Xauth

Contents

This scenario shows how to configure and connect two subnets with each other through a VPN tunnel using different xauth methods

Test XAuth PSK Configuration

Description

VPN site-to-site configuration with XAuth-PSK for DUT0 (client) and pre shared secret for DUT1 (server), this last one delegates the authentication to a radius server.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces dummy dum0 address 10.1.0.1/24
set interfaces ethernet eth0 address 80.0.0.1/24
set interfaces ethernet eth1 address 10.215.168.2/24
set protocols static route 0.0.0.0/0 interface dum0
set protocols static route 10.215.168.0/24 next-hop 10.215.168.1
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+1i5y68e++JTxz2zDWCsYKx/nNELUeF9xd4jNT1Z5Wt9koJFo238MU8+ORXY+ZvQGOa4uscRkuhw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1/AQFcSi32eEqK8NEdyLBb52B2vj5C2v1rKijbaNzTJO+xy837PjX2dIF2dNk0FLs7rnFb990AmvA==
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX1+IjbRKqCfPCnairZT8m5evVVHBoLz+aCy05NtiVw/gDtx2HBawvm88QuwrC9ATLOmf80f5axAW9A==
set vpn ipsec auth-profile AUTH-SA remote xauth radius
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev1
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec logging log-types any log-level 1
set vpn ipsec radius authentication-list list1
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set interfaces ethernet eth1 address 10.215.168.2/24
set protocols static route 0.0.0.0/0 interface dum0
set protocols static route 10.215.168.0/24 next-hop 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1+QIvEkhsV3L7ruTWKhE2WrY+CQlfFVidL9qknI4Krz3RnWBEy1na7ZIe6qsR5yYBSAiM22Zl1jlQ==
set vpn ipsec auth-profile AUTH-SA local xauth user testing encrypted-secret U2FsdGVkX1/kLwmg06+vEqHIA8mtfrXnCTAKCjsINNI=
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX19OrKOc46Qp9Oz56c5xoVj85Tf/aLhrvze5epLptCIYP7S6m7XTUHL21IvZc/oR+4rIp1qhIKy7mw==
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev1
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24

Step 3: Ping IP address 80.0.0.2 from DUT1:

admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1

Show output

PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.033 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.033/0.033/0.033/0.000 ms

Step 4: Ping IP address 80.0.0.1 from DUT0:

admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1

Show output

PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.035 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.035/0.035/0.035/0.000 ms

Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

peer-PEER-tunnel-\d+.+INSTALLED

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv1, c0cf25745f8dfdda_i 0fd1d1a9b78c4f41_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500] XAuth: 'testing'
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 20260s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
    installed 0s ago, rekeying in 3486s, expires in 3960s
    in  c14f6ba6,      0 bytes,     0 packets
    out c9d57a32,      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 6: Ping IP address 10.2.0.1 from DUT0:

admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1

Show output

PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.315 ms

--- 10.2.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.315/0.315/0.315/0.000 ms

Step 7: Ping IP address 10.1.0.1 from DUT1:

admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1

Show output

PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.294 ms

--- 10.1.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.294/0.294/0.294/0.000 ms

Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

[1-9]\d? packets

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv1, c0cf25745f8dfdda_i 0fd1d1a9b78c4f41_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500] XAuth: 'testing'
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 20260s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
    installed 0s ago, rekeying in 3486s, expires in 3960s
    in  c14f6ba6,    168 bytes,     2 packets,     0s ago
    out c9d57a32,    168 bytes,     2 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

---

Test XAuth RSA Configuration

Description

Simple VPN site-to-site configuration with an authentication based on RSA signatures followed by extended authentication (XAUTH).

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces dummy dum0 address 10.1.0.1/24
set interfaces ethernet eth0 address 80.0.0.1/24
set interfaces ethernet eth1 address 10.215.168.2/24
set protocols static route 0.0.0.0/0 interface dum0
set protocols static route 10.215.168.0/24 next-hop 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt'
set vpn ipsec auth-profile AUTH-SA local id CN=moon.teldat.org
set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem'
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt'
set vpn ipsec auth-profile AUTH-SA remote xauth user carol encrypted-secret U2FsdGVkX19Wiw7pyjmC1r8h3T1QX0Teq3ICYJppu7Y=
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev1
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set interfaces ethernet eth1 address 10.215.168.3/24
set protocols static route 0.0.0.0/0 interface dum0
set protocols static route 10.215.168.0/24 next-hop 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA local cert-file 'running://client.crt'
set vpn ipsec auth-profile AUTH-SA local id CN=carol.teldat.org
set vpn ipsec auth-profile AUTH-SA local key file 'running://client.priv.pem'
set vpn ipsec auth-profile AUTH-SA local xauth user carol encrypted-secret U2FsdGVkX18oJoAz41duFUUgs+nElusONFHF8yfWDXc=
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt'
set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev1
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24

Step 3: Ping IP address 80.0.0.2 from DUT1:

admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1

Show output

PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.023 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.023/0.023/0.023/0.000 ms

Step 4: Ping IP address 80.0.0.1 from DUT0:

admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1

Show output

PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.024 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.024/0.024/0.024/0.000 ms

Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

peer-PEER-tunnel-\d+.+INSTALLED

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv1, 950e7c499f23f30e_i 41203254a16dfb55_r*
  local  'CN=moon.teldat.org' @ 80.0.0.1[500]
  remote 'CN=carol.teldat.org' @ 80.0.0.2[500] XAuth: 'carol'
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 23508s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
    installed 0s ago, rekeying in 3537s, expires in 3960s
    in  cef921ea,      0 bytes,     0 packets
    out cdde9e4b,      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 6: Ping IP address 10.2.0.1 from DUT0:

admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1

Show output

PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.288 ms

--- 10.2.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.288/0.288/0.288/0.000 ms

Step 7: Ping IP address 10.1.0.1 from DUT1:

admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1

Show output

PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.262 ms

--- 10.1.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.262/0.262/0.262/0.000 ms

Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

[1-9]\d? packets

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv1, 950e7c499f23f30e_i 41203254a16dfb55_r*
  local  'CN=moon.teldat.org' @ 80.0.0.1[500]
  remote 'CN=carol.teldat.org' @ 80.0.0.2[500] XAuth: 'carol'
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 23508s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
    installed 0s ago, rekeying in 3537s, expires in 3960s
    in  cef921ea,    168 bytes,     2 packets,     0s ago
    out cdde9e4b,    168 bytes,     2 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

---