Xfrm-Interface

Test suite to check IPsec with xfrm interface

Test IPsec With Multipath XFRM Interfaces

Description

DUT0 and DUT1 are connected to each other through multiple IPsec tunnels with same local and remote prefixes.

In this test case, we will check the IPsec tunnels are installing the multipath routes correctly and the traffic is being balanced between the two tunnels.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces dummy dum0 address 10.1.0.1/24
set interfaces ethernet eth0 address 80.0.0.1/24
set interfaces ethernet eth1 address 90.0.0.1/24
set interfaces xfrm xfrm80 mtu 1400
set interfaces xfrm xfrm90 mtu 1400
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set traffic policy POL rule 1 selector SEL
set traffic policy POL rule 2 action drop
set traffic selector SEL rule 1 protocol esp
set traffic selector SEL rule 2 protocol icmp
set traffic selector SEL rule 3 protocol udp
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX192CBx8SLRtmsRQwFK8eGfwB6FTwKGKxwU=
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER80 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER80 connection-type respond
set vpn ipsec site-to-site peer PEER80 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER80 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER80 local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER80 remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER80 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 xfrm-interface-out xfrm80
set vpn ipsec site-to-site peer PEER90 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER90 connection-type respond
set vpn ipsec site-to-site peer PEER90 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER90 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER90 local-address 90.0.0.1
set vpn ipsec site-to-site peer PEER90 remote-address 90.0.0.2
set vpn ipsec site-to-site peer PEER90 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER90 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 xfrm-interface-out xfrm90

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set interfaces ethernet eth1 address 90.0.0.2/24
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1+efVR4oJDU+ey7ld6fe7iiIL0MqU+PuqY=
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER80 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER80 connection-type initiate
set vpn ipsec site-to-site peer PEER80 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER80 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER80 local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER80 remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER80 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER90 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER90 connection-type initiate
set vpn ipsec site-to-site peer PEER90 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER90 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER90 local-address 90.0.0.2
set vpn ipsec site-to-site peer PEER90 remote-address 90.0.0.1
set vpn ipsec site-to-site peer PEER90 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 remote prefix 10.1.0.0/24

In order to test the multipath routes that the traffic is being balanced between the two tunnels,
we will use ssh connections to verify that it can reach another host through either of the tunnels.

Warning

The traffic steering is not done in the both sides yet, so from responder side we will force the traffic to go through one of the tunnels by adding drop policy to the xfrm interface of the other tunnel, and also in the initiator DUT we will set the default route to the negotiated tunnel instead.

Step 3: Modify the following configuration lines in DUT0 :

set interfaces xfrm xfrm90 traffic policy in POL

Step 4: Modify the following configuration lines in DUT1 :

set vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes main

Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 6: Run command vpn ipsec clear peer PEER80 at DUT1 and expect this output:

Show output

[IKE] deleting IKE_SA vpn-peer-PEER80[4] between 80.0.0.2[80.0.0.2]...80.0.0.1[80.0.0.1]
[IKE] sending DELETE for IKE_SA vpn-peer-PEER80[4]
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (65 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (57 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
[IKE] initiating IKE_SA vpn-peer-PEER80[6] to 80.0.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (264 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (272 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '80.0.0.2' (myself) with pre-shared key
[IKE] establishing CHILD_SA peer-PEER80-tunnel-1{6}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (217 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (193 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of '80.0.0.1' with pre-shared key successful
[IKE] IKE_SA vpn-peer-PEER80[6] established between 80.0.0.2[80.0.0.2]...80.0.0.1[80.0.0.1]
[IKE] scheduling rekeying in 22011s
[IKE] maximum IKE_SA lifetime 24891s
[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
[IKE] CHILD_SA peer-PEER80-tunnel-1{6} established with SPIs c956a133_i cae62af2_o and TS 10.2.0.0/24 === 10.1.0.0/24
initiate completed successfully

Step 7: Run command protocols ip show route at DUT0 and check if output matches the following regular expressions:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+

Show output

Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:06
L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:06
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm90, weight 1, 00:00:00
  *                   is directly connected, xfrm80, weight 1, 00:00:00
C>* 80.0.0.0/24 is directly connected, eth0, weight 1, 00:00:06
L>* 80.0.0.1/32 is directly connected, eth0, weight 1, 00:00:06
C>* 90.0.0.0/24 is directly connected, eth1, weight 1, 00:00:06
L>* 90.0.0.1/32 is directly connected, eth1, weight 1, 00:00:06

Note

We have installed a multipath route in the kernel and we also have a drop policy in one of the xfrm interfaces, so the below ssh connection only works when kernel decides to establish the connection through the tunnel that is not dropped by the traffic policy.

Step 8: Init an SSH connection from DUT0 to IP address 10.2.0.1 with the user admin:

admin@DUT0$ ssh admin@10.2.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.1

Show output

Warning: Permanently added '10.2.0.1' (ECDSA) to the list of known hosts.
admin@10.2.0.1's password:
Welcome to Teldat OSDx v4.2.6.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Tue Jun 24 13:26:26 2025
admin@osdx$

Step 9: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

vpn-peer-PEER80:\s*#\d+,\s*ESTABLISHED.*(?=\n\s*local\s*'80\.0\.0\.1')
\s*in\s*\w+\s*\(-\|0x00000051\),\s*\d+\s*bytes,\s*\d+\s*packets.*(?=\n\s*out\s*\w+\s*\(-|0x00000051\),\s*\d+\s*bytes,\s*\d+\s*packets)

Show output

vpn-peer-PEER80: #6, ESTABLISHED, IKEv2, b118f048e23a34a5_i a7116e5ba0823b40_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 11s ago, rekeying in 27696s
  peer-PEER80-tunnel-1: #6, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 11s ago, rekeying in 3470s, expires in 3949s
    in  cae62af2 (-|0x00000051),   4840 bytes,    21 packets,     0s ago
    out c956a133 (-|0x00000051),   4980 bytes,    23 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER90: #5, ESTABLISHED, IKEv2, 29a7a238a96edee9_i a1a0bec94e2cefd2_r*
  local  '90.0.0.1' @ 90.0.0.1[500]
  remote '90.0.0.2' @ 90.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 11s ago, rekeying in 25378s
  peer-PEER90-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 11s ago, rekeying in 3502s, expires in 3949s
    in  c69306fb (-|0x0000005b),      0 bytes,     0 packets
    out c201ee1b (-|0x0000005b),    180 bytes,     3 packets,     8s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

Note

Same as above, but now we will check the other tunnel.

Step 10: Modify the following configuration lines in DUT0 :

delete interfaces xfrm xfrm90 traffic
set interfaces xfrm xfrm80 traffic policy in POL

Step 11: Modify the following configuration lines in DUT1 :

delete vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes
set vpn ipsec site-to-site peer PEER90 tunnel 1 install-routes main

Step 12: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 13: Run command vpn ipsec clear peer PEER90 at DUT1 and expect this output:

Show output

[IKE] deleting IKE_SA vpn-peer-PEER90[9] between 90.0.0.2[90.0.0.2]...90.0.0.1[90.0.0.1]
[IKE] sending DELETE for IKE_SA vpn-peer-PEER90[9]
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (65 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (57 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
[IKE] initiating IKE_SA vpn-peer-PEER90[11] to 90.0.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (264 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (272 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '90.0.0.2' (myself) with pre-shared key
[IKE] establishing CHILD_SA peer-PEER90-tunnel-1{11}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (217 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (193 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of '90.0.0.1' with pre-shared key successful
[IKE] IKE_SA vpn-peer-PEER90[11] established between 90.0.0.2[90.0.0.2]...90.0.0.1[90.0.0.1]
[IKE] scheduling rekeying in 22441s
[IKE] maximum IKE_SA lifetime 25321s
[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
[IKE] CHILD_SA peer-PEER90-tunnel-1{11} established with SPIs c32e129b_i c2cd3d27_o and TS 10.2.0.0/24 === 10.1.0.0/24
initiate completed successfully

Step 14: Run command protocols ip show route at DUT0 and check if output matches the following regular expressions:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+

Show output

Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:19
L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:19
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm90, weight 1, 00:00:01
  *                   is directly connected, xfrm80, weight 1, 00:00:01
C>* 80.0.0.0/24 is directly connected, eth0, weight 1, 00:00:19
L>* 80.0.0.1/32 is directly connected, eth0, weight 1, 00:00:19
C>* 90.0.0.0/24 is directly connected, eth1, weight 1, 00:00:19
L>* 90.0.0.1/32 is directly connected, eth1, weight 1, 00:00:19

Step 15: Init an SSH connection from DUT0 to IP address 10.2.0.1 with the user admin:

admin@DUT0$ ssh admin@10.2.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.1

Show output

Warning: Permanently added '10.2.0.1' (ECDSA) to the list of known hosts.
admin@10.2.0.1's password:
Welcome to Teldat OSDx v4.2.6.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Tue Jun 24 13:35:11 2025 from 10.1.0.1
admin@osdx$

Step 16: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

vpn-peer-PEER90:\s*#\d+,\s*ESTABLISHED.*(?=\n\s*local\s*'90\.0\.0\.1')
\s*in\s*\w+\s*\(-\|0x0000005b\),\s*\d+\s*bytes,\s*\d+\s*packets.*(?=\n\s*out\s*\w+\s*\(-|0x0000005b\),\s*\d+\s*bytes,\s*\d+\s*packets)

Show output

vpn-peer-PEER90: #11, ESTABLISHED, IKEv2, ebf62a54689b45ce_i ea4a41f4f8ec1ad6_r*
  local  '90.0.0.1' @ 90.0.0.1[500]
  remote '90.0.0.2' @ 90.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 4s ago, rekeying in 16049s
  peer-PEER90-tunnel-1: #11, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 4s ago, rekeying in 3272s, expires in 3956s
    in  c2cd3d27 (-|0x0000005b),   5172 bytes,    25 packets,     0s ago
    out c32e129b (-|0x0000005b),   5188 bytes,    27 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER80: #10, ESTABLISHED, IKEv2, 9e0b331aff7a2f8b_i 88b94a6d646f5fec_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 4s ago, rekeying in 26821s
  peer-PEER80-tunnel-1: #10, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 4s ago, rekeying in 3404s, expires in 3956s
    in  c8e6d726 (-|0x00000051),      0 bytes,     0 packets
    out c7b6781f (-|0x00000051),    120 bytes,     2 packets,     2s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

---

Test IPsec With Multipath XFRM Interfaces And VRFs

Description

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces dummy dum0 address 10.1.0.1/24
set interfaces dummy dum0 vrf LAN
set interfaces ethernet eth0 address 80.0.0.1/24
set interfaces ethernet eth0 vrf WAN_A
set interfaces ethernet eth1 address 90.0.0.1/24
set interfaces ethernet eth1 vrf WAN_B
set interfaces xfrm xfrm80 local-interface eth0
set interfaces xfrm xfrm80 mtu 1400
set interfaces xfrm xfrm80 vrf WAN_A
set interfaces xfrm xfrm90 local-interface eth1
set interfaces xfrm xfrm90 mtu 1400
set interfaces xfrm xfrm90 vrf WAN_B
set protocols vrf WAN_A static route 10.1.0.0/24 next-hop-vrf LAN
set protocols vrf WAN_B static route 10.1.0.0/24 next-hop-vrf LAN
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf LAN
set system vrf WAN_A
set system vrf WAN_B
set system vrf main
set traffic policy POL rule 1 selector SEL
set traffic policy POL rule 2 action drop
set traffic selector SEL rule 1 protocol esp
set traffic selector SEL rule 2 protocol icmp
set traffic selector SEL rule 3 protocol udp
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX1+QH5c+tSeMJXJa9k1HbP4Nmovekfyqztw=
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER80 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER80 connection-type respond
set vpn ipsec site-to-site peer PEER80 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER80 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER80 local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER80 remote-address 80.0.0.2
set vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes LAN
set vpn ipsec site-to-site peer PEER80 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 xfrm-interface-out xfrm80
set vpn ipsec site-to-site peer PEER90 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER90 connection-type respond
set vpn ipsec site-to-site peer PEER90 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER90 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER90 local-address 90.0.0.1
set vpn ipsec site-to-site peer PEER90 remote-address 90.0.0.2
set vpn ipsec site-to-site peer PEER90 tunnel 1 install-routes LAN
set vpn ipsec site-to-site peer PEER90 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 remote prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 xfrm-interface-out xfrm90

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set interfaces ethernet eth1 address 90.0.0.2/24
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set vpn ipsec auth-profile AUTH-SA local auth encrypted-pre-shared-secret U2FsdGVkX182u0cIMDuwXaZeIakryUzK7/GyWoEm06I=
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER80 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER80 connection-type initiate
set vpn ipsec site-to-site peer PEER80 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER80 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER80 local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER80 remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER80 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER80 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER90 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER90 connection-type initiate
set vpn ipsec site-to-site peer PEER90 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER90 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER90 local-address 90.0.0.2
set vpn ipsec site-to-site peer PEER90 remote-address 90.0.0.1
set vpn ipsec site-to-site peer PEER90 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER90 tunnel 1 remote prefix 10.1.0.0/24

Same as above test case, but now we will check with the VRFs.

Step 3: Modify the following configuration lines in DUT0 :

set interfaces xfrm xfrm90 traffic policy in POL

Step 4: Modify the following configuration lines in DUT1 :

set vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes main

Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 6: Run command vpn ipsec clear peer PEER80 at DUT1 and expect this output:

Show output

[IKE] deleting IKE_SA vpn-peer-PEER80[4] between 80.0.0.2[80.0.0.2]...80.0.0.1[80.0.0.1]
[IKE] sending DELETE for IKE_SA vpn-peer-PEER80[4]
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (65 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (57 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
[IKE] initiating IKE_SA vpn-peer-PEER80[6] to 80.0.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (264 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (272 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '80.0.0.2' (myself) with pre-shared key
[IKE] establishing CHILD_SA peer-PEER80-tunnel-1{6}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (217 bytes)
[NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (193 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of '80.0.0.1' with pre-shared key successful
[IKE] IKE_SA vpn-peer-PEER80[6] established between 80.0.0.2[80.0.0.2]...80.0.0.1[80.0.0.1]
[IKE] scheduling rekeying in 22813s
[IKE] maximum IKE_SA lifetime 25693s
[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
[IKE] CHILD_SA peer-PEER80-tunnel-1{6} established with SPIs c0fdad07_i cad05ee7_o and TS 10.2.0.0/24 === 10.1.0.0/24
initiate completed successfully

Step 7: Run command protocols vrf LAN ip show route at DUT0 and check if output matches the following regular expressions:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+

Show output

Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF LAN:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:07
C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:07
L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:07
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm90 (vrf WAN_B), weight 1, 00:00:00
  *                   is directly connected, xfrm80 (vrf WAN_A), weight 1, 00:00:00

Note

We have installed a multipath route in the kernel and we also have a drop policy in one of the xfrm interfaces, so the below ssh connection only works when kernel decides to establish the connection through the tunnel that is not dropped by the traffic policy.

Step 8: Init an SSH connection from DUT0 to IP address 10.2.0.1 with the user admin:

admin@DUT0$ ssh admin@10.2.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.1 vrf LAN

Show output

Warning: Permanently added '10.2.0.1' (ECDSA) to the list of known hosts.
admin@10.2.0.1's password:
Welcome to Teldat OSDx v4.2.6.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Tue Jun 24 13:35:16 2025 from 10.1.0.1
admin@osdx$

Step 9: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

vpn-peer-PEER80:\s*#\d+,\s*ESTABLISHED.*(?=\n\s*local\s*'80\.0\.0\.1')
\s*in\s*\w+\s*\(-\|0x00000051\),\s*\d+\s*bytes,\s*\d+\s*packets.*(?=\n\s*out\s*\w+\s*\(-|0x00000051\),\s*\d+\s*bytes,\s*\d+\s*packets)

Show output

vpn-peer-PEER80: #6, ESTABLISHED, IKEv2, a3edc2959ac4a6f7_i e8f1cd6f1732d530_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 27470s
  peer-PEER80-tunnel-1: #6, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3240s, expires in 3960s
    in  cad05ee7 (-|0x00000051),   5112 bytes,    24 packets,     0s ago
    out c0fdad07 (-|0x00000051),   5136 bytes,    26 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER90: #5, ESTABLISHED, IKEv2, c400164a272184d1_i 810e641e7028c35f_r*
  local  '90.0.0.1' @ 90.0.0.1[500]
  remote '90.0.0.2' @ 90.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 26811s
  peer-PEER90-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3373s, expires in 3960s
    in  cd35d71a (-|0x0000005b),      0 bytes,     0 packets
    out c4e6b664 (-|0x0000005b),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Note

Same as above, but now we will check the other tunnel.

Step 10: Modify the following configuration lines in DUT0 :

delete interfaces xfrm xfrm90 traffic
set interfaces xfrm xfrm80 traffic policy in POL

Step 11: Modify the following configuration lines in DUT1 :

delete vpn ipsec site-to-site peer PEER80 tunnel 1 install-routes
set vpn ipsec site-to-site peer PEER90 tunnel 1 install-routes main

Step 12: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 13: Run command vpn ipsec clear peer PEER90 at DUT1 and expect this output:

Show output

[IKE] deleting IKE_SA vpn-peer-PEER90[9] between 90.0.0.2[90.0.0.2]...90.0.0.1[90.0.0.1]
[IKE] sending DELETE for IKE_SA vpn-peer-PEER90[9]
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (65 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (57 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
[IKE] initiating IKE_SA vpn-peer-PEER90[11] to 90.0.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (264 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (272 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '90.0.0.2' (myself) with pre-shared key
[IKE] establishing CHILD_SA peer-PEER90-tunnel-1{11}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 90.0.0.2[500](0) to 90.0.0.1[500](0) (217 bytes)
[NET] received packet: from 90.0.0.1[500](0) to 90.0.0.2[500](3) (193 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of '90.0.0.1' with pre-shared key successful
[IKE] IKE_SA vpn-peer-PEER90[11] established between 90.0.0.2[90.0.0.2]...90.0.0.1[90.0.0.1]
[IKE] scheduling rekeying in 23368s
[IKE] maximum IKE_SA lifetime 26248s
[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
[IKE] CHILD_SA peer-PEER90-tunnel-1{11} established with SPIs c2bc5c44_i cc3bd95e_o and TS 10.2.0.0/24 === 10.1.0.0/24
initiate completed successfully

Step 14: Run command protocols vrf LAN ip show route at DUT0 and check if output matches the following regular expressions:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+

Show output

Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF LAN:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:09
C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:09
L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:09
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm90 (vrf WAN_B), weight 1, 00:00:00
  *                   is directly connected, xfrm80 (vrf WAN_A), weight 1, 00:00:00

Step 15: Init an SSH connection from DUT0 to IP address 10.2.0.1 with the user admin:

admin@DUT0$ ssh admin@10.2.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.1 vrf LAN

Show output

Warning: Permanently added '10.2.0.1' (ECDSA) to the list of known hosts.
admin@10.2.0.1's password:
Welcome to Teldat OSDx v4.2.6.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Tue Jun 24 13:35:35 2025 from 10.1.0.1
admin@osdx$

Step 16: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

vpn-peer-PEER90:\s*#\d+,\s*ESTABLISHED.*(?=\n\s*local\s*'90\.0\.0\.1')
\s*in\s*\w+\s*\(-\|0x0000005b\),\s*\d+\s*bytes,\s*\d+\s*packets.*(?=\n\s*out\s*\w+\s*\(-|0x0000005b\),\s*\d+\s*bytes,\s*\d+\s*packets)

Show output

vpn-peer-PEER90: #11, ESTABLISHED, IKEv2, 5083f96f7fd9d173_i 9d8fc4186058040d_r*
  local  '90.0.0.1' @ 90.0.0.1[500]
  remote '90.0.0.2' @ 90.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 6s ago, rekeying in 17673s
  peer-PEER90-tunnel-1: #11, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 6s ago, rekeying in 3427s, expires in 3954s
    in  cc3bd95e (-|0x0000005b),   4856 bytes,    21 packets,     0s ago
    out c2bc5c44 (-|0x0000005b),   5084 bytes,    25 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER80: #10, ESTABLISHED, IKEv2, c9ac1069d3e38e7f_i 22d6d8e718951740_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 6s ago, rekeying in 20509s
  peer-PEER80-tunnel-1: #10, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 6s ago, rekeying in 3508s, expires in 3954s
    in  c44c1356 (-|0x00000051),      0 bytes,     0 packets
    out c41ae647 (-|0x00000051),    240 bytes,     4 packets,     2s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

---