Site-To-Site
This scenario shows how to configure and connect two subnets with each other through a VPN tunnel set up between the two gateways. One end-point receives the local IP through DHCP.
Test Site-To-Site Responder With Dynamic IP
Description
Simple VPN site-to-site configuration to
connect two subnets. DUT0 acts as a
responder so it only sets the tunnel up when
an incoming connection is received. Instead
of listening on a pre-configured IP address,
the local end-point IP is received through
DHCP.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 vif 100 address 90.0.0.1/24 set interfaces ethernet eth1 vif 200 address 80.0.0.1/24 set service dhcp-server shared-network dhcpserver subnet 90.0.0.0/24 start 90.0.0.2 stop 90.0.0.2 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 vif 100 address dhcp set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 80.0.0.0/24 next-hop 90.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX19NodfAfrm2SJL12OaxlSgzqFGurXSrpHg= set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER dhcp-interface eth0.100 set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 3: Run command interfaces ethernet eth0 vif 100 show at DUT0 and check if output contains the following tokens:
90.0.0.2Show output
--------------------------------------------------------------------- Name IP Address Admin Oper Vrf Description --------------------------------------------------------------------- eth0.100 90.0.0.2/24 up up fe80::dcad:beff:feef:6c00/64
Step 4: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 vif 200 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 90.0.0.0/24 next-hop 80.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX18SyK5GMgZsMWJDv/sauq8xcI2XduQBWiA= set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 90.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 5: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=63 time=0.543 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.543/0.543/0.543/0.000 ms
Step 6: Run command vpn ipsec show sa at DUT1 and check if output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 639718da14b4a261_i* edbe299d075924b5_r local '80.0.0.2' @ 80.0.0.2[500] remote '90.0.0.2' @ 90.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 26274s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3316s, expires in 3960s in cb82b6c5, 0 bytes, 0 packets out c0bc920a, 0 bytes, 0 packets local 10.3.0.0/24 remote 10.1.0.0/24
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 639718da14b4a261_i edbe299d075924b5_r* local '90.0.0.2' @ 90.0.0.2[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 24208s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3309s, expires in 3960s in c0bc920a, 0 bytes, 0 packets out cb82b6c5, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 8: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.614 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.614/0.614/0.614/0.000 ms
Step 9: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.562 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.562/0.562/0.562/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 639718da14b4a261_i edbe299d075924b5_r* local '90.0.0.2' @ 90.0.0.2[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 24208s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3309s, expires in 3960s in c0bc920a, 168 bytes, 2 packets, 0s ago out cb82b6c5, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24
Step 11: Run command vpn ipsec show sa at DUT1 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 639718da14b4a261_i* edbe299d075924b5_r local '80.0.0.2' @ 80.0.0.2[500] remote '90.0.0.2' @ 90.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 26274s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3316s, expires in 3960s in cb82b6c5, 168 bytes, 2 packets, 0s ago out c0bc920a, 168 bytes, 2 packets, 0s ago local 10.3.0.0/24 remote 10.1.0.0/24
Attention
The command vpn show ipsec policy can be used to debug
the IPSec selectors that have been installed in OSDx devices.
Example for device DUT0:
Show output
src 10.1.0.0/24 dst 10.3.0.0/24 dev dum0 dir out priority 375421 tmpl src 90.0.0.2 dst 80.0.0.2 proto esp spi 0xcb82b6c5 reqid 1 mode tunnel src 10.3.0.0/24 dst 10.1.0.0/24 dir fwd priority 375423 tmpl src 80.0.0.2 dst 90.0.0.2 proto esp reqid 1 mode tunnel src 10.3.0.0/24 dst 10.1.0.0/24 dir in priority 375423 tmpl src 80.0.0.2 dst 90.0.0.2 proto esp reqid 1 mode tunnel src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src ::/0 dst ::/0 socket in priority 0 src ::/0 dst ::/0 socket out priority 0 src ::/0 dst ::/0 socket in priority 0 src ::/0 dst ::/0 socket out priority 0
Test Site-To-Site Initiator With Dynamic IP
Description
Simple VPN site-to-site configuration to
connect two subnets. DUT0 acts as a initiator,
so it automatically attempts to start the tunnel
as soon as a local IP address is assigned
through DHCP.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 vif 100 address 90.0.0.1/24 set interfaces ethernet eth1 vif 200 address 80.0.0.1/24 set service dhcp-server shared-network dhcpserver subnet 90.0.0.0/24 start 90.0.0.2 stop 90.0.0.2 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 vif 200 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 90.0.0.0/24 next-hop 80.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX18lCv+vupiTFvj7/xFzRz6zRx/EeXhlWfI= set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 90.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 vif 100 address dhcp set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 80.0.0.0/24 next-hop 90.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1+IcO3RejxQAoQNEa1UBrBNxtrO3td4nxA= set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER dhcp-interface eth0.100 set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 4: Run command interfaces ethernet eth0 vif 100 show at DUT0 and check if output contains the following tokens:
90.0.0.2Show output
--------------------------------------------------------------------- Name IP Address Admin Oper Vrf Description --------------------------------------------------------------------- eth0.100 90.0.0.2/24 up up fe80::dcad:beff:feef:6c00/64
Step 5: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=63 time=0.608 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.608/0.608/0.608/0.000 ms
Step 6: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 36d660a1a10a0cb2_i* e2ffc431a555c7d6_r local '90.0.0.2' @ 90.0.0.2[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 2s ago, rekeying in 15690s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 2s ago, rekeying in 3373s, expires in 3958s in c4e23466, 0 bytes, 0 packets out cb5ad34b, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 7: Run command vpn ipsec show sa at DUT1 and check if output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 36d660a1a10a0cb2_i e2ffc431a555c7d6_r* local '80.0.0.2' @ 80.0.0.2[500] remote '90.0.0.2' @ 90.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 2s ago, rekeying in 18014s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 2s ago, rekeying in 3490s, expires in 3958s in cb5ad34b, 0 bytes, 0 packets out c4e23466, 0 bytes, 0 packets local 10.3.0.0/24 remote 10.1.0.0/24
Step 8: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.703 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.703/0.703/0.703/0.000 ms
Step 9: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.613 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.613/0.613/0.613/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 36d660a1a10a0cb2_i* e2ffc431a555c7d6_r local '90.0.0.2' @ 90.0.0.2[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 3s ago, rekeying in 15689s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 3s ago, rekeying in 3372s, expires in 3957s in c4e23466, 168 bytes, 2 packets, 0s ago out cb5ad34b, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24
Step 11: Run command vpn ipsec show sa at DUT1 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 36d660a1a10a0cb2_i e2ffc431a555c7d6_r* local '80.0.0.2' @ 80.0.0.2[500] remote '90.0.0.2' @ 90.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 3s ago, rekeying in 18013s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 3s ago, rekeying in 3489s, expires in 3957s in cb5ad34b, 168 bytes, 2 packets, 0s ago out c4e23466, 168 bytes, 2 packets, 0s ago local 10.3.0.0/24 remote 10.1.0.0/24
Attention
The command vpn show ipsec policy can be used to debug
the IPSec selectors that have been installed in OSDx devices.
Example for device DUT0:
Show output
src 10.1.0.0/24 dst 10.3.0.0/24 dev dum0 dir out priority 375421 tmpl src 90.0.0.2 dst 80.0.0.2 proto esp spi 0xcb5ad34b reqid 1 mode tunnel src 10.3.0.0/24 dst 10.1.0.0/24 dir fwd priority 375423 tmpl src 80.0.0.2 dst 90.0.0.2 proto esp reqid 1 mode tunnel src 10.3.0.0/24 dst 10.1.0.0/24 dir in priority 375423 tmpl src 80.0.0.2 dst 90.0.0.2 proto esp reqid 1 mode tunnel src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src ::/0 dst ::/0 socket in priority 0 src ::/0 dst ::/0 socket out priority 0 src ::/0 dst ::/0 socket in priority 0 src ::/0 dst ::/0 socket out priority 0