Ppk
This set of tests shows how to configure and connect more than two subnets with each other through a VPN tunnel using PPK authentication in different ways.
Test PPK Options
Description
In this test, we will check the different options for PPK authentication (i.e., when it is required or not, when it remains unmatched, etc.).
Scenario
Note
Set default configuration for both DUTs, where PPK is not required and the PPK is the same.
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt' set vpn ipsec auth-profile AUTH-SA local id CN=moon.teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth eap carol encrypted-secret U2FsdGVkX18CBoFGLZp2BMCvcpPVQBs6CyF48tIzJT4= set vpn ipsec auth-profile AUTH-SA remote auth eap carol type ttls set vpn ipsec auth-profile AUTH-SA remote auth eap dave encrypted-secret U2FsdGVkX1+lVX3L61qKmM/e1Tg19xPxk/YHPT59E14= set vpn ipsec auth-profile AUTH-SA remote auth eap dave type ttls set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth eap carol encrypted-secret U2FsdGVkX1926mH5JlR7JAwW3sns4XY+J4po6K05k9w= set vpn ipsec auth-profile AUTH-SA local auth eap carol type ttls set vpn ipsec auth-profile AUTH-SA local id carol set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.029 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.029/0.029/0.029/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.032 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.032/0.032/0.032/0.000 ms
Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 79b41628068eaca5_i 2f43a0e34d9159fb_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 0s ago, rekeying in 24471s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3257s, expires in 3960s in ce73b699, 0 bytes, 0 packets out c15e8571, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 6: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.310 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.310/0.310/0.310/0.000 ms
Step 7: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.274 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.274/0.274/0.274/0.000 ms
Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 79b41628068eaca5_i 2f43a0e34d9159fb_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 1s ago, rekeying in 24470s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3256s, expires in 3959s in ce73b699, 168 bytes, 2 packets, 0s ago out c15e8571, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Note
Delete the PPK from DUT0 and check that the SA falls back to standard authentication.
Step 9: Modify the following configuration lines in DUT0 :
delete vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org
Step 10: Run command vpn ipsec clear peer PEER at DUT0 and expect this output:
Show output
[IKE] deleting IKE_SA vpn-peer-PEER[1] between 80.0.0.1[CN=moon.teldat.org]...80.0.0.2[carol] [IKE] sending DELETE for IKE_SA vpn-peer-PEER[1] [ENC] generating INFORMATIONAL request 0 [ D ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (65 bytes) [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (57 bytes) [ENC] parsed INFORMATIONAL response 0 [ ] [IKE] IKE_SA deleted terminate completed successfully [IKE] not establishing CHILD_SA peer-PEER-tunnel-1{3} due to existing duplicate {2} with SPIs c6b620b0_i cb0c679a_o and TS 10.1.0.0/24 === 10.2.0.0/24 initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 11: Run command vpn ipsec clear peer PEER at DUT1 and expect this output:
Show output
[IKE] deleting IKE_SA vpn-peer-PEER[2] between 80.0.0.2[carol]...80.0.0.1[CN=moon.teldat.org] [IKE] sending DELETE for IKE_SA vpn-peer-PEER[2] [ENC] generating INFORMATIONAL request 8 [ D ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (65 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (57 bytes) [ENC] parsed INFORMATIONAL response 8 [ ] [IKE] IKE_SA deleted terminate completed successfully [IKE] initiating IKE_SA vpn-peer-PEER[3] to 80.0.0.1 [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) N(USE_PPK) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (272 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (305 bytes) [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(USE_PPK) N(CHDLESS_SUP) N(MULT_AUTH) ] [CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256 [IKE] received cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] sending cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] establishing CHILD_SA peer-PEER-tunnel-1{3} [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (247 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1252 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(1/2) ] [ENC] received fragment #1 of 2, waiting for complete IKE message [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (246 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(2/2) ] [ENC] received fragment #2 of 2, reassembled fragmented IKE message (1433 bytes) [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ] [IKE] received end entity cert "CN=moon.teldat.org" [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [IKE] authentication of 'CN=moon.teldat.org' with RSA_EMSA_PKCS1_SHA2_256 successful [IKE] server requested EAP_TTLS authentication (id 0xE1) [TLS] EAP_TTLS version is v0 [ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (279 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1085 bytes) [ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] [ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (67 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (540 bytes) [ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] [TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [TLS] received TLS server certificate 'CN=moon.teldat.org' [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (229 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (122 bytes) [ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID] [ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (120 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (132 bytes) [ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] [IKE] server requested EAP_MD5 authentication (id 0xEB) [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5] [ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (132 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 6 [ EAP/SUCC ] [IKE] EAP method EAP_TTLS succeeded, MSK established [IKE] authentication of 'carol' (myself) with EAP [ENC] generating IKE_AUTH request 7 [ AUTH N(NO_PPK) N(PPK_ID) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (162 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (181 bytes) [ENC] parsed IKE_AUTH response 7 [ AUTH SA TSi TSr ] [IKE] authentication of 'CN=moon.teldat.org' with EAP successful [CFG] peer didn't use PPK for PPK_ID 'carol@teldat.org' [IKE] IKE_SA vpn-peer-PEER[3] established between 80.0.0.2[carol]...80.0.0.1[CN=moon.teldat.org] [IKE] scheduling rekeying in 20300s [IKE] maximum IKE_SA lifetime 23180s [CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ [IKE] CHILD_SA peer-PEER-tunnel-1{3} established with SPIs cc0ef6fc_i c7ec8017_o and TS 10.2.0.0/24 === 10.1.0.0/24 initiate completed successfully
Step 12: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, bded63517e7ff32c_i 90c8afcb9176084b_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 23672s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3343s, expires in 3960s in c7ec8017, 0 bytes, 0 packets out cc0ef6fc, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 13: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.427 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.427/0.427/0.427/0.000 ms
Step 14: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.299 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.299/0.299/0.299/0.000 ms
Step 15: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, bded63517e7ff32c_i 90c8afcb9176084b_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 23672s peer-PEER-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3343s, expires in 3960s in c7ec8017, 168 bytes, 2 packets, 0s ago out cc0ef6fc, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Note
Set the PPK as required in DUT0 and, with DUT1’s corresponding PPK deleted, check that the connection fails.
Step 16: Modify the following configuration lines in DUT0 :
set vpn ipsec auth-profile AUTH-SA remote ppk required
Step 17: Run command vpn ipsec clear peer PEER at DUT0 and expect this output:
Show output
[IKE] deleting IKE_SA vpn-peer-PEER[3] between 80.0.0.1[CN=moon.teldat.org]...80.0.0.2[carol] [IKE] sending DELETE for IKE_SA vpn-peer-PEER[3] [ENC] generating INFORMATIONAL request 0 [ D ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (65 bytes) [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (57 bytes) [ENC] parsed INFORMATIONAL response 0 [ ] [IKE] IKE_SA deleted terminate completed successfully [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (120 bytes) [ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID] [IKE] received EAP identity 'carol' [IKE] phase2 method EAP_MD5 selected [IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5] [ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (132 bytes) [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (132 bytes) [ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5] [IKE] EAP_TTLS phase2 authentication of 'carol' with EAP_MD5 successful [IKE] EAP method EAP_TTLS succeeded, MSK established [ENC] generating IKE_AUTH response 6 [ EAP/SUCC ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (65 bytes) [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (162 bytes) [ENC] parsed IKE_AUTH request 7 [ AUTH N(NO_PPK) N(PPK_ID) ] [CFG] PPK required but no PPK found for 'carol@teldat.org' [ENC] generating IKE_AUTH response 7 [ N(AUTH_FAILED) ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (65 bytes) initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 18: Run command vpn ipsec clear peer PEER at DUT1 and expect this output:
Show output
terminate failed: no matching SAs to terminate found [IKE] initiating IKE_SA vpn-peer-PEER[5] to 80.0.0.1 [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) N(USE_PPK) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (272 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (305 bytes) [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(USE_PPK) N(CHDLESS_SUP) N(MULT_AUTH) ] [CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256 [IKE] received cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] sending cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] establishing CHILD_SA peer-PEER-tunnel-1{5} [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (247 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1252 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(1/2) ] [ENC] received fragment #1 of 2, waiting for complete IKE message [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (246 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(2/2) ] [ENC] received fragment #2 of 2, reassembled fragmented IKE message (1433 bytes) [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ] [IKE] received end entity cert "CN=moon.teldat.org" [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [IKE] authentication of 'CN=moon.teldat.org' with RSA_EMSA_PKCS1_SHA2_256 successful [IKE] server requested EAP_TTLS authentication (id 0x41) [TLS] EAP_TTLS version is v0 [ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (279 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1085 bytes) [ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] [ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (67 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (540 bytes) [ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] [TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [TLS] received TLS server certificate 'CN=moon.teldat.org' [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (229 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (122 bytes) [ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID] [ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (120 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (132 bytes) [ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] [IKE] server requested EAP_MD5 authentication (id 0x6B) [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5] [ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (132 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 6 [ EAP/SUCC ] [IKE] EAP method EAP_TTLS succeeded, MSK established [IKE] authentication of 'carol' (myself) with EAP [ENC] generating IKE_AUTH request 7 [ AUTH N(NO_PPK) N(PPK_ID) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (162 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 7 [ N(AUTH_FAILED) ] [IKE] received AUTHENTICATION_FAILED notify error initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 19: Expect a failure in the following command:
Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. --- 10.2.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Note
Set the PPK as required in DUT1 and change the PPK in DUT0 back to not required. Check that the connection is still failing.
Step 20: Modify the following configuration lines in DUT0 :
delete vpn ipsec auth-profile AUTH-SA remote ppk required
Step 21: Modify the following configuration lines in DUT1 :
set vpn ipsec auth-profile AUTH-SA local ppk required
Step 22: Run command vpn ipsec clear peer PEER at DUT0 and expect this output:
Show output
terminate failed: no matching SAs to terminate found [IKE] unable to resolve %any, initiate aborted initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 23: Run command vpn ipsec clear peer PEER at DUT1 and expect this output:
Show output
terminate failed: no matching SAs to terminate found [IKE] initiating IKE_SA vpn-peer-PEER[7] to 80.0.0.1 [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) N(USE_PPK) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (272 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (305 bytes) [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(USE_PPK) N(CHDLESS_SUP) N(MULT_AUTH) ] [CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256 [IKE] received cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] sending cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] establishing CHILD_SA peer-PEER-tunnel-1{7} [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (247 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1252 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(1/2) ] [ENC] received fragment #1 of 2, waiting for complete IKE message [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (246 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(2/2) ] [ENC] received fragment #2 of 2, reassembled fragmented IKE message (1433 bytes) [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ] [IKE] received end entity cert "CN=moon.teldat.org" [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [IKE] authentication of 'CN=moon.teldat.org' with RSA_EMSA_PKCS1_SHA2_256 successful [IKE] server requested EAP_TTLS authentication (id 0xD7) [TLS] EAP_TTLS version is v0 [ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (279 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1085 bytes) [ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] [ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (67 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (540 bytes) [ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] [TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [TLS] received TLS server certificate 'CN=moon.teldat.org' [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (229 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (122 bytes) [ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID] [ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (120 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (132 bytes) [ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] [IKE] server requested EAP_MD5 authentication (id 0xAD) [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5] [ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (132 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 6 [ EAP/SUCC ] [IKE] EAP method EAP_TTLS succeeded, MSK established [IKE] authentication of 'carol' (myself) with EAP [ENC] generating IKE_AUTH request 7 [ AUTH N(PPK_ID) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (122 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 7 [ N(AUTH_FAILED) ] [IKE] received AUTHENTICATION_FAILED notify error initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 24: Expect a failure in the following command:
Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. --- 10.2.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Test PPK EAP-TTLS STS
Description
Test the site-to-site VPN with PPK authentication and EAP-TTLS
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt' set vpn ipsec auth-profile AUTH-SA local id CN=moon.teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth eap carol encrypted-secret U2FsdGVkX19EE+GE9frVoXouWPbpI44l/ECQaqcW1w4= set vpn ipsec auth-profile AUTH-SA remote auth eap carol type ttls set vpn ipsec auth-profile AUTH-SA remote auth eap dave encrypted-secret U2FsdGVkX195ZJl2aHB5RIi48Rg3bs38ogKealYybsA= set vpn ipsec auth-profile AUTH-SA remote auth eap dave type ttls set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth eap carol encrypted-secret U2FsdGVkX1+lLnyar7N7wjhURnTyByGg1kHHX0GDJGg= set vpn ipsec auth-profile AUTH-SA local auth eap carol type ttls set vpn ipsec auth-profile AUTH-SA local id carol set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.035 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.035/0.035/0.035/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.026 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.026/0.026/0.026/0.000 ms
Step 5: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth eap dave encrypted-secret U2FsdGVkX18KIN2ZI71e6vkNDSGG+ykk9nY4MJ7GjHI= set vpn ipsec auth-profile AUTH-SA local auth eap dave type ttls set vpn ipsec auth-profile AUTH-SA local id dave set vpn ipsec auth-profile AUTH-SA local ppk id dave@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 6: Ping IP address 80.0.0.3 from DUT2:
admin@DUT2$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.028 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.028/0.028/0.028/0.000 ms
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, c4229aadaf19d5c0_i ebdc455fa59e8985_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 0s ago, rekeying in 24597s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3376s, expires in 3960s in c2982edc, 0 bytes, 0 packets out c821be52, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 644882c18b4a04c4_i ab90a5772cb52326_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 16381s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3532s, expires in 3955s in cb1246e6, 0 bytes, 0 packets out c7298fb0, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 8: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.269 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.269/0.269/0.269/0.000 ms
Step 9: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.297 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.297/0.297/0.297/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, c4229aadaf19d5c0_i ebdc455fa59e8985_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 24593s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3372s, expires in 3956s in c2982edc, 0 bytes, 0 packets out c821be52, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 644882c18b4a04c4_i ab90a5772cb52326_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 16377s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3528s, expires in 3951s in cb1246e6, 168 bytes, 2 packets, 1s ago out c7298fb0, 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 11: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, c4229aadaf19d5c0_i ebdc455fa59e8985_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 24593s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3372s, expires in 3956s in c2982edc, 0 bytes, 0 packets out c821be52, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 644882c18b4a04c4_i ab90a5772cb52326_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 16377s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3528s, expires in 3951s in cb1246e6, 168 bytes, 2 packets, 1s ago out c7298fb0, 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 12: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.292 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.292/0.292/0.292/0.000 ms
Step 13: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.261 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.261/0.261/0.261/0.000 ms
Step 14: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, c4229aadaf19d5c0_i ebdc455fa59e8985_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 24592s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3371s, expires in 3955s in c2982edc, 168 bytes, 2 packets, 0s ago out c821be52, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 644882c18b4a04c4_i ab90a5772cb52326_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 10s ago, rekeying in 16376s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 10s ago, rekeying in 3527s, expires in 3950s in cb1246e6, 168 bytes, 2 packets, 2s ago out c7298fb0, 168 bytes, 2 packets, 2s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test PPK PSK STS
Description
Test the site-to-site VPN with PPK authentication and PSK
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1+12xaBi9n0STs3CwqlP5pR6AEfO+NeDGE= set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX18lCbFiW+deIk/lYiCiEGUTEuvj9EDAxPc= set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX19mBbiTMTepWCtlJNwyD48bv6LddQTHkaY= set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX18RQ3ICQFGOmKHXtloWw3f76YRutIshAdc= set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.035 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.035/0.035/0.035/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.029 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.029/0.029/0.029/0.000 ms
Step 5: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX194ajMb66MspK2WEo1rO9d+2EE2JXN4b3Q= set vpn ipsec auth-profile AUTH-SA local ppk id dave@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX1/1xRBFP4hq+lsrSXQNEfiLAbSoWwkk3Bc= set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 6: Ping IP address 80.0.0.3 from DUT2:
admin@DUT2$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.035 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.035/0.035/0.035/0.000 ms
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 5990dd7295a64170_i 34481ba4ec0a79c3_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.3' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 1s ago, rekeying in 26950s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3400s, expires in 3959s in cd4e3ec5, 0 bytes, 0 packets out c9d4da1c, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, cea23bbb22fcb68c_i 64aeedd3773e7534_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 25314s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3329s, expires in 3956s in c625edbc, 0 bytes, 0 packets out cbb04f85, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 8: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.334 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.334/0.334/0.334/0.000 ms
Step 9: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.280 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.280/0.280/0.280/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 5990dd7295a64170_i 34481ba4ec0a79c3_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.3' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 26946s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3396s, expires in 3955s in cd4e3ec5, 0 bytes, 0 packets out c9d4da1c, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, cea23bbb22fcb68c_i 64aeedd3773e7534_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 8s ago, rekeying in 25310s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3325s, expires in 3952s in c625edbc, 168 bytes, 2 packets, 0s ago out cbb04f85, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 11: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 5990dd7295a64170_i 34481ba4ec0a79c3_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.3' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 26946s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3396s, expires in 3955s in cd4e3ec5, 0 bytes, 0 packets out c9d4da1c, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, cea23bbb22fcb68c_i 64aeedd3773e7534_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 8s ago, rekeying in 25310s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3325s, expires in 3952s in c625edbc, 168 bytes, 2 packets, 0s ago out cbb04f85, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 12: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.306 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.306/0.306/0.306/0.000 ms
Step 13: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.285 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.285/0.285/0.285/0.000 ms
Step 14: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 5990dd7295a64170_i 34481ba4ec0a79c3_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.3' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 26946s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3396s, expires in 3955s in cd4e3ec5, 168 bytes, 2 packets, 0s ago out c9d4da1c, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, cea23bbb22fcb68c_i 64aeedd3773e7534_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 8s ago, rekeying in 25310s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3325s, expires in 3952s in c625edbc, 168 bytes, 2 packets, 0s ago out cbb04f85, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test PPK RSA STS
Description
Test the site-to-site VPN with PPK authentication and RSA
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt' set vpn ipsec auth-profile AUTH-SA local id CN=moon.teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://client.crt' set vpn ipsec auth-profile AUTH-SA local id CN=carol@teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://client.priv.pem' set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.026 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.026/0.026/0.026/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.027 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.027/0.027/0.027/0.000 ms
Step 5: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set protocols static route 10.215.168.0/24 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://client.crt' set vpn ipsec auth-profile AUTH-SA local id CN=dave@teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://client.priv.pem' set vpn ipsec auth-profile AUTH-SA local ppk id dave@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 6: Ping IP address 80.0.0.3 from DUT2:
admin@DUT2$ ping 80.0.0.3 count 1 size 56 timeout 1Show output
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data. 64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.028 ms --- 80.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.028/0.028/0.028/0.000 ms
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 53c8de551822a680_i 80fda35ba77e4024_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 1s ago, rekeying in 26686s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3370s, expires in 3959s in c0dfe079, 0 bytes, 0 packets out c5de15c2, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 9a0fc64fbf7204c9_i 1d97f70de41538d3_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 21160s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3240s, expires in 3956s in c0432a48, 0 bytes, 0 packets out c6886f3f, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 8: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.262 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.262/0.262/0.262/0.000 ms
Step 9: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.281 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.281/0.281/0.281/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 53c8de551822a680_i 80fda35ba77e4024_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 26682s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3366s, expires in 3955s in c0dfe079, 0 bytes, 0 packets out c5de15c2, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 9a0fc64fbf7204c9_i 1d97f70de41538d3_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 8s ago, rekeying in 21156s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3236s, expires in 3952s in c0432a48, 168 bytes, 2 packets, 0s ago out c6886f3f, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 11: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 53c8de551822a680_i 80fda35ba77e4024_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 26682s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3366s, expires in 3955s in c0dfe079, 0 bytes, 0 packets out c5de15c2, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 9a0fc64fbf7204c9_i 1d97f70de41538d3_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 8s ago, rekeying in 21156s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3236s, expires in 3952s in c0432a48, 168 bytes, 2 packets, 0s ago out c6886f3f, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 12: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.334 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.334/0.334/0.334/0.000 ms
Step 13: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.294 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.294/0.294/0.294/0.000 ms
Step 14: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 53c8de551822a680_i 80fda35ba77e4024_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 5s ago, rekeying in 26682s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3366s, expires in 3955s in c0dfe079, 168 bytes, 2 packets, 0s ago out c5de15c2, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 9a0fc64fbf7204c9_i 1d97f70de41538d3_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 8s ago, rekeying in 21156s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 8s ago, rekeying in 3236s, expires in 3952s in c0432a48, 168 bytes, 2 packets, 0s ago out c6886f3f, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test PPK PSK DMVPN
Description
Test the DMVPN scenario with PPK authentication and PSK
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 80.0.0.2/24 set interfaces tunnel tun0 address 10.0.0.2/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 local-address 80.0.0.2 set interfaces tunnel tun0 local-interface eth0 set interfaces tunnel tun0 mtu 1390 set interfaces tunnel tun0 nhrp holdtime 600 set interfaces tunnel tun0 nhrp ipsec IPSEC set interfaces tunnel tun0 nhrp nhs 10.0.0.1 nbma 80.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX185L+Le7hT4VUQvtn7XB4D4fRUM0PhHfbs= set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX19vlUN5w8vgr7fChT0UUz+ldAd9n54yXXQ= set vpn ipsec dmvpn-profile IPSEC auth-profile AUTH-SA set vpn ipsec dmvpn-profile IPSEC esp-group ESP-GROUP set vpn ipsec dmvpn-profile IPSEC ike-group IKE-GROUP set vpn ipsec esp-group ESP-GROUP lifetime 28800 set vpn ipsec esp-group ESP-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec esp-group ESP-GROUP proposal 10 hash sha256 set vpn ipsec esp-group ESP-GROUP proposal 10 pfs dh-group19 set vpn ipsec ike-group IKE-GROUP key-exchange ikev2 set vpn ipsec ike-group IKE-GROUP lifetime 86400 set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group 19 set vpn ipsec ike-group IKE-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec ike-group IKE-GROUP proposal 10 hash sha256 set vpn ipsec logging log-types any log-level 1
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces tunnel tun0 address 10.0.0.1/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 local-address 80.0.0.1 set interfaces tunnel tun0 local-interface eth0 set interfaces tunnel tun0 mtu 1390 set interfaces tunnel tun0 nhrp holdtime 60 set interfaces tunnel tun0 nhrp ipsec IPSEC set interfaces tunnel tun0 nhrp transport-nat-support set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1/UYobDQOYbCL1uZ69SFPS/qq27y4SwExQ= set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth encrypted-pre-shared-secret U2FsdGVkX19c/WnfJwU4zdUlQI9756c/BledV2Nu6pI= set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec dmvpn-profile IPSEC auth-profile AUTH-SA set vpn ipsec dmvpn-profile IPSEC esp-group ESP-GROUP set vpn ipsec dmvpn-profile IPSEC ike-group IKE-GROUP set vpn ipsec esp-group ESP-GROUP lifetime 28800 set vpn ipsec esp-group ESP-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec esp-group ESP-GROUP proposal 10 hash sha256 set vpn ipsec esp-group ESP-GROUP proposal 10 pfs dh-group19 set vpn ipsec ike-group IKE-GROUP key-exchange ikev2 set vpn ipsec ike-group IKE-GROUP lifetime 86400 set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group 19 set vpn ipsec ike-group IKE-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec ike-group IKE-GROUP proposal 10 hash sha256 set vpn ipsec logging log-types any log-level 1
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.027 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.027/0.027/0.027/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.028 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.028/0.028/0.028/0.000 ms
Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+80.0.0.*Show output
IPSEC: #1, ESTABLISHED, IKEv2, ea728d6448031a56_i c79bae93830bfa85_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 0s ago, rekeying in 54206s IPSEC: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 20828s, expires in 31680s in c61007ce, 116 bytes, 1 packets, 0s ago out c5de95ff, 0 bytes, 0 packets local 80.0.0.1/32[gre] remote 80.0.0.2/32[gre]
Step 6: Ping IP address 10.0.0.2 from DUT0:
admin@DUT0$ ping 10.0.0.2 local-address 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 : 56(84) bytes of data. 64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.350 ms --- 10.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.350/0.350/0.350/0.000 ms
Step 7: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 local-address 10.0.0.2 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) from 10.0.0.2 : 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.344 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.344/0.344/0.344/0.000 ms
Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+80.0.0.*Show output
IPSEC: #1, ESTABLISHED, IKEv2, ea728d6448031a56_i c79bae93830bfa85_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 54202s IPSEC: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 20824s, expires in 31676s in c61007ce, 564 bytes, 5 packets, 0s ago out c5de95ff, 352 bytes, 3 packets, 0s ago local 80.0.0.1/32[gre] remote 80.0.0.2/32[gre]