Ppk
This set of tests shows how to configure and connect more than two subnets with each other through a VPN tunnel using PPK authentication in different ways.
Test PPK Options
Description
In this test, we will check the different options for PPK authentication (i.e., when it is required or not, when it remains unmatched, etc.).
Scenario
Note
Set default configuration for both DUTs, where PPK is not required and the PPK is the same.
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt' set vpn ipsec auth-profile AUTH-SA local id CN=moon.teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth eap carol encrypted-secret U2FsdGVkX19+UArzKD/wv/DGPQILyrKVEvPiTlvWhVI= set vpn ipsec auth-profile AUTH-SA remote auth eap carol type ttls set vpn ipsec auth-profile AUTH-SA remote auth eap dave encrypted-secret U2FsdGVkX1/RYrumZMb9xP2JH17HLW1MTyIyVA9aSeo= set vpn ipsec auth-profile AUTH-SA remote auth eap dave type ttls set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth eap carol encrypted-secret U2FsdGVkX1/wDf2B369jwow4Nt9Hq6WAM3oNoy6A9AE= set vpn ipsec auth-profile AUTH-SA local auth eap carol type ttls set vpn ipsec auth-profile AUTH-SA local id carol set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.028 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.028/0.028/0.028/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.028 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.028/0.028/0.028/0.000 ms
Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 6696695133cc246d_i 180efdcfb0342765_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 0s ago, rekeying in 23583s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3250s, expires in 3960s in c51246fa, 0 bytes, 0 packets out c433cfc8, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 6: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.282 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.282/0.282/0.282/0.000 ms
Step 7: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.263 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.263/0.263/0.263/0.000 ms
Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 6696695133cc246d_i 180efdcfb0342765_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 1s ago, rekeying in 23582s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3249s, expires in 3959s in c51246fa, 168 bytes, 2 packets, 0s ago out c433cfc8, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Note
Delete the PPK from DUT0 and check that the SA falls back to standard authentication.
Step 9: Modify the following configuration lines in DUT0 :
delete vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org
Step 10: Run command vpn ipsec clear peer PEER at DUT0 and expect this output:
Show output
[IKE] deleting IKE_SA vpn-peer-PEER[1] between 80.0.0.1[CN=moon.teldat.org]...80.0.0.2[carol] [IKE] sending DELETE for IKE_SA vpn-peer-PEER[1] [ENC] generating INFORMATIONAL request 0 [ D ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (65 bytes) [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (57 bytes) [ENC] parsed INFORMATIONAL response 0 [ ] [IKE] IKE_SA deleted terminate completed successfully [IKE] not establishing CHILD_SA peer-PEER-tunnel-1{3} due to existing duplicate {2} with SPIs cc0fdf41_i c25b4371_o and TS 10.1.0.0/24 === 10.2.0.0/24 initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 11: Run command vpn ipsec clear peer PEER at DUT1 and expect this output:
Show output
[IKE] deleting IKE_SA vpn-peer-PEER[2] between 80.0.0.2[carol]...80.0.0.1[CN=moon.teldat.org] [IKE] sending DELETE for IKE_SA vpn-peer-PEER[2] [ENC] generating INFORMATIONAL request 8 [ D ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (65 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (57 bytes) [ENC] parsed INFORMATIONAL response 8 [ ] [IKE] IKE_SA deleted terminate completed successfully [IKE] initiating IKE_SA vpn-peer-PEER[3] to 80.0.0.1 [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) N(USE_PPK) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (272 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (305 bytes) [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(USE_PPK) N(CHDLESS_SUP) N(MULT_AUTH) ] [CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256 [IKE] received cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] sending cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] establishing CHILD_SA peer-PEER-tunnel-1{3} [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (247 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1252 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(1/2) ] [ENC] received fragment #1 of 2, waiting for complete IKE message [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (246 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(2/2) ] [ENC] received fragment #2 of 2, reassembled fragmented IKE message (1433 bytes) [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ] [IKE] received end entity cert "CN=moon.teldat.org" [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [IKE] authentication of 'CN=moon.teldat.org' with RSA_EMSA_PKCS1_SHA2_256 successful [IKE] server requested EAP_TTLS authentication (id 0xEF) [TLS] EAP_TTLS version is v0 [ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (279 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1085 bytes) [ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] [ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (67 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (540 bytes) [ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] [TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [TLS] received TLS server certificate 'CN=moon.teldat.org' [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (229 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (122 bytes) [ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID] [ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (120 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (132 bytes) [ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] [IKE] server requested EAP_MD5 authentication (id 0xC0) [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5] [ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (132 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 6 [ EAP/SUCC ] [IKE] EAP method EAP_TTLS succeeded, MSK established [IKE] authentication of 'carol' (myself) with EAP [ENC] generating IKE_AUTH request 7 [ AUTH N(NO_PPK) N(PPK_ID) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (162 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (181 bytes) [ENC] parsed IKE_AUTH response 7 [ AUTH SA TSi TSr ] [IKE] authentication of 'CN=moon.teldat.org' with EAP successful [CFG] peer didn't use PPK for PPK_ID 'carol@teldat.org' [IKE] IKE_SA vpn-peer-PEER[3] established between 80.0.0.2[carol]...80.0.0.1[CN=moon.teldat.org] [IKE] scheduling rekeying in 28276s [IKE] maximum IKE_SA lifetime 31156s [CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ [IKE] CHILD_SA peer-PEER-tunnel-1{3} established with SPIs c9d3b85c_i c4d1963d_o and TS 10.2.0.0/24 === 10.1.0.0/24 initiate completed successfully
Step 12: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 10010ffe6903815c_i 2f66d924fec9f62e_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 24194s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3315s, expires in 3960s in c4d1963d, 0 bytes, 0 packets out c9d3b85c, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 13: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.335 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.335/0.335/0.335/0.000 ms
Step 14: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.271 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.271/0.271/0.271/0.000 ms
Step 15: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 10010ffe6903815c_i 2f66d924fec9f62e_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 24194s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3315s, expires in 3960s in c4d1963d, 168 bytes, 2 packets, 0s ago out c9d3b85c, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Note
Set the PPK as required in DUT0 and, with DUT1’s corresponding PPK deleted, check that the connection fails.
Step 16: Modify the following configuration lines in DUT0 :
set vpn ipsec auth-profile AUTH-SA remote ppk required
Step 17: Run command vpn ipsec clear peer PEER at DUT0 and expect this output:
Show output
[IKE] deleting IKE_SA vpn-peer-PEER[3] between 80.0.0.1[CN=moon.teldat.org]...80.0.0.2[carol] [IKE] sending DELETE for IKE_SA vpn-peer-PEER[3] [ENC] generating INFORMATIONAL request 0 [ D ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (65 bytes) [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (57 bytes) [ENC] parsed INFORMATIONAL response 0 [ ] [IKE] IKE_SA deleted terminate completed successfully [IKE] unable to resolve %any, initiate aborted initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 18: Run command vpn ipsec clear peer PEER at DUT1 and expect this output:
Show output
terminate failed: no matching SAs to terminate found [IKE] initiating IKE_SA vpn-peer-PEER[5] to 80.0.0.1 [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) N(USE_PPK) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (272 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (305 bytes) [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(USE_PPK) N(CHDLESS_SUP) N(MULT_AUTH) ] [CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256 [IKE] received cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] sending cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] establishing CHILD_SA peer-PEER-tunnel-1{5} [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (247 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1252 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(1/2) ] [ENC] received fragment #1 of 2, waiting for complete IKE message [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (246 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(2/2) ] [ENC] received fragment #2 of 2, reassembled fragmented IKE message (1433 bytes) [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ] [IKE] received end entity cert "CN=moon.teldat.org" [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [IKE] authentication of 'CN=moon.teldat.org' with RSA_EMSA_PKCS1_SHA2_256 successful [IKE] server requested EAP_TTLS authentication (id 0xBF) [TLS] EAP_TTLS version is v0 [ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (279 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1085 bytes) [ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] [ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (67 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (540 bytes) [ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] [TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [TLS] received TLS server certificate 'CN=moon.teldat.org' [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (229 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (122 bytes) [ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID] [ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (120 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (132 bytes) [ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] [IKE] server requested EAP_MD5 authentication (id 0x91) [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5] [ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (132 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 6 [ EAP/SUCC ] [IKE] EAP method EAP_TTLS succeeded, MSK established [IKE] authentication of 'carol' (myself) with EAP [ENC] generating IKE_AUTH request 7 [ AUTH N(NO_PPK) N(PPK_ID) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (162 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 7 [ N(AUTH_FAILED) ] [IKE] received AUTHENTICATION_FAILED notify error initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 19: Expect a failure in the following command:
Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. --- 10.2.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Note
Set the PPK as required in DUT1 and change the PPK in DUT0 back to not required. Check that the connection is still failing.
Step 20: Modify the following configuration lines in DUT0 :
delete vpn ipsec auth-profile AUTH-SA remote ppk required
Step 21: Modify the following configuration lines in DUT1 :
set vpn ipsec auth-profile AUTH-SA local ppk required
Step 22: Run command vpn ipsec clear peer PEER at DUT0 and expect this output:
Show output
terminate failed: no matching SAs to terminate found [IKE] unable to resolve %any, initiate aborted initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 23: Run command vpn ipsec clear peer PEER at DUT1 and expect this output:
Show output
terminate failed: no matching SAs to terminate found [IKE] initiating IKE_SA vpn-peer-PEER[7] to 80.0.0.1 [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) N(USE_PPK) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (272 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (305 bytes) [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(USE_PPK) N(CHDLESS_SUP) N(MULT_AUTH) ] [CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256 [IKE] received cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] sending cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] establishing CHILD_SA peer-PEER-tunnel-1{7} [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (247 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1252 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(1/2) ] [ENC] received fragment #1 of 2, waiting for complete IKE message [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (246 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(2/2) ] [ENC] received fragment #2 of 2, reassembled fragmented IKE message (1433 bytes) [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ] [IKE] received end entity cert "CN=moon.teldat.org" [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [IKE] authentication of 'CN=moon.teldat.org' with RSA_EMSA_PKCS1_SHA2_256 successful [IKE] server requested EAP_TTLS authentication (id 0x55) [TLS] EAP_TTLS version is v0 [ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (279 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1085 bytes) [ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] [ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (67 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (540 bytes) [ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] [TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [TLS] received TLS server certificate 'CN=moon.teldat.org' [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (229 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (122 bytes) [ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID] [ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (120 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (132 bytes) [ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] [IKE] server requested EAP_MD5 authentication (id 0x19) [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5] [ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (132 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 6 [ EAP/SUCC ] [IKE] EAP method EAP_TTLS succeeded, MSK established [IKE] authentication of 'carol' (myself) with EAP [ENC] generating IKE_AUTH request 7 [ AUTH N(PPK_ID) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (122 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 7 [ N(AUTH_FAILED) ] [IKE] received AUTHENTICATION_FAILED notify error initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 24: Expect a failure in the following command:
Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. --- 10.2.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Test PPK EAP-TTLS STS
Description
Test the site-to-site VPN with PPK authentication and EAP-TTLS
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt' set vpn ipsec auth-profile AUTH-SA local id CN=moon.teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth eap carol encrypted-secret U2FsdGVkX18+wdLB6ZtN1G48OkeYwd0f6J3ozPDceVE= set vpn ipsec auth-profile AUTH-SA remote auth eap carol type ttls set vpn ipsec auth-profile AUTH-SA remote auth eap dave encrypted-secret U2FsdGVkX1+/4Ir05oKu9+Qg+VhXpbfe5kO3J5tiAmc= set vpn ipsec auth-profile AUTH-SA remote auth eap dave type ttls set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth eap carol encrypted-secret U2FsdGVkX190WF1qof0kP6yDl37MnOKUUHSLBTxvzn4= set vpn ipsec auth-profile AUTH-SA local auth eap carol type ttls set vpn ipsec auth-profile AUTH-SA local id carol set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.027 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.027/0.027/0.027/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.028 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.028/0.028/0.028/0.000 ms
Step 5: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth eap dave encrypted-secret U2FsdGVkX1/efJtVjjjZ2aAc5Ab1eOfLd/YIG6vXYkU= set vpn ipsec auth-profile AUTH-SA local auth eap dave type ttls set vpn ipsec auth-profile AUTH-SA local id dave set vpn ipsec auth-profile AUTH-SA local ppk id dave@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 6: Ping IP address 80.0.0.3 from DUT2:
admin@DUT2$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.029 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.029/0.029/0.029/0.000 ms
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 7c7af229e59f2d10_i 4d6fcee4eb24efda_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 0s ago, rekeying in 26594s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3302s, expires in 3960s in c5965927, 0 bytes, 0 packets out ca52bfc3, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, d339866b3872dbef_i e7cf08d966c53c0a_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 19678s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3367s, expires in 3956s in c8fd7ff9, 0 bytes, 0 packets out c1c0593f, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 8: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.324 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.324/0.324/0.324/0.000 ms
Step 9: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.255 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.255/0.255/0.255/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 7c7af229e59f2d10_i 4d6fcee4eb24efda_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 26590s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3298s, expires in 3956s in c5965927, 0 bytes, 0 packets out ca52bfc3, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, d339866b3872dbef_i e7cf08d966c53c0a_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 8s ago, rekeying in 19674s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3363s, expires in 3952s in c8fd7ff9, 168 bytes, 2 packets, 1s ago out c1c0593f, 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 11: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 7c7af229e59f2d10_i 4d6fcee4eb24efda_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 26589s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3297s, expires in 3955s in c5965927, 0 bytes, 0 packets out ca52bfc3, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, d339866b3872dbef_i e7cf08d966c53c0a_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 19673s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3362s, expires in 3951s in c8fd7ff9, 168 bytes, 2 packets, 2s ago out c1c0593f, 168 bytes, 2 packets, 2s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 12: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.280 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.280/0.280/0.280/0.000 ms
Step 13: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.341 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.341/0.341/0.341/0.000 ms
Step 14: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 7c7af229e59f2d10_i 4d6fcee4eb24efda_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 26589s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3297s, expires in 3955s in c5965927, 168 bytes, 2 packets, 0s ago out ca52bfc3, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, d339866b3872dbef_i e7cf08d966c53c0a_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 19673s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3362s, expires in 3951s in c8fd7ff9, 168 bytes, 2 packets, 2s ago out c1c0593f, 168 bytes, 2 packets, 2s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test PPK PSK STS
Description
Test the site-to-site VPN with PPK authentication and PSK
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX183VIZVD5N9wQipM+z25MFRgH+D0ykJ8c8= set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX18ZDMfYO9vGZK9UY+pBd6MpOaHlRY7GkjU= set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1/Y2f9zkOB/IaTE+iRUVK/9+fPYT9eEkkg= set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX19M8guq4iicQmQ25hNeqD+a2E4YDtlHT/0= set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.026 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.026/0.026/0.026/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.028 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.028/0.028/0.028/0.000 ms
Step 5: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX19F1wk40ozLko9wP1FkK9kQkTO75ZyL3aA= set vpn ipsec auth-profile AUTH-SA local ppk id dave@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX18wDmT4R7I63eQVKi1hnxoO4gz859U9JCg= set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 6: Ping IP address 80.0.0.3 from DUT2:
admin@DUT2$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.028 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.028/0.028/0.028/0.000 ms
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 196f8236291d776b_i d931a3258ad01a71_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.3' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 0s ago, rekeying in 26787s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3276s, expires in 3960s in c9c54d26, 0 bytes, 0 packets out cf89ccbb, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, ecfb12b5d11d6f6c_i 230c444f97de7cb6_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 3s ago, rekeying in 16749s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 3s ago, rekeying in 3264s, expires in 3957s in c712bd1d, 0 bytes, 0 packets out cb934899, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 8: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.292 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.292/0.292/0.292/0.000 ms
Step 9: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.307 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.307/0.307/0.307/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 196f8236291d776b_i d931a3258ad01a71_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.3' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 26782s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3271s, expires in 3955s in c9c54d26, 0 bytes, 0 packets out cf89ccbb, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, ecfb12b5d11d6f6c_i 230c444f97de7cb6_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 8s ago, rekeying in 16744s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3259s, expires in 3952s in c712bd1d, 168 bytes, 2 packets, 0s ago out cb934899, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 11: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 196f8236291d776b_i d931a3258ad01a71_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.3' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 26782s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3271s, expires in 3955s in c9c54d26, 0 bytes, 0 packets out cf89ccbb, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, ecfb12b5d11d6f6c_i 230c444f97de7cb6_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 8s ago, rekeying in 16744s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3259s, expires in 3952s in c712bd1d, 168 bytes, 2 packets, 0s ago out cb934899, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 12: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.271 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.271/0.271/0.271/0.000 ms
Step 13: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.304 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.304/0.304/0.304/0.000 ms
Step 14: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 196f8236291d776b_i d931a3258ad01a71_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.3' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 26782s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3271s, expires in 3955s in c9c54d26, 168 bytes, 2 packets, 0s ago out cf89ccbb, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, ecfb12b5d11d6f6c_i 230c444f97de7cb6_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 8s ago, rekeying in 16744s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3259s, expires in 3952s in c712bd1d, 168 bytes, 2 packets, 0s ago out cb934899, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test PPK RSA STS
Description
Test the site-to-site VPN with PPK authentication and RSA
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt' set vpn ipsec auth-profile AUTH-SA local id CN=moon.teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://client.crt' set vpn ipsec auth-profile AUTH-SA local id CN=carol@teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://client.priv.pem' set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.027 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.027/0.027/0.027/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.025 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.025/0.025/0.025/0.000 ms
Step 5: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://client.crt' set vpn ipsec auth-profile AUTH-SA local id CN=dave@teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://client.priv.pem' set vpn ipsec auth-profile AUTH-SA local ppk id dave@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 6: Ping IP address 80.0.0.3 from DUT2:
admin@DUT2$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.027 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.027/0.027/0.027/0.000 ms
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 3256bb28ea2ef073_i 8e45199700cadb77_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 1s ago, rekeying in 23116s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3421s, expires in 3959s in cb2a9305, 0 bytes, 0 packets out c21beb95, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, d1d2a405b7ab3477_i 4f94d730c6a64e05_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 25333s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3275s, expires in 3956s in c322ea1f, 0 bytes, 0 packets out ce879ffe, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 8: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.272 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.272/0.272/0.272/0.000 ms
Step 9: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.291 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.291/0.291/0.291/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 3256bb28ea2ef073_i 8e45199700cadb77_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 23112s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3417s, expires in 3955s in cb2a9305, 0 bytes, 0 packets out c21beb95, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, d1d2a405b7ab3477_i 4f94d730c6a64e05_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 8s ago, rekeying in 25329s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3271s, expires in 3952s in c322ea1f, 168 bytes, 2 packets, 1s ago out ce879ffe, 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 11: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 3256bb28ea2ef073_i 8e45199700cadb77_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 23112s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3417s, expires in 3955s in cb2a9305, 0 bytes, 0 packets out c21beb95, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, d1d2a405b7ab3477_i 4f94d730c6a64e05_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 8s ago, rekeying in 25329s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3271s, expires in 3952s in c322ea1f, 168 bytes, 2 packets, 1s ago out ce879ffe, 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 12: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.270 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.270/0.270/0.270/0.000 ms
Step 13: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.295 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.295/0.295/0.295/0.000 ms
Step 14: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 3256bb28ea2ef073_i 8e45199700cadb77_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 23112s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3417s, expires in 3955s in cb2a9305, 168 bytes, 2 packets, 0s ago out c21beb95, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, d1d2a405b7ab3477_i 4f94d730c6a64e05_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 8s ago, rekeying in 25329s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3271s, expires in 3952s in c322ea1f, 168 bytes, 2 packets, 1s ago out ce879ffe, 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test PPK PSK DMVPN
Description
Test the DMVPN scenario with PPK authentication and PSK
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 80.0.0.2/24 set interfaces tunnel tun0 address 10.0.0.2/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 local-address 80.0.0.2 set interfaces tunnel tun0 local-interface eth0 set interfaces tunnel tun0 mtu 1390 set interfaces tunnel tun0 nhrp holdtime 600 set interfaces tunnel tun0 nhrp ipsec IPSEC set interfaces tunnel tun0 nhrp nhs 10.0.0.1 nbma 80.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1+Uzrp20lu3vDYSOhBn6otniq+7S/F9mqA= set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX1+DigaAvqIlQ0q0HMK8OPbzhkFK3GZuZMg= set vpn ipsec dmvpn-profile IPSEC auth-profile AUTH-SA set vpn ipsec dmvpn-profile IPSEC esp-group ESP-GROUP set vpn ipsec dmvpn-profile IPSEC ike-group IKE-GROUP set vpn ipsec esp-group ESP-GROUP lifetime 28800 set vpn ipsec esp-group ESP-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec esp-group ESP-GROUP proposal 10 hash sha256 set vpn ipsec esp-group ESP-GROUP proposal 10 pfs dh-group19 set vpn ipsec ike-group IKE-GROUP key-exchange ikev2 set vpn ipsec ike-group IKE-GROUP lifetime 86400 set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group 19 set vpn ipsec ike-group IKE-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec ike-group IKE-GROUP proposal 10 hash sha256 set vpn ipsec logging log-types any log-level 1
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces tunnel tun0 address 10.0.0.1/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 local-address 80.0.0.1 set interfaces tunnel tun0 local-interface eth0 set interfaces tunnel tun0 mtu 1390 set interfaces tunnel tun0 nhrp holdtime 60 set interfaces tunnel tun0 nhrp ipsec IPSEC set interfaces tunnel tun0 nhrp transport-nat-support set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1/lwjYjExI1e8H4c7FrwJLwD7jNy3FyssE= set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX1/pcTC2b75SYRY4bDZ+iy8TTvIzoLYmWH0= set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec dmvpn-profile IPSEC auth-profile AUTH-SA set vpn ipsec dmvpn-profile IPSEC esp-group ESP-GROUP set vpn ipsec dmvpn-profile IPSEC ike-group IKE-GROUP set vpn ipsec esp-group ESP-GROUP lifetime 28800 set vpn ipsec esp-group ESP-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec esp-group ESP-GROUP proposal 10 hash sha256 set vpn ipsec esp-group ESP-GROUP proposal 10 pfs dh-group19 set vpn ipsec ike-group IKE-GROUP key-exchange ikev2 set vpn ipsec ike-group IKE-GROUP lifetime 86400 set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group 19 set vpn ipsec ike-group IKE-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec ike-group IKE-GROUP proposal 10 hash sha256 set vpn ipsec logging log-types any log-level 1
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.032 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.032/0.032/0.032/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.032 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.032/0.032/0.032/0.000 ms
Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+80.0.0.*Show output
IPSEC: #1, ESTABLISHED, IKEv2, f562479e69205f4a_i 75039cde3adb526c_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 2s ago, rekeying in 76378s IPSEC: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 2s ago, rekeying in 18484s, expires in 31678s in cbf9f0c3, 232 bytes, 2 packets, 1s ago out cd738edc, 136 bytes, 1 packets, 1s ago local 80.0.0.1/32[gre] remote 80.0.0.2/32[gre]
Step 6: Ping IP address 10.0.0.2 from DUT0:
admin@DUT0$ ping 10.0.0.2 local-address 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 : 56(84) bytes of data. 64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.313 ms --- 10.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.313/0.313/0.313/0.000 ms
Step 7: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 local-address 10.0.0.2 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) from 10.0.0.2 : 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.354 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.354/0.354/0.354/0.000 ms
Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+80.0.0.*Show output
IPSEC: #1, ESTABLISHED, IKEv2, f562479e69205f4a_i 75039cde3adb526c_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 2s ago, rekeying in 76378s IPSEC: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 2s ago, rekeying in 18484s, expires in 31678s in cbf9f0c3, 448 bytes, 4 packets, 0s ago out cd738edc, 352 bytes, 3 packets, 0s ago local 80.0.0.1/32[gre] remote 80.0.0.2/32[gre]