Xfrm-Interface
Test suite to check IPsec with xfrm interface
Test IPsec With Multipath XFRM Interfaces
Description
DUT0 and DUT1 are connected to each other through multiple IPsec tunnels with the same local and remote prefixes.
In this test case, we check that the IPsec tunnels install the multipath routes correctly and that traffic is balanced between the two tunnels.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces dummy dum0 address 10.1.0.1/24
set interfaces ethernet eth0 address 80.0.0.1/24
set interfaces ethernet eth1 address 90.0.0.1/24
set interfaces xfrm xfrm80 mtu 1400
set interfaces xfrm xfrm90 mtu 1400
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set traffic policy POL rule 1 selector SEL
set traffic policy POL rule 2 action drop
set traffic selector SEL rule 1 protocol esp
set traffic selector SEL rule 2 protocol icmp
set traffic selector SEL rule 3 protocol udp
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1+r3O0eMtoGIRt5d9m2wMJkziasD6hcTBk=
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER80 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER80 connection-type respond
set vpn ipsec site-to-site peer PEER80 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER80 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER80 local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER80 remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER80 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 xfrm-interface-out xfrm80
set vpn ipsec site-to-site peer PEER90 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER90 connection-type respond
set vpn ipsec site-to-site peer PEER90 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER90 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER90 local-address 90.0.0.1
set vpn ipsec site-to-site peer PEER90 remote-address 90.0.0.2
set vpn ipsec site-to-site peer PEER90 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER90 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 xfrm-interface-out xfrm90
Step 2: Set the following configuration in DUT1:
set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set interfaces ethernet eth1 address 90.0.0.2/24
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX18Z6yzOM3xZu6ZTymwGgj/HE/J1xKmAQFs=
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER80 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER80 connection-type initiate
set vpn ipsec site-to-site peer PEER80 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER80 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER80 local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER80 remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER80 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER90 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER90 connection-type initiate
set vpn ipsec site-to-site peer PEER90 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER90 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER90 local-address 90.0.0.2
set vpn ipsec site-to-site peer PEER90 remote-address 90.0.0.1
set vpn ipsec site-to-site peer PEER90 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 remote prefix 10.1.0.0/24

To verify that the multipath routes balance traffic between the two tunnels, we use SSH connections to check that the remote host can be reached through either of the tunnels.
Warning
Traffic steering is not yet done on both sides, so on the responder side we force the traffic through one of the tunnels by adding a drop policy to the xfrm interface of the other tunnel, and on the initiator DUT we set the default route to the negotiated tunnel instead.
Step 3: Modify the following configuration lines in DUT0:
set interfaces xfrm xfrm90 traffic policy in POL
Step 4: Modify the following configuration lines in DUT1:
set vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes main
Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:
Deleting IPSec SAs... 100.0%
Closed tunnels: 2
Step 6: Run command vpn ipsec clear peer PEER80 at DUT1 and expect this output:
[IKE] deleting IKE_SA vpn-peer-PEER80[6] between 80.0.0.2[80.0.0.2]...80.0.0.1[80.0.0.1]
[IKE] sending DELETE for IKE_SA vpn-peer-PEER80[6]
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (65 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (57 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
[IKE] initiating IKE_SA vpn-peer-PEER80[7] to 80.0.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (264 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (272 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '80.0.0.2' (myself) with pre-shared key
[IKE] establishing CHILD_SA peer-PEER80-tunnel-1{7}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (217 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (193 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of '80.0.0.1' with pre-shared key successful
[IKE] IKE_SA vpn-peer-PEER80[7] established between 80.0.0.2[80.0.0.2]...80.0.0.1[80.0.0.1]
[IKE] scheduling rekeying in 20647s
[IKE] maximum IKE_SA lifetime 23527s
[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
[KNL] about to flush conntrack entries due to change on route/link
[KNL] installing route on table 254: 10.1.0.0/24 via 80.0.0.1 src 10.2.0.1 dev eth0 metric 0
[KNL] about to flush conntrack entries due to change on route/link
[IKE] CHILD_SA peer-PEER80-tunnel-1{7} established with SPIs c622543a_i c9b6f19e_o and TS 10.2.0.0/24 === 10.1.0.0/24
initiate completed successfully
Step 7: Run command protocols ip show route at DUT0 and check if output matches the following regular expressions:
K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+
Expected output:
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure
C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:07
L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:07
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm90, weight 1, 00:00:00
  *                    is directly connected, xfrm80, weight 1, 00:00:00
L 10.215.168.20/32 is directly connected, eth0 inactive, weight 1, 00:01:42
L 10.215.168.20/32 is directly connected, eth0 inactive, weight 1, 00:22:55
L 20.0.0.2/32 is directly connected, unknown inactive, weight 1, 00:04:32
L 20.0.0.2/32 is directly connected, unknown inactive, weight 1, 00:04:32
C>* 80.0.0.0/24 is directly connected, eth0, weight 1, 00:00:07
L>* 80.0.0.1/32 is directly connected, eth0, weight 1, 00:00:07
C>* 90.0.0.0/24 is directly connected, eth1, weight 1, 00:00:07
L>* 90.0.0.1/32 is directly connected, eth1, weight 1, 00:00:07
Note
We have installed a multipath route in the kernel and we also have a drop policy on one of the xfrm interfaces, so the SSH connection below only works when the kernel decides to establish the connection through the tunnel that is not dropped by the traffic policy.
Step 8: Init an SSH connection from DUT0 to IP address 10.2.0.1 with the user admin:
admin@DUT0$ ssh admin@10.2.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.1
Expected output:
Warning: Permanently added '10.2.0.1' (ECDSA) to the list of known hosts.
admin@10.2.0.1's password:
Welcome to Teldat OSDx v4.2.5.2
This system includes free software. Contact Teldat for licenses information and source code.
Last login: Fri Sep 5 10:13:59 2025 from 20.0.0.2
admin@osdx$
Step 9: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
vpn-peer-PEER80:\s*#\d+,\s*ESTABLISHED.*(?=\n\s*local\s*'80\.0\.0\.1')
\s*in\s*\w+\s*\(-\|0x00000051\),\s*\d+\s*bytes,\s*\d+\s*packets.*(?=\n\s*out\s*\w+\s*\(-|0x00000051\),\s*\d+\s*bytes,\s*\d+\s*packets)
Expected output:
vpn-peer-PEER80: #7, ESTABLISHED, IKEv2, 0b338dbbea69325c_i f53bf528d1603db0_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 17696s
  peer-PEER80-tunnel-1: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3389s, expires in 3959s
    in  c9b6f19e (-|0x00000051), 4820 bytes, 21 packets, 0s ago
    out c622543a (-|0x00000051), 5084 bytes, 25 packets, 0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER90: #5, ESTABLISHED, IKEv2, cbb9927bb0c622b9_i 4314203fe9b564b1_r*
  local  '90.0.0.1' @ 90.0.0.1[500]
  remote '90.0.0.2' @ 90.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 22485s
  peer-PEER90-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3523s, expires in 3959s
    in  c50d1e4f (-|0x0000005b), 0 bytes, 0 packets
    out c6a4be9a (-|0x0000005b), 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
Note
Same as above, but now we will check the other tunnel.
Step 10: Modify the following configuration lines in DUT0:
delete interfaces xfrm xfrm90 traffic
set interfaces xfrm xfrm80 traffic policy in POL
Step 11: Modify the following configuration lines in DUT1:
delete vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes
set vpn ipsec site-to-site peer PEER90 tunnel 1 install-routes main
Step 12: Run command vpn ipsec clear sa at DUT0 and expect this output:
Deleting IPSec SAs... 100.0%
Closed tunnels: 2
Step 13: Run command vpn ipsec clear peer PEER90 at DUT1 and expect this output:
[IKE] deleting IKE_SA vpn-peer-PEER90[10] between 90.0.0.2[90.0.0.2]...90.0.0.1[90.0.0.1]
[IKE] sending DELETE for IKE_SA vpn-peer-PEER90[10]
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (65 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (57 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
[IKE] initiating IKE_SA vpn-peer-PEER90[12] to 90.0.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (264 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (272 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '90.0.0.2' (myself) with pre-shared key
[IKE] establishing CHILD_SA peer-PEER90-tunnel-1{12}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (217 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (193 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of '90.0.0.1' with pre-shared key successful
[IKE] IKE_SA vpn-peer-PEER90[12] established between 90.0.0.2[90.0.0.2]...90.0.0.1[90.0.0.1]
[IKE] scheduling rekeying in 17980s
[IKE] maximum IKE_SA lifetime 20860s
[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
[IKE] CHILD_SA peer-PEER90-tunnel-1{12} established with SPIs cb96e57d_i c66da04b_o and TS 10.2.0.0/24 === 10.1.0.0/24
initiate completed successfully
Step 14: Run command protocols ip show route at DUT0 and check if output matches the following regular expressions:
K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+
Expected output:
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure
C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:09
L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:09
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm90, weight 1, 00:00:00
  *                    is directly connected, xfrm80, weight 1, 00:00:00
L 10.215.168.20/32 is directly connected, eth0 inactive, weight 1, 00:01:44
L 10.215.168.20/32 is directly connected, eth0 inactive, weight 1, 00:22:57
L 20.0.0.2/32 is directly connected, unknown inactive, weight 1, 00:04:34
L 20.0.0.2/32 is directly connected, unknown inactive, weight 1, 00:04:34
C>* 80.0.0.0/24 is directly connected, eth0, weight 1, 00:00:09
L>* 80.0.0.1/32 is directly connected, eth0, weight 1, 00:00:09
C>* 90.0.0.0/24 is directly connected, eth1, weight 1, 00:00:09
L>* 90.0.0.1/32 is directly connected, eth1, weight 1, 00:00:09
Step 15: Init an SSH connection from DUT0 to IP address 10.2.0.1 with the user admin:
admin@DUT0$ ssh admin@10.2.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.1
Expected output:
Warning: Permanently added '10.2.0.1' (ECDSA) to the list of known hosts.
admin@10.2.0.1's password:
Welcome to Teldat OSDx v4.2.5.2
This system includes free software. Contact Teldat for licenses information and source code.
Last login: Fri Sep 5 11:41:47 2025 from 10.1.0.1
admin@osdx$
Step 16: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
vpn-peer-PEER90:\s*#\d+,\s*ESTABLISHED.*(?=\n\s*local\s*'90\.0\.0\.1')
\s*in\s*\w+\s*\(-\|0x0000005b\),\s*\d+\s*bytes,\s*\d+\s*packets.*(?=\n\s*out\s*\w+\s*\(-|0x0000005b\),\s*\d+\s*bytes,\s*\d+\s*packets)
Expected output:
vpn-peer-PEER90: #12, ESTABLISHED, IKEv2, af028c3e7be96ffa_i 751750b3ad36aa0a_r*
  local  '90.0.0.1' @ 90.0.0.1[500]
  remote '90.0.0.2' @ 90.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 9s ago, rekeying in 28767s
  peer-PEER90-tunnel-1: #12, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 9s ago, rekeying in 3266s, expires in 3951s
    in  c66da04b (-|0x0000005b), 4908 bytes, 22 packets, 0s ago
    out cb96e57d (-|0x0000005b), 5032 bytes, 24 packets, 0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER80: #11, ESTABLISHED, IKEv2, fcdcef9263d7271a_i 68ce1ab92e9ef1e6_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 9s ago, rekeying in 17562s
  peer-PEER80-tunnel-1: #11, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 9s ago, rekeying in 3451s, expires in 3951s
    in  c7a6e122 (-|0x00000051), 0 bytes, 0 packets
    out c17670c6 (-|0x00000051), 360 bytes, 6 packets, 2s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
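Steps 7 and 9 (and again 14 and 16, and the VRF variant further down) verify the multipath route and the per-tunnel SA counters with regular expressions. The Python checker below is an added example, not part of the OSDx test suite: it parses the `protocols ip show route` and `vpn ipsec show sa` outputs into structured data and applies the same check, requiring two xfrm next-hops for the remote prefix and packets in both directions on the expected tunnel only (Step 16's output shows the policy-dropped tunnel with a few outbound packets but none inbound, which is why one direction is not enough). Its sample inputs are this test's own Step 7 and Step 9 outputs laid out one field per line; reading the hex value after the `|` as the XFRM interface ID is an assumption.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the Step 9 `vpn ipsec show sa` output of this test, one field
# per line as the CLI prints it (SPIs and counters copied from the test).
SHOW_SA = """\
vpn-peer-PEER80: #7, ESTABLISHED, IKEv2, 0b338dbbea69325c_i f53bf528d1603db0_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  peer-PEER80-tunnel-1: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    in  c9b6f19e (-|0x00000051), 4820 bytes, 21 packets, 0s ago
    out c622543a (-|0x00000051), 5084 bytes, 25 packets, 0s ago
    local  10.1.0.0/24 remote 10.2.0.0/24
vpn-peer-PEER90: #5, ESTABLISHED, IKEv2, cbb9927bb0c622b9_i 4314203fe9b564b1_r*
  local  '90.0.0.1' @ 90.0.0.1[500]
  remote '90.0.0.2' @ 90.0.0.2[500]
  peer-PEER90-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    in  c50d1e4f (-|0x0000005b), 0 bytes, 0 packets
    out c6a4be9a (-|0x0000005b), 0 bytes, 0 packets
    local  10.1.0.0/24 remote 10.2.0.0/24
"""

# Constructed sample: the Step 7 `protocols ip show route` output (FRR legend omitted).
SHOW_ROUTE = """\
C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:07
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm90, weight 1, 00:00:00
  *                    is directly connected, xfrm80, weight 1, 00:00:00
"""

IKE_RE = re.compile(r"^(vpn-peer-\S+): #\d+, (\w+), IKEv2")
CHILD_RE = re.compile(r"^\s+(peer-\S+-tunnel-\d+): #\d+, reqid \d+, (\w+), \w+, ESP:")
# "in  <spi> (<mark>|<if_id>), <bytes> bytes, <packets> packets": the hex value after the
# '|' is assumed to be the XFRM interface ID (0x51 on PEER80, 0x5b on PEER90 in this test).
CNT_RE = re.compile(
    r"^\s+(in|out)\s+([0-9a-f]{8}) \([^|]*\|0x([0-9a-f]+)\), (\d+) bytes, (\d+) packets")
ROUTE_RE = re.compile(
    r"^\S+\s+(\d+\.\d+\.\d+\.\d+/\d+) (?:\[\d+/\d+\] )?is directly connected, ([\w.-]+)")
NEXTHOP_RE = re.compile(r"^\s+\*\s+is directly connected, ([\w.-]+)")


@dataclass
class ChildSa:
    peer: str
    name: str
    state: str
    if_id: int = 0
    counters: dict[str, tuple[str, int, int]] = field(default_factory=dict)  # dir -> (spi, bytes, pkts)

    def carried_traffic(self) -> bool:
        """True only when packets were counted in both directions over this SA."""
        return all(self.counters.get(d, ("", 0, 0))[2] > 0 for d in ("in", "out"))


def parse_show_sa(text: str) -> list[ChildSa]:
    """Parse `vpn ipsec show sa` into its CHILD_SAs with peer, state, if_id and counters."""
    sas: list[ChildSa] = []
    peer = ""
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            peer = m.group(1)
        elif (m := CHILD_RE.match(line)) and peer:
            sas.append(ChildSa(peer=peer, name=m.group(1), state=m.group(2)))
        elif (m := CNT_RE.match(line)) and sas:
            direction, spi, if_id, nbytes, npkts = m.groups()
            sas[-1].if_id = int(if_id, 16)
            sas[-1].counters[direction] = (spi, int(nbytes), int(npkts))
    return sas


def active_peers(sas: list[ChildSa]) -> set[str]:
    """Peers whose installed CHILD_SA actually moved packets both ways."""
    return {sa.peer for sa in sas if sa.state == "INSTALLED" and sa.carried_traffic()}


def multipath_nexthops(text: str, prefix: str) -> list[str]:
    """Interfaces of the kernel route for `prefix`, one per next-hop line ('(vrf X)' ignored)."""
    hops: list[str] = []
    collecting = False
    for line in text.splitlines():
        if m := ROUTE_RE.match(line):
            collecting = m.group(1) == prefix
            if collecting:
                hops.append(m.group(2))
        elif (m := NEXTHOP_RE.match(line)) and collecting:
            hops.append(m.group(1))
        else:
            collecting = False
    return hops


def check_tunnel_selection(route_text: str, sa_text: str, prefix: str,
                           expected_peer: str, expected_if_id: int) -> bool:
    """Steps 7 and 9 together: a two-way multipath route over xfrm interfaces exists for the
    remote prefix, and only the tunnel not dropped by the policy carried the SSH session."""
    hops = multipath_nexthops(route_text, prefix)
    if len(hops) != 2 or not all(h.startswith("xfrm") for h in hops):
        return False
    sas = parse_show_sa(sa_text)
    used = [sa for sa in sas if sa.peer == expected_peer and sa.carried_traffic()]
    return (active_peers(sas) == {expected_peer}
            and len(used) == 1 and used[0].if_id == expected_if_id)
```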
Test IPsec With Multipath XFRM Interfaces And VRFs
Description
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces dummy dum0 address 10.1.0.1/24
set interfaces dummy dum0 vrf LAN
set interfaces ethernet eth0 address 80.0.0.1/24
set interfaces ethernet eth0 vrf WAN_A
set interfaces ethernet eth1 address 90.0.0.1/24
set interfaces ethernet eth1 vrf WAN_B
set interfaces xfrm xfrm80 local-interface eth0
set interfaces xfrm xfrm80 mtu 1400
set interfaces xfrm xfrm80 vrf WAN_A
set interfaces xfrm xfrm90 local-interface eth1
set interfaces xfrm xfrm90 mtu 1400
set interfaces xfrm xfrm90 vrf WAN_B
set protocols vrf WAN_A static route 10.1.0.0/24 next-hop-vrf LAN
set protocols vrf WAN_B static route 10.1.0.0/24 next-hop-vrf LAN
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf LAN
set system vrf WAN_A
set system vrf WAN_B
set system vrf main
set traffic policy POL rule 1 selector SEL
set traffic policy POL rule 2 action drop
set traffic selector SEL rule 1 protocol esp
set traffic selector SEL rule 2 protocol icmp
set traffic selector SEL rule 3 protocol udp
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1+9nqz2dSflT7emGGOXO+Xu3l+0JNxB8pw=
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER80 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER80 connection-type respond
set vpn ipsec site-to-site peer PEER80 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER80 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER80 local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER80 remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes LAN
set vpn ipsec site-to-site peer PEER80 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 xfrm-interface-out xfrm80
set vpn ipsec site-to-site peer PEER90 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER90 connection-type respond
set vpn ipsec site-to-site peer PEER90 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER90 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER90 local-address 90.0.0.1
set vpn ipsec site-to-site peer PEER90 remote-address 90.0.0.2
set vpn ipsec site-to-site peer PEER90 tunnel 1 install-routes LAN
set vpn ipsec site-to-site peer PEER90 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 xfrm-interface-out xfrm90
Step 2: Set the following configuration in DUT1:
set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set interfaces ethernet eth1 address 90.0.0.2/24
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1+7cNNxK2HW6cfVC80LJIW/MXGI2wkL4iQ=
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER80 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER80 connection-type initiate
set vpn ipsec site-to-site peer PEER80 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER80 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER80 local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER80 remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER80 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER90 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER90 connection-type initiate
set vpn ipsec site-to-site peer PEER90 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER90 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER90 local-address 90.0.0.2
set vpn ipsec site-to-site peer PEER90 remote-address 90.0.0.1
set vpn ipsec site-to-site peer PEER90 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 remote prefix 10.1.0.0/24

Same as the test case above, but now we check it with VRFs.
Step 3: Modify the following configuration lines in DUT0:
set interfaces xfrm xfrm90 traffic policy in POL
Step 4: Modify the following configuration lines in DUT1:
set vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes main
Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:
Deleting IPSec SAs... 100.0%
Closed tunnels: 2
Step 6: Run command vpn ipsec clear peer PEER80 at DUT1 and expect this output:
[IKE] deleting IKE_SA vpn-peer-PEER80[6] between 80.0.0.2[80.0.0.2]...80.0.0.1[80.0.0.1]
[IKE] sending DELETE for IKE_SA vpn-peer-PEER80[6]
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (65 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (57 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
[IKE] initiating IKE_SA vpn-peer-PEER80[7] to 80.0.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (264 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (272 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '80.0.0.2' (myself) with pre-shared key
[IKE] establishing CHILD_SA peer-PEER80-tunnel-1{7}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (217 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (193 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of '80.0.0.1' with pre-shared key successful
[IKE] IKE_SA vpn-peer-PEER80[7] established between 80.0.0.2[80.0.0.2]...80.0.0.1[80.0.0.1]
[IKE] scheduling rekeying in 27607s
[IKE] maximum IKE_SA lifetime 30487s
[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
[KNL] about to flush conntrack entries due to change on route/link
[KNL] installing route on table 254: 10.1.0.0/24 via 80.0.0.1 src 10.2.0.1 dev eth0 metric 0
[KNL] about to flush conntrack entries due to change on route/link
[IKE] CHILD_SA peer-PEER80-tunnel-1{7} established with SPIs c22d9f16_i c7af881c_o and TS 10.2.0.0/24 === 10.1.0.0/24
initiate completed successfully
Step 7: Run command protocols vrf LAN ip show route at DUT0 and check if output matches the following regular expressions:
K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+
Expected output:
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure
VRF LAN:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:06
C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:06
L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:06
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm90 (vrf WAN_B), weight 1, 00:00:00
  *                    is directly connected, xfrm80 (vrf WAN_A), weight 1, 00:00:00
Note
We have installed a multipath route in the kernel and we also have a drop policy on one of the xfrm interfaces, so the SSH connection below only works when the kernel decides to establish the connection through the tunnel that is not dropped by the traffic policy.
Step 8: Init an SSH connection from DUT0 to IP address 10.2.0.1 with the user admin:
admin@DUT0$ ssh admin@10.2.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.1 vrf LAN
Expected output:
Warning: Permanently added '10.2.0.1' (ECDSA) to the list of known hosts.
admin@10.2.0.1's password:
Welcome to Teldat OSDx v4.2.5.2
This system includes free software. Contact Teldat for licenses information and source code.
Last login: Fri Sep 5 11:41:57 2025 from 10.1.0.1
admin@osdx$
Step 9: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
vpn-peer-PEER80:\s*#\d+,\s*ESTABLISHED.*(?=\n\s*local\s*'80\.0\.0\.1')
\s*in\s*\w+\s*\(-\|0x00000051\),\s*\d+\s*bytes,\s*\d+\s*packets.*(?=\n\s*out\s*\w+\s*\(-|0x00000051\),\s*\d+\s*bytes,\s*\d+\s*packets)
Expected output:
vpn-peer-PEER80: #7, ESTABLISHED, IKEv2, d56c3a716bf5c16a_i f33e00597e58b749_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 25818s
  peer-PEER80-tunnel-1: #7, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3239s, expires in 3959s
    in  c7af881c (-|0x00000051), 4944 bytes, 22 packets, 0s ago
    out c22d9f16 (-|0x00000051), 5032 bytes, 24 packets, 0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER90: #5, ESTABLISHED, IKEv2, 05100646dccc4931_i 11b34e3cbe79e11f_r*
  local  '90.0.0.1' @ 90.0.0.1[500]
  remote '90.0.0.2' @ 90.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 15838s
  peer-PEER90-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3270s, expires in 3959s
    in  c65b5a61 (-|0x0000005b), 0 bytes, 0 packets
    out ce3cba43 (-|0x0000005b), 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
Note
Same as above, but now we will check the other tunnel.
Step 10: Modify the following configuration lines in DUT0:
delete interfaces xfrm xfrm90 traffic
set interfaces xfrm xfrm80 traffic policy in POL
Step 11: Modify the following configuration lines in DUT1:
delete vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes
set vpn ipsec site-to-site peer PEER90 tunnel 1 install-routes main
Step 12: Run command vpn ipsec clear sa at DUT0 and expect this output:
Deleting IPSec SAs... 100.0%
Closed tunnels: 2
Step 13: Run command vpn ipsec clear peer PEER90 at DUT1 and expect this output:
[IKE] deleting IKE_SA vpn-peer-PEER90[10] between 90.0.0.2[90.0.0.2]...90.0.0.1[90.0.0.1]
[IKE] sending DELETE for IKE_SA vpn-peer-PEER90[10]
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (65 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (57 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
[IKE] initiating IKE_SA vpn-peer-PEER90[12] to 90.0.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (264 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (272 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '90.0.0.2' (myself) with pre-shared key
[IKE] establishing CHILD_SA peer-PEER90-tunnel-1{12}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (217 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (193 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of '90.0.0.1' with pre-shared key successful
[IKE] IKE_SA vpn-peer-PEER90[12] established between 90.0.0.2[90.0.0.2]...90.0.0.1[90.0.0.1]
[IKE] scheduling rekeying in 17568s
[IKE] maximum IKE_SA lifetime 20448s
[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
[IKE] CHILD_SA peer-PEER90-tunnel-1{12} established with SPIs c2636850_i cf8e6c9e_o and TS 10.2.0.0/24 === 10.1.0.0/24
initiate completed successfully
Step 14: Run command protocols vrf LAN ip show route at DUT0 and check if output matches the following regular expressions:
K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+
Expected output:
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure
VRF LAN:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:09
C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:09
L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:09
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm90 (vrf WAN_B), weight 1, 00:00:00
  *                    is directly connected, xfrm80 (vrf WAN_A), weight 1, 00:00:00
Step 15: Init an SSH connection from DUT0 to IP address 10.2.0.1 with the user admin:
admin@DUT0$ ssh admin@10.2.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.1 vrf LAN
Expected output:
Warning: Permanently added '10.2.0.1' (ECDSA) to the list of known hosts.
admin@10.2.0.1's password:
Welcome to Teldat OSDx v4.2.5.2
This system includes free software. Contact Teldat for licenses information and source code.
Last login: Fri Sep 5 11:42:14 2025 from 10.1.0.1
admin@osdx$
Step 16: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
vpn-peer-PEER90:\s*#\d+,\s*ESTABLISHED.*(?=\n\s*local\s*'90\.0\.0\.1')
\s*in\s*\w+\s*\(-\|0x0000005b\),\s*\d+\s*bytes,\s*\d+\s*packets.*(?=\n\s*out\s*\w+\s*\(-|0x0000005b\),\s*\d+\s*bytes,\s*\d+\s*packets)
Expected output:
vpn-peer-PEER90: #12, ESTABLISHED, IKEv2, 40536ac31929035d_i 7a772951928ee518_r*
  local  '90.0.0.1' @ 90.0.0.1[500]
  remote '90.0.0.2' @ 90.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 20509s
  peer-PEER90-tunnel-1: #12, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3364s, expires in 3960s
    in  cf8e6c9e (-|0x0000005b), 4820 bytes, 21 packets, 0s ago
    out c2636850 (-|0x0000005b), 5084 bytes, 25 packets, 0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER80: #11, ESTABLISHED, IKEv2, 534d1b42878f42ef_i bb8235ece80fae9b_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 23934s
  peer-PEER80-tunnel-1: #11, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3244s, expires in 3959s
    in  c0b62464 (-|0x00000051), 0 bytes, 0 packets
    out c0b548c6 (-|0x00000051), 0 bytes, 0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24