Xfrm-Interface

Test suite to check IPsec with xfrm interface

Test IPsec With Multipath XFRM Interfaces

Description

DUT0 and DUT1 are connected to each other through multiple IPsec tunnels with same local and remote prefixes.

In this test case, we will check the IPsec tunnels are installing the multipath routes correctly and the traffic is being balanced between the two tunnels.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces dummy dum0 address 10.1.0.1/24
set interfaces ethernet eth0 address 80.0.0.1/24
set interfaces ethernet eth1 address 90.0.0.1/24
set interfaces xfrm xfrm80 mtu 1400
set interfaces xfrm xfrm90 mtu 1400
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set traffic policy POL rule 1 selector SEL
set traffic policy POL rule 2 action drop
set traffic selector SEL rule 1 protocol esp
set traffic selector SEL rule 2 protocol icmp
set traffic selector SEL rule 3 protocol udp
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1/xBGhHEI1qN1ax7DRUPyzM6tO7RzwNpKY=
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER80 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER80 connection-type respond
set vpn ipsec site-to-site peer PEER80 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER80 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER80 local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER80 remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER80 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 xfrm-interface-out xfrm80
set vpn ipsec site-to-site peer PEER90 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER90 connection-type respond
set vpn ipsec site-to-site peer PEER90 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER90 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER90 local-address 90.0.0.1
set vpn ipsec site-to-site peer PEER90 remote-address 90.0.0.2
set vpn ipsec site-to-site peer PEER90 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER90 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 xfrm-interface-out xfrm90

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set interfaces ethernet eth1 address 90.0.0.2/24
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX19T/FBn++twH1VZFjF8CdCRnpR7uiTfX/0=
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER80 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER80 connection-type initiate
set vpn ipsec site-to-site peer PEER80 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER80 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER80 local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER80 remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER80 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER90 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER90 connection-type initiate
set vpn ipsec site-to-site peer PEER90 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER90 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER90 local-address 90.0.0.2
set vpn ipsec site-to-site peer PEER90 remote-address 90.0.0.1
set vpn ipsec site-to-site peer PEER90 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 remote prefix 10.1.0.0/24

In order to test the multipath routes that the traffic is being balanced between the two tunnels,
we will use ssh connections to verify that it can reach another host through either of the tunnels.

Warning

The traffic steering is not done in the both sides yet, so from responder side we will force the traffic to go through one of the tunnels by adding drop policy to the xfrm interface of the other tunnel, and also in the initiator DUT we will set the default route to the negotiated tunnel instead.

Step 3: Modify the following configuration lines in DUT0 :

set interfaces xfrm xfrm90 traffic policy in POL

Step 4: Modify the following configuration lines in DUT1 :

set vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes main

Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 6: Run command vpn ipsec clear peer PEER80 at DUT1 and expect this output:

Show output

[IKE] deleting IKE_SA vpn-peer-PEER80[4] between 80.0.0.2[80.0.0.2]...80.0.0.1[80.0.0.1]
[IKE] sending DELETE for IKE_SA vpn-peer-PEER80[4]
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (65 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (57 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
[IKE] initiating IKE_SA vpn-peer-PEER80[6] to 80.0.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (264 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (272 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '80.0.0.2' (myself) with pre-shared key
[IKE] establishing CHILD_SA peer-PEER80-tunnel-1{6}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (217 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (193 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of '80.0.0.1' with pre-shared key successful
[IKE] IKE_SA vpn-peer-PEER80[6] established between 80.0.0.2[80.0.0.2]...80.0.0.1[80.0.0.1]
[IKE] scheduling rekeying in 27366s
[IKE] maximum IKE_SA lifetime 30246s
[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
[IKE] CHILD_SA peer-PEER80-tunnel-1{6} established with SPIs cc98a674_i cca0adef_o and TS 10.2.0.0/24 === 10.1.0.0/24
initiate completed successfully

Step 7: Run command protocols ip show route at DUT0 and check if output matches the following regular expressions:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+

Show output

Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:06
L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:06
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm90, weight 1, 00:00:00
  *                   is directly connected, xfrm80, weight 1, 00:00:00
C>* 80.0.0.0/24 is directly connected, eth0, weight 1, 00:00:06
L>* 80.0.0.1/32 is directly connected, eth0, weight 1, 00:00:06
C>* 90.0.0.0/24 is directly connected, eth1, weight 1, 00:00:06
L>* 90.0.0.1/32 is directly connected, eth1, weight 1, 00:00:06
L   192.168.100.100/32 is directly connected, eth0 inactive, weight 1, 00:22:53

Note

We have installed a multipath route in the kernel and we also have a drop policy in one of the xfrm interfaces, so the below ssh connection only works when kernel decides to establish the connection through the tunnel that is not dropped by the traffic policy.

Step 8: Init an SSH connection from DUT0 to IP address 10.2.0.1 with the user admin:

admin@DUT0$ ssh admin@10.2.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.1

Show output

Warning: Permanently added '10.2.0.1' (ECDSA) to the list of known hosts.
admin@10.2.0.1's password:
Welcome to Teldat OSDx v4.2.5.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Fri Jun 20 11:15:39 2025
admin@osdx$

Step 9: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

vpn-peer-PEER80:\s*#\d+,\s*ESTABLISHED.*(?=\n\s*local\s*'80\.0\.0\.1')
\s*in\s*\w+\s*\(-\|0x00000051\),\s*\d+\s*bytes,\s*\d+\s*packets.*(?=\n\s*out\s*\w+\s*\(-|0x00000051\),\s*\d+\s*bytes,\s*\d+\s*packets)

Show output

vpn-peer-PEER80: #6, ESTABLISHED, IKEv2, ff6b7594b22a55bd_i 31922ff1bc343862_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 18468s
  peer-PEER80-tunnel-1: #6, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3334s, expires in 3959s
    in  cca0adef (-|0x00000051),   4936 bytes,    22 packets,     0s ago
    out cc98a674 (-|0x00000051),   5032 bytes,    24 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER90: #5, ESTABLISHED, IKEv2, 20828d8cc2bf88e4_i 038878dbc0fb19a5_r*
  local  '90.0.0.1' @ 90.0.0.1[500]
  remote '90.0.0.2' @ 90.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 15107s
  peer-PEER90-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3277s, expires in 3959s
    in  c05a4bc1 (-|0x0000005b),      0 bytes,     0 packets
    out c3e7670c (-|0x0000005b),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Note

Same as above, but now we will check the other tunnel.

Step 10: Modify the following configuration lines in DUT0 :

delete interfaces xfrm xfrm90 traffic
set interfaces xfrm xfrm80 traffic policy in POL

Step 11: Modify the following configuration lines in DUT1 :

delete vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes
set vpn ipsec site-to-site peer PEER90 tunnel 1 install-routes main

Step 12: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 13: Run command vpn ipsec clear peer PEER90 at DUT1 and expect this output:

Show output

[IKE] deleting IKE_SA vpn-peer-PEER90[9] between 90.0.0.2[90.0.0.2]...90.0.0.1[90.0.0.1]
[IKE] sending DELETE for IKE_SA vpn-peer-PEER90[9]
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (65 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (57 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
[IKE] initiating IKE_SA vpn-peer-PEER90[11] to 90.0.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (264 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (272 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '90.0.0.2' (myself) with pre-shared key
[IKE] establishing CHILD_SA peer-PEER90-tunnel-1{11}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (217 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (193 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of '90.0.0.1' with pre-shared key successful
[IKE] IKE_SA vpn-peer-PEER90[11] established between 90.0.0.2[90.0.0.2]...90.0.0.1[90.0.0.1]
[IKE] scheduling rekeying in 25513s
[IKE] maximum IKE_SA lifetime 28393s
[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
[IKE] CHILD_SA peer-PEER90-tunnel-1{11} established with SPIs c9f87c0d_i c2884f85_o and TS 10.2.0.0/24 === 10.1.0.0/24
initiate completed successfully

Step 14: Run command protocols ip show route at DUT0 and check if output matches the following regular expressions:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+

Show output

Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:09
L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:09
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm90, weight 1, 00:00:00
  *                   is directly connected, xfrm80, weight 1, 00:00:00
C>* 80.0.0.0/24 is directly connected, eth0, weight 1, 00:00:09
L>* 80.0.0.1/32 is directly connected, eth0, weight 1, 00:00:09
C>* 90.0.0.0/24 is directly connected, eth1, weight 1, 00:00:09
L>* 90.0.0.1/32 is directly connected, eth1, weight 1, 00:00:09
L   192.168.100.100/32 is directly connected, eth0 inactive, weight 1, 00:22:56

Step 15: Init an SSH connection from DUT0 to IP address 10.2.0.1 with the user admin:

admin@DUT0$ ssh admin@10.2.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.1

Show output

Warning: Permanently added '10.2.0.1' (ECDSA) to the list of known hosts.
admin@10.2.0.1's password:
Welcome to Teldat OSDx v4.2.5.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Fri Jun 20 12:21:41 2025 from 10.1.0.1
admin@osdx$

Step 16: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

vpn-peer-PEER90:\s*#\d+,\s*ESTABLISHED.*(?=\n\s*local\s*'90\.0\.0\.1')
\s*in\s*\w+\s*\(-\|0x0000005b\),\s*\d+\s*bytes,\s*\d+\s*packets.*(?=\n\s*out\s*\w+\s*\(-|0x0000005b\),\s*\d+\s*bytes,\s*\d+\s*packets)

Show output

vpn-peer-PEER90: #11, ESTABLISHED, IKEv2, 1c0ad96bbe1f6137_i 33b4b356a63c80c0_r*
  local  '90.0.0.1' @ 90.0.0.1[500]
  remote '90.0.0.2' @ 90.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 3s ago, rekeying in 19026s
  peer-PEER90-tunnel-1: #11, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 3s ago, rekeying in 3335s, expires in 3957s
    in  c2884f85 (-|0x0000005b),   4892 bytes,    21 packets,     0s ago
    out c9f87c0d (-|0x0000005b),   5084 bytes,    25 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER80: #10, ESTABLISHED, IKEv2, 7d3be844140ce4b9_i 3b4a9f2137beecf9_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 3s ago, rekeying in 16436s
  peer-PEER80-tunnel-1: #10, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 3s ago, rekeying in 3284s, expires in 3957s
    in  c7896516 (-|0x00000051),      0 bytes,     0 packets
    out c1020f2d (-|0x00000051),    120 bytes,     2 packets,     2s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

---

Test IPsec With Multipath XFRM Interfaces And VRFs

Description

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces dummy dum0 address 10.1.0.1/24
set interfaces dummy dum0 vrf LAN
set interfaces ethernet eth0 address 80.0.0.1/24
set interfaces ethernet eth0 vrf WAN_A
set interfaces ethernet eth1 address 90.0.0.1/24
set interfaces ethernet eth1 vrf WAN_B
set interfaces xfrm xfrm80 local-interface eth0
set interfaces xfrm xfrm80 mtu 1400
set interfaces xfrm xfrm80 vrf WAN_A
set interfaces xfrm xfrm90 local-interface eth1
set interfaces xfrm xfrm90 mtu 1400
set interfaces xfrm xfrm90 vrf WAN_B
set protocols vrf WAN_A static route 10.1.0.0/24 next-hop-vrf LAN
set protocols vrf WAN_B static route 10.1.0.0/24 next-hop-vrf LAN
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf LAN
set system vrf WAN_A
set system vrf WAN_B
set system vrf main
set traffic policy POL rule 1 selector SEL
set traffic policy POL rule 2 action drop
set traffic selector SEL rule 1 protocol esp
set traffic selector SEL rule 2 protocol icmp
set traffic selector SEL rule 3 protocol udp
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX19ZtZRqCuHCJ38toRbsguJVm39g2f8sEJk=
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER80 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER80 connection-type respond
set vpn ipsec site-to-site peer PEER80 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER80 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER80 local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER80 remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes LAN
set vpn ipsec site-to-site peer PEER80 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 xfrm-interface-out xfrm80
set vpn ipsec site-to-site peer PEER90 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER90 connection-type respond
set vpn ipsec site-to-site peer PEER90 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER90 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER90 local-address 90.0.0.1
set vpn ipsec site-to-site peer PEER90 remote-address 90.0.0.2
set vpn ipsec site-to-site peer PEER90 tunnel 1 install-routes LAN
set vpn ipsec site-to-site peer PEER90 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 xfrm-interface-out xfrm90

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set interfaces ethernet eth1 address 90.0.0.2/24
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX18rmGMReBq6pxUgfrUTuY5i+zN+V47YE+Q=
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER80 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER80 connection-type initiate
set vpn ipsec site-to-site peer PEER80 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER80 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER80 local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER80 remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER80 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER90 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER90 connection-type initiate
set vpn ipsec site-to-site peer PEER90 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER90 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER90 local-address 90.0.0.2
set vpn ipsec site-to-site peer PEER90 remote-address 90.0.0.1
set vpn ipsec site-to-site peer PEER90 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 remote prefix 10.1.0.0/24

Same as above test case, but now we will check with the VRFs.

Step 3: Modify the following configuration lines in DUT0 :

set interfaces xfrm xfrm90 traffic policy in POL

Step 4: Modify the following configuration lines in DUT1 :

set vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes main

Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 6: Run command vpn ipsec clear peer PEER80 at DUT1 and expect this output:

Show output

[IKE] deleting IKE_SA vpn-peer-PEER80[4] between 80.0.0.2[80.0.0.2]...80.0.0.1[80.0.0.1]
[IKE] sending DELETE for IKE_SA vpn-peer-PEER80[4]
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (65 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (57 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
[IKE] initiating IKE_SA vpn-peer-PEER80[6] to 80.0.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (264 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (272 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '80.0.0.2' (myself) with pre-shared key
[IKE] establishing CHILD_SA peer-PEER80-tunnel-1{6}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (217 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (193 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of '80.0.0.1' with pre-shared key successful
[IKE] IKE_SA vpn-peer-PEER80[6] established between 80.0.0.2[80.0.0.2]...80.0.0.1[80.0.0.1]
[IKE] scheduling rekeying in 22061s
[IKE] maximum IKE_SA lifetime 24941s
[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
[IKE] CHILD_SA peer-PEER80-tunnel-1{6} established with SPIs cb612f9c_i c6404244_o and TS 10.2.0.0/24 === 10.1.0.0/24
initiate completed successfully

Step 7: Run command protocols vrf LAN ip show route at DUT0 and check if output matches the following regular expressions:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+

Show output

Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF LAN:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:07
C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:07
L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:07
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm90 (vrf WAN_B), weight 1, 00:00:00
  *                   is directly connected, xfrm80 (vrf WAN_A), weight 1, 00:00:00

Note

We have installed a multipath route in the kernel and we also have a drop policy in one of the xfrm interfaces, so the below ssh connection only works when kernel decides to establish the connection through the tunnel that is not dropped by the traffic policy.

Step 8: Init an SSH connection from DUT0 to IP address 10.2.0.1 with the user admin:

admin@DUT0$ ssh admin@10.2.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.1 vrf LAN

Show output

Warning: Permanently added '10.2.0.1' (ECDSA) to the list of known hosts.
admin@10.2.0.1's password:
Welcome to Teldat OSDx v4.2.5.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Fri Jun 20 12:21:46 2025 from 10.1.0.1
admin@osdx$

Step 9: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

vpn-peer-PEER80:\s*#\d+,\s*ESTABLISHED.*(?=\n\s*local\s*'80\.0\.0\.1')
\s*in\s*\w+\s*\(-\|0x00000051\),\s*\d+\s*bytes,\s*\d+\s*packets.*(?=\n\s*out\s*\w+\s*\(-|0x00000051\),\s*\d+\s*bytes,\s*\d+\s*packets)

Show output

vpn-peer-PEER80: #6, ESTABLISHED, IKEv2, c2bd4a66580b6bc1_i 82fcfd822b9c585d_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 18657s
  peer-PEER80-tunnel-1: #6, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3521s, expires in 3959s
    in  c6404244 (-|0x00000051),   4856 bytes,    21 packets,     0s ago
    out cb612f9c (-|0x00000051),   5084 bytes,    25 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER90: #5, ESTABLISHED, IKEv2, abab0c1cb3160fd0_i 81dc64a060667c1c_r*
  local  '90.0.0.1' @ 90.0.0.1[500]
  remote '90.0.0.2' @ 90.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 26717s
  peer-PEER90-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3248s, expires in 3959s
    in  cf4df200 (-|0x0000005b),      0 bytes,     0 packets
    out ccf46fa8 (-|0x0000005b),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Note

Same as above, but now we will check the other tunnel.

Step 10: Modify the following configuration lines in DUT0 :

delete interfaces xfrm xfrm90 traffic
set interfaces xfrm xfrm80 traffic policy in POL

Step 11: Modify the following configuration lines in DUT1 :

delete vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes
set vpn ipsec site-to-site peer PEER90 tunnel 1 install-routes main

Step 12: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 13: Run command vpn ipsec clear peer PEER90 at DUT1 and expect this output:

Show output

[IKE] deleting IKE_SA vpn-peer-PEER90[9] between 90.0.0.2[90.0.0.2]...90.0.0.1[90.0.0.1]
[IKE] sending DELETE for IKE_SA vpn-peer-PEER90[9]
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (65 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (57 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
[IKE] initiating IKE_SA vpn-peer-PEER90[11] to 90.0.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (264 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (272 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '90.0.0.2' (myself) with pre-shared key
[IKE] establishing CHILD_SA peer-PEER90-tunnel-1{11}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (217 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (193 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of '90.0.0.1' with pre-shared key successful
[IKE] IKE_SA vpn-peer-PEER90[11] established between 90.0.0.2[90.0.0.2]...90.0.0.1[90.0.0.1]
[IKE] scheduling rekeying in 18559s
[IKE] maximum IKE_SA lifetime 21439s
[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
[IKE] CHILD_SA peer-PEER90-tunnel-1{11} established with SPIs cdc9da0b_i c9d2af01_o and TS 10.2.0.0/24 === 10.1.0.0/24
initiate completed successfully

Step 14: Run command protocols vrf LAN ip show route at DUT0 and check if output matches the following regular expressions:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+

Show output

Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF LAN:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:09
C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:09
L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:09
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm90 (vrf WAN_B), weight 1, 00:00:00
  *                   is directly connected, xfrm80 (vrf WAN_A), weight 1, 00:00:00

Step 15: Init an SSH connection from DUT0 to IP address 10.2.0.1 with the user admin:

admin@DUT0$ ssh admin@10.2.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.1 vrf LAN

Show output

Warning: Permanently added '10.2.0.1' (ECDSA) to the list of known hosts.
admin@10.2.0.1's password:
Welcome to Teldat OSDx v4.2.5.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Fri Jun 20 12:22:05 2025 from 10.1.0.1
admin@osdx$

Step 16: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

vpn-peer-PEER90:\s*#\d+,\s*ESTABLISHED.*(?=\n\s*local\s*'90\.0\.0\.1')
\s*in\s*\w+\s*\(-\|0x0000005b\),\s*\d+\s*bytes,\s*\d+\s*packets.*(?=\n\s*out\s*\w+\s*\(-|0x0000005b\),\s*\d+\s*bytes,\s*\d+\s*packets)

Show output

vpn-peer-PEER90: #11, ESTABLISHED, IKEv2, bfd860438f3363c8_i 238a00c227a1de70_r*
  local  '90.0.0.1' @ 90.0.0.1[500]
  remote '90.0.0.2' @ 90.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 27197s
  peer-PEER90-tunnel-1: #11, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3289s, expires in 3959s
    in  c9d2af01 (-|0x0000005b),   5112 bytes,    24 packets,     0s ago
    out cdc9da0b (-|0x0000005b),   5188 bytes,    27 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER80: #10, ESTABLISHED, IKEv2, b3e9a7b9d528bd4f_i c94693e1ceb3fa0a_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 25586s
  peer-PEER80-tunnel-1: #10, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3415s, expires in 3959s
    in  c91fe22c (-|0x00000051),      0 bytes,     0 packets
    out cb4d4392 (-|0x00000051),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

---