X509
These scenarios show how to establish a VPN IPsec site-to-site connection between two end-points using X.509 certificates.
Test Local And Remote Auth With X509 Files
Description
In this scenario, both devices use pre-installed X.509 certificate files for local and remote authentication.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 8.0.0.1/24 set interfaces ethernet eth1 address 9.0.0.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 192.168.2.1/24 set interfaces ethernet eth0 address 9.0.0.2/24 set interfaces ethernet eth1 address 10.215.168.66/24 set protocols static route 0.0.0.0/0 next-hop 9.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH local ca-cert-file 'running://ca.pem' set vpn ipsec auth-profile AUTH local ca-cert-file 'running://root.pem' set vpn ipsec auth-profile AUTH local cert-file 'running://dut2.pem' set vpn ipsec auth-profile AUTH local key file 'running://dut2.key' set vpn ipsec auth-profile AUTH mirror-config false set vpn ipsec auth-profile AUTH mode x509 set vpn ipsec auth-profile AUTH remote ca-cert-file 'running://ca.pem' set vpn ipsec auth-profile AUTH remote ca-cert-file 'running://root.pem' set vpn ipsec esp-group ESP-POLICY lifetime 28800 set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1 set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15 set vpn ipsec ike-group IKE-POLICY key-exchange ikev2 set vpn ipsec ike-group IKE-POLICY lifetime 28800 set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY set vpn ipsec site-to-site peer PEER local-address 9.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 8.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.2.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.1.0/24
Step 3: Ping IP address 9.0.0.1 from DUT2:
admin@DUT2$ ping 9.0.0.1 count 1 size 56 timeout 1Show output
PING 9.0.0.1 (9.0.0.1) 56(84) bytes of data. 64 bytes from 9.0.0.1: icmp_seq=1 ttl=64 time=0.324 ms --- 9.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.324/0.324/0.324/0.000 ms
Step 4: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 192.168.1.1/24 set interfaces ethernet eth0 address 8.0.0.2/24 set interfaces ethernet eth1 address 10.215.168.64/24 set protocols static route 0.0.0.0/0 next-hop 8.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH local ca-cert-file 'running://ca.pem' set vpn ipsec auth-profile AUTH local ca-cert-file 'running://root.pem' set vpn ipsec auth-profile AUTH local cert-file 'running://dut0.pem' set vpn ipsec auth-profile AUTH local key file 'running://dut0.key' set vpn ipsec auth-profile AUTH mirror-config false set vpn ipsec auth-profile AUTH mode x509 set vpn ipsec auth-profile AUTH remote ca-cert-file 'running://ca.pem' set vpn ipsec auth-profile AUTH remote ca-cert-file 'running://root.pem' set vpn ipsec esp-group ESP-POLICY lifetime 28800 set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1 set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15 set vpn ipsec ike-group IKE-POLICY key-exchange ikev2 set vpn ipsec ike-group IKE-POLICY lifetime 28800 set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH set vpn ipsec site-to-site peer PEER connection-type on-demand set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY set vpn ipsec site-to-site peer PEER local-address 8.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 9.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.1.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.2.0/24
Step 5: Ping IP address 8.0.0.1 from DUT0:
admin@DUT0$ ping 8.0.0.1 count 1 size 56 timeout 1Show output
PING 8.0.0.1 (8.0.0.1) 56(84) bytes of data. 64 bytes from 8.0.0.1: icmp_seq=1 ttl=64 time=0.317 ms --- 8.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.317/0.317/0.317/0.000 ms
Step 6: Ping IP address 192.168.2.1 from DUT0:
admin@DUT0$ ping 192.168.2.1 local-address 192.168.1.1 count 1 size 56 timeout 1Show output
PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56(84) bytes of data. 64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=16.4 ms --- 192.168.2.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 16.388/16.388/16.388/0.000 ms
Step 7: Ping IP address 192.168.1.1 from DUT2:
admin@DUT2$ ping 192.168.1.1 local-address 192.168.2.1 count 1 size 56 timeout 1Show output
PING 192.168.1.1 (192.168.1.1) from 192.168.2.1 : 56(84) bytes of data. 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.472 ms --- 192.168.1.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.472/0.472/0.472/0.000 ms
Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
vpn-peer-PEER: \#\d, ESTABLISHED, IKEv2 [1-9]\d* packets,Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, b1557175e9ef3fba_i* 74f228dd685862f5_r local 'C=ES, O=Teldat, CN=DUT0' @ 8.0.0.2[500] remote 'C=ES, O=Teldat, CN=DUT2' @ 9.0.0.2[500] NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072 established 2s ago, rekeying in 14873s peer-PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:NULL/HMAC_SHA1_96 installed 2s ago, rekeying in 26926s, expires in 31678s in c2f45cc2, 168 bytes, 2 packets, 0s ago out c8b46126, 168 bytes, 2 packets, 0s ago local 192.168.1.0/24 remote 192.168.2.0/24
Test Local Auth With SCEP And Remote Auth With X509 Files
Description
In this scenario, DUT0 uses SCEP for local authentication, while the remote peer is authenticated using X.509 certificate files.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 8.0.0.1/24 set interfaces ethernet eth1 address 9.0.0.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 192.168.2.1/24 set interfaces ethernet eth0 address 9.0.0.2/24 set interfaces ethernet eth1 address 10.215.168.66/24 set protocols static route 0.0.0.0/0 next-hop 9.0.0.1 set system certificate scep csr CSR cgi-path /scep set system certificate scep csr CSR cipher aes set system certificate scep csr CSR distinguished-names CN=DUT2 set system certificate scep csr CSR encrypted-password U2FsdGVkX1+Aj+2zIL1DnqoRlKCzh4YNhsuOcW8//qo= set system certificate scep csr CSR port 8080 set system certificate scep csr CSR url 'http://10.215.168.1' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH local ca-cert-file 'running://ca.pem' set vpn ipsec auth-profile AUTH local ca-cert-file 'running://root.pem' set vpn ipsec auth-profile AUTH local cert-file 'running://dut2.pem' set vpn ipsec auth-profile AUTH local key file 'running://dut2.key' set vpn ipsec auth-profile AUTH mirror-config false set vpn ipsec auth-profile AUTH mode x509 set vpn ipsec auth-profile AUTH remote csr CSR set vpn ipsec esp-group ESP-POLICY lifetime 28800 set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1 set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15 set vpn ipsec ike-group IKE-POLICY key-exchange ikev2 set vpn ipsec ike-group IKE-POLICY lifetime 28800 set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY set vpn ipsec site-to-site peer PEER local-address 9.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 8.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.2.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.1.0/24
Step 3: Ping IP address 9.0.0.1 from DUT2:
admin@DUT2$ ping 9.0.0.1 count 1 size 56 timeout 1Show output
PING 9.0.0.1 (9.0.0.1) 56(84) bytes of data. 64 bytes from 9.0.0.1: icmp_seq=1 ttl=64 time=0.309 ms --- 9.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.309/0.309/0.309/0.000 ms
Step 4: Run command pki scep show CSR at DUT2 and check if output matches the following regular expressions:
ca\s+Valid usercert\s+ValidShow output
------------------------------------------------------------------------------------------------- Certificate Status Usage NotBefore NotAfter ------------------------------------------------------------------------------------------------- ca Valid Encipherment & Signature Apr 16 09:19:39 2025 GMT Apr 11 09:19:39 2045 GMT usercert Valid - Oct 10 23:23:28 2025 GMT Oct 10 23:23:28 2026 GMT
Step 5: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 192.168.1.1/24 set interfaces ethernet eth0 address 8.0.0.2/24 set interfaces ethernet eth1 address 10.215.168.64/24 set protocols static route 0.0.0.0/0 next-hop 8.0.0.1 set system certificate scep csr CSR cgi-path /scep set system certificate scep csr CSR cipher aes set system certificate scep csr CSR distinguished-names CN=DUT0 set system certificate scep csr CSR encrypted-password U2FsdGVkX1/uWwHj0x4I2+pwNOGG70rC86Xxf0H+yPg= set system certificate scep csr CSR port 8080 set system certificate scep csr CSR url 'http://10.215.168.1' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH local csr CSR set vpn ipsec auth-profile AUTH mirror-config false set vpn ipsec auth-profile AUTH mode x509 set vpn ipsec auth-profile AUTH remote ca-cert-file 'running://ca.pem' set vpn ipsec auth-profile AUTH remote ca-cert-file 'running://root.pem' set vpn ipsec esp-group ESP-POLICY lifetime 28800 set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1 set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15 set vpn ipsec ike-group IKE-POLICY key-exchange ikev2 set vpn ipsec ike-group IKE-POLICY lifetime 28800 set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH set vpn ipsec site-to-site peer PEER connection-type on-demand set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY set vpn ipsec site-to-site peer PEER local-address 8.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 9.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.1.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.2.0/24
Step 6: Ping IP address 8.0.0.1 from DUT0:
admin@DUT0$ ping 8.0.0.1 count 1 size 56 timeout 1Show output
PING 8.0.0.1 (8.0.0.1) 56(84) bytes of data. 64 bytes from 8.0.0.1: icmp_seq=1 ttl=64 time=0.338 ms --- 8.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.338/0.338/0.338/0.000 ms
Step 7: Run command pki scep show CSR at DUT0 and check if output matches the following regular expressions:
ca\s+Valid usercert\s+ValidShow output
------------------------------------------------------------------------------------------------- Certificate Status Usage NotBefore NotAfter ------------------------------------------------------------------------------------------------- ca Valid Encipherment & Signature Apr 16 09:19:39 2025 GMT Apr 11 09:19:39 2045 GMT usercert Valid - Oct 10 23:24:08 2025 GMT Oct 10 23:24:08 2026 GMT
Step 8: Ping IP address 192.168.2.1 from DUT0:
admin@DUT0$ ping 192.168.2.1 local-address 192.168.1.1 count 1 size 56 timeout 1Show output
PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56(84) bytes of data. 64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=1.49 ms --- 192.168.2.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 1.493/1.493/1.493/0.000 ms
Step 9: Ping IP address 192.168.1.1 from DUT2:
admin@DUT2$ ping 192.168.1.1 local-address 192.168.2.1 count 1 size 56 timeout 1Show output
PING 192.168.1.1 (192.168.1.1) from 192.168.2.1 : 56(84) bytes of data. 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.37 ms --- 192.168.1.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 1.369/1.369/1.369/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
vpn-peer-PEER: \#\d, ESTABLISHED, IKEv2 [1-9]\d* packets,Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 252a3945659013fa_i* bc3d7f05dc9784d1_r local 'CN=DUT0' @ 8.0.0.2[500] remote 'C=ES, O=Teldat, CN=DUT2' @ 9.0.0.2[500] NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072 established 1s ago, rekeying in 23203s peer-PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:NULL/HMAC_SHA1_96 installed 1s ago, rekeying in 20124s, expires in 31679s in c025e0b0, 168 bytes, 2 packets, 0s ago out cdd1d6d4, 168 bytes, 2 packets, 0s ago local 192.168.1.0/24 remote 192.168.2.0/24
Test Local Auth With X509 Files And Remote Auth With SCEP
Description
In this scenario, DUT0 uses SCEP for remote authentication, while local authentication relies on X.509 certificate files.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 8.0.0.1/24 set interfaces ethernet eth1 address 9.0.0.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 192.168.2.1/24 set interfaces ethernet eth0 address 9.0.0.2/24 set interfaces ethernet eth1 address 10.215.168.66/24 set protocols static route 0.0.0.0/0 next-hop 9.0.0.1 set system certificate scep csr CSR cgi-path /scep set system certificate scep csr CSR cipher aes set system certificate scep csr CSR distinguished-names CN=DUT2 set system certificate scep csr CSR encrypted-password U2FsdGVkX1+/GX1GNUkQFRHKHwVnJx6+txRC/qSqbKM= set system certificate scep csr CSR port 8080 set system certificate scep csr CSR url 'http://10.215.168.1' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH local csr CSR set vpn ipsec auth-profile AUTH mirror-config false set vpn ipsec auth-profile AUTH mode x509 set vpn ipsec auth-profile AUTH remote ca-cert-file 'running://ca.pem' set vpn ipsec auth-profile AUTH remote ca-cert-file 'running://root.pem' set vpn ipsec esp-group ESP-POLICY lifetime 28800 set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1 set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15 set vpn ipsec ike-group IKE-POLICY key-exchange ikev2 set vpn ipsec ike-group IKE-POLICY lifetime 28800 set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY set vpn ipsec site-to-site peer PEER local-address 9.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 8.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.2.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.1.0/24
Step 3: Ping IP address 9.0.0.1 from DUT2:
admin@DUT2$ ping 9.0.0.1 count 1 size 56 timeout 1Show output
PING 9.0.0.1 (9.0.0.1) 56(84) bytes of data. 64 bytes from 9.0.0.1: icmp_seq=1 ttl=64 time=13.2 ms --- 9.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 13.224/13.224/13.224/0.000 ms
Step 4: Run command pki scep show CSR at DUT2 and check if output matches the following regular expressions:
ca\s+Valid usercert\s+ValidShow output
------------------------------------------------------------------------------------------------- Certificate Status Usage NotBefore NotAfter ------------------------------------------------------------------------------------------------- ca Valid Encipherment & Signature Apr 16 09:19:39 2025 GMT Apr 11 09:19:39 2045 GMT usercert Valid - Oct 10 23:25:00 2025 GMT Oct 10 23:25:00 2026 GMT
Step 5: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 192.168.1.1/24 set interfaces ethernet eth0 address 8.0.0.2/24 set interfaces ethernet eth1 address 10.215.168.64/24 set protocols static route 0.0.0.0/0 next-hop 8.0.0.1 set system certificate scep csr CSR cgi-path /scep set system certificate scep csr CSR cipher aes set system certificate scep csr CSR distinguished-names CN=DUT0 set system certificate scep csr CSR encrypted-password U2FsdGVkX1/xceZ77Nk2gu2yt59DnIuGXB+jCc1fi2s= set system certificate scep csr CSR port 8080 set system certificate scep csr CSR url 'http://10.215.168.1' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH local ca-cert-file 'running://ca.pem' set vpn ipsec auth-profile AUTH local ca-cert-file 'running://root.pem' set vpn ipsec auth-profile AUTH local cert-file 'running://dut0.pem' set vpn ipsec auth-profile AUTH local key file 'running://dut0.key' set vpn ipsec auth-profile AUTH mirror-config false set vpn ipsec auth-profile AUTH mode x509 set vpn ipsec auth-profile AUTH remote csr CSR set vpn ipsec esp-group ESP-POLICY lifetime 28800 set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1 set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15 set vpn ipsec ike-group IKE-POLICY key-exchange ikev2 set vpn ipsec ike-group IKE-POLICY lifetime 28800 set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH set vpn ipsec site-to-site peer PEER connection-type on-demand set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY set vpn ipsec site-to-site peer PEER local-address 8.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 9.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.1.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.2.0/24
Step 6: Ping IP address 8.0.0.1 from DUT0:
admin@DUT0$ ping 8.0.0.1 count 1 size 56 timeout 1Show output
PING 8.0.0.1 (8.0.0.1) 56(84) bytes of data. 64 bytes from 8.0.0.1: icmp_seq=1 ttl=64 time=0.483 ms --- 8.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.483/0.483/0.483/0.000 ms
Step 7: Run command pki scep show CSR at DUT0 and check if output matches the following regular expressions:
ca\s+Valid usercert\s+ValidShow output
------------------------------------------------------------------------------------------------- Certificate Status Usage NotBefore NotAfter ------------------------------------------------------------------------------------------------- ca Valid Encipherment & Signature Apr 16 09:19:39 2025 GMT Apr 11 09:19:39 2045 GMT usercert Valid - Oct 10 23:25:39 2025 GMT Oct 10 23:25:39 2026 GMT
Step 8: Ping IP address 192.168.2.1 from DUT0:
admin@DUT0$ ping 192.168.2.1 local-address 192.168.1.1 count 1 size 56 timeout 1Show output
PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56(84) bytes of data. 64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.428 ms --- 192.168.2.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.428/0.428/0.428/0.000 ms
Step 9: Ping IP address 192.168.1.1 from DUT2:
admin@DUT2$ ping 192.168.1.1 local-address 192.168.2.1 count 1 size 56 timeout 1Show output
PING 192.168.1.1 (192.168.1.1) from 192.168.2.1 : 56(84) bytes of data. 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.413 ms --- 192.168.1.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.413/0.413/0.413/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
vpn-peer-PEER: \#\d, ESTABLISHED, IKEv2 [1-9]\d* packets,Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 18148a5ecd0f3c92_i* 021b130dd37cf575_r local 'C=ES, O=Teldat, CN=DUT0' @ 8.0.0.2[500] remote 'CN=DUT2' @ 9.0.0.2[500] NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072 established 1s ago, rekeying in 18938s peer-PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:NULL/HMAC_SHA1_96 installed 1s ago, rekeying in 26571s, expires in 31679s in c385e8c5, 168 bytes, 2 packets, 0s ago out c9dde4c7, 168 bytes, 2 packets, 0s ago local 192.168.1.0/24 remote 192.168.2.0/24
Test Local And Remote Auth With SCEP
Description
In this scenario, both devices use SCEP for local and remote authentication.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 8.0.0.1/24 set interfaces ethernet eth1 address 9.0.0.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 192.168.2.1/24 set interfaces ethernet eth0 address 9.0.0.2/24 set interfaces ethernet eth1 address 10.215.168.66/24 set protocols static route 0.0.0.0/0 next-hop 9.0.0.1 set system certificate scep csr CSR cgi-path /scep set system certificate scep csr CSR cipher aes set system certificate scep csr CSR distinguished-names CN=DUT2 set system certificate scep csr CSR encrypted-password U2FsdGVkX1/5WGEPConJmDX4WWIAlY5ife0eVFrGl8g= set system certificate scep csr CSR port 8080 set system certificate scep csr CSR url 'http://10.215.168.1' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH local csr CSR set vpn ipsec auth-profile AUTH mirror-config false set vpn ipsec auth-profile AUTH mode x509 set vpn ipsec auth-profile AUTH remote csr CSR set vpn ipsec esp-group ESP-POLICY lifetime 28800 set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1 set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15 set vpn ipsec ike-group IKE-POLICY key-exchange ikev2 set vpn ipsec ike-group IKE-POLICY lifetime 28800 set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY set vpn ipsec site-to-site peer PEER local-address 9.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 8.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.2.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.1.0/24
Step 3: Ping IP address 9.0.0.1 from DUT2:
admin@DUT2$ ping 9.0.0.1 count 1 size 56 timeout 1Show output
PING 9.0.0.1 (9.0.0.1) 56(84) bytes of data. 64 bytes from 9.0.0.1: icmp_seq=1 ttl=64 time=0.321 ms --- 9.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.321/0.321/0.321/0.000 ms
Step 4: Run command pki scep show CSR at DUT2 and check if output matches the following regular expressions:
ca\s+Valid usercert\s+ValidShow output
------------------------------------------------------------------------------------------------- Certificate Status Usage NotBefore NotAfter ------------------------------------------------------------------------------------------------- ca Valid Encipherment & Signature Apr 16 09:19:39 2025 GMT Apr 11 09:19:39 2045 GMT usercert Valid - Oct 10 23:26:26 2025 GMT Oct 10 23:26:26 2026 GMT
Step 5: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 192.168.1.1/24 set interfaces ethernet eth0 address 8.0.0.2/24 set interfaces ethernet eth1 address 10.215.168.64/24 set protocols static route 0.0.0.0/0 next-hop 8.0.0.1 set system certificate scep csr CSR cgi-path /scep set system certificate scep csr CSR cipher aes set system certificate scep csr CSR distinguished-names CN=DUT0 set system certificate scep csr CSR encrypted-password U2FsdGVkX1+2vzJsuJrrryrfcUCTWWCq8gHqgAljUYM= set system certificate scep csr CSR port 8080 set system certificate scep csr CSR url 'http://10.215.168.1' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH local csr CSR set vpn ipsec auth-profile AUTH mirror-config false set vpn ipsec auth-profile AUTH mode x509 set vpn ipsec auth-profile AUTH remote csr CSR set vpn ipsec esp-group ESP-POLICY lifetime 28800 set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1 set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15 set vpn ipsec ike-group IKE-POLICY key-exchange ikev2 set vpn ipsec ike-group IKE-POLICY lifetime 28800 set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15 set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH set vpn ipsec site-to-site peer PEER connection-type on-demand set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY set vpn ipsec site-to-site peer PEER local-address 8.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 9.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.1.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.2.0/24
Step 6: Ping IP address 8.0.0.1 from DUT0:
admin@DUT0$ ping 8.0.0.1 count 1 size 56 timeout 1Show output
PING 8.0.0.1 (8.0.0.1) 56(84) bytes of data. 64 bytes from 8.0.0.1: icmp_seq=1 ttl=64 time=0.310 ms --- 8.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.310/0.310/0.310/0.000 ms
Step 7: Run command pki scep show CSR at DUT0 and check if output matches the following regular expressions:
ca\s+Valid usercert\s+ValidShow output
------------------------------------------------------------------------------------------------- Certificate Status Usage NotBefore NotAfter ------------------------------------------------------------------------------------------------- ca Valid Encipherment & Signature Apr 16 09:19:39 2025 GMT Apr 11 09:19:39 2045 GMT usercert Valid - Oct 10 23:27:05 2025 GMT Oct 10 23:27:05 2026 GMT
Step 8: Ping IP address 192.168.2.1 from DUT0:
admin@DUT0$ ping 192.168.2.1 local-address 192.168.1.1 count 1 size 56 timeout 1Show output
PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56(84) bytes of data. 64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.390 ms --- 192.168.2.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.390/0.390/0.390/0.000 ms
Step 9: Ping IP address 192.168.1.1 from DUT2:
admin@DUT2$ ping 192.168.1.1 local-address 192.168.2.1 count 1 size 56 timeout 1Show output
PING 192.168.1.1 (192.168.1.1) from 192.168.2.1 : 56(84) bytes of data. 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.398 ms --- 192.168.1.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.398/0.398/0.398/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
vpn-peer-PEER: \#\d, ESTABLISHED, IKEv2 [1-9]\d* packets,Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, b4125f750866b1dd_i* abda2d5bc15f8498_r local 'CN=DUT0' @ 8.0.0.2[500] remote 'CN=DUT2' @ 9.0.0.2[500] NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072 established 1s ago, rekeying in 19127s peer-PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:NULL/HMAC_SHA1_96 installed 1s ago, rekeying in 18991s, expires in 31679s in c94ede95, 168 bytes, 2 packets, 0s ago out c3c83f17, 168 bytes, 2 packets, 0s ago local 192.168.1.0/24 remote 192.168.2.0/24