X509

Contents

These scenarios show how to establish a VPN IPsec site-to-site connection between two end-points using X.509 certificates.

Test Local And Remote Auth With X509 Files

Description

In this scenario, both devices use pre-installed X.509 certificate files for local and remote authentication.

Scenario

Step 1: Set the following configuration in DUT1 :

set interfaces ethernet eth0 address 8.0.0.1/24
set interfaces ethernet eth1 address 9.0.0.1/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT2 :

set interfaces dummy dum0 address 192.168.2.1/24
set interfaces ethernet eth0 address 9.0.0.2/24
set interfaces ethernet eth1 address 10.215.168.66/24
set protocols static route 0.0.0.0/0 next-hop 9.0.0.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH local ca-cert-file 'running://ca.pem'
set vpn ipsec auth-profile AUTH local ca-cert-file 'running://root.pem'
set vpn ipsec auth-profile AUTH local cert-file 'running://dut2.pem'
set vpn ipsec auth-profile AUTH local key file 'running://dut2.key'
set vpn ipsec auth-profile AUTH mirror-config false
set vpn ipsec auth-profile AUTH mode x509
set vpn ipsec auth-profile AUTH remote ca-cert-file 'running://ca.pem'
set vpn ipsec auth-profile AUTH remote ca-cert-file 'running://root.pem'
set vpn ipsec esp-group ESP-POLICY lifetime 28800
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY
set vpn ipsec site-to-site peer PEER local-address 9.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 8.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.2.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.1.0/24

Step 3: Ping IP address 9.0.0.1 from DUT2:

admin@DUT2$ ping 9.0.0.1 count 1 size 56 timeout 1

Show output

PING 9.0.0.1 (9.0.0.1) 56(84) bytes of data.
64 bytes from 9.0.0.1: icmp_seq=1 ttl=64 time=0.261 ms

--- 9.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.261/0.261/0.261/0.000 ms

Step 4: Set the following configuration in DUT0 :

set interfaces dummy dum0 address 192.168.1.1/24
set interfaces ethernet eth0 address 8.0.0.2/24
set interfaces ethernet eth1 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 8.0.0.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH local ca-cert-file 'running://ca.pem'
set vpn ipsec auth-profile AUTH local ca-cert-file 'running://root.pem'
set vpn ipsec auth-profile AUTH local cert-file 'running://dut0.pem'
set vpn ipsec auth-profile AUTH local key file 'running://dut0.key'
set vpn ipsec auth-profile AUTH mirror-config false
set vpn ipsec auth-profile AUTH mode x509
set vpn ipsec auth-profile AUTH remote ca-cert-file 'running://ca.pem'
set vpn ipsec auth-profile AUTH remote ca-cert-file 'running://root.pem'
set vpn ipsec esp-group ESP-POLICY lifetime 28800
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH
set vpn ipsec site-to-site peer PEER connection-type on-demand
set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY
set vpn ipsec site-to-site peer PEER local-address 8.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 9.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.2.0/24

Step 5: Ping IP address 8.0.0.1 from DUT0:

admin@DUT0$ ping 8.0.0.1 count 1 size 56 timeout 1

Show output

PING 8.0.0.1 (8.0.0.1) 56(84) bytes of data.
64 bytes from 8.0.0.1: icmp_seq=1 ttl=64 time=0.516 ms

--- 8.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.516/0.516/0.516/0.000 ms

Step 6: Ping IP address 192.168.2.1 from DUT0:

admin@DUT0$ ping 192.168.2.1 local-address 192.168.1.1 count 1 size 56 timeout 1

Show output

PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.482 ms

--- 192.168.2.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.482/0.482/0.482/0.000 ms

Step 7: Ping IP address 192.168.1.1 from DUT2:

admin@DUT2$ ping 192.168.1.1 local-address 192.168.2.1 count 1 size 56 timeout 1

Show output

PING 192.168.1.1 (192.168.1.1) from 192.168.2.1 : 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.448 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.448/0.448/0.448/0.000 ms

Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

vpn-peer-PEER: \#\d, ESTABLISHED, IKEv2
[1-9]\d* packets,

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 8eab1653034badfe_i* 22c9070971e45fd4_r
  local  'C=ES, O=Teldat, CN=DUT0' @ 8.0.0.2[500]
  remote 'C=ES, O=Teldat, CN=DUT2' @ 9.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 2s ago, rekeying in 24924s
  peer-PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:NULL/HMAC_SHA1_96
    installed 2s ago, rekeying in 15094s, expires in 31678s
    in  c4ad2813,    168 bytes,     2 packets,     0s ago
    out c6b36622,    168 bytes,     2 packets,     0s ago
    local  192.168.1.0/24
    remote 192.168.2.0/24

---

Test Local Auth With SCEP And Remote Auth With X509 Files

Description

In this scenario, DUT0 uses SCEP for local authentication, while the remote peer is authenticated using X.509 certificate files.

Scenario

Step 1: Set the following configuration in DUT1 :

set interfaces ethernet eth0 address 8.0.0.1/24
set interfaces ethernet eth1 address 9.0.0.1/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT2 :

set interfaces dummy dum0 address 192.168.2.1/24
set interfaces ethernet eth0 address 9.0.0.2/24
set interfaces ethernet eth1 address 10.215.168.66/24
set protocols static route 0.0.0.0/0 next-hop 9.0.0.1
set system certificate scep csr CSR cgi-path /scep
set system certificate scep csr CSR cipher aes
set system certificate scep csr CSR distinguished-names CN=DUT2
set system certificate scep csr CSR encrypted-password U2FsdGVkX19C/fNp2IgFDY6CW2GZjn8JGd+yVNRChms=
set system certificate scep csr CSR port 8080
set system certificate scep csr CSR url 'http://10.215.168.1'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH local ca-cert-file 'running://ca.pem'
set vpn ipsec auth-profile AUTH local ca-cert-file 'running://root.pem'
set vpn ipsec auth-profile AUTH local cert-file 'running://dut2.pem'
set vpn ipsec auth-profile AUTH local key file 'running://dut2.key'
set vpn ipsec auth-profile AUTH mirror-config false
set vpn ipsec auth-profile AUTH mode x509
set vpn ipsec auth-profile AUTH remote csr CSR
set vpn ipsec esp-group ESP-POLICY lifetime 28800
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY
set vpn ipsec site-to-site peer PEER local-address 9.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 8.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.2.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.1.0/24

Step 3: Ping IP address 9.0.0.1 from DUT2:

admin@DUT2$ ping 9.0.0.1 count 1 size 56 timeout 1

Show output

PING 9.0.0.1 (9.0.0.1) 56(84) bytes of data.
64 bytes from 9.0.0.1: icmp_seq=1 ttl=64 time=0.314 ms

--- 9.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.314/0.314/0.314/0.000 ms

Step 4: Run command pki scep show CSR at DUT2 and check if output matches the following regular expressions:

ca\s+Valid
usercert\s+Valid

Show output

-------------------------------------------------------------------------------------------------
Certificate  Status           Usage                   NotBefore                  NotAfter
-------------------------------------------------------------------------------------------------
ca           Valid   Encipherment & Signature  Apr 16 09:19:39 2025 GMT  Apr 11 09:19:39 2045 GMT
usercert     Valid   -                         Jun 20 12:06:18 2025 GMT  Jun 20 12:06:18 2026 GMT

Step 5: Set the following configuration in DUT0 :

set interfaces dummy dum0 address 192.168.1.1/24
set interfaces ethernet eth0 address 8.0.0.2/24
set interfaces ethernet eth1 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 8.0.0.1
set system certificate scep csr CSR cgi-path /scep
set system certificate scep csr CSR cipher aes
set system certificate scep csr CSR distinguished-names CN=DUT0
set system certificate scep csr CSR encrypted-password U2FsdGVkX1/tYQGGLPjIQUY6HHmwSM05Y/2TvI9JJnE=
set system certificate scep csr CSR port 8080
set system certificate scep csr CSR url 'http://10.215.168.1'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH local csr CSR
set vpn ipsec auth-profile AUTH mirror-config false
set vpn ipsec auth-profile AUTH mode x509
set vpn ipsec auth-profile AUTH remote ca-cert-file 'running://ca.pem'
set vpn ipsec auth-profile AUTH remote ca-cert-file 'running://root.pem'
set vpn ipsec esp-group ESP-POLICY lifetime 28800
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH
set vpn ipsec site-to-site peer PEER connection-type on-demand
set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY
set vpn ipsec site-to-site peer PEER local-address 8.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 9.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.2.0/24

Step 6: Ping IP address 8.0.0.1 from DUT0:

admin@DUT0$ ping 8.0.0.1 count 1 size 56 timeout 1

Show output

PING 8.0.0.1 (8.0.0.1) 56(84) bytes of data.
64 bytes from 8.0.0.1: icmp_seq=1 ttl=64 time=0.619 ms

--- 8.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.619/0.619/0.619/0.000 ms

Step 7: Run command pki scep show CSR at DUT0 and check if output matches the following regular expressions:

ca\s+Valid
usercert\s+Valid

Show output

-------------------------------------------------------------------------------------------------
Certificate  Status           Usage                   NotBefore                  NotAfter
-------------------------------------------------------------------------------------------------
ca           Valid   Encipherment & Signature  Apr 16 09:19:39 2025 GMT  Apr 11 09:19:39 2045 GMT
usercert     Valid   -                         Jun 20 12:06:58 2025 GMT  Jun 20 12:06:58 2026 GMT

Step 8: Ping IP address 192.168.2.1 from DUT0:

admin@DUT0$ ping 192.168.2.1 local-address 192.168.1.1 count 1 size 56 timeout 1

Show output

PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.426 ms

--- 192.168.2.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.426/0.426/0.426/0.000 ms

Step 9: Ping IP address 192.168.1.1 from DUT2:

admin@DUT2$ ping 192.168.1.1 local-address 192.168.2.1 count 1 size 56 timeout 1

Show output

PING 192.168.1.1 (192.168.1.1) from 192.168.2.1 : 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.386 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.386/0.386/0.386/0.000 ms

Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

vpn-peer-PEER: \#\d, ESTABLISHED, IKEv2
[1-9]\d* packets,

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv2, ec6a07031ed5fb80_i* 70b6ca7b4e75445b_r
  local  'CN=DUT0' @ 8.0.0.2[500]
  remote 'C=ES, O=Teldat, CN=DUT2' @ 9.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 1s ago, rekeying in 24677s
  peer-PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:NULL/HMAC_SHA1_96
    installed 1s ago, rekeying in 16651s, expires in 31679s
    in  cec4e093,    168 bytes,     2 packets,     0s ago
    out c3fc8050,    168 bytes,     2 packets,     0s ago
    local  192.168.1.0/24
    remote 192.168.2.0/24

---

Test Local Auth With X509 Files And Remote Auth With SCEP

Description

In this scenario, DUT0 uses SCEP for remote authentication, while local authentication relies on X.509 certificate files.

Scenario

Step 1: Set the following configuration in DUT1 :

set interfaces ethernet eth0 address 8.0.0.1/24
set interfaces ethernet eth1 address 9.0.0.1/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT2 :

set interfaces dummy dum0 address 192.168.2.1/24
set interfaces ethernet eth0 address 9.0.0.2/24
set interfaces ethernet eth1 address 10.215.168.66/24
set protocols static route 0.0.0.0/0 next-hop 9.0.0.1
set system certificate scep csr CSR cgi-path /scep
set system certificate scep csr CSR cipher aes
set system certificate scep csr CSR distinguished-names CN=DUT2
set system certificate scep csr CSR encrypted-password U2FsdGVkX18YHdYhUsyqzJxiR0B0jmYjmAWIwGZlhXo=
set system certificate scep csr CSR port 8080
set system certificate scep csr CSR url 'http://10.215.168.1'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH local csr CSR
set vpn ipsec auth-profile AUTH mirror-config false
set vpn ipsec auth-profile AUTH mode x509
set vpn ipsec auth-profile AUTH remote ca-cert-file 'running://ca.pem'
set vpn ipsec auth-profile AUTH remote ca-cert-file 'running://root.pem'
set vpn ipsec esp-group ESP-POLICY lifetime 28800
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY
set vpn ipsec site-to-site peer PEER local-address 9.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 8.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.2.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.1.0/24

Step 3: Ping IP address 9.0.0.1 from DUT2:

admin@DUT2$ ping 9.0.0.1 count 1 size 56 timeout 1

Show output

PING 9.0.0.1 (9.0.0.1) 56(84) bytes of data.
64 bytes from 9.0.0.1: icmp_seq=1 ttl=64 time=0.347 ms

--- 9.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.347/0.347/0.347/0.000 ms

Step 4: Run command pki scep show CSR at DUT2 and check if output matches the following regular expressions:

ca\s+Valid
usercert\s+Valid

Show output

-------------------------------------------------------------------------------------------------
Certificate  Status           Usage                   NotBefore                  NotAfter
-------------------------------------------------------------------------------------------------
ca           Valid   Encipherment & Signature  Apr 16 09:19:39 2025 GMT  Apr 11 09:19:39 2045 GMT
usercert     Valid   -                         Jun 20 12:07:46 2025 GMT  Jun 20 12:07:46 2026 GMT

Step 5: Set the following configuration in DUT0 :

set interfaces dummy dum0 address 192.168.1.1/24
set interfaces ethernet eth0 address 8.0.0.2/24
set interfaces ethernet eth1 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 8.0.0.1
set system certificate scep csr CSR cgi-path /scep
set system certificate scep csr CSR cipher aes
set system certificate scep csr CSR distinguished-names CN=DUT0
set system certificate scep csr CSR encrypted-password U2FsdGVkX18n0bU426On/1qWn5efaKyeIz/DNjctwrU=
set system certificate scep csr CSR port 8080
set system certificate scep csr CSR url 'http://10.215.168.1'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH local ca-cert-file 'running://ca.pem'
set vpn ipsec auth-profile AUTH local ca-cert-file 'running://root.pem'
set vpn ipsec auth-profile AUTH local cert-file 'running://dut0.pem'
set vpn ipsec auth-profile AUTH local key file 'running://dut0.key'
set vpn ipsec auth-profile AUTH mirror-config false
set vpn ipsec auth-profile AUTH mode x509
set vpn ipsec auth-profile AUTH remote csr CSR
set vpn ipsec esp-group ESP-POLICY lifetime 28800
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH
set vpn ipsec site-to-site peer PEER connection-type on-demand
set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY
set vpn ipsec site-to-site peer PEER local-address 8.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 9.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.2.0/24

Step 6: Ping IP address 8.0.0.1 from DUT0:

admin@DUT0$ ping 8.0.0.1 count 1 size 56 timeout 1

Show output

PING 8.0.0.1 (8.0.0.1) 56(84) bytes of data.
64 bytes from 8.0.0.1: icmp_seq=1 ttl=64 time=0.551 ms

--- 8.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.551/0.551/0.551/0.000 ms

Step 7: Run command pki scep show CSR at DUT0 and check if output matches the following regular expressions:

ca\s+Valid
usercert\s+Valid

Show output

-------------------------------------------------------------------------------------------------
Certificate  Status           Usage                   NotBefore                  NotAfter
-------------------------------------------------------------------------------------------------
ca           Valid   Encipherment & Signature  Apr 16 09:19:39 2025 GMT  Apr 11 09:19:39 2045 GMT
usercert     Valid   -                         Jun 20 12:08:27 2025 GMT  Jun 20 12:08:27 2026 GMT

Step 8: Ping IP address 192.168.2.1 from DUT0:

admin@DUT0$ ping 192.168.2.1 local-address 192.168.1.1 count 1 size 56 timeout 1

Show output

PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.504 ms

--- 192.168.2.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.504/0.504/0.504/0.000 ms

Step 9: Ping IP address 192.168.1.1 from DUT2:

admin@DUT2$ ping 192.168.1.1 local-address 192.168.2.1 count 1 size 56 timeout 1

Show output

PING 192.168.1.1 (192.168.1.1) from 192.168.2.1 : 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.460 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.460/0.460/0.460/0.000 ms

Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

vpn-peer-PEER: \#\d, ESTABLISHED, IKEv2
[1-9]\d* packets,

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 7b336fa48b558099_i* 9fa57630447dcbfc_r
  local  'C=ES, O=Teldat, CN=DUT0' @ 8.0.0.2[500]
  remote 'CN=DUT2' @ 9.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 2s ago, rekeying in 23408s
  peer-PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:NULL/HMAC_SHA1_96
    installed 2s ago, rekeying in 14520s, expires in 31678s
    in  c7f234b5,    168 bytes,     2 packets,     0s ago
    out cca43b4c,    168 bytes,     2 packets,     0s ago
    local  192.168.1.0/24
    remote 192.168.2.0/24

---

Test Local And Remote Auth With SCEP

Description

In this scenario, both devices use SCEP for local and remote authentication.

Scenario

Step 1: Set the following configuration in DUT1 :

set interfaces ethernet eth0 address 8.0.0.1/24
set interfaces ethernet eth1 address 9.0.0.1/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT2 :

set interfaces dummy dum0 address 192.168.2.1/24
set interfaces ethernet eth0 address 9.0.0.2/24
set interfaces ethernet eth1 address 10.215.168.66/24
set protocols static route 0.0.0.0/0 next-hop 9.0.0.1
set system certificate scep csr CSR cgi-path /scep
set system certificate scep csr CSR cipher aes
set system certificate scep csr CSR distinguished-names CN=DUT2
set system certificate scep csr CSR encrypted-password U2FsdGVkX19zPh1gz2CWr2w5NArPiM5VZzYDD8CInEc=
set system certificate scep csr CSR port 8080
set system certificate scep csr CSR url 'http://10.215.168.1'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH local csr CSR
set vpn ipsec auth-profile AUTH mirror-config false
set vpn ipsec auth-profile AUTH mode x509
set vpn ipsec auth-profile AUTH remote csr CSR
set vpn ipsec esp-group ESP-POLICY lifetime 28800
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY
set vpn ipsec site-to-site peer PEER local-address 9.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 8.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.2.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.1.0/24

Step 3: Ping IP address 9.0.0.1 from DUT2:

admin@DUT2$ ping 9.0.0.1 count 1 size 56 timeout 1

Show output

PING 9.0.0.1 (9.0.0.1) 56(84) bytes of data.
64 bytes from 9.0.0.1: icmp_seq=1 ttl=64 time=0.610 ms

--- 9.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.610/0.610/0.610/0.000 ms

Step 4: Run command pki scep show CSR at DUT2 and check if output matches the following regular expressions:

ca\s+Valid
usercert\s+Valid

Show output

-------------------------------------------------------------------------------------------------
Certificate  Status           Usage                   NotBefore                  NotAfter
-------------------------------------------------------------------------------------------------
ca           Valid   Encipherment & Signature  Apr 16 09:19:39 2025 GMT  Apr 11 09:19:39 2045 GMT
usercert     Valid   -                         Jun 20 12:09:16 2025 GMT  Jun 20 12:09:16 2026 GMT

Step 5: Set the following configuration in DUT0 :

set interfaces dummy dum0 address 192.168.1.1/24
set interfaces ethernet eth0 address 8.0.0.2/24
set interfaces ethernet eth1 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 8.0.0.1
set system certificate scep csr CSR cgi-path /scep
set system certificate scep csr CSR cipher aes
set system certificate scep csr CSR distinguished-names CN=DUT0
set system certificate scep csr CSR encrypted-password U2FsdGVkX1/Eny2aKSJ5eYesVLPPy9WCo6iYWAIPo98=
set system certificate scep csr CSR port 8080
set system certificate scep csr CSR url 'http://10.215.168.1'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH local csr CSR
set vpn ipsec auth-profile AUTH mirror-config false
set vpn ipsec auth-profile AUTH mode x509
set vpn ipsec auth-profile AUTH remote csr CSR
set vpn ipsec esp-group ESP-POLICY lifetime 28800
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH
set vpn ipsec site-to-site peer PEER connection-type on-demand
set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY
set vpn ipsec site-to-site peer PEER local-address 8.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 9.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.2.0/24

Step 6: Ping IP address 8.0.0.1 from DUT0:

admin@DUT0$ ping 8.0.0.1 count 1 size 56 timeout 1

Show output

PING 8.0.0.1 (8.0.0.1) 56(84) bytes of data.
64 bytes from 8.0.0.1: icmp_seq=1 ttl=64 time=0.465 ms

--- 8.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.465/0.465/0.465/0.000 ms

Step 7: Run command pki scep show CSR at DUT0 and check if output matches the following regular expressions:

ca\s+Valid
usercert\s+Valid

Show output

-------------------------------------------------------------------------------------------------
Certificate  Status           Usage                   NotBefore                  NotAfter
-------------------------------------------------------------------------------------------------
ca           Valid   Encipherment & Signature  Apr 16 09:19:39 2025 GMT  Apr 11 09:19:39 2045 GMT
usercert     Valid   -                         Jun 20 12:09:55 2025 GMT  Jun 20 12:09:55 2026 GMT

Step 8: Ping IP address 192.168.2.1 from DUT0:

admin@DUT0$ ping 192.168.2.1 local-address 192.168.1.1 count 1 size 56 timeout 1

Show output

PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.452 ms

--- 192.168.2.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.452/0.452/0.452/0.000 ms

Step 9: Ping IP address 192.168.1.1 from DUT2:

admin@DUT2$ ping 192.168.1.1 local-address 192.168.2.1 count 1 size 56 timeout 1

Show output

PING 192.168.1.1 (192.168.1.1) from 192.168.2.1 : 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.450 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.450/0.450/0.450/0.000 ms

Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

vpn-peer-PEER: \#\d, ESTABLISHED, IKEv2
[1-9]\d* packets,

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 6ab71c6e8ab56562_i* 5788fc7bc09890b8_r
  local  'CN=DUT0' @ 8.0.0.2[500]
  remote 'CN=DUT2' @ 9.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 2s ago, rekeying in 20639s
  peer-PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:NULL/HMAC_SHA1_96
    installed 2s ago, rekeying in 25703s, expires in 31678s
    in  c57fde26,    168 bytes,     2 packets,     0s ago
    out c5cf0f64,    168 bytes,     2 packets,     0s ago
    local  192.168.1.0/24
    remote 192.168.2.0/24

---