Check Vti To Global Ipsec
This scenario shows how to configure and route traffic via one VTI (Virtual Tunnel Interface) device. The other end-point does not use VTI devices, but a global IPSec policy.
Test VTI To Global IPSec
Description
A tunnel is configured between DUT0 and DUT1. On
the one hand, in DUT0, a vti interface is configured
to encapsulate traffic. On the other hand, in DUT1, an
IPSec policy with global selectors is configured.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 60.0.0.10/24 set interfaces ethernet eth1 address 192.168.10.1/24 set interfaces vti vti0 ipsec PEER set interfaces vti vti0 local-address 60.0.0.10 set protocols static route 0.0.0.0/0 interface vti0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX18p9RpqgywhNp7w3vnjAP53+OP67tV3ZkY= set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type on-demand set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 60.0.0.10 set vpn ipsec site-to-site peer PEER remote-address 60.0.0.20 set vpn ipsec site-to-site peer PEER vti local prefix 192.168.10.0/24 set vpn ipsec site-to-site peer PEER vti remote prefix 192.168.20.0/24
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 60.0.0.20/24 set interfaces ethernet eth1 address 192.168.20.1/24 set protocols static route 0.0.0.0/0 interface eth0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX19uUO4PI6Ir803dIdaAN9ExY93rgMTc0Uc= set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 60.0.0.20 set vpn ipsec site-to-site peer PEER remote-address 60.0.0.10 set vpn ipsec site-to-site peer PEER tunnel 1 esp-group CHILD-SA set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.20.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.10.0/24
Step 3: Run command vpn ipsec show sa at DUT0 and check if output contains the following tokens:
ESTABLISHEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, cdc46b7ad3557c15_i e25ccad1142f0e0f_r* local '60.0.0.10' @ 60.0.0.10[500] remote '60.0.0.20' @ 60.0.0.20[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 20438s peer-PEER-tunnel-VTI: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3284s, expires in 3960s in cd6faee6 (0x90000000), 0 bytes, 0 packets out c3d214c2 (0x90000000), 0 bytes, 0 packets local 192.168.10.0/24 remote 192.168.20.0/24
Step 4: Run command vpn ipsec show sa at DUT1 and check if output contains the following tokens:
ESTABLISHEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, cdc46b7ad3557c15_i* e25ccad1142f0e0f_r local '60.0.0.20' @ 60.0.0.20[500] remote '60.0.0.10' @ 60.0.0.10[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 25301s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3291s, expires in 3959s in c3d214c2, 0 bytes, 0 packets out cd6faee6, 0 bytes, 0 packets local 192.168.20.0/24 remote 192.168.10.0/24
Step 5: Ping IP address 192.168.10.1 from DUT1:
admin@DUT1$ ping 192.168.10.1 local-address 192.168.20.1 count 1 size 56 timeout 1Show output
PING 192.168.10.1 (192.168.10.1) from 192.168.20.1 : 56(84) bytes of data. 64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=0.369 ms --- 192.168.10.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.369/0.369/0.369/0.000 ms
Step 6: Ping IP address 192.168.20.1 from DUT0:
admin@DUT0$ ping 192.168.20.1 local-address 192.168.10.1 count 1 size 56 timeout 1Show output
PING 192.168.20.1 (192.168.20.1) from 192.168.10.1 : 56(84) bytes of data. 64 bytes from 192.168.20.1: icmp_seq=1 ttl=64 time=0.263 ms --- 192.168.20.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.263/0.263/0.263/0.000 ms
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
,\s+[^0] packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, cdc46b7ad3557c15_i e25ccad1142f0e0f_r* local '60.0.0.10' @ 60.0.0.10[500] remote '60.0.0.20' @ 60.0.0.20[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 20438s peer-PEER-tunnel-VTI: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3284s, expires in 3960s in cd6faee6 (0x90000000), 168 bytes, 2 packets, 0s ago out c3d214c2 (0x90000000), 168 bytes, 2 packets, 0s ago local 192.168.10.0/24 remote 192.168.20.0/24