Ppk
This set of tests shows how to configure and connect more than two subnets with each other through a VPN tunnel using PPK authentication in different ways.
Test PPK Options
Description
In this test, we will check the different options for PPK authentication (i.e., when it is required or not, when it remains unmatched, etc.).
Scenario
Note
Set default configuration for both DUTs, where PPK is not required and the PPK is the same.
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt' set vpn ipsec auth-profile AUTH-SA local id CN=moon.teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth eap carol encrypted-secret U2FsdGVkX1+944tD8dKEU5xK36e/cl/mX3K5QJC/z5U= set vpn ipsec auth-profile AUTH-SA remote auth eap carol type ttls set vpn ipsec auth-profile AUTH-SA remote auth eap dave encrypted-secret U2FsdGVkX1+J7eSod+FLCVfnVUcLstukfJOhN+5oJBs= set vpn ipsec auth-profile AUTH-SA remote auth eap dave type ttls set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth eap carol encrypted-secret U2FsdGVkX1/sumLb6xBwkcF5Nn4qLdeG9sJWhmuKIzs= set vpn ipsec auth-profile AUTH-SA local auth eap carol type ttls set vpn ipsec auth-profile AUTH-SA local id carol set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.027 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.027/0.027/0.027/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.026 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.026/0.026/0.026/0.000 ms
Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, a76c5e97f640d897_i 20c90a877f307d9a_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 0s ago, rekeying in 17033s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3484s, expires in 3960s in c29e59ff, 0 bytes, 0 packets out ce3ea57b, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 6: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.339 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.339/0.339/0.339/0.000 ms
Step 7: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.260 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.260/0.260/0.260/0.000 ms
Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, a76c5e97f640d897_i 20c90a877f307d9a_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 1s ago, rekeying in 17032s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3483s, expires in 3959s in c29e59ff, 168 bytes, 2 packets, 0s ago out ce3ea57b, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Note
Delete the PPK from DUT0 and check that the SA falls back to standard authentication.
Step 9: Modify the following configuration lines in DUT0 :
delete vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org
Step 10: Run command vpn ipsec clear peer PEER at DUT0 and expect this output:
Show output
[IKE] deleting IKE_SA vpn-peer-PEER[1] between 80.0.0.1[CN=moon.teldat.org]...80.0.0.2[carol] [IKE] sending DELETE for IKE_SA vpn-peer-PEER[1] [ENC] generating INFORMATIONAL request 0 [ D ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (65 bytes) [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (57 bytes) [ENC] parsed INFORMATIONAL response 0 [ ] [IKE] IKE_SA deleted terminate completed successfully [IKE] not establishing CHILD_SA peer-PEER-tunnel-1{3} due to existing duplicate {2} with SPIs cef0d324_i c7257541_o and TS 10.1.0.0/24 === 10.2.0.0/24 initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 11: Run command vpn ipsec clear peer PEER at DUT1 and expect this output:
Show output
[IKE] deleting IKE_SA vpn-peer-PEER[2] between 80.0.0.2[carol]...80.0.0.1[CN=moon.teldat.org] [IKE] sending DELETE for IKE_SA vpn-peer-PEER[2] [ENC] generating INFORMATIONAL request 8 [ D ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (65 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (57 bytes) [ENC] parsed INFORMATIONAL response 8 [ ] [IKE] IKE_SA deleted terminate completed successfully [IKE] initiating IKE_SA vpn-peer-PEER[3] to 80.0.0.1 [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) N(USE_PPK) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (272 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (305 bytes) [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(USE_PPK) N(CHDLESS_SUP) N(MULT_AUTH) ] [CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256 [IKE] received cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] sending cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] establishing CHILD_SA peer-PEER-tunnel-1{3} [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (247 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1252 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(1/2) ] [ENC] received fragment #1 of 2, waiting for complete IKE message [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (246 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(2/2) ] [ENC] received fragment #2 of 2, reassembled fragmented IKE message (1433 bytes) [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ] [IKE] received end entity cert "CN=moon.teldat.org" [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [IKE] authentication of 'CN=moon.teldat.org' with RSA_EMSA_PKCS1_SHA2_256 successful [IKE] server requested EAP_TTLS authentication (id 0x67) [TLS] EAP_TTLS version is v0 [ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (279 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1085 bytes) [ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] [ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (67 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (540 bytes) [ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] [TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [TLS] received TLS server certificate 'CN=moon.teldat.org' [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (229 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (122 bytes) [ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID] [ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (120 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (132 bytes) [ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] [IKE] server requested EAP_MD5 authentication (id 0xEF) [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5] [ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (132 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 6 [ EAP/SUCC ] [IKE] EAP method EAP_TTLS succeeded, MSK established [IKE] authentication of 'carol' (myself) with EAP [ENC] generating IKE_AUTH request 7 [ AUTH N(NO_PPK) N(PPK_ID) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (162 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (181 bytes) [ENC] parsed IKE_AUTH response 7 [ AUTH SA TSi TSr ] [IKE] authentication of 'CN=moon.teldat.org' with EAP successful [CFG] peer didn't use PPK for PPK_ID 'carol@teldat.org' [IKE] IKE_SA vpn-peer-PEER[3] established between 80.0.0.2[carol]...80.0.0.1[CN=moon.teldat.org] [IKE] scheduling rekeying in 27283s [IKE] maximum IKE_SA lifetime 30163s [CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ [IKE] CHILD_SA peer-PEER-tunnel-1{3} established with SPIs cebf1f0e_i c4d39732_o and TS 10.2.0.0/24 === 10.1.0.0/24 initiate completed successfully
Step 12: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, a61b631be51fc3af_i 54976ad4f728278e_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 20120s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3438s, expires in 3960s in c4d39732, 0 bytes, 0 packets out cebf1f0e, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 13: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.321 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.321/0.321/0.321/0.000 ms
Step 14: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.321 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.321/0.321/0.321/0.000 ms
Step 15: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, a61b631be51fc3af_i 54976ad4f728278e_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 20120s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3438s, expires in 3960s in c4d39732, 168 bytes, 2 packets, 0s ago out cebf1f0e, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Note
Set the PPK as required in DUT0 and, with DUT1’s corresponding PPK deleted, check that the connection fails.
Step 16: Modify the following configuration lines in DUT0 :
set vpn ipsec auth-profile AUTH-SA remote ppk required
Step 17: Run command vpn ipsec clear peer PEER at DUT0 and expect this output:
Show output
[IKE] deleting IKE_SA vpn-peer-PEER[3] between 80.0.0.1[CN=moon.teldat.org]...80.0.0.2[carol] [IKE] sending DELETE for IKE_SA vpn-peer-PEER[3] [ENC] generating INFORMATIONAL request 0 [ D ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (65 bytes) [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (57 bytes) [ENC] parsed INFORMATIONAL response 0 [ ] [IKE] IKE_SA deleted terminate completed successfully [IKE] unable to resolve %any, initiate aborted initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 18: Run command vpn ipsec clear peer PEER at DUT1 and expect this output:
Show output
terminate failed: no matching SAs to terminate found [IKE] initiating IKE_SA vpn-peer-PEER[5] to 80.0.0.1 [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) N(USE_PPK) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (272 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (305 bytes) [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(USE_PPK) N(CHDLESS_SUP) N(MULT_AUTH) ] [CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256 [IKE] received cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] sending cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] establishing CHILD_SA peer-PEER-tunnel-1{5} [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (247 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1252 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(1/2) ] [ENC] received fragment #1 of 2, waiting for complete IKE message [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (246 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(2/2) ] [ENC] received fragment #2 of 2, reassembled fragmented IKE message (1433 bytes) [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ] [IKE] received end entity cert "CN=moon.teldat.org" [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [IKE] authentication of 'CN=moon.teldat.org' with RSA_EMSA_PKCS1_SHA2_256 successful [IKE] server requested EAP_TTLS authentication (id 0x5D) [TLS] EAP_TTLS version is v0 [ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (279 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1085 bytes) [ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] [ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (67 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (540 bytes) [ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] [TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [TLS] received TLS server certificate 'CN=moon.teldat.org' [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (229 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (122 bytes) [ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID] [ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (120 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (132 bytes) [ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] [IKE] server requested EAP_MD5 authentication (id 0x9B) [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5] [ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (132 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 6 [ EAP/SUCC ] [IKE] EAP method EAP_TTLS succeeded, MSK established [IKE] authentication of 'carol' (myself) with EAP [ENC] generating IKE_AUTH request 7 [ AUTH N(NO_PPK) N(PPK_ID) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (162 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 7 [ N(AUTH_FAILED) ] [IKE] received AUTHENTICATION_FAILED notify error initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 19: Expect a failure in the following command:
Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. --- 10.2.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Note
Set the PPK as required in DUT1 and change the PPK in DUT0 back to not required. Check that the connection is still failing.
Step 20: Modify the following configuration lines in DUT0 :
delete vpn ipsec auth-profile AUTH-SA remote ppk required
Step 21: Modify the following configuration lines in DUT1 :
set vpn ipsec auth-profile AUTH-SA local ppk required
Step 22: Run command vpn ipsec clear peer PEER at DUT0 and expect this output:
Show output
terminate failed: no matching SAs to terminate found [IKE] unable to resolve %any, initiate aborted initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 23: Run command vpn ipsec clear peer PEER at DUT1 and expect this output:
Show output
terminate failed: no matching SAs to terminate found [IKE] initiating IKE_SA vpn-peer-PEER[7] to 80.0.0.1 [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) N(USE_PPK) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (272 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (305 bytes) [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(USE_PPK) N(CHDLESS_SUP) N(MULT_AUTH) ] [CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256 [IKE] received cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] sending cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] establishing CHILD_SA peer-PEER-tunnel-1{7} [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (247 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1252 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(1/2) ] [ENC] received fragment #1 of 2, waiting for complete IKE message [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (246 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(2/2) ] [ENC] received fragment #2 of 2, reassembled fragmented IKE message (1433 bytes) [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ] [IKE] received end entity cert "CN=moon.teldat.org" [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [IKE] authentication of 'CN=moon.teldat.org' with RSA_EMSA_PKCS1_SHA2_256 successful [IKE] server requested EAP_TTLS authentication (id 0xB9) [TLS] EAP_TTLS version is v0 [ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (279 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1085 bytes) [ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] [ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (67 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (540 bytes) [ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] [TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [TLS] received TLS server certificate 'CN=moon.teldat.org' [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (229 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (122 bytes) [ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID] [ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (120 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (132 bytes) [ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] [IKE] server requested EAP_MD5 authentication (id 0x6F) [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5] [ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (132 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 6 [ EAP/SUCC ] [IKE] EAP method EAP_TTLS succeeded, MSK established [IKE] authentication of 'carol' (myself) with EAP [ENC] generating IKE_AUTH request 7 [ AUTH N(PPK_ID) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (122 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 7 [ N(AUTH_FAILED) ] [IKE] received AUTHENTICATION_FAILED notify error initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 24: Expect a failure in the following command:
Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. --- 10.2.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Test PPK EAP-TTLS STS
Description
Test the site-to-site VPN with PPK authentication and EAP-TTLS
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt' set vpn ipsec auth-profile AUTH-SA local id CN=moon.teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth eap carol encrypted-secret U2FsdGVkX18boUWzpJC4gwsguhLZX7P+0wwOn5HhuYA= set vpn ipsec auth-profile AUTH-SA remote auth eap carol type ttls set vpn ipsec auth-profile AUTH-SA remote auth eap dave encrypted-secret U2FsdGVkX18R7ma16V+gJn19wb0mIhC7hM2/CO5MQyA= set vpn ipsec auth-profile AUTH-SA remote auth eap dave type ttls set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth eap carol encrypted-secret U2FsdGVkX19egH4gg4l4jkLq77qqjfxbC8AL5dIa4HM= set vpn ipsec auth-profile AUTH-SA local auth eap carol type ttls set vpn ipsec auth-profile AUTH-SA local id carol set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.027 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.027/0.027/0.027/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.031 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.031/0.031/0.031/0.000 ms
Step 5: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth eap dave encrypted-secret U2FsdGVkX1+kiEqRM0LYSJ5+AD+0bu9ALW52SEEjdBs= set vpn ipsec auth-profile AUTH-SA local auth eap dave type ttls set vpn ipsec auth-profile AUTH-SA local id dave set vpn ipsec auth-profile AUTH-SA local ppk id dave@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 6: Ping IP address 80.0.0.3 from DUT2:
admin@DUT2$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.028 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.028/0.028/0.028/0.000 ms
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 35db3b5500b693b1_i c34c1aad7b789921_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 0s ago, rekeying in 21259s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3524s, expires in 3960s in c54bf9c8, 0 bytes, 0 packets out c08376c0, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 0e41d7235115519f_i a0d6ca7e3e6cfe7e_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 23883s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3356s, expires in 3956s in c2ce6b78, 0 bytes, 0 packets out ceb1a432, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 8: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.282 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.282/0.282/0.282/0.000 ms
Step 9: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.289 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.289/0.289/0.289/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 35db3b5500b693b1_i c34c1aad7b789921_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 21255s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3520s, expires in 3956s in c54bf9c8, 0 bytes, 0 packets out c08376c0, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 0e41d7235115519f_i a0d6ca7e3e6cfe7e_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 8s ago, rekeying in 23879s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3352s, expires in 3952s in c2ce6b78, 168 bytes, 2 packets, 0s ago out ceb1a432, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 11: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 35db3b5500b693b1_i c34c1aad7b789921_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 21255s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3520s, expires in 3956s in c54bf9c8, 0 bytes, 0 packets out c08376c0, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 0e41d7235115519f_i a0d6ca7e3e6cfe7e_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 8s ago, rekeying in 23879s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3352s, expires in 3952s in c2ce6b78, 168 bytes, 2 packets, 0s ago out ceb1a432, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 12: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.268 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.268/0.268/0.268/0.000 ms
Step 13: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.292 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.292/0.292/0.292/0.000 ms
Step 14: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 35db3b5500b693b1_i c34c1aad7b789921_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 21254s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3519s, expires in 3955s in c54bf9c8, 168 bytes, 2 packets, 1s ago out c08376c0, 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 0e41d7235115519f_i a0d6ca7e3e6cfe7e_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 23878s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3351s, expires in 3951s in c2ce6b78, 168 bytes, 2 packets, 1s ago out ceb1a432, 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test PPK PSK STS
Description
Test the site-to-site VPN with PPK authentication and PSK
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1/U51KMwjujks7D99tWU0gTJ+P0oYq4ip4= set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX18nCrmZ74dhRFJ9ts1mNy2ZjIZov2gAM0Q= set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX193uwjQjDkw/m5U31VzOJprBCm5mV7NdiU= set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX19oFZIkj0cvvQNQzGyNACRo1Y3bx+uizJs= set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.030 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.030/0.030/0.030/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.031 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.031/0.031/0.031/0.000 ms
Step 5: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1/y4pYz8JE4qOldB0KRSO4idOD7tV4Tw3E= set vpn ipsec auth-profile AUTH-SA local ppk id dave@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX1/ImiNTM/WzBb4FcUmq7j4E3ME018wBLAE= set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 6: Ping IP address 80.0.0.3 from DUT2:
admin@DUT2$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.028 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.028/0.028/0.028/0.000 ms
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 98f41da9da218fbd_i 09ee6d4d9305bffe_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.3' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 0s ago, rekeying in 22492s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3284s, expires in 3960s in c33926fe, 0 bytes, 0 packets out c21f9ea2, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, ced7ee287f5566cf_i afa4d34696c8e017_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 15752s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3285s, expires in 3956s in cf6fd4c7, 0 bytes, 0 packets out cd70bddd, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 8: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.304 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.304/0.304/0.304/0.000 ms
Step 9: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.343 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.343/0.343/0.343/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 98f41da9da218fbd_i 09ee6d4d9305bffe_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.3' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 22487s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3279s, expires in 3955s in c33926fe, 0 bytes, 0 packets out c21f9ea2, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, ced7ee287f5566cf_i afa4d34696c8e017_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 15747s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3280s, expires in 3951s in cf6fd4c7, 168 bytes, 2 packets, 0s ago out cd70bddd, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 11: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 98f41da9da218fbd_i 09ee6d4d9305bffe_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.3' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 22487s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3279s, expires in 3955s in c33926fe, 0 bytes, 0 packets out c21f9ea2, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, ced7ee287f5566cf_i afa4d34696c8e017_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 15747s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3280s, expires in 3951s in cf6fd4c7, 168 bytes, 2 packets, 0s ago out cd70bddd, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 12: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.247 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.247/0.247/0.247/0.000 ms
Step 13: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.295 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.295/0.295/0.295/0.000 ms
Step 14: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 98f41da9da218fbd_i 09ee6d4d9305bffe_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.3' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 22487s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3279s, expires in 3955s in c33926fe, 168 bytes, 2 packets, 0s ago out c21f9ea2, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, ced7ee287f5566cf_i afa4d34696c8e017_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 15747s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3280s, expires in 3951s in cf6fd4c7, 168 bytes, 2 packets, 0s ago out cd70bddd, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test PPK RSA STS
Description
Test the site-to-site VPN with PPK authentication and RSA
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt' set vpn ipsec auth-profile AUTH-SA local id CN=moon.teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://client.crt' set vpn ipsec auth-profile AUTH-SA local id CN=carol@teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://client.priv.pem' set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.030 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.030/0.030/0.030/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.036 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.036/0.036/0.036/0.000 ms
Step 5: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://client.crt' set vpn ipsec auth-profile AUTH-SA local id CN=dave@teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://client.priv.pem' set vpn ipsec auth-profile AUTH-SA local ppk id dave@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 6: Ping IP address 80.0.0.3 from DUT2:
admin@DUT2$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.036 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.036/0.036/0.036/0.000 ms
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 19a4018c51b19f4d_i 6cdaba9b01ab817a_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 0s ago, rekeying in 25137s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3344s, expires in 3960s in c6a9a15d, 0 bytes, 0 packets out cb014bd3, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 8da06e6246722450_i 5eef68d2736c45d0_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 23512s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3295s, expires in 3956s in c8b34fb6, 0 bytes, 0 packets out c567d155, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 8: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.401 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.401/0.401/0.401/0.000 ms
Step 9: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.286 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.286/0.286/0.286/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 19a4018c51b19f4d_i 6cdaba9b01ab817a_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 25132s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3339s, expires in 3955s in c6a9a15d, 0 bytes, 0 packets out cb014bd3, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 8da06e6246722450_i 5eef68d2736c45d0_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 23507s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3290s, expires in 3951s in c8b34fb6, 168 bytes, 2 packets, 0s ago out c567d155, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 11: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 19a4018c51b19f4d_i 6cdaba9b01ab817a_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 25132s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3339s, expires in 3955s in c6a9a15d, 0 bytes, 0 packets out cb014bd3, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 8da06e6246722450_i 5eef68d2736c45d0_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 23507s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3290s, expires in 3951s in c8b34fb6, 168 bytes, 2 packets, 0s ago out c567d155, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 12: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.338 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.338/0.338/0.338/0.000 ms
Step 13: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.289 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.289/0.289/0.289/0.000 ms
Step 14: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 19a4018c51b19f4d_i 6cdaba9b01ab817a_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 25132s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3339s, expires in 3955s in c6a9a15d, 168 bytes, 2 packets, 1s ago out cb014bd3, 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 8da06e6246722450_i 5eef68d2736c45d0_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 23507s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3290s, expires in 3951s in c8b34fb6, 168 bytes, 2 packets, 0s ago out c567d155, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test PPK PSK DMVPN
Description
Test the DMVPN scenario with PPK authentication and PSK
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 80.0.0.2/24 set interfaces tunnel tun0 address 10.0.0.2/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 local-address 80.0.0.2 set interfaces tunnel tun0 local-interface eth0 set interfaces tunnel tun0 mtu 1390 set interfaces tunnel tun0 nhrp holdtime 600 set interfaces tunnel tun0 nhrp ipsec IPSEC set interfaces tunnel tun0 nhrp nhs 10.0.0.1 nbma 80.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX18nwddsivSS+AhzdUJSnEmgbU0qYBCzcgc= set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX19TydsuXgeE/lVBR/DeSJD97WXi00Z4tEA= set vpn ipsec dmvpn-profile IPSEC auth-profile AUTH-SA set vpn ipsec dmvpn-profile IPSEC esp-group ESP-GROUP set vpn ipsec dmvpn-profile IPSEC ike-group IKE-GROUP set vpn ipsec esp-group ESP-GROUP lifetime 28800 set vpn ipsec esp-group ESP-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec esp-group ESP-GROUP proposal 10 hash sha256 set vpn ipsec esp-group ESP-GROUP proposal 10 pfs dh-group19 set vpn ipsec ike-group IKE-GROUP key-exchange ikev2 set vpn ipsec ike-group IKE-GROUP lifetime 86400 set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group 19 set vpn ipsec ike-group IKE-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec ike-group IKE-GROUP proposal 10 hash sha256 set vpn ipsec logging log-types any log-level 1
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces tunnel tun0 address 10.0.0.1/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 local-address 80.0.0.1 set interfaces tunnel tun0 local-interface eth0 set interfaces tunnel tun0 mtu 1390 set interfaces tunnel tun0 nhrp holdtime 60 set interfaces tunnel tun0 nhrp ipsec IPSEC set interfaces tunnel tun0 nhrp transport-nat-support set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1/0qkePo0/Afk+r7eqyN2OvdcCqxHYnOWE= set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX18+xcfO0+ZaRlunFjCEItIC4p3fGVLNTb4= set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec dmvpn-profile IPSEC auth-profile AUTH-SA set vpn ipsec dmvpn-profile IPSEC esp-group ESP-GROUP set vpn ipsec dmvpn-profile IPSEC ike-group IKE-GROUP set vpn ipsec esp-group ESP-GROUP lifetime 28800 set vpn ipsec esp-group ESP-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec esp-group ESP-GROUP proposal 10 hash sha256 set vpn ipsec esp-group ESP-GROUP proposal 10 pfs dh-group19 set vpn ipsec ike-group IKE-GROUP key-exchange ikev2 set vpn ipsec ike-group IKE-GROUP lifetime 86400 set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group 19 set vpn ipsec ike-group IKE-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec ike-group IKE-GROUP proposal 10 hash sha256 set vpn ipsec logging log-types any log-level 1
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.034 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.034/0.034/0.034/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.038 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.038/0.038/0.038/0.000 ms
Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+80.0.0.*Show output
IPSEC: #1, ESTABLISHED, IKEv2, 5881285006077e1a_i ddfe0e80f575a689_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 2s ago, rekeying in 58239s IPSEC: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 2s ago, rekeying in 14412s, expires in 31678s in c74edec5, 232 bytes, 2 packets, 1s ago out ccfdfa5d, 136 bytes, 1 packets, 1s ago local 80.0.0.1/32[gre] remote 80.0.0.2/32[gre]
Step 6: Ping IP address 10.0.0.2 from DUT0:
admin@DUT0$ ping 10.0.0.2 local-address 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 : 56(84) bytes of data. 64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.350 ms --- 10.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.350/0.350/0.350/0.000 ms
Step 7: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 local-address 10.0.0.2 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) from 10.0.0.2 : 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.386 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.386/0.386/0.386/0.000 ms
Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+80.0.0.*Show output
IPSEC: #1, ESTABLISHED, IKEv2, 5881285006077e1a_i ddfe0e80f575a689_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 3s ago, rekeying in 58238s IPSEC: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 3s ago, rekeying in 14411s, expires in 31677s in c74edec5, 448 bytes, 4 packets, 0s ago out ccfdfa5d, 352 bytes, 3 packets, 0s ago local 80.0.0.1/32[gre] remote 80.0.0.2/32[gre]