Eap

Contents

This scenario shows how to configure and connect two subnets with each other through a VPN tunnel using different eap methods

Test MD5 Method

Description

Simple VPN site-to-site configuration with md5 authentication for DUT1 (client) and pre shared secret for DUT0 (server)

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces dummy dum0 address 10.1.0.1/24
set interfaces ethernet eth0 address 80.0.0.1/24
set protocols static route 10.2.0.0/24 interface dum0
set protocols static route 10.3.0.0/24 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets eap dut0 encrypted-secret U2FsdGVkX19huSkAb+FMF5SWetjbZhIJS2O+zB9xjwI=
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19wSyTINHPqd1x7emQlmqqTMB5GRquS9mw=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec auth-profile AUTH-SA remote auth eap dut0 type md5
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set protocols static route 10.1.0.0/24 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets eap dut0 encrypted-secret U2FsdGVkX19cK+YId3ycWxeVwpcdn8jVAbBmFAJZiHs=
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1/bo6FSFi98PrvxLGCQ6+bLvlyHuffAytQ=
set vpn ipsec auth-profile AUTH-SA local auth eap dut0 type md5
set vpn ipsec auth-profile AUTH-SA local id dut0
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24

Step 3: Ping IP address 80.0.0.2 from DUT1:

admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1

Show output

PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.024 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.024/0.024/0.024/0.000 ms

Step 4: Ping IP address 80.0.0.1 from DUT0:

admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1

Show output

PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.024 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.024/0.024/0.024/0.000 ms

Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

peer-PEER-tunnel-\d+.+INSTALLED

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 9f884fcff9146541_i 0a4cc35bd44e2401_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote 'dut0' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 19846s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3466s, expires in 3960s
    in  c4d13a10,      0 bytes,     0 packets
    out cd3482bb,      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 6: Ping IP address 10.2.0.1 from DUT0:

admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1

Show output

PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.259 ms

--- 10.2.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.259/0.259/0.259/0.000 ms

Step 7: Ping IP address 10.1.0.1 from DUT1:

admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1

Show output

PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.255 ms

--- 10.1.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.255/0.255/0.255/0.000 ms

Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

[1-9]\d? packets

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 9f884fcff9146541_i 0a4cc35bd44e2401_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote 'dut0' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 19846s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3466s, expires in 3960s
    in  c4d13a10,    168 bytes,     2 packets,     0s ago
    out cd3482bb,    168 bytes,     2 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

---

Test TLS Method

Description

Simple VPN site-to-site configuration with tls authentication in both sides

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces dummy dum0 address 10.1.0.1/24
set interfaces ethernet eth0 address 80.0.0.1/24
set protocols static route 10.2.0.0/24 interface dum0
set protocols static route 10.3.0.0/24 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA local auth eap dut1 type tls
set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt'
set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem'
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec auth-profile AUTH-SA remote auth eap dut0 type tls
set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt'
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set protocols static route 10.1.0.0/24 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA local auth eap dut0 type tls
set vpn ipsec auth-profile AUTH-SA local cert-file 'running://client.crt'
set vpn ipsec auth-profile AUTH-SA local key file 'running://client.priv.pem'
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec auth-profile AUTH-SA remote auth eap dut1 type tls
set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt'
set vpn ipsec auth-profile AUTH-SA remote id CN=Server
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24

Step 3: Ping IP address 80.0.0.2 from DUT1:

admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1

Show output

PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.026 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.026/0.026/0.026/0.000 ms

Step 4: Ping IP address 80.0.0.1 from DUT0:

admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1

Show output

PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.023 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.023/0.023/0.023/0.000 ms

Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

peer-PEER-tunnel-\d+.+INSTALLED

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 4303a2a432838c4f_i 99f8e7694b69a73f_r*
  local  'CN=Server' @ 80.0.0.1[500]
  remote 'CN=Client' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 23021s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3294s, expires in 3960s
    in  ce622a93,      0 bytes,     0 packets
    out c6a5d254,      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 6: Ping IP address 10.2.0.1 from DUT0:

admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1

Show output

PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.255 ms

--- 10.2.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.255/0.255/0.255/0.000 ms

Step 7: Ping IP address 10.1.0.1 from DUT1:

admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1

Show output

PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.331 ms

--- 10.1.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.331/0.331/0.331/0.000 ms

Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

[1-9]\d? packets

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 4303a2a432838c4f_i 99f8e7694b69a73f_r*
  local  'CN=Server' @ 80.0.0.1[500]
  remote 'CN=Client' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 23021s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3294s, expires in 3960s
    in  ce622a93,    168 bytes,     2 packets,     0s ago
    out c6a5d254,    168 bytes,     2 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

---

Test MSCHAPV2 Method

Description

Simple VPN site-to-site configuration with mschapv2 authentication for DUT1 (client) and X.509 certificate for DUT0 (server)

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces dummy dum0 address 10.1.0.1/24
set interfaces ethernet eth0 address 80.0.0.1/24
set protocols static route 10.2.0.0/24 interface dum0
set protocols static route 10.3.0.0/24 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets eap %any encrypted-secret U2FsdGVkX1+2so4IaOteYH4eC4stqVWi++4/QbWq5h0=
set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt'
set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem'
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec auth-profile AUTH-SA remote auth eap %any type mschapv2
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set protocols static route 10.1.0.0/24 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets eap dut0 encrypted-secret U2FsdGVkX18Ojp/lB8vz6Pfyx2tN6pLBmkQ6MBAXPVE=
set vpn ipsec auth-profile AUTH-SA local auth eap dut0 type mschapv2
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt'
set vpn ipsec auth-profile AUTH-SA remote id CN=Server
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24

Step 3: Ping IP address 80.0.0.2 from DUT1:

admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1

Show output

PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.024 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.024/0.024/0.024/0.000 ms

Step 4: Ping IP address 80.0.0.1 from DUT0:

admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1

Show output

PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.030 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.030/0.030/0.030/0.000 ms

Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

peer-PEER-tunnel-\d+.+INSTALLED

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 91e15f648dfa5549_i 390336f48b5cb15a_r*
  local  'CN=Server' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500] EAP: 'dut0'
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 27576s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3407s, expires in 3960s
    in  ca784a9e,      0 bytes,     0 packets
    out c656cb31,      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 6: Ping IP address 10.2.0.1 from DUT0:

admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1

Show output

PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.282 ms

--- 10.2.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.282/0.282/0.282/0.000 ms

Step 7: Ping IP address 10.1.0.1 from DUT1:

admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1

Show output

PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.269 ms

--- 10.1.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.269/0.269/0.269/0.000 ms

Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

[1-9]\d? packets

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 91e15f648dfa5549_i 390336f48b5cb15a_r*
  local  'CN=Server' @ 80.0.0.1[500]
  remote '80.0.0.2' @ 80.0.0.2[500] EAP: 'dut0'
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 27575s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3406s, expires in 3959s
    in  ca784a9e,    168 bytes,     2 packets,     0s ago
    out c656cb31,    168 bytes,     2 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

---

Test TTLS Method

Description

Simple VPN site-to-site configuration with ttls authentication in both sides, but DUT1 (client) using a secret password and DUT0 (server) a X.509 certificate

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces dummy dum0 address 10.1.0.1/24
set interfaces ethernet eth0 address 80.0.0.1/24
set protocols static route 10.2.0.0/24 interface dum0
set protocols static route 10.3.0.0/24 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets eap dut0 encrypted-secret U2FsdGVkX19Mi4lCSPRT5k19cb5daASqjamrd+8/2Nk=
set vpn ipsec auth-profile AUTH-SA local auth eap dut1 type ttls
set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt'
set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem'
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec auth-profile AUTH-SA remote auth eap dut0 type ttls
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set protocols static route 10.1.0.0/24 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets eap dut0 encrypted-secret U2FsdGVkX1/6RKGZsISCCvh/y1EP7+o1GylQjSvSHIo=
set vpn ipsec auth-profile AUTH-SA local auth eap dut0 type ttls
set vpn ipsec auth-profile AUTH-SA local id dut0
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec auth-profile AUTH-SA remote auth eap dut1 type ttls
set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt'
set vpn ipsec auth-profile AUTH-SA remote id CN=Server
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24

Step 3: Ping IP address 80.0.0.2 from DUT1:

admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1

Show output

PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.025 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.025/0.025/0.025/0.000 ms

Step 4: Ping IP address 80.0.0.1 from DUT0:

admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1

Show output

PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.024 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.024/0.024/0.024/0.000 ms

Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

peer-PEER-tunnel-\d+.+INSTALLED

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 2a5fbcde58a5b11b_i 1988766ac4cf3b5c_r*
  local  'CN=Server' @ 80.0.0.1[500]
  remote 'dut0' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 16966s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3260s, expires in 3959s
    in  cc37e4e6,      0 bytes,     0 packets
    out c83117ea,      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 6: Ping IP address 10.2.0.1 from DUT0:

admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1

Show output

PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.289 ms

--- 10.2.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.289/0.289/0.289/0.000 ms

Step 7: Ping IP address 10.1.0.1 from DUT1:

admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1

Show output

PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.268 ms

--- 10.1.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.268/0.268/0.268/0.000 ms

Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

[1-9]\d? packets

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 2a5fbcde58a5b11b_i 1988766ac4cf3b5c_r*
  local  'CN=Server' @ 80.0.0.1[500]
  remote 'dut0' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 16966s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3260s, expires in 3959s
    in  cc37e4e6,    168 bytes,     2 packets,     0s ago
    out c83117ea,    168 bytes,     2 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

---

Test EAP With Multiple Remotes

Description

Test with multiple remotes using the same EAP method and different secrets.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces dummy dum0 address 10.1.0.1/24
set interfaces ethernet eth0 address 80.0.0.1/24
set protocols static route 10.2.0.0/24 interface dum0
set protocols static route 10.3.0.0/24 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets eap dut0 encrypted-secret U2FsdGVkX1+XUjL07bwpWYlHWdGZu2aS1VFCoAdj/js=
set vpn ipsec auth-profile AUTH-SA global-secrets eap dut1 encrypted-secret U2FsdGVkX19ON+LwKF2Q6abU1W/RW+YESJ3eKi9KeRA=
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+GCGyaEwKOREtX5wIjeP+hUXEE75jTw4Y=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec auth-profile AUTH-SA remote auth eap %any type md5
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set protocols static route 10.1.0.0/24 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets eap dut0 encrypted-secret U2FsdGVkX1+dXKLdLWk5+08kU2/Fotj4dyx66SkwU7Y=
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1/euUisknCVidQrHUxC+y9vTP9o28DO8ns=
set vpn ipsec auth-profile AUTH-SA local auth eap dut0 type md5
set vpn ipsec auth-profile AUTH-SA local id dut0
set vpn ipsec auth-profile AUTH-SA mirror-config false
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24

Step 3: Ping IP address 80.0.0.2 from DUT1:

admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1

Show output

PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.029 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.029/0.029/0.029/0.000 ms

Step 4: Ping IP address 80.0.0.1 from DUT0:

admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1

Show output

PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.032 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.032/0.032/0.032/0.000 ms

Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

peer-PEER-tunnel-\d+.+INSTALLED

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 392d3cf54a2b5da0_i a8090fc8db59c3fb_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote 'dut0' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 27612s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3302s, expires in 3959s
    in  ca2988b2,      0 bytes,     0 packets
    out cb5d47e9,      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 6: Ping IP address 10.2.0.1 from DUT0:

admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1

Show output

PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.324 ms

--- 10.2.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.324/0.324/0.324/0.000 ms

Step 7: Ping IP address 10.1.0.1 from DUT1:

admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1

Show output

PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.297 ms

--- 10.1.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.297/0.297/0.297/0.000 ms

Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

[1-9]\d? packets

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 392d3cf54a2b5da0_i a8090fc8db59c3fb_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote 'dut0' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 27612s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3302s, expires in 3959s
    in  ca2988b2,    168 bytes,     2 packets,     0s ago
    out cb5d47e9,    168 bytes,     2 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 9: Modify the following configuration lines in DUT1 :

delete vpn ipsec auth-profile AUTH-SA global-secrets eap dut0
delete vpn ipsec auth-profile AUTH-SA local auth eap dut0
set vpn ipsec auth-profile AUTH-SA global-secrets eap dut1 encrypted-secret U2FsdGVkX19Ts/g/X3UD+OFRe/oIHnYS+8rE3ZIpTXA=
set vpn ipsec auth-profile AUTH-SA local auth eap dut1 type md5
set vpn ipsec auth-profile AUTH-SA local id dut1

Step 10: Run command vpn ipsec clear sa at DUT1 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 1

Step 11: Run command vpn ipsec initiate peer PEER at DUT1 and expect this output:

Show output

Initiating IPSec SAs... 0.0%
Initiated tunnels: 1

Step 12: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

peer-PEER-tunnel-\d+.+INSTALLED

Show output

vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 91b3af29982414d8_i dd7c54de4d245019_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote 'dut1' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 27829s
  peer-PEER-tunnel-1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3528s, expires in 3960s
    in  c4b25c56,      0 bytes,     0 packets
    out c70c9497,      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 13: Ping IP address 10.2.0.1 from DUT0:

admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1

Show output

PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.276 ms

--- 10.2.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.276/0.276/0.276/0.000 ms

Step 14: Ping IP address 10.1.0.1 from DUT1:

admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1

Show output

PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.310 ms

--- 10.1.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.310/0.310/0.310/0.000 ms

Step 15: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

[1-9]\d? packets

Show output

vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 91b3af29982414d8_i dd7c54de4d245019_r*
  local  '80.0.0.1' @ 80.0.0.1[500]
  remote 'dut1' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 27829s
  peer-PEER-tunnel-1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3528s, expires in 3960s
    in  c4b25c56,    168 bytes,     2 packets,     0s ago
    out c70c9497,    168 bytes,     2 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

---