Ppk
This set of tests shows how to configure and connect more than two subnets with each other through a VPN tunnel using PPK authentication in different ways.
Test PPK Options
Description
In this test, we will check the different options for PPK authentication (i.e., when it is required or not, when it remains unmatched, etc.).
Scenario
Note
Set default configuration for both DUTs, where PPK is not required and the PPK is the same.
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt' set vpn ipsec auth-profile AUTH-SA local id CN=moon.teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth eap carol encrypted-secret U2FsdGVkX1+3JvF+CXLG4OcxZPXWxgIF2y00T1lDqEk= set vpn ipsec auth-profile AUTH-SA remote auth eap carol type ttls set vpn ipsec auth-profile AUTH-SA remote auth eap dave encrypted-secret U2FsdGVkX182vD2GkVbVTy1zgQJWNSxzHOezn5MZbrA= set vpn ipsec auth-profile AUTH-SA remote auth eap dave type ttls set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth eap carol encrypted-secret U2FsdGVkX1/mstVn+vo4PEa/bik67feLKoQh4Rdud1g= set vpn ipsec auth-profile AUTH-SA local auth eap carol type ttls set vpn ipsec auth-profile AUTH-SA local id carol set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.027 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.027/0.027/0.027/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.028 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.028/0.028/0.028/0.000 ms
Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 1eba1af96e73f6c8_i dd5197b66f1f58b9_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 0s ago, rekeying in 19274s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3418s, expires in 3960s in c53aa8d8, 0 bytes, 0 packets out c852178b, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 6: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.282 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.282/0.282/0.282/0.000 ms
Step 7: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.261 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.261/0.261/0.261/0.000 ms
Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 1eba1af96e73f6c8_i dd5197b66f1f58b9_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 0s ago, rekeying in 19274s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3418s, expires in 3960s in c53aa8d8, 168 bytes, 2 packets, 0s ago out c852178b, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Note
Delete the PPK from DUT0 and check that the SA falls back to standard authentication.
Step 9: Modify the following configuration lines in DUT0 :
delete vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org
Step 10: Run command vpn ipsec clear peer PEER at DUT0 and expect this output:
Show output
[IKE] deleting IKE_SA vpn-peer-PEER[1] between 80.0.0.1[CN=moon.teldat.org]...80.0.0.2[carol] [IKE] sending DELETE for IKE_SA vpn-peer-PEER[1] [ENC] generating INFORMATIONAL request 0 [ D ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (65 bytes) [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (57 bytes) [ENC] parsed INFORMATIONAL response 0 [ ] [IKE] IKE_SA deleted terminate completed successfully [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (120 bytes) [ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID] [IKE] received EAP identity 'carol' [IKE] phase2 method EAP_MD5 selected [IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5] [ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (132 bytes) [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (132 bytes) [ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5] [IKE] EAP_TTLS phase2 authentication of 'carol' with EAP_MD5 successful [IKE] EAP method EAP_TTLS succeeded, MSK established [ENC] generating IKE_AUTH response 6 [ EAP/SUCC ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (65 bytes) [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (162 bytes) [ENC] parsed IKE_AUTH request 7 [ AUTH N(NO_PPK) N(PPK_ID) ] [CFG] no PPK for 'carol@teldat.org' found, ignored because PPK is not required [IKE] no PPK available, using NO_PPK_AUTH notify [IKE] authentication of 'carol' with EAP successful [IKE] authentication of 'CN=moon.teldat.org' (myself) with EAP [IKE] IKE_SA vpn-peer-PEER[2] established between 80.0.0.1[CN=moon.teldat.org]...80.0.0.2[carol] [IKE] scheduling rekeying in 15141s [IKE] maximum IKE_SA lifetime 18021s [CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ [IKE] CHILD_SA peer-PEER-tunnel-1{2} established with SPIs cf794c7e_i cf4e16ac_o and TS 10.1.0.0/24 === 10.2.0.0/24 initiate completed successfully
Step 11: Run command vpn ipsec clear peer PEER at DUT1 and expect this output:
Show output
[IKE] deleting IKE_SA vpn-peer-PEER[2] between 80.0.0.2[carol]...80.0.0.1[CN=moon.teldat.org] [IKE] sending DELETE for IKE_SA vpn-peer-PEER[2] [ENC] generating INFORMATIONAL request 8 [ D ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (65 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (57 bytes) [ENC] parsed INFORMATIONAL response 8 [ ] [IKE] IKE_SA deleted terminate completed successfully [IKE] initiating IKE_SA vpn-peer-PEER[3] to 80.0.0.1 [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) N(USE_PPK) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (272 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (305 bytes) [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(USE_PPK) N(CHDLESS_SUP) N(MULT_AUTH) ] [CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256 [IKE] received cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] sending cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] establishing CHILD_SA peer-PEER-tunnel-1{3} [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (247 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1252 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(1/2) ] [ENC] received fragment #1 of 2, waiting for complete IKE message [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (246 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(2/2) ] [ENC] received fragment #2 of 2, reassembled fragmented IKE message (1433 bytes) [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ] [IKE] received end entity cert "CN=moon.teldat.org" [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [IKE] authentication of 'CN=moon.teldat.org' with RSA_EMSA_PKCS1_SHA2_256 successful [IKE] server requested EAP_TTLS authentication (id 0x11) [TLS] EAP_TTLS version is v0 [ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (279 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1085 bytes) [ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] [ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (67 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (540 bytes) [ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] [TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [TLS] received TLS server certificate 'CN=moon.teldat.org' [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (229 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (122 bytes) [ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID] [ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (120 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (132 bytes) [ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] [IKE] server requested EAP_MD5 authentication (id 0x68) [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5] [ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (132 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 6 [ EAP/SUCC ] [IKE] EAP method EAP_TTLS succeeded, MSK established [IKE] authentication of 'carol' (myself) with EAP [ENC] generating IKE_AUTH request 7 [ AUTH N(NO_PPK) N(PPK_ID) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (162 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (181 bytes) [ENC] parsed IKE_AUTH response 7 [ AUTH SA TSi TSr ] [IKE] authentication of 'CN=moon.teldat.org' with EAP successful [CFG] peer didn't use PPK for PPK_ID 'carol@teldat.org' [IKE] IKE_SA vpn-peer-PEER[3] established between 80.0.0.2[carol]...80.0.0.1[CN=moon.teldat.org] [IKE] scheduling rekeying in 26634s [IKE] maximum IKE_SA lifetime 29514s [CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ [IKE] CHILD_SA peer-PEER-tunnel-1{3} established with SPIs c6ef3dc4_i c31b4664_o and TS 10.2.0.0/24 === 10.1.0.0/24 initiate completed successfully
Step 12: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, f25502db36730093_i 75be18a6bb038af5_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 22755s peer-PEER-tunnel-1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3349s, expires in 3960s in c31b4664, 0 bytes, 0 packets out c6ef3dc4, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 13: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.315 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.315/0.315/0.315/0.000 ms
Step 14: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.301 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.301/0.301/0.301/0.000 ms
Step 15: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, f25502db36730093_i 75be18a6bb038af5_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 22754s peer-PEER-tunnel-1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3348s, expires in 3959s in c31b4664, 168 bytes, 2 packets, 0s ago out c6ef3dc4, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Note
Set the PPK as required in DUT0 and, with DUT1’s corresponding PPK deleted, check that the connection fails.
Step 16: Modify the following configuration lines in DUT0 :
set vpn ipsec auth-profile AUTH-SA remote ppk required
Step 17: Run command vpn ipsec clear peer PEER at DUT0 and expect this output:
Show output
[IKE] deleting IKE_SA vpn-peer-PEER[3] between 80.0.0.1[CN=moon.teldat.org]...80.0.0.2[carol] [IKE] sending DELETE for IKE_SA vpn-peer-PEER[3] [ENC] generating INFORMATIONAL request 0 [ D ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (65 bytes) [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (57 bytes) [ENC] parsed INFORMATIONAL response 0 [ ] [IKE] IKE_SA deleted terminate completed successfully [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (162 bytes) [ENC] parsed IKE_AUTH request 7 [ AUTH N(NO_PPK) N(PPK_ID) ] [CFG] PPK required but no PPK found for 'carol@teldat.org' [ENC] generating IKE_AUTH response 7 [ N(AUTH_FAILED) ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (65 bytes) initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 18: Run command vpn ipsec clear peer PEER at DUT1 and expect this output:
Show output
terminate failed: no matching SAs to terminate found [IKE] initiating IKE_SA vpn-peer-PEER[5] to 80.0.0.1 [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) N(USE_PPK) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (272 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (305 bytes) [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(USE_PPK) N(CHDLESS_SUP) N(MULT_AUTH) ] [CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256 [IKE] received cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] sending cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] establishing CHILD_SA peer-PEER-tunnel-1{5} [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (247 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1252 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(1/2) ] [ENC] received fragment #1 of 2, waiting for complete IKE message [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (246 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(2/2) ] [ENC] received fragment #2 of 2, reassembled fragmented IKE message (1433 bytes) [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ] [IKE] received end entity cert "CN=moon.teldat.org" [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [IKE] authentication of 'CN=moon.teldat.org' with RSA_EMSA_PKCS1_SHA2_256 successful [IKE] server requested EAP_TTLS authentication (id 0xF2) [TLS] EAP_TTLS version is v0 [ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (279 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1085 bytes) [ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] [ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (67 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (540 bytes) [ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] [TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [TLS] received TLS server certificate 'CN=moon.teldat.org' [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (229 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (122 bytes) [ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID] [ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (120 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (132 bytes) [ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] [IKE] server requested EAP_MD5 authentication (id 0xF5) [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5] [ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (132 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 6 [ EAP/SUCC ] [IKE] EAP method EAP_TTLS succeeded, MSK established [IKE] authentication of 'carol' (myself) with EAP [ENC] generating IKE_AUTH request 7 [ AUTH N(NO_PPK) N(PPK_ID) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (162 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 7 [ N(AUTH_FAILED) ] [IKE] received AUTHENTICATION_FAILED notify error initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 19: Expect a failure in the following command:
Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. --- 10.2.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Note
Set the PPK as required in DUT1 and change the PPK in DUT0 back to not required. Check that the connection is still failing.
Step 20: Modify the following configuration lines in DUT0 :
delete vpn ipsec auth-profile AUTH-SA remote ppk required
Step 21: Modify the following configuration lines in DUT1 :
set vpn ipsec auth-profile AUTH-SA local ppk required
Step 22: Run command vpn ipsec clear peer PEER at DUT0 and expect this output:
Show output
terminate failed: no matching SAs to terminate found [IKE] unable to resolve %any, initiate aborted initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 23: Run command vpn ipsec clear peer PEER at DUT1 and expect this output:
Show output
terminate failed: no matching SAs to terminate found [IKE] initiating IKE_SA vpn-peer-PEER[7] to 80.0.0.1 [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) N(USE_PPK) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (272 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (305 bytes) [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(USE_PPK) N(CHDLESS_SUP) N(MULT_AUTH) ] [CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256 [IKE] received cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] sending cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] establishing CHILD_SA peer-PEER-tunnel-1{7} [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (247 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1252 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(1/2) ] [ENC] received fragment #1 of 2, waiting for complete IKE message [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (246 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(2/2) ] [ENC] received fragment #2 of 2, reassembled fragmented IKE message (1433 bytes) [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ] [IKE] received end entity cert "CN=moon.teldat.org" [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [IKE] authentication of 'CN=moon.teldat.org' with RSA_EMSA_PKCS1_SHA2_256 successful [IKE] server requested EAP_TTLS authentication (id 0x06) [TLS] EAP_TTLS version is v0 [ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (279 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1085 bytes) [ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] [ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (67 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (540 bytes) [ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] [TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [TLS] received TLS server certificate 'CN=moon.teldat.org' [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (229 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (122 bytes) [ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID] [ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (120 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (132 bytes) [ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] [IKE] server requested EAP_MD5 authentication (id 0xC2) [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5] [ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (132 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 6 [ EAP/SUCC ] [IKE] EAP method EAP_TTLS succeeded, MSK established [IKE] authentication of 'carol' (myself) with EAP [ENC] generating IKE_AUTH request 7 [ AUTH N(PPK_ID) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (122 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 7 [ N(AUTH_FAILED) ] [IKE] received AUTHENTICATION_FAILED notify error initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 24: Expect a failure in the following command:
Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. --- 10.2.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Test PPK EAP-TTLS STS
Description
Test the site-to-site VPN with PPK authentication and EAP-TTLS
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt' set vpn ipsec auth-profile AUTH-SA local id CN=moon.teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth eap carol encrypted-secret U2FsdGVkX1+itzL4ybjAyEnN+kAlll5bw1V4ZC2pvzk= set vpn ipsec auth-profile AUTH-SA remote auth eap carol type ttls set vpn ipsec auth-profile AUTH-SA remote auth eap dave encrypted-secret U2FsdGVkX1+W1ch1uvrqJ0FyKhD2pplUccdtTev6BtY= set vpn ipsec auth-profile AUTH-SA remote auth eap dave type ttls set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth eap carol encrypted-secret U2FsdGVkX1+lVjwPMdgVkpUAhqg8y+GKJjhZp9/wYyM= set vpn ipsec auth-profile AUTH-SA local auth eap carol type ttls set vpn ipsec auth-profile AUTH-SA local id carol set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.039 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.039/0.039/0.039/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.035 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.035/0.035/0.035/0.000 ms
Step 5: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth eap dave encrypted-secret U2FsdGVkX18Orjgjy1GG38PEeTOQSjfUkj39iDbnd1o= set vpn ipsec auth-profile AUTH-SA local auth eap dave type ttls set vpn ipsec auth-profile AUTH-SA local id dave set vpn ipsec auth-profile AUTH-SA local ppk id dave@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 6: Ping IP address 80.0.0.3 from DUT2:
admin@DUT2$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.025 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.025/0.025/0.025/0.000 ms
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, c3c0766fb606ce7e_i b3dc86710414051c_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 0s ago, rekeying in 20674s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3245s, expires in 3960s in c7dda417, 0 bytes, 0 packets out cff3e068, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 255e31b7fe227031_i cd1ef81901c44503_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 19834s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3307s, expires in 3956s in cdb2299d, 0 bytes, 0 packets out cd652147, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 8: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.307 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.307/0.307/0.307/0.000 ms
Step 9: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.286 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.286/0.286/0.286/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, c3c0766fb606ce7e_i b3dc86710414051c_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 20670s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3241s, expires in 3956s in c7dda417, 0 bytes, 0 packets out cff3e068, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 255e31b7fe227031_i cd1ef81901c44503_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 8s ago, rekeying in 19830s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3303s, expires in 3952s in cdb2299d, 168 bytes, 2 packets, 0s ago out cd652147, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 11: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, c3c0766fb606ce7e_i b3dc86710414051c_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 20670s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3241s, expires in 3956s in c7dda417, 0 bytes, 0 packets out cff3e068, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 255e31b7fe227031_i cd1ef81901c44503_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 8s ago, rekeying in 19830s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3303s, expires in 3952s in cdb2299d, 168 bytes, 2 packets, 0s ago out cd652147, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 12: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.286 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.286/0.286/0.286/0.000 ms
Step 13: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.349 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.349/0.349/0.349/0.000 ms
Step 14: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, c3c0766fb606ce7e_i b3dc86710414051c_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 20669s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3240s, expires in 3955s in c7dda417, 168 bytes, 2 packets, 0s ago out cff3e068, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 255e31b7fe227031_i cd1ef81901c44503_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 19829s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3302s, expires in 3951s in cdb2299d, 168 bytes, 2 packets, 1s ago out cd652147, 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test PPK PSK STS
Description
Test the site-to-site VPN with PPK authentication and PSK
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1+e7McmiDX+6XS7k2hFUEvGmAShqZ+BmFE= set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX1/m/5MwdTWURV7rHa8TLVYieRNxwqPW6+c= set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1/eS7QOvKtZFbz9FPyd0LIQqLjc3sZIjuA= set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX1/2DFaF7v31EtePHOE7chIwPeqICBYRrZE= set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.025 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.025/0.025/0.025/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.029 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.029/0.029/0.029/0.000 ms
Step 5: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX18LXIxsyhWpRWsR8iCNyrZ4ghdEtOvgfTA= set vpn ipsec auth-profile AUTH-SA local ppk id dave@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX18Z65tBKupVRUQCeCq2U7sPOi/vMaeatHk= set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 6: Ping IP address 80.0.0.3 from DUT2:
admin@DUT2$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.027 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.027/0.027/0.027/0.000 ms
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, b5fe99a7af35790c_i 369a93d6d1ccc166_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.3' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 0s ago, rekeying in 23787s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3456s, expires in 3960s in c684d60a, 0 bytes, 0 packets out ceef41a6, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, adefad7781aa39f9_i 18089c7a8fe3219b_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 27356s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3252s, expires in 3956s in ca3e9c43, 0 bytes, 0 packets out c51ec29c, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 8: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.270 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.270/0.270/0.270/0.000 ms
Step 9: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.278 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.278/0.278/0.278/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, b5fe99a7af35790c_i 369a93d6d1ccc166_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.3' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 23782s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3451s, expires in 3955s in c684d60a, 0 bytes, 0 packets out ceef41a6, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, adefad7781aa39f9_i 18089c7a8fe3219b_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 27351s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3247s, expires in 3951s in ca3e9c43, 168 bytes, 2 packets, 1s ago out c51ec29c, 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 11: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, b5fe99a7af35790c_i 369a93d6d1ccc166_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.3' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 23782s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3451s, expires in 3955s in c684d60a, 0 bytes, 0 packets out ceef41a6, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, adefad7781aa39f9_i 18089c7a8fe3219b_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 27351s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3247s, expires in 3951s in ca3e9c43, 168 bytes, 2 packets, 1s ago out c51ec29c, 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 12: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.252 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.252/0.252/0.252/0.000 ms
Step 13: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.239 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.239/0.239/0.239/0.000 ms
Step 14: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, b5fe99a7af35790c_i 369a93d6d1ccc166_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.3' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 23782s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3451s, expires in 3955s in c684d60a, 168 bytes, 2 packets, 0s ago out ceef41a6, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, adefad7781aa39f9_i 18089c7a8fe3219b_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 27351s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3247s, expires in 3951s in ca3e9c43, 168 bytes, 2 packets, 1s ago out c51ec29c, 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test PPK RSA STS
Description
Test the site-to-site VPN with PPK authentication and RSA
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt' set vpn ipsec auth-profile AUTH-SA local id CN=moon.teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://client.crt' set vpn ipsec auth-profile AUTH-SA local id CN=carol@teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://client.priv.pem' set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.025 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.025/0.025/0.025/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.027 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.027/0.027/0.027/0.000 ms
Step 5: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://client.crt' set vpn ipsec auth-profile AUTH-SA local id CN=dave@teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://client.priv.pem' set vpn ipsec auth-profile AUTH-SA local ppk id dave@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 6: Ping IP address 80.0.0.3 from DUT2:
admin@DUT2$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.035 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.035/0.035/0.035/0.000 ms
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 23f5a8cb048c6e7e_i 67040aa9bb0455f5_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 0s ago, rekeying in 28524s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3457s, expires in 3960s in cb388228, 0 bytes, 0 packets out c88358cd, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, a6cae0ab58094b5b_i d228dedbc259abff_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 25612s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3407s, expires in 3956s in cf1f4c99, 0 bytes, 0 packets out c4404ea6, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 8: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.270 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.270/0.270/0.270/0.000 ms
Step 9: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.252 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.252/0.252/0.252/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 23f5a8cb048c6e7e_i 67040aa9bb0455f5_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 28520s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3453s, expires in 3956s in cb388228, 0 bytes, 0 packets out c88358cd, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, a6cae0ab58094b5b_i d228dedbc259abff_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 8s ago, rekeying in 25608s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3403s, expires in 3952s in cf1f4c99, 168 bytes, 2 packets, 0s ago out c4404ea6, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 11: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 23f5a8cb048c6e7e_i 67040aa9bb0455f5_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 28519s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3452s, expires in 3955s in cb388228, 0 bytes, 0 packets out c88358cd, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, a6cae0ab58094b5b_i d228dedbc259abff_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 25607s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3402s, expires in 3951s in cf1f4c99, 168 bytes, 2 packets, 1s ago out c4404ea6, 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 12: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.277 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.277/0.277/0.277/0.000 ms
Step 13: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.301 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.301/0.301/0.301/0.000 ms
Step 14: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 23f5a8cb048c6e7e_i 67040aa9bb0455f5_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 28519s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3452s, expires in 3955s in cb388228, 168 bytes, 2 packets, 0s ago out c88358cd, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, a6cae0ab58094b5b_i d228dedbc259abff_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 25607s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3402s, expires in 3951s in cf1f4c99, 168 bytes, 2 packets, 1s ago out c4404ea6, 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test PPK PSK DMVPN
Description
Test the DMVPN scenario with PPK authentication and PSK
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 80.0.0.2/24 set interfaces tunnel tun0 address 10.0.0.2/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 local-address 80.0.0.2 set interfaces tunnel tun0 local-interface eth0 set interfaces tunnel tun0 mtu 1390 set interfaces tunnel tun0 nhrp holdtime 600 set interfaces tunnel tun0 nhrp ipsec IPSEC set interfaces tunnel tun0 nhrp nhs 10.0.0.1 nbma 80.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX18O67loKTZSjD9W+12Fh+l1yDFEwTlCWG8= set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX1+KFb1L77dyfYTsQSe8HQP0Z12RAeAomfw= set vpn ipsec dmvpn-profile IPSEC auth-profile AUTH-SA set vpn ipsec dmvpn-profile IPSEC esp-group ESP-GROUP set vpn ipsec dmvpn-profile IPSEC ike-group IKE-GROUP set vpn ipsec esp-group ESP-GROUP lifetime 28800 set vpn ipsec esp-group ESP-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec esp-group ESP-GROUP proposal 10 hash sha256 set vpn ipsec esp-group ESP-GROUP proposal 10 pfs dh-group19 set vpn ipsec ike-group IKE-GROUP key-exchange ikev2 set vpn ipsec ike-group IKE-GROUP lifetime 86400 set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group 19 set vpn ipsec ike-group IKE-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec ike-group IKE-GROUP proposal 10 hash sha256 set vpn ipsec logging log-types any log-level 1
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces tunnel tun0 address 10.0.0.1/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 local-address 80.0.0.1 set interfaces tunnel tun0 local-interface eth0 set interfaces tunnel tun0 mtu 1390 set interfaces tunnel tun0 nhrp holdtime 60 set interfaces tunnel tun0 nhrp ipsec IPSEC set interfaces tunnel tun0 nhrp transport-nat-support set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1+f9FrRFX8cxbI2FxFZIdwMG44oLHM6eq4= set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX1+9na9lRRwd/ADQ7rnDGaigZxHbSeid4+E= set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec dmvpn-profile IPSEC auth-profile AUTH-SA set vpn ipsec dmvpn-profile IPSEC esp-group ESP-GROUP set vpn ipsec dmvpn-profile IPSEC ike-group IKE-GROUP set vpn ipsec esp-group ESP-GROUP lifetime 28800 set vpn ipsec esp-group ESP-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec esp-group ESP-GROUP proposal 10 hash sha256 set vpn ipsec esp-group ESP-GROUP proposal 10 pfs dh-group19 set vpn ipsec ike-group IKE-GROUP key-exchange ikev2 set vpn ipsec ike-group IKE-GROUP lifetime 86400 set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group 19 set vpn ipsec ike-group IKE-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec ike-group IKE-GROUP proposal 10 hash sha256 set vpn ipsec logging log-types any log-level 1
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.027 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.027/0.027/0.027/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.036 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.036/0.036/0.036/0.000 ms
Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+80.0.0.*Show output
IPSEC: #1, ESTABLISHED, IKEv2, c473ee4a462491b2_i ba350b12e5c3c600_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 2s ago, rekeying in 50047s IPSEC: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 2s ago, rekeying in 17446s, expires in 31678s in ca622a17, 232 bytes, 2 packets, 1s ago out cba05321, 136 bytes, 1 packets, 1s ago local 80.0.0.1/32[gre] remote 80.0.0.2/32[gre]
Step 6: Ping IP address 10.0.0.2 from DUT0:
admin@DUT0$ ping 10.0.0.2 local-address 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 : 56(84) bytes of data. 64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.308 ms --- 10.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.308/0.308/0.308/0.000 ms
Step 7: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 local-address 10.0.0.2 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) from 10.0.0.2 : 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.353 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.353/0.353/0.353/0.000 ms
Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+80.0.0.*Show output
IPSEC: #1, ESTABLISHED, IKEv2, c473ee4a462491b2_i ba350b12e5c3c600_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 2s ago, rekeying in 50047s IPSEC: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 2s ago, rekeying in 17446s, expires in 31678s in ca622a17, 448 bytes, 4 packets, 0s ago out cba05321, 352 bytes, 3 packets, 0s ago local 80.0.0.1/32[gre] remote 80.0.0.2/32[gre]