Site-To-Site
This scenario shows how to configure and connect two subnets
with each other through a VPN tunnel and automatically configure
the negotiated remote prefixes as routes. DUT0 acts as a
responder and DUT1 as a initiator.
Test Site-To-Site With Basic Route Installation
Description
In this scenario, both devices install routes
for the VPN traffic in the main table.
Scenario
Step 1: Run command protocols ip show route at DUT0 and check if output does not contain the following tokens:
K>* 10.3.0.0/24
Step 2: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf main set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1/xEXdfUHqL6ulIFFaCmghYBuYQS7hLzkI= set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 3: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 next-hop 80.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf main set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1/UKGrJweDjP+j6F4MysxHdpZtWSgR75wo= set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 4: Ping IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.797 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.797/0.797/0.797/0.000 ms
Step 5: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.652 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.652/0.652/0.652/0.000 ms
Step 6: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, d032b8a5993e3747_i 764f08b27b4569bf_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 19651s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3373s, expires in 3959s in c82d92cf, 0 bytes, 0 packets out c47157de, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 7: Run command protocols ip show route at DUT0 and check if output contains the following tokens:
K>* 10.3.0.0/24Show output
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:09 L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:09 K>* 10.3.0.0/24 [0/0] via 80.0.0.2, eth0, weight 1, 00:00:01 C>* 80.0.0.0/24 is directly connected, eth0, weight 1, 00:00:09 L>* 80.0.0.1/32 is directly connected, eth0, weight 1, 00:00:09
Step 8: Run command vpn ipsec clear sa at DUT1 and expect this output:
Show output
Deleting IPSec SAs... 100.0% Closed tunnels: 1
Step 9: Run command vpn ipsec initiate peer PEER at DUT1 and expect this output:
Show output
Initiating IPSec SAs... 0.0% Initiated tunnels: 1
Step 10: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.402 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.402/0.402/0.402/0.000 ms
Step 11: Initiate a tcp connection from DUT1 to DUT0 and try to send some messages between both endpoints
admin@DUT0$ monitor test connection server 8080 tcp admin@DUT1$ monitor test connection client 10.1.0.1 8080 tcp local-address 10.3.0.1
Step 12: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, f1e715bb72c0a259_i 4e7fd3ac7b3e27ec_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 4s ago, rekeying in 26872s peer-PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3414s, expires in 3956s in c3206254, 920 bytes, 15 packets, 1s ago out c79c68a1, 868 bytes, 14 packets, 1s ago local 10.1.0.0/24 remote 10.3.0.0/24
Test Site-To-Site With VRF Route Installation
Description
In this scenario, DUT0 install reoutes
in a separate VRF called LAN.
Scenario
Step 1: Run command protocols vrf LAN ip show route at DUT0 and check if output does not contain the following tokens:
K>* 10.3.0.0/24Show output
% VRF LAN not found
Step 2: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces dummy dum0 vrf LAN set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces ethernet eth0 vrf WAN set protocols vrf WAN static route 10.1.0.0/24 next-hop-vrf LAN set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf LAN set system vrf WAN set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1/FrVWA7nzpRoI8HTvwKD0PssOBK8dv9nM= set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes LAN set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 3: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 next-hop 80.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf main set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX19NBW0wIJS4HsG9BFh9WFx9PLwlpv+oNbk= set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 4: Ping IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.424 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.424/0.424/0.424/0.000 ms
Step 5: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 vrf WAN count 1 size 56 timeout 1Show output
ping: Warning: source address might be selected on device other than: WAN PING 80.0.0.2 (80.0.0.2) from 80.0.0.1 WAN: 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.611 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.611/0.611/0.611/0.000 ms
Step 6: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, b3663575e77db57f_i 8d2f8d8a56ebd754_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 22304s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3371s, expires in 3959s in c2bd9de8, 0 bytes, 0 packets out ceb161c2, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 7: Run command protocols vrf LAN ip show route at DUT0 and check if output contains the following tokens:
K>* 10.3.0.0/24Show output
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure VRF LAN: K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:10 C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:10 L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:10 K>* 10.3.0.0/24 [0/0] via 80.0.0.2, eth0 (vrf WAN), weight 1, 00:00:02
Step 8: Run command vpn ipsec clear sa at DUT1 and expect this output:
Show output
Deleting IPSec SAs... 100.0% Closed tunnels: 1
Step 9: Run command vpn ipsec initiate peer PEER at DUT1 and expect this output:
Show output
Initiating IPSec SAs... 0.0% Initiated tunnels: 1
Step 10: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.439 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.439/0.439/0.439/0.000 ms
Step 11: Initiate a tcp connection from DUT1 to DUT0 and try to send some messages between both endpoints
admin@DUT0$ monitor test connection server 8080 tcp vrf LAN admin@DUT1$ monitor test connection client 10.1.0.1 8080 tcp local-address 10.3.0.1
Step 12: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, f15f09f58c978371_i ac6a5dd7c103706a_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 4s ago, rekeying in 28400s peer-PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3504s, expires in 3956s in cdeea222, 920 bytes, 15 packets, 1s ago out c34cf67e, 868 bytes, 14 packets, 1s ago local 10.1.0.0/24 remote 10.3.0.0/24
Test Site-To-Site With Route Installation And Metrics
Description
In this scenario, DUT0 installs routes with
differents metrics for both IPsec peers. The point is
to check if the routes are installed correctly and most
importantly, whenever the prioritized route is down, the
backup route is used.
Scenario
Step 1: Run command protocols ip show route at DUT0 and check if output does not contain the following tokens:
K>* 10.3.0.0/24
Step 2: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces ethernet eth1 address 90.0.0.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf main set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX18g8h6ImXEsQaSmtS5EdYZEvXe3r8+bTY8= set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 2 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 route-priority 10 set vpn ipsec site-to-site peer PEER1 auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER1 connection-type respond set vpn ipsec site-to-site peer PEER1 default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER1 ike-group IKE-SA set vpn ipsec site-to-site peer PEER1 local-address 90.0.0.1 set vpn ipsec site-to-site peer PEER1 remote-address 90.0.0.3 set vpn ipsec site-to-site peer PEER1 tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER1 tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER1 tunnel 1 remote prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER1 tunnel 1 route-priority 100
Step 3: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 next-hop 80.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf main set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX19WnxXH3G5uBM9r/NLezwLQFi9hhboZ8vo= set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 4: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth1 address 90.0.0.3/24 set protocols static route 0.0.0.0/0 next-hop 90.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1/RkHCYkUhme8v8dP6B95jtHYNMfRzZTwE= set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 90.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 90.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 5: Ping IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=3.98 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 3.982/3.982/3.982/0.000 ms
Step 6: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=1.44 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 1.439/1.439/1.439/0.000 ms
Step 7: Ping IP address 90.0.0.3 from DUT2:
admin@DUT2$ ping 90.0.0.3 count 1 size 56 timeout 1Show output
PING 90.0.0.3 (90.0.0.3) 56(84) bytes of data. 64 bytes from 90.0.0.3: icmp_seq=1 ttl=64 time=0.034 ms --- 90.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.034/0.034/0.034/0.000 ms
Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER1: #2, ESTABLISHED, IKEv2, 59a8f2008667fbc7_i d2b1258d32908485_r* local '90.0.0.1' @ 90.0.0.1[500] remote '90.0.0.3' @ 90.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 24525s peer-PEER1-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3350s, expires in 3960s in c3fa9faf, 0 bytes, 0 packets out ca00c9a5, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 43622e2c09e6e75b_i 5529b7df2a59251f_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 7s ago, rekeying in 22151s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 7s ago, rekeying in 3552s, expires in 3953s in ccea5c6d, 0 bytes, 0 packets out c22aba8c, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 9: Run command protocols ip show route at DUT0 and check if output contains the following tokens:
K>* 10.3.0.0/24Show output
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:15 L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:15 K * 10.3.0.0/24 [0/100] via 90.0.0.3, eth1, weight 1, 00:00:01 K>* 10.3.0.0/24 [0/10] via 80.0.0.2, eth0, weight 1, 00:00:08 C>* 80.0.0.0/24 is directly connected, eth0, weight 1, 00:00:15 L>* 80.0.0.1/32 is directly connected, eth0, weight 1, 00:00:15 C>* 90.0.0.0/24 is directly connected, eth1, weight 1, 00:00:15 L>* 90.0.0.1/32 is directly connected, eth1, weight 1, 00:00:15
Step 10: Run command show system route ip at DUT0 and check if output contains the following tokens:
10.3.0.0/24 via 90.0.0.3 dev eth1 proto static metric 100 10.3.0.0/24 via 80.0.0.2 dev eth0 proto static metric 10Show output
10.1.0.0/24 dev dum0 proto kernel scope link src 10.1.0.1 10.3.0.0/24 via 80.0.0.2 dev eth0 proto static metric 10 10.3.0.0/24 via 90.0.0.3 dev eth1 proto static metric 100 80.0.0.0/24 dev eth0 proto kernel scope link src 80.0.0.1 90.0.0.0/24 dev eth1 proto kernel scope link src 90.0.0.1
Note
The tunnel with the lowest metric configured in the route-priority parameter should be the one used to route the traffic.
Step 11: Run command vpn ipsec clear sa at DUT1 and expect this output:
Show output
Deleting IPSec SAs... 100.0% Closed tunnels: 1
Step 12: Run command vpn ipsec initiate peer PEER at DUT1 and expect this output:
Show output
Initiating IPSec SAs... 0.0% Initiated tunnels: 1
Step 13: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.398 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.398/0.398/0.398/0.000 ms
Step 14: Initiate a tcp connection from DUT1 to DUT0 and try to send some messages between both endpoints
admin@DUT0$ monitor test connection server 8080 tcp admin@DUT1$ monitor test connection client 10.1.0.1 8080 tcp local-address 10.3.0.1
Step 15: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 0cbb57b6580d2585_i 394f52034e48c753_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 4s ago, rekeying in 15567s peer-PEER-tunnel-1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3492s, expires in 3956s in c11ca79c, 920 bytes, 15 packets, 1s ago out c7a3f1dc, 868 bytes, 14 packets, 1s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER1: #2, ESTABLISHED, IKEv2, 59a8f2008667fbc7_i d2b1258d32908485_r* local '90.0.0.1' @ 90.0.0.1[500] remote '90.0.0.3' @ 90.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 5s ago, rekeying in 24520s peer-PEER1-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3345s, expires in 3955s in c3fa9faf, 0 bytes, 0 packets out ca00c9a5, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Note
Now we will shutdown the tunnel with the lowest metric from DUT1 and check if the traffic is routed through the backup tunnel.
Step 16: Run command vpn ipsec clear sa at DUT1 and expect this output:
Show output
Deleting IPSec SAs... 100.0% Closed tunnels: 1
Step 17: Run command vpn ipsec clear sa at DUT2 and expect this output:
Show output
Deleting IPSec SAs... 100.0% Closed tunnels: 1
Step 18: Run command vpn ipsec initiate peer PEER at DUT2 and expect this output:
Show output
Initiating IPSec SAs... 0.0% Initiated tunnels: 1
Step 19: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.378 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.378/0.378/0.378/0.000 ms
Step 20: Initiate a tcp connection from DUT2 to DUT0 and try to send some messages between both endpoints
admin@DUT0$ monitor test connection server 8080 tcp admin@DUT2$ monitor test connection client 10.1.0.1 8080 tcp local-address 10.3.0.1
Step 21: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER1: #4, ESTABLISHED, IKEv2, 66395d42621cfa65_i e0d0d86aec4b2112_r* local '90.0.0.1' @ 90.0.0.1[500] remote '90.0.0.3' @ 90.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 4s ago, rekeying in 23724s peer-PEER1-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3361s, expires in 3956s in c505efcb, 920 bytes, 15 packets, 1s ago out c14611dd, 868 bytes, 14 packets, 1s ago local 10.1.0.0/24 remote 10.3.0.0/24
Step 22: Run command show system route ip at DUT0 and check if output contains the following tokens:
10.3.0.0/24 via 90.0.0.3 dev eth1 proto static metric 100Show output
10.1.0.0/24 dev dum0 proto kernel scope link src 10.1.0.1 10.3.0.0/24 via 90.0.0.3 dev eth1 proto static metric 100 80.0.0.0/24 dev eth0 proto kernel scope link src 80.0.0.1 90.0.0.0/24 dev eth1 proto kernel scope link src 90.0.0.1
Step 23: Run command show system route ip at DUT0 and check if output does not contain the following tokens:
10.3.0.0/24 via 80.0.0.2 dev eth0 proto static metric 10Show output
10.1.0.0/24 dev dum0 proto kernel scope link src 10.1.0.1 10.3.0.0/24 via 90.0.0.3 dev eth1 proto static metric 100 80.0.0.0/24 dev eth0 proto kernel scope link src 80.0.0.1 90.0.0.0/24 dev eth1 proto kernel scope link src 90.0.0.1