Xfrm-Interface

Test suite to check IPsec with xfrm interface

Test IPsec With Multipath XFRM Interfaces

Description

DUT0 and DUT1 are connected to each other through multiple IPsec tunnels with same local and remote prefixes.

In this test case, we will check the IPsec tunnels are installing the multipath routes correctly and the traffic is being balanced between the two tunnels.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces dummy dum0 address 10.1.0.1/24
set interfaces ethernet eth0 address 80.0.0.1/24
set interfaces ethernet eth1 address 90.0.0.1/24
set interfaces xfrm xfrm80 mtu 1400
set interfaces xfrm xfrm90 mtu 1400
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set traffic policy POL rule 1 selector SEL
set traffic policy POL rule 2 action drop
set traffic selector SEL rule 1 protocol esp
set traffic selector SEL rule 2 protocol icmp
set traffic selector SEL rule 3 protocol udp
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1+i476iFrD3M7RHIeDc4fZZ94sMDVNuRvw=
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER80 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER80 connection-type respond
set vpn ipsec site-to-site peer PEER80 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER80 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER80 local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER80 remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER80 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 xfrm-interface-out xfrm80
set vpn ipsec site-to-site peer PEER90 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER90 connection-type respond
set vpn ipsec site-to-site peer PEER90 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER90 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER90 local-address 90.0.0.1
set vpn ipsec site-to-site peer PEER90 remote-address 90.0.0.2
set vpn ipsec site-to-site peer PEER90 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER90 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 xfrm-interface-out xfrm90

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set interfaces ethernet eth1 address 90.0.0.2/24
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1+mTa1roU6HeXFIgh+c1TlVo2JCRW+IQG8=
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER80 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER80 connection-type initiate
set vpn ipsec site-to-site peer PEER80 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER80 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER80 local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER80 remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER80 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER90 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER90 connection-type initiate
set vpn ipsec site-to-site peer PEER90 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER90 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER90 local-address 90.0.0.2
set vpn ipsec site-to-site peer PEER90 remote-address 90.0.0.1
set vpn ipsec site-to-site peer PEER90 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 remote prefix 10.1.0.0/24

In order to test the multipath routes that the traffic is being balanced between the two tunnels,
we will use ssh connections to verify that it can reach another host through either of the tunnels.

Warning

The traffic steering is not done in the both sides yet, so from responder side we will force the traffic to go through one of the tunnels by adding drop policy to the xfrm interface of the other tunnel, and also in the initiator DUT we will set the default route to the negotiated tunnel instead.

Step 3: Modify the following configuration lines in DUT0 :

set interfaces xfrm xfrm90 traffic policy in POL

Step 4: Modify the following configuration lines in DUT1 :

set vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes main

Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 6: Run command vpn ipsec clear peer PEER80 at DUT1 and expect this output:

Show output

[IKE] deleting IKE_SA vpn-peer-PEER80[4] between 80.0.0.2[80.0.0.2]...80.0.0.1[80.0.0.1]
[IKE] sending DELETE for IKE_SA vpn-peer-PEER80[4]
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (65 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (57 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
[IKE] initiating IKE_SA vpn-peer-PEER80[6] to 80.0.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (264 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (272 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '80.0.0.2' (myself) with pre-shared key
[IKE] establishing CHILD_SA peer-PEER80-tunnel-1{6}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (217 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (193 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of '80.0.0.1' with pre-shared key successful
[IKE] IKE_SA vpn-peer-PEER80[6] established between 80.0.0.2[80.0.0.2]...80.0.0.1[80.0.0.1]
[IKE] scheduling rekeying in 26048s
[IKE] maximum IKE_SA lifetime 28928s
[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
[IKE] CHILD_SA peer-PEER80-tunnel-1{6} established with SPIs c2b141d2_i c28eb279_o and TS 10.2.0.0/24 === 10.1.0.0/24
initiate completed successfully

Step 7: Run command protocols ip show route at DUT0 and check if output matches the following regular expressions:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+

Show output

Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:07
L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:07
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm90, weight 1, 00:00:01
  *                   is directly connected, xfrm80, weight 1, 00:00:01
C>* 80.0.0.0/24 is directly connected, eth0, weight 1, 00:00:07
L>* 80.0.0.1/32 is directly connected, eth0, weight 1, 00:00:07
C>* 90.0.0.0/24 is directly connected, eth1, weight 1, 00:00:07
L>* 90.0.0.1/32 is directly connected, eth1, weight 1, 00:00:07

Note

We have installed a multipath route in the kernel and we also have a drop policy in one of the xfrm interfaces, so the below ssh connection only works when kernel decides to establish the connection through the tunnel that is not dropped by the traffic policy.

Step 8: Init an SSH connection from DUT0 to IP address 10.2.0.1 with the user admin:

admin@DUT0$ ssh admin@10.2.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.1

Show output

Warning: Permanently added '10.2.0.1' (ECDSA) to the list of known hosts.
admin@10.2.0.1's password:
Welcome to Teldat OSDx v4.2.5.0

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Tue May 13 14:09:28 2025
admin@osdx$

Step 9: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

vpn-peer-PEER80:\s*#\d+,\s*ESTABLISHED.*(?=\n\s*local\s*'80\.0\.0\.1')
\s*in\s*\w+\s*\(-\|0x00000051\),\s*\d+\s*bytes,\s*\d+\s*packets.*(?=\n\s*out\s*\w+\s*\(-|0x00000051\),\s*\d+\s*bytes,\s*\d+\s*packets)

Show output

vpn-peer-PEER80: #6, ESTABLISHED, IKEv2, eb15ea2d306f3780_i dd8d6f0ec4454632_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 21s ago, rekeying in 17104s
  peer-PEER80-tunnel-1: #6, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 21s ago, rekeying in 3299s, expires in 3939s
    in  c28eb279 (-|0x00000051),   4972 bytes,    23 packets,     0s ago
    out c2b141d2 (-|0x00000051),   5136 bytes,    26 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER90: #5, ESTABLISHED, IKEv2, 898b1dcb8a4f546a_i 71212b54f66228f1_r*
  local  '90.0.0.1' @ 90.0.0.1[500]
  remote '90.0.0.2' @ 90.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 21s ago, rekeying in 17615s
  peer-PEER90-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 21s ago, rekeying in 3295s, expires in 3939s
    in  cec201ac (-|0x0000005b),      0 bytes,     0 packets
    out cef6e0cc (-|0x0000005b),    360 bytes,     6 packets,     7s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

Note

Same as above, but now we will check the other tunnel.

Step 10: Modify the following configuration lines in DUT0 :

delete interfaces xfrm xfrm90 traffic
set interfaces xfrm xfrm80 traffic policy in POL

Step 11: Modify the following configuration lines in DUT1 :

delete vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes
set vpn ipsec site-to-site peer PEER90 tunnel 1 install-routes main

Step 12: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 13: Run command vpn ipsec clear peer PEER90 at DUT1 and expect this output:

Show output

[IKE] deleting IKE_SA vpn-peer-PEER90[9] between 90.0.0.2[90.0.0.2]...90.0.0.1[90.0.0.1]
[IKE] sending DELETE for IKE_SA vpn-peer-PEER90[9]
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (65 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (57 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
[IKE] initiating IKE_SA vpn-peer-PEER90[11] to 90.0.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (264 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (272 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '90.0.0.2' (myself) with pre-shared key
[IKE] establishing CHILD_SA peer-PEER90-tunnel-1{11}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (217 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (193 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of '90.0.0.1' with pre-shared key successful
[IKE] IKE_SA vpn-peer-PEER90[11] established between 90.0.0.2[90.0.0.2]...90.0.0.1[90.0.0.1]
[IKE] scheduling rekeying in 14834s
[IKE] maximum IKE_SA lifetime 17714s
[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
[IKE] CHILD_SA peer-PEER90-tunnel-1{11} established with SPIs c153bd7c_i cbfc0675_o and TS 10.2.0.0/24 === 10.1.0.0/24
initiate completed successfully

Step 14: Run command protocols ip show route at DUT0 and check if output matches the following regular expressions:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+

Show output

Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:29
L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:29
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm90, weight 1, 00:00:00
  *                   is directly connected, xfrm80, weight 1, 00:00:00
C>* 80.0.0.0/24 is directly connected, eth0, weight 1, 00:00:29
L>* 80.0.0.1/32 is directly connected, eth0, weight 1, 00:00:29
C>* 90.0.0.0/24 is directly connected, eth1, weight 1, 00:00:29
L>* 90.0.0.1/32 is directly connected, eth1, weight 1, 00:00:29

Step 15: Init an SSH connection from DUT0 to IP address 10.2.0.1 with the user admin:

admin@DUT0$ ssh admin@10.2.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.1

Show output

Warning: Permanently added '10.2.0.1' (ECDSA) to the list of known hosts.
admin@10.2.0.1's password:
Welcome to Teldat OSDx v4.2.5.0

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Tue May 13 14:16:45 2025 from 10.1.0.1
admin@osdx$

Step 16: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

vpn-peer-PEER90:\s*#\d+,\s*ESTABLISHED.*(?=\n\s*local\s*'90\.0\.0\.1')
\s*in\s*\w+\s*\(-\|0x0000005b\),\s*\d+\s*bytes,\s*\d+\s*packets.*(?=\n\s*out\s*\w+\s*\(-|0x0000005b\),\s*\d+\s*bytes,\s*\d+\s*packets)

Show output

vpn-peer-PEER90: #11, ESTABLISHED, IKEv2, cd511bc36f2aea0b_i 71a11c9c99fae76f_r*
  local  '90.0.0.1' @ 90.0.0.1[500]
  remote '90.0.0.2' @ 90.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 17330s
  peer-PEER90-tunnel-1: #11, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3456s, expires in 3959s
    in  cbfc0675 (-|0x0000005b),   5112 bytes,    24 packets,     0s ago
    out c153bd7c (-|0x0000005b),   5188 bytes,    27 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER80: #10, ESTABLISHED, IKEv2, bb69240f7250b598_i 244a987131ca07d3_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 15212s
  peer-PEER80-tunnel-1: #10, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3447s, expires in 3959s
    in  cb1a9eb5 (-|0x00000051),      0 bytes,     0 packets
    out cd6fe6bd (-|0x00000051),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

---

Test IPsec With Multipath XFRM Interfaces And VRFs

Description

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces dummy dum0 address 10.1.0.1/24
set interfaces dummy dum0 vrf LAN
set interfaces ethernet eth0 address 80.0.0.1/24
set interfaces ethernet eth0 vrf WAN_A
set interfaces ethernet eth1 address 90.0.0.1/24
set interfaces ethernet eth1 vrf WAN_B
set interfaces xfrm xfrm80 local-interface eth0
set interfaces xfrm xfrm80 mtu 1400
set interfaces xfrm xfrm80 vrf WAN_A
set interfaces xfrm xfrm90 local-interface eth1
set interfaces xfrm xfrm90 mtu 1400
set interfaces xfrm xfrm90 vrf WAN_B
set protocols vrf WAN_A static route 10.1.0.0/24 next-hop-vrf LAN
set protocols vrf WAN_B static route 10.1.0.0/24 next-hop-vrf LAN
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf LAN
set system vrf WAN_A
set system vrf WAN_B
set system vrf main
set traffic policy POL rule 1 selector SEL
set traffic policy POL rule 2 action drop
set traffic selector SEL rule 1 protocol esp
set traffic selector SEL rule 2 protocol icmp
set traffic selector SEL rule 3 protocol udp
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX19flBVhD8KRvbkkjNXGwi9vd1HBGa9Q35I=
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER80 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER80 connection-type respond
set vpn ipsec site-to-site peer PEER80 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER80 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER80 local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER80 remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes LAN
set vpn ipsec site-to-site peer PEER80 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 xfrm-interface-out xfrm80
set vpn ipsec site-to-site peer PEER90 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER90 connection-type respond
set vpn ipsec site-to-site peer PEER90 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER90 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER90 local-address 90.0.0.1
set vpn ipsec site-to-site peer PEER90 remote-address 90.0.0.2
set vpn ipsec site-to-site peer PEER90 tunnel 1 install-routes LAN
set vpn ipsec site-to-site peer PEER90 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 xfrm-interface-out xfrm90

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set interfaces ethernet eth1 address 90.0.0.2/24
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX19R0FulaJmNw7zYhYG6oe+JjCuJQhDaTBY=
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER80 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER80 connection-type initiate
set vpn ipsec site-to-site peer PEER80 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER80 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER80 local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER80 remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER80 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER90 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER90 connection-type initiate
set vpn ipsec site-to-site peer PEER90 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER90 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER90 local-address 90.0.0.2
set vpn ipsec site-to-site peer PEER90 remote-address 90.0.0.1
set vpn ipsec site-to-site peer PEER90 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 remote prefix 10.1.0.0/24

Same as above test case, but now we will check with the VRFs.

Step 3: Modify the following configuration lines in DUT0 :

set interfaces xfrm xfrm90 traffic policy in POL

Step 4: Modify the following configuration lines in DUT1 :

set vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes main

Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 6: Run command vpn ipsec clear peer PEER80 at DUT1 and expect this output:

Show output

[IKE] deleting IKE_SA vpn-peer-PEER80[4] between 80.0.0.2[80.0.0.2]...80.0.0.1[80.0.0.1]
[IKE] sending DELETE for IKE_SA vpn-peer-PEER80[4]
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (65 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (57 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
[IKE] initiating IKE_SA vpn-peer-PEER80[6] to 80.0.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (264 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (272 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '80.0.0.2' (myself) with pre-shared key
[IKE] establishing CHILD_SA peer-PEER80-tunnel-1{6}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (217 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (193 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of '80.0.0.1' with pre-shared key successful
[IKE] IKE_SA vpn-peer-PEER80[6] established between 80.0.0.2[80.0.0.2]...80.0.0.1[80.0.0.1]
[IKE] scheduling rekeying in 25228s
[IKE] maximum IKE_SA lifetime 28108s
[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
[IKE] CHILD_SA peer-PEER80-tunnel-1{6} established with SPIs c2900964_i cafb0c54_o and TS 10.2.0.0/24 === 10.1.0.0/24
initiate completed successfully

Step 7: Run command protocols vrf LAN ip show route at DUT0 and check if output matches the following regular expressions:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+

Show output

Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF LAN:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:06
C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:06
L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:06
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm90 (vrf WAN_B), weight 1, 00:00:00
  *                   is directly connected, xfrm80 (vrf WAN_A), weight 1, 00:00:00

Note

We have installed a multipath route in the kernel and we also have a drop policy in one of the xfrm interfaces, so the below ssh connection only works when kernel decides to establish the connection through the tunnel that is not dropped by the traffic policy.

Step 8: Init an SSH connection from DUT0 to IP address 10.2.0.1 with the user admin:

admin@DUT0$ ssh admin@10.2.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.1 vrf LAN

Show output

Warning: Permanently added '10.2.0.1' (ECDSA) to the list of known hosts.
admin@10.2.0.1's password:
Welcome to Teldat OSDx v4.2.5.0

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Tue May 13 14:16:47 2025 from 10.1.0.1
admin@osdx$

Step 9: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

vpn-peer-PEER80:\s*#\d+,\s*ESTABLISHED.*(?=\n\s*local\s*'80\.0\.0\.1')
\s*in\s*\w+\s*\(-\|0x00000051\),\s*\d+\s*bytes,\s*\d+\s*packets.*(?=\n\s*out\s*\w+\s*\(-|0x00000051\),\s*\d+\s*bytes,\s*\d+\s*packets)

Show output

vpn-peer-PEER80: #6, ESTABLISHED, IKEv2, 6d58a2160086d438_i cdd26c0d0735f145_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 27929s
  peer-PEER80-tunnel-1: #6, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3495s, expires in 3959s
    in  cafb0c54 (-|0x00000051),   4952 bytes,    22 packets,     0s ago
    out c2900964 (-|0x00000051),   5084 bytes,    25 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER90: #5, ESTABLISHED, IKEv2, c67895216e58a707_i cd2d8c6c7c598d3d_r*
  local  '90.0.0.1' @ 90.0.0.1[500]
  remote '90.0.0.2' @ 90.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 28024s
  peer-PEER90-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3290s, expires in 3959s
    in  c9bbb193 (-|0x0000005b),      0 bytes,     0 packets
    out cb9c59ea (-|0x0000005b),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Note

Same as above, but now we will check the other tunnel.

Step 10: Modify the following configuration lines in DUT0 :

delete interfaces xfrm xfrm90 traffic
set interfaces xfrm xfrm80 traffic policy in POL

Step 11: Modify the following configuration lines in DUT1 :

delete vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes
set vpn ipsec site-to-site peer PEER90 tunnel 1 install-routes main

Step 12: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 13: Run command vpn ipsec clear peer PEER90 at DUT1 and expect this output:

Show output

[IKE] deleting IKE_SA vpn-peer-PEER90[9] between 90.0.0.2[90.0.0.2]...90.0.0.1[90.0.0.1]
[IKE] sending DELETE for IKE_SA vpn-peer-PEER90[9]
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (65 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (57 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
[IKE] initiating IKE_SA vpn-peer-PEER90[11] to 90.0.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (264 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (272 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '90.0.0.2' (myself) with pre-shared key
[IKE] establishing CHILD_SA peer-PEER90-tunnel-1{11}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (217 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (193 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of '90.0.0.1' with pre-shared key successful
[IKE] IKE_SA vpn-peer-PEER90[11] established between 90.0.0.2[90.0.0.2]...90.0.0.1[90.0.0.1]
[IKE] scheduling rekeying in 16695s
[IKE] maximum IKE_SA lifetime 19575s
[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
[IKE] CHILD_SA peer-PEER90-tunnel-1{11} established with SPIs cf94df41_i cb21a08a_o and TS 10.2.0.0/24 === 10.1.0.0/24
initiate completed successfully

Step 14: Run command protocols vrf LAN ip show route at DUT0 and check if output matches the following regular expressions:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+

Show output

Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF LAN:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:09
C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:09
L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:09
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm90 (vrf WAN_B), weight 1, 00:00:00
  *                   is directly connected, xfrm80 (vrf WAN_A), weight 1, 00:00:00

Step 15: Init an SSH connection from DUT0 to IP address 10.2.0.1 with the user admin:

admin@DUT0$ ssh admin@10.2.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.1 vrf LAN

Show output

Warning: Permanently added '10.2.0.1' (ECDSA) to the list of known hosts.
admin@10.2.0.1's password:
Welcome to Teldat OSDx v4.2.5.0

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Tue May 13 14:17:06 2025 from 10.1.0.1
admin@osdx$

Step 16: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

vpn-peer-PEER90:\s*#\d+,\s*ESTABLISHED.*(?=\n\s*local\s*'90\.0\.0\.1')
\s*in\s*\w+\s*\(-\|0x0000005b\),\s*\d+\s*bytes,\s*\d+\s*packets.*(?=\n\s*out\s*\w+\s*\(-|0x0000005b\),\s*\d+\s*bytes,\s*\d+\s*packets)

Show output

vpn-peer-PEER90: #11, ESTABLISHED, IKEv2, afdec6ef3e82f6de_i eb1b22b916ba284b_r*
  local  '90.0.0.1' @ 90.0.0.1[500]
  remote '90.0.0.2' @ 90.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 8s ago, rekeying in 26340s
  peer-PEER90-tunnel-1: #11, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 8s ago, rekeying in 3372s, expires in 3952s
    in  cb21a08a (-|0x0000005b),   4884 bytes,    21 packets,     0s ago
    out cf94df41 (-|0x0000005b),   4980 bytes,    23 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER80: #10, ESTABLISHED, IKEv2, 4818910c43323cd8_i c576de692eb874db_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 8s ago, rekeying in 21407s
  peer-PEER80-tunnel-1: #10, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 8s ago, rekeying in 3472s, expires in 3952s
    in  cc8fa3e6 (-|0x00000051),      0 bytes,     0 packets
    out cbd63efc (-|0x00000051),    360 bytes,     6 packets,     2s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

---