Xfrm-Interface

Test suite to check IPsec with xfrm interface

[Figure: xfrm.svg]

Test IPsec With Multipath XFRM Interfaces

Description

DUT0 and DUT1 are connected to each other through multiple IPsec tunnels with the same local and remote prefixes.

In this test case, we check that the IPsec tunnels are installed correctly between the two directly connected peers, DUT0 and DUT1.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 30.0.0.1/24
set interfaces ethernet eth0 address 30.0.0.2/24
set interfaces ethernet eth0 vrf WAN_30
set interfaces ethernet eth1 address 10.1.0.1/24
set interfaces ethernet eth1 vrf LAN_101
set interfaces xfrm xfrm301 local-interface eth0
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm301 multipath traffic-steering reverse
set interfaces xfrm xfrm301 vrf LAN_101
set interfaces xfrm xfrm302 local-interface eth0
set interfaces xfrm xfrm302 mtu 1400
set interfaces xfrm xfrm302 multipath traffic-steering reverse
set interfaces xfrm xfrm302 vrf LAN_101
set protocols vrf WAN_30 static route 10.1.0.0/24 next-hop-vrf LAN_101
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf LAN_101
set system vrf WAN_30
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX182Bq20mm0nnEYeXGat3DkCJstjvyyG62s=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type respond
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 30.0.0.1
set vpn ipsec site-to-site peer PEER301 remote-address %any
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type respond
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 30.0.0.2
set vpn ipsec site-to-site peer PEER302 remote-address %any
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302

Step 2: Set the following configuration in DUT1:

set interfaces dummy dum0 address 10.2.0.3/24
set interfaces ethernet eth0 address 30.0.0.3/24
set interfaces ethernet eth0 address 30.0.0.4/24
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm302 mtu 1400
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX18Oa+P77QtK/f6UpBCEbAZT7X5wPP7dvHQ=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type initiate
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 30.0.0.3
set vpn ipsec site-to-site peer PEER301 remote-address 30.0.0.1
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type initiate
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 30.0.0.4
set vpn ipsec site-to-site peer PEER302 remote-address 30.0.0.2
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302

Step 3: Set the following configuration in DUT2:

set interfaces ethernet eth1 address 10.1.0.5/24
set protocols static route 10.2.0.0/24 next-hop 10.1.0.1
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Note

Check that the IPsec tunnels are established and the routes are installed. The routes should be installed in the VRF LAN_101.

Step 4: Run command protocols vrf LAN_101 ip show route at DUT0 and check if the output matches the following regular expression:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF LAN_101:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:06
C>* 10.1.0.0/24 is directly connected, eth1, weight 1, 00:00:06
L>* 10.1.0.1/32 is directly connected, eth1, weight 1, 00:00:06
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm302, weight 1, 00:00:01
  *                   is directly connected, xfrm301, weight 1, 00:00:01
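
The Step 4 check above applies a regular expression to the FRR route table. As an added example (not part of the OSDx test suite), the following Python applies the test's regular expression to a copy of the Step 4 output and also parses the table into a prefix-to-nexthop structure, so the two FIB-installed xfrm nexthops can be checked explicitly rather than by pattern alone; the parser and its function names are this example's own.

```python
"""Check the hub's FRR route table for the multipath xfrm route.

Added example, not part of the OSDx test suite: it applies the test's
regular expression to a copy of the Step 4 output and also parses the
table so both xfrm nexthops can be checked explicitly.
"""
import re

# Regular expression used by the test step (copied from the page).
ROUTE_RE = r"K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+"

# Copy of the Step 4 output from the page, used as sample input.
SAMPLE_OUTPUT = """\
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF LAN_101:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:06
C>* 10.1.0.0/24 is directly connected, eth1, weight 1, 00:00:06
L>* 10.1.0.1/32 is directly connected, eth1, weight 1, 00:00:06
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm302, weight 1, 00:00:01
  *                   is directly connected, xfrm301, weight 1, 00:00:01
"""

# First line of a route entry: code letter, optional '>' (selected) and '*' (FIB), prefix.
ENTRY_RE = re.compile(r"^([A-Za-z])(>?)(\*?)\s+(\S+/\d+)\s+(.*)$")
# Continuation line of a multipath route: only the FIB marker, then the nexthop text.
CONT_RE = re.compile(r"^\s+(\*?)\s+(.*)$")
IFACE_RE = re.compile(r"directly connected,\s*(\S+?),")


def matches_test_regex(output: str) -> bool:
    """Apply the test step's own regular expression to the command output."""
    return re.search(ROUTE_RE, output) is not None


def _nexthop(fib: str, rest: str):
    iface = IFACE_RE.search(rest)
    return (fib == "*", iface.group(1) if iface else None)


def parse_routes(output: str) -> dict:
    """Parse FRR route text into {prefix: [(fib_installed, iface_or_None), ...]}."""
    routes, current = {}, None
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            _code, _selected, fib, prefix, rest = m.groups()
            current = prefix
            routes[prefix] = [_nexthop(fib, rest)]
            continue
        m = CONT_RE.match(line)
        if m and current is not None:   # legend lines precede any entry and are skipped
            fib, rest = m.groups()
            routes[current].append(_nexthop(fib, rest))
    return routes


def multipath_xfrm_nexthops(output: str, prefix: str = "10.2.0.0/24") -> list:
    """Sorted xfrm interfaces installed in the FIB as nexthops of the prefix."""
    return sorted(iface for fib, iface in parse_routes(output).get(prefix, [])
                  if fib and iface and iface.startswith("xfrm"))
```

Both checks agree on the sample: the regular expression matches, and the structured parse reports xfrm301 and xfrm302 as FIB-installed nexthops of 10.2.0.0/24. The structured form also tells you which interface is missing when the check fails, which the regular expression does not.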

Note

Check that both IPsec tunnels are established and traffic steering is working as expected. Whenever the remote client connects through either of the two tunnels, chosen at random, the hub always responds through the same tunnel the client used.

Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 6: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:

admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3
Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.7.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Nov 12 10:28:56 2025
admin@osdx$

Step 7: Run command vpn ipsec show sa at DUT0 and expect this output:

vpn-peer-PEER301: #4, ESTABLISHED, IKEv2, d52bcf1608dbe61a_i 8b8cc07a02a3ea3a_r*
  local  '30.0.0.1' @ 30.0.0.1[500]
  remote '30.0.0.3' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 27839s
  peer-PEER301-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3374s, expires in 3959s
    in  c2543545 (-|0x0000012e),      0 bytes,     0 packets
    out ceab6300 (-|0x0000012e),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #3, ESTABLISHED, IKEv2, e2c34de87844d15b_i 4931a627959397fc_r*
  local  '30.0.0.2' @ 30.0.0.2[500]
  remote '30.0.0.4' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 23295s
  peer-PEER302-tunnel-1: #3, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3295s, expires in 3959s
    in  caa4f3af (-|0x0000012f),   4980 bytes,    23 packets,     0s ago
    out ce185441 (-|0x0000012f),   4840 bytes,    21 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 8: Run command vpn ipsec clear sa at DUT0 and expect this output:

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 9: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:

admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3
Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.7.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Nov 12 11:17:14 2025 from 10.2.0.3
admin@osdx$

Step 10: Run command vpn ipsec show sa at DUT0 and expect this output:

vpn-peer-PEER302: #6, ESTABLISHED, IKEv2, c5d6770129b053bc_i 982327dac58363f2_r*
  local  '30.0.0.2' @ 30.0.0.2[500]
  remote '30.0.0.4' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 22978s
  peer-PEER302-tunnel-1: #6, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3239s, expires in 3960s
    in  c8195951 (-|0x0000012f),      0 bytes,     0 packets
    out c1416ce3 (-|0x0000012f),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #5, ESTABLISHED, IKEv2, 8e5f2fd1890bba40_i 97c6d1d32704c4ae_r*
  local  '30.0.0.1' @ 30.0.0.1[500]
  remote '30.0.0.3' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 23699s
  peer-PEER301-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3573s, expires in 3960s
    in  cbc6703d (-|0x0000012e),   5032 bytes,    24 packets,     0s ago
    out c447bb6b (-|0x0000012e),   4936 bytes,    22 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

Note

Testing the traffic from the hub to the spoke. The difference is that the IPsec tunnel chosen by the hub is not always the same as the one chosen by the spoke. So if the spoke responds to the hub through the other tunnel, the hub needs to switch to the tunnel used by the spoke.

Step 11: Run command vpn ipsec clear sa at DUT0 and expect this output:

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 12: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:

admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5
Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.7.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Nov 12 10:52:41 2025
admin@osdx$

Step 13: Run command vpn ipsec show sa at DUT0 and expect this output:

vpn-peer-PEER301: #8, ESTABLISHED, IKEv2, 51fd23c670907467_i 37b44ae7804d5387_r*
  local  '30.0.0.1' @ 30.0.0.1[500]
  remote '30.0.0.3' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 24541s
  peer-PEER301-tunnel-1: #8, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3464s, expires in 3960s
    in  c73326bd (-|0x0000012e),      0 bytes,     0 packets
    out c9f2b732 (-|0x0000012e),     60 bytes,     1 packets,     1s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #7, ESTABLISHED, IKEv2, 644aa7bbccd6fd29_i 08ea4bb412ca95be_r*
  local  '30.0.0.2' @ 30.0.0.2[500]
  remote '30.0.0.4' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 17762s
  peer-PEER302-tunnel-1: #7, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3300s, expires in 3960s
    in  c5a1949d (-|0x0000012f),   4920 bytes,    22 packets,     1s ago
    out c33ce5df (-|0x0000012f),   5024 bytes,    24 packets,     1s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 14: Run command vpn ipsec clear sa at DUT0 and expect this output:

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 15: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:

admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5
Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.7.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Nov 12 11:17:14 2025 from 10.1.0.5
admin@osdx$

Step 16: Run command vpn ipsec show sa at DUT0 and expect this output:

vpn-peer-PEER302: #10, ESTABLISHED, IKEv2, dc0d763b95ce656b_i 5e4d606a97a3ed70_r*
  local  '30.0.0.2' @ 30.0.0.2[500]
  remote '30.0.0.4' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 25004s
  peer-PEER302-tunnel-1: #10, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3519s, expires in 3959s
    in  c9f98ba9 (-|0x0000012f),      0 bytes,     0 packets
    out c0ee32e0 (-|0x0000012f),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #9, ESTABLISHED, IKEv2, 38257695b5a7ced5_i 047ebb35381e6384_r*
  local  '30.0.0.1' @ 30.0.0.1[500]
  remote '30.0.0.3' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 23958s
  peer-PEER301-tunnel-1: #9, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3245s, expires in 3959s
    in  c44140c3 (-|0x0000012e),   4856 bytes,    21 packets,     0s ago
    out cbfb6f92 (-|0x0000012e),   5084 bytes,    25 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
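
The two notes in this test case describe reverse traffic steering: the hub must answer on the tunnel the spoke used, and when the hub itself initiates it may send a first packet on the other tunnel before switching (the single outbound packet on PEER301 in Step 13). As an added example (not part of the OSDx test suite), the following Python parses copies of the Step 7 (spoke to hub) and Step 13 (hub to spoke) outputs of vpn ipsec show sa and checks these properties from the per-tunnel packet counters; the parser, its field names and the steering check are this example's own.

```python
"""Check reverse traffic steering from 'vpn ipsec show sa' counters.

Added example, not part of the OSDx test suite. The two sample inputs are
copies of the Step 7 (spoke to hub) and Step 13 (hub to spoke) outputs.
"""
import re

IKE_RE = re.compile(r"^vpn-peer-(\S+): #(\d+), (\w+), (IKEv\d)")
CHILD_RE = re.compile(r"^\s+(\S+): #(\d+), reqid (\d+), (\w+), (\w+), ESP:(\S+)")
# SPI, the parenthesised mark/if_id field, then the byte and packet counters.
COUNTER_RE = re.compile(
    r"^\s+(in|out)\s+([0-9a-f]+) \(([^)]*)\),\s+(\d+) bytes,\s+(\d+) packets")

SPOKE_TO_HUB = """\
vpn-peer-PEER301: #4, ESTABLISHED, IKEv2, d52bcf1608dbe61a_i 8b8cc07a02a3ea3a_r*
  local  '30.0.0.1' @ 30.0.0.1[500]
  remote '30.0.0.3' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 27839s
  peer-PEER301-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3374s, expires in 3959s
    in  c2543545 (-|0x0000012e),      0 bytes,     0 packets
    out ceab6300 (-|0x0000012e),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #3, ESTABLISHED, IKEv2, e2c34de87844d15b_i 4931a627959397fc_r*
  local  '30.0.0.2' @ 30.0.0.2[500]
  remote '30.0.0.4' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 23295s
  peer-PEER302-tunnel-1: #3, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3295s, expires in 3959s
    in  caa4f3af (-|0x0000012f),   4980 bytes,    23 packets,     0s ago
    out ce185441 (-|0x0000012f),   4840 bytes,    21 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
"""

HUB_TO_SPOKE = """\
vpn-peer-PEER301: #8, ESTABLISHED, IKEv2, 51fd23c670907467_i 37b44ae7804d5387_r*
  local  '30.0.0.1' @ 30.0.0.1[500]
  remote '30.0.0.3' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 24541s
  peer-PEER301-tunnel-1: #8, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3464s, expires in 3960s
    in  c73326bd (-|0x0000012e),      0 bytes,     0 packets
    out c9f2b732 (-|0x0000012e),     60 bytes,     1 packets,     1s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #7, ESTABLISHED, IKEv2, 644aa7bbccd6fd29_i 08ea4bb412ca95be_r*
  local  '30.0.0.2' @ 30.0.0.2[500]
  remote '30.0.0.4' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 17762s
  peer-PEER302-tunnel-1: #7, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3300s, expires in 3960s
    in  c5a1949d (-|0x0000012f),   4920 bytes,    22 packets,     1s ago
    out c33ce5df (-|0x0000012f),   5024 bytes,    24 packets,     1s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
"""


def parse_sas(text):
    """Return one dict per child SA: peer, name, reqid, state, if_id field, in/out packets."""
    children, peer = [], None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            peer = m.group(1)           # IKE SA header: remember the peer name
            continue
        m = CHILD_RE.match(line)
        if m:
            children.append({"peer": peer, "name": m.group(1), "reqid": int(m.group(3)),
                             "state": m.group(4), "ifid": None, "in": 0, "out": 0})
            continue
        m = COUNTER_RE.match(line)
        if m and children:              # in/out counters belong to the last child SA
            direction, _spi, ifid, _nbytes, pkts = m.groups()
            children[-1][direction] = int(pkts)
            children[-1]["ifid"] = ifid
    return children


def steering_report(children):
    """Which tunnel carried the session, and whether the replies followed it."""
    inbound = [c for c in children if c["in"] > 0]
    if len(inbound) != 1:
        return {"active": None, "reverse_steering": False, "stray_out": {}}
    active = inbound[0]
    others = [c for c in children if c is not active]
    return {
        "active": active["name"],
        # Replies must leave on the tunnel the traffic arrived on. The hub may have
        # sent a first packet on the other tunnel before switching (Step 13), so the
        # active tunnel must carry more outbound packets than any other, not all of them.
        "reverse_steering": all(c["out"] < active["out"] for c in others),
        "stray_out": {c["name"]: c["out"] for c in others if c["out"] > 0},
    }
```

On the Step 7 copy the session sits entirely on PEER302 and nothing leaves on PEER301; on the Step 13 copy the report still names PEER302 as the active tunnel and confirms the replies followed it, but also surfaces the one stray outbound packet on PEER301 that the Step 11 note predicts.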

Test IPsec With Multipath XFRM Interfaces And VRFs

Description

The difference here is that the hub peer's local addresses sit behind VRFs; it is not directly connected as in the previous test case.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces dummy dum1 address 20.1.0.1/24
set interfaces dummy dum1 vrf SEG_201
set interfaces dummy dum2 address 20.2.0.1/24
set interfaces dummy dum2 vrf SEG_202
set interfaces ethernet eth0 address 30.0.0.1/24
set interfaces ethernet eth0 vrf WAN_30
set interfaces ethernet eth1 address 10.1.0.1/24
set interfaces ethernet eth1 vrf LAN_101
set interfaces xfrm xfrm301 local-interface dum1
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm301 multipath traffic-steering reverse
set interfaces xfrm xfrm301 vrf LAN_101
set interfaces xfrm xfrm302 local-interface dum2
set interfaces xfrm xfrm302 mtu 1400
set interfaces xfrm xfrm302 multipath traffic-steering reverse
set interfaces xfrm xfrm302 vrf LAN_101
set protocols vrf SEG_201 static route 0.0.0.0/0 next-hop-vrf WAN_30
set protocols vrf SEG_201 static route 10.1.0.0/24 next-hop-vrf LAN_101
set protocols vrf SEG_202 static route 0.0.0.0/0 next-hop-vrf WAN_30
set protocols vrf SEG_202 static route 10.1.0.0/24 next-hop-vrf LAN_101
set protocols vrf WAN_30 static route 20.1.0.0/24 next-hop-vrf SEG_201
set protocols vrf WAN_30 static route 20.2.0.0/24 next-hop-vrf SEG_202
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf LAN_101
set system vrf SEG_201
set system vrf SEG_202
set system vrf WAN_30
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+kXEPoi2CmriIyDFMJYJg6KIgS5emBaxs=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type respond
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 20.1.0.1
set vpn ipsec site-to-site peer PEER301 remote-address %any
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type respond
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 20.2.0.1
set vpn ipsec site-to-site peer PEER302 remote-address %any
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302

Step 2: Set the following configuration in DUT1:

set interfaces dummy dum0 address 10.2.0.3/24
set interfaces ethernet eth0 address 30.0.0.3/24
set interfaces ethernet eth0 address 30.0.0.4/24
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm302 mtu 1400
set protocols static route 20.1.0.0/24 next-hop 30.0.0.1
set protocols static route 20.2.0.0/24 next-hop 30.0.0.1
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+Nh10DMIQ/7Dpzh8yVlf/h1NXmPs6WEVs=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type initiate
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 30.0.0.3
set vpn ipsec site-to-site peer PEER301 remote-address 20.1.0.1
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type initiate
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 30.0.0.4
set vpn ipsec site-to-site peer PEER302 remote-address 20.2.0.1
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302

Step 3: Set the following configuration in DUT2:

set interfaces ethernet eth1 address 10.1.0.5/24
set protocols static route 10.2.0.0/24 next-hop 10.1.0.1
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Note

Check that the IPsec tunnels are established and the routes are installed. The routes should be installed in the VRF LAN_101.

Step 4: Run command protocols vrf LAN_101 ip show route at DUT0 and check if the output matches the following regular expression:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF LAN_101:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:07
C>* 10.1.0.0/24 is directly connected, eth1, weight 1, 00:00:07
L>* 10.1.0.1/32 is directly connected, eth1, weight 1, 00:00:07
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm302, weight 1, 00:00:01
  *                   is directly connected, xfrm301, weight 1, 00:00:01

Note

Check that both IPsec tunnels are established and traffic steering is working as expected. Whenever the remote client connects through either of the two tunnels, chosen at random, the hub always responds through the same tunnel the client used.

Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 6: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:

admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3
Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.7.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Nov 12 11:17:14 2025 from 10.2.0.3
admin@osdx$

Step 7: Run command vpn ipsec show sa at DUT0 and expect this output:

vpn-peer-PEER301: #4, ESTABLISHED, IKEv2, 50107fa9f9390fc2_i bfe08976cac5da6e_r*
  local  '20.1.0.1' @ 20.1.0.1[500]
  remote '30.0.0.3' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 17300s
  peer-PEER301-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3360s, expires in 3960s
    in  c84d4223 (-|0x0000012e),   5032 bytes,    24 packets,     0s ago
    out cf42cc9f (-|0x0000012e),   4936 bytes,    22 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #3, ESTABLISHED, IKEv2, 6b3d2335675c00b2_i cc9d6b663675f800_r*
  local  '20.2.0.1' @ 20.2.0.1[500]
  remote '30.0.0.4' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 20357s
  peer-PEER302-tunnel-1: #3, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3384s, expires in 3960s
    in  c907ae9f (-|0x0000012f),      0 bytes,     0 packets
    out c1cb347c (-|0x0000012f),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 8: Run command vpn ipsec clear sa at DUT0 and expect this output:

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 9: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:

admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3
Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.7.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Nov 12 11:17:34 2025 from 10.2.0.3
admin@osdx$

Step 10: Run command vpn ipsec show sa at DUT0 and expect this output:

vpn-peer-PEER302: #6, ESTABLISHED, IKEv2, 5719385eb2cce1d8_i 914714b334631003_r*
  local  '20.2.0.1' @ 20.2.0.1[500]
  remote '30.0.0.4' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 20640s
  peer-PEER302-tunnel-1: #6, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3243s, expires in 3960s
    in  cdc43e47 (-|0x0000012f),      0 bytes,     0 packets
    out cc2e0f51 (-|0x0000012f),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #5, ESTABLISHED, IKEv2, 60ed0a8204da4951_i 7b8f82f0014ba229_r*
  local  '20.1.0.1' @ 20.1.0.1[500]
  remote '30.0.0.3' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 22158s
  peer-PEER301-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3416s, expires in 3960s
    in  c05fc934 (-|0x0000012e),   5084 bytes,    25 packets,     0s ago
    out c26d7c68 (-|0x0000012e),   5024 bytes,    23 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

Note

Testing the traffic from the hub to the spoke. The difference is that the IPsec tunnel chosen by the hub is not always the same as the one chosen by the spoke. So if the spoke responds to the hub through the other tunnel, the hub needs to switch to the tunnel used by the spoke.

Step 11: Run command vpn ipsec clear sa at DUT0 and expect this output:

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 12: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:

admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5
Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.7.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Nov 12 11:17:15 2025 from 10.1.0.5
admin@osdx$

Step 13: Run command vpn ipsec show sa at DUT0 and expect this output:

vpn-peer-PEER301: #8, ESTABLISHED, IKEv2, 6704ad3bf9b5db97_i e2b7cd786e9aca0c_r*
  local  '20.1.0.1' @ 20.1.0.1[500]
  remote '30.0.0.3' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 21455s
  peer-PEER301-tunnel-1: #8, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3406s, expires in 3959s
    in  c0bba8e1 (-|0x0000012e),      0 bytes,     0 packets
    out c65e37c8 (-|0x0000012e),     60 bytes,     1 packets,     1s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #7, ESTABLISHED, IKEv2, 3f01085f1696de52_i 3f37f79556266f0d_r*
  local  '20.2.0.1' @ 20.2.0.1[500]
  remote '30.0.0.4' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 18831s
  peer-PEER302-tunnel-1: #7, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3467s, expires in 3959s
    in  cd18364d (-|0x0000012f),   4848 bytes,    21 packets,     1s ago
    out c185a960 (-|0x0000012f),   5024 bytes,    24 packets,     1s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 14: Run command vpn ipsec clear sa at DUT0 and expect this output:

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 15: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:

admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5
Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.7.1

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Nov 12 11:17:35 2025 from 10.1.0.5
admin@osdx$

Step 16: Run command vpn ipsec show sa at DUT0 and expect this output:

vpn-peer-PEER302: #10, ESTABLISHED, IKEv2, bf2cdbc9bd8e8e30_i 3ce29fe3eed0e265_r*
  local  '20.2.0.1' @ 20.2.0.1[500]
  remote '30.0.0.4' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 17549s
  peer-PEER302-tunnel-1: #10, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3241s, expires in 3959s
    in  c619f68b (-|0x0000012f),   4936 bytes,    22 packets,     0s ago
    out c81bca6d (-|0x0000012f),   5084 bytes,    25 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #9, ESTABLISHED, IKEv2, 8d83a8a831dd835c_i 33559e7e1977d735_r*
  local  '20.1.0.1' @ 20.1.0.1[500]
  remote '30.0.0.3' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 15593s
  peer-PEER301-tunnel-1: #9, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3265s, expires in 3959s
    in  c7ce5167 (-|0x0000012e),      0 bytes,     0 packets
    out cdc9e233 (-|0x0000012e),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24