Site-To-Site
This scenario shows how to configure and connect two subnets
with each other through a VPN tunnel and automatically configure
the negotiated remote prefixes as routes. DUT0 acts as a
responder and DUT1 as a initiator.
Test Site-To-Site With Basic Route Installation
Description
In this scenario, both devices install routes
for the VPN traffic in the main table.
Scenario
Step 1: Run command protocols ip show route at DUT0 and check if output does not contain the following tokens:
K>* 10.3.0.0/24
Step 2: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf main set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19c1H3HKbhbiEjkx5n+VsMx+wZJF4fCMus= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 3: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 next-hop 80.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf main set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19c7RCJekqOg2TtKa5VOg7ujLCKIacKYd0= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 4: Ping IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.239 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.239/0.239/0.239/0.000 ms
Step 5: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.240 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.240/0.240/0.240/0.000 ms
Step 6: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, d38404034dee18cc_i 86f2ab78c8c37509_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 23666s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3363s, expires in 3960s in c0d385b9, 0 bytes, 0 packets out c647a0be, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 7: Run command protocols ip show route at DUT0 and check if output contains the following tokens:
K>* 10.3.0.0/24Show output
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure IPv4 unicast VRF default: C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:06 L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:06 K>* 10.3.0.0/24 [0/0] via 80.0.0.2, eth0, weight 1, 00:00:00 C>* 80.0.0.0/24 is directly connected, eth0, weight 1, 00:00:06 K * 80.0.0.0/24 [0/0] is directly connected, eth0, weight 1, 00:00:06 L>* 80.0.0.1/32 is directly connected, eth0, weight 1, 00:00:06
Step 8: Run command vpn ipsec clear sa at DUT1 and expect this output:
Show output
Deleting IPSec SAs... 100.0% Closed tunnels: 1
Step 9: Run command vpn ipsec initiate peer PEER at DUT1 and expect this output:
Show output
Initiating IPSec SAs... 0.0% Initiated tunnels: 1
Step 10: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.353 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.353/0.353/0.353/0.000 ms
Step 11: Initiate a tcp connection from DUT1 to DUT0 and try to send some messages between both endpoints
admin@DUT0$ monitor test connection server 8080 tcp admin@DUT1$ monitor test connection client 10.1.0.1 8080 tcp local-address 10.3.0.1
Step 12: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 311fa45362380a17_i cb928635ed10ecc2_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 3s ago, rekeying in 28030s peer-PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 3s ago, rekeying in 3409s, expires in 3957s in ce523bd6, 764 bytes, 12 packets, 0s ago out c59a3d3d, 660 bytes, 10 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24
Test Site-To-Site With VRF Route Installation
Description
In this scenario, DUT0 install reoutes
in a separate VRF called LAN.
Scenario
Step 1: Run command protocols vrf LAN ip show route at DUT0 and check if output does not contain the following tokens:
K>* 10.3.0.0/24Show output
% VRF LAN not found
Step 2: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces dummy dum0 vrf LAN set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces ethernet eth0 vrf WAN set protocols vrf WAN static route 10.1.0.0/24 next-hop-vrf LAN set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf LAN set system vrf WAN set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX18uLsR1PaAs/cB0rWvZaFu04mnBbTgYgLI= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes LAN set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 3: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 next-hop 80.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf main set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX18GTx3r+2w/RFypkjgyeQtzVmFHaG/c+O8= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 4: Ping IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.272 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.272/0.272/0.272/0.000 ms
Step 5: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 vrf WAN count 1 size 56 timeout 1Show output
ping: Warning: source address might be selected on device other than: WAN PING 80.0.0.2 (80.0.0.2) from 80.0.0.1 WAN: 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.266 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.266/0.266/0.266/0.000 ms
Step 6: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 769966df3629433a_i 6aec98d4c467e66a_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 28687s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3365s, expires in 3960s in c7d434a9, 0 bytes, 0 packets out c1433427, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 7: Run command protocols vrf LAN ip show route at DUT0 and check if output contains the following tokens:
K>* 10.3.0.0/24Show output
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure IPv4 unicast VRF LAN: K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:06 C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:06 L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:06 K>* 10.3.0.0/24 [0/0] via 80.0.0.2, eth0 (vrf WAN), weight 1, 00:00:00
Step 8: Run command vpn ipsec clear sa at DUT1 and expect this output:
Show output
Deleting IPSec SAs... 100.0% Closed tunnels: 1
Step 9: Run command vpn ipsec initiate peer PEER at DUT1 and expect this output:
Show output
Initiating IPSec SAs... 0.0% Initiated tunnels: 1
Step 10: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.325 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.325/0.325/0.325/0.000 ms
Step 11: Initiate a tcp connection from DUT1 to DUT0 and try to send some messages between both endpoints
admin@DUT0$ monitor test connection server 8080 tcp vrf LAN admin@DUT1$ monitor test connection client 10.1.0.1 8080 tcp local-address 10.3.0.1
Step 12: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, ed085e68b9fc2c09_i 5a4a29827a9af86b_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 3s ago, rekeying in 21916s peer-PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 3s ago, rekeying in 3458s, expires in 3957s in c7860ccf, 764 bytes, 12 packets, 0s ago out c05a3107, 712 bytes, 11 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24
Test Site-To-Site With Route Installation And Metrics
Description
In this scenario, DUT0 installs routes with
differents metrics for both IPsec peers. The point is
to check if the routes are installed correctly and most
importantly, whenever the prioritized route is down, the
backup route is used.
Scenario
Step 1: Run command protocols ip show route at DUT0 and check if output does not contain the following tokens:
K>* 10.3.0.0/24
Step 2: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces ethernet eth1 address 90.0.0.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf main set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+XNWu8r86OMje+1XhHNvzu0MHro/30Kn0= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 2 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 route-priority 10 set vpn ipsec site-to-site peer PEER1 auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER1 connection-type respond set vpn ipsec site-to-site peer PEER1 default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER1 ike-group IKE-SA set vpn ipsec site-to-site peer PEER1 local-address 90.0.0.1 set vpn ipsec site-to-site peer PEER1 remote-address 90.0.0.3 set vpn ipsec site-to-site peer PEER1 tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER1 tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER1 tunnel 1 remote prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER1 tunnel 1 route-priority 100
Step 3: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 next-hop 80.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf main set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1/6ONtGu5WiE9eMhWjOooCRdykQ4y3wrHU= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 4: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth1 address 90.0.0.3/24 set protocols static route 0.0.0.0/0 next-hop 90.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX182oOuIwvWzGxAfQHh5YfvUx8b+PhKEXLU= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 90.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 90.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 5: Ping IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.278 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.278/0.278/0.278/0.000 ms
Step 6: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.235 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.235/0.235/0.235/0.000 ms
Step 7: Ping IP address 90.0.0.3 from DUT2:
admin@DUT2$ ping 90.0.0.3 count 1 size 56 timeout 1Show output
PING 90.0.0.3 (90.0.0.3) 56(84) bytes of data. 64 bytes from 90.0.0.3: icmp_seq=1 ttl=64 time=0.031 ms --- 90.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.031/0.031/0.031/0.000 ms
Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER1: #2, ESTABLISHED, IKEv2, a4ab832fd5cd1278_i 90aa11f455100c3b_r* local '90.0.0.1' @ 90.0.0.1[500] remote '90.0.0.3' @ 90.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 20421s peer-PEER1-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3374s, expires in 3960s in c5630cd2, 0 bytes, 0 packets out cadff049, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 87cd32b00223dbe6_i 32cd688b2378fc53_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 5s ago, rekeying in 28053s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3289s, expires in 3955s in cadf24b7, 0 bytes, 0 packets out c4b58d12, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 9: Run command protocols ip show route at DUT0 and check if output contains the following tokens:
K>* 10.3.0.0/24Show output
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure IPv4 unicast VRF default: C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:10 K * 10.1.0.0/24 [0/0] is directly connected, dum0, weight 1, 00:00:10 L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:10 K * 10.3.0.0/24 [0/100] via 90.0.0.3, eth1, weight 1, 00:00:00 K>* 10.3.0.0/24 [0/10] via 80.0.0.2, eth0, weight 1, 00:00:05 C>* 80.0.0.0/24 is directly connected, eth0, weight 1, 00:00:10 K * 80.0.0.0/24 [0/0] is directly connected, eth0, weight 1, 00:00:10 L>* 80.0.0.1/32 is directly connected, eth0, weight 1, 00:00:10 C>* 90.0.0.0/24 is directly connected, eth1, weight 1, 00:00:10 K * 90.0.0.0/24 [0/0] is directly connected, eth1, weight 1, 00:00:10 L>* 90.0.0.1/32 is directly connected, eth1, weight 1, 00:00:10
Step 10: Run command show system route ip at DUT0 and check if output contains the following tokens:
10.3.0.0/24 via 90.0.0.3 dev eth1 proto static metric 100 10.3.0.0/24 via 80.0.0.2 dev eth0 proto static metric 10Show output
10.1.0.0/24 dev dum0 proto kernel scope link src 10.1.0.1 10.3.0.0/24 via 80.0.0.2 dev eth0 proto static metric 10 10.3.0.0/24 via 90.0.0.3 dev eth1 proto static metric 100 80.0.0.0/24 dev eth0 proto kernel scope link src 80.0.0.1 90.0.0.0/24 dev eth1 proto kernel scope link src 90.0.0.1
Note
The tunnel with the lowest metric configured in the route-priority parameter should be the one used to route the traffic.
Step 11: Run command vpn ipsec clear sa at DUT1 and expect this output:
Show output
Deleting IPSec SAs... 100.0% Closed tunnels: 1
Step 12: Run command vpn ipsec initiate peer PEER at DUT1 and expect this output:
Show output
Initiating IPSec SAs... 0.0% Initiated tunnels: 1
Step 13: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.367 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.367/0.367/0.367/0.000 ms
Step 14: Initiate a tcp connection from DUT1 to DUT0 and try to send some messages between both endpoints
admin@DUT0$ monitor test connection server 8080 tcp admin@DUT1$ monitor test connection client 10.1.0.1 8080 tcp local-address 10.3.0.1
Step 15: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, d58096a01d97cf72_i 0e2437316d1a9921_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 3s ago, rekeying in 25153s peer-PEER-tunnel-1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 3s ago, rekeying in 3388s, expires in 3957s in cccf99cb, 712 bytes, 11 packets, 0s ago out c7e6e444, 816 bytes, 13 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER1: #2, ESTABLISHED, IKEv2, a4ab832fd5cd1278_i 90aa11f455100c3b_r* local '90.0.0.1' @ 90.0.0.1[500] remote '90.0.0.3' @ 90.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 3s ago, rekeying in 20418s peer-PEER1-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 3s ago, rekeying in 3371s, expires in 3957s in c5630cd2, 0 bytes, 0 packets out cadff049, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Note
Now we will shutdown the tunnel with the lowest metric from DUT1 and check if the traffic is routed through the backup tunnel.
Step 16: Run command vpn ipsec clear sa at DUT1 and expect this output:
Show output
Deleting IPSec SAs... 100.0% Closed tunnels: 1
Step 17: Run command vpn ipsec clear sa at DUT2 and expect this output:
Show output
Deleting IPSec SAs... 100.0% Closed tunnels: 1
Step 18: Run command vpn ipsec initiate peer PEER at DUT2 and expect this output:
Show output
Initiating IPSec SAs... 0.0% Initiated tunnels: 1
Step 19: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.300 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.300/0.300/0.300/0.000 ms
Step 20: Initiate a tcp connection from DUT2 to DUT0 and try to send some messages between both endpoints
admin@DUT0$ monitor test connection server 8080 tcp admin@DUT2$ monitor test connection client 10.1.0.1 8080 tcp local-address 10.3.0.1
Step 21: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER1: #4, ESTABLISHED, IKEv2, d35b3701edfe212e_i 7a8921601f3c5869_r* local '90.0.0.1' @ 90.0.0.1[500] remote '90.0.0.3' @ 90.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 2s ago, rekeying in 23510s peer-PEER1-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 2s ago, rekeying in 3251s, expires in 3958s in c3e70302, 764 bytes, 12 packets, 0s ago out c65ce208, 660 bytes, 10 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24
Step 22: Run command show system route ip at DUT0 and check if output contains the following tokens:
10.3.0.0/24 via 90.0.0.3 dev eth1 proto static metric 100Show output
10.1.0.0/24 dev dum0 proto kernel scope link src 10.1.0.1 10.3.0.0/24 via 90.0.0.3 dev eth1 proto static metric 100 80.0.0.0/24 dev eth0 proto kernel scope link src 80.0.0.1 90.0.0.0/24 dev eth1 proto kernel scope link src 90.0.0.1
Step 23: Run command show system route ip at DUT0 and check if output does not contain the following tokens:
10.3.0.0/24 via 80.0.0.2 dev eth0 proto static metric 10Show output
10.1.0.0/24 dev dum0 proto kernel scope link src 10.1.0.1 10.3.0.0/24 via 90.0.0.3 dev eth1 proto static metric 100 80.0.0.0/24 dev eth0 proto kernel scope link src 80.0.0.1 90.0.0.0/24 dev eth1 proto kernel scope link src 90.0.0.1