0.0.0.0/0 set vpn ipsec site-to-site peer PEER unique keep
Step 6: Modify the following configuration lines in DUT1 :
set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec site-to-site peer PEER unique no
Step 7: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 1
Step 8: Run the command vpn ipsec initiate peer PEER tunnel 1 on DUT1 and expect the following output:
Show output
Initiating IPSec SAs... 100.00% Initiated tunnels: 1
Step 9: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 4be81f7f9ccd935d_i e68d01d2b69d50ca_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 25013s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3345s, expires in 3960s in cd7aaa2b, 0 bytes, 0 packets out c87a7751, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 10: Modify the following configuration lines in DUT1 :
set interfaces ethernet eth0 disable
Step 11: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19F8D5NwThNvlmWuwwjeqy9ar7UgXkcFLY= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA local id roadwarrior set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote id server set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER unique no
Step 12: Ping the IP address 80.0.0.3 from DUT0:
admin@DUT0$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.377 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.377/0.377/0.377/0.000 ms
Step 13: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.3\[500\].*INSTALLEDShow output
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, b4ed72be131addc7_i f0eae0d4f391c96a_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 5s ago, rekeying in 20235s peer-PEER-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3345s, expires in 3955s in c72ca0a3, 0 bytes, 0 packets out cb8252ec, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 14: Expect a failure in the following command:
Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
(?s)80.0.0\.2\[500\].*INSTALLEDShow output
vpn-peer-PEER: #4, ESTABLISHED, IKEv2, b4ed72be131addc7_i f0eae0d4f391c96a_r* local 'server' @ 80.0.0.1[500] remote 'roadwarrior' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 6s ago, rekeying in 20234s peer-PEER-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 6s ago, rekeying in 3344s, expires in 3954s in c72ca0a3, 0 bytes, 0 packets out cb8252ec, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24