Xfrm-Interface

Test suite to check IPsec with xfrm interface

Test IPsec With Multipath XFRM Interfaces

Description

DUT0 and DUT1 are connected to each other through multiple IPsec tunnels with the same local and remote prefixes.

In this test case, we will check IPsec tunnels are correctly installing through two peers directly connected to the DUT0 and DUT1 devices.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 30.0.0.1/24
set interfaces ethernet eth0 address 30.0.0.2/24
set interfaces ethernet eth0 vrf WAN_30
set interfaces ethernet eth1 address 10.1.0.1/24
set interfaces ethernet eth1 vrf LAN_101
set interfaces xfrm xfrm301 local-interface eth0
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm301 multipath traffic-steering reverse
set interfaces xfrm xfrm301 vrf LAN_101
set interfaces xfrm xfrm302 local-interface eth0
set interfaces xfrm xfrm302 mtu 1400
set interfaces xfrm xfrm302 multipath traffic-steering reverse
set interfaces xfrm xfrm302 vrf LAN_101
set protocols vrf WAN_30 static route 10.1.0.0/24 next-hop-vrf LAN_101
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf LAN_101
set system vrf WAN_30
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1/YLkpLzUGN6XDZz2KQVbhsUnQHvBqIEdI=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type respond
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 30.0.0.1
set vpn ipsec site-to-site peer PEER301 remote-address %any
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type respond
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 30.0.0.2
set vpn ipsec site-to-site peer PEER302 remote-address %any
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.3/24
set interfaces ethernet eth0 address 30.0.0.3/24
set interfaces ethernet eth0 address 30.0.0.4/24
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm302 mtu 1400
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX18hG4JLRfZk6yZYrMP7XtN5fRJ+HylhwX8=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type initiate
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 30.0.0.3
set vpn ipsec site-to-site peer PEER301 remote-address 30.0.0.1
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type initiate
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 30.0.0.4
set vpn ipsec site-to-site peer PEER302 remote-address 30.0.0.2
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302

Step 3: Set the following configuration in DUT2 :

set interfaces ethernet eth1 address 10.1.0.5/24
set protocols static route 10.2.0.0/24 next-hop 10.1.0.1
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Note

Check that the IPsec tunnels are established and the routes are installed. The routes should be installed in the VRF LAN_101.

Step 4: Run command protocols vrf LAN_101 ip show route at DUT0 and check if output matches the following regular expressions:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+

Show output

Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF LAN_101:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:06
C>* 10.1.0.0/24 is directly connected, eth1, weight 1, 00:00:06
L>* 10.1.0.1/32 is directly connected, eth1, weight 1, 00:00:06
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm302, weight 1, 00:00:02
  *                   is directly connected, xfrm301, weight 1, 00:00:02

Note

Check that both IPsec tunnels are established and traffic steering is working as expected. Once the remote client is trying to connect randomly from either of the two tunnels, hub always responds with the same tunnel.

Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 6: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:

admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3

Show output

Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.7.3

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Mon Apr  6 16:04:46 2026 from 40.0.0.2
admin@osdx$

Step 7: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER301: #4, ESTABLISHED, IKEv2, d91fb80d5e4ee6bd_i b11ea05a0fda2e3c_r*
  local  '30.0.0.1' @ 30.0.0.1[500]
  remote '30.0.0.3' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 22902s
  peer-PEER301-tunnel-1: #4, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3287s, expires in 3960s
    in  c5180863 (-|0x0000012e),      0 bytes,     0 packets
    out c35ce2f5 (-|0x0000012e),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #3, ESTABLISHED, IKEv2, 6a660f2bed1d4023_i e526049eb2b65d91_r*
  local  '30.0.0.2' @ 30.0.0.2[500]
  remote '30.0.0.4' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 22524s
  peer-PEER302-tunnel-1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3349s, expires in 3960s
    in  ca932cf6 (-|0x0000012f),   5032 bytes,    24 packets,     1s ago
    out c844cf91 (-|0x0000012f),   4936 bytes,    22 packets,     1s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 8: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 9: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:

admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3

Show output

Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.7.3

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Mon Apr  6 16:27:13 2026 from 10.2.0.3
admin@osdx$

Step 10: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER302: #6, ESTABLISHED, IKEv2, 268c4a2d825d83b6_i 1a1543cf9f591270_r*
  local  '30.0.0.2' @ 30.0.0.2[500]
  remote '30.0.0.4' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 18167s
  peer-PEER302-tunnel-1: #6, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3405s, expires in 3959s
    in  cdb554b8 (-|0x0000012f),   5032 bytes,    24 packets,     0s ago
    out cd7a1b74 (-|0x0000012f),   4952 bytes,    22 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #5, ESTABLISHED, IKEv2, f55c1d9f6c87c460_i b1fa5a3e6fe8af3a_r*
  local  '30.0.0.1' @ 30.0.0.1[500]
  remote '30.0.0.3' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 25005s
  peer-PEER301-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3395s, expires in 3959s
    in  c0d4015a (-|0x0000012e),      0 bytes,     0 packets
    out cbd7e2e6 (-|0x0000012e),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Note

Testing the traffic from the hub to the spoke. The difference is that the IPsec tunnel chosen by the hub not always the same as the one chosen by the spoke. So if the spoke responds to the hub through the another tunnel, the hub needs to change the tunnel to the one used by the spoke.

Step 11: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 12: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:

admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5

Show output

Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.7.3

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Mon Apr  6 16:24:45 2026
admin@osdx$

Step 13: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER301: #8, ESTABLISHED, IKEv2, 6827cd34a7f720db_i 0c001ac744713dd6_r*
  local  '30.0.0.1' @ 30.0.0.1[500]
  remote '30.0.0.3' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 23464s
  peer-PEER301-tunnel-1: #8, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3359s, expires in 3959s
    in  cc481424 (-|0x0000012e),   4928 bytes,    22 packets,     0s ago
    out cf795617 (-|0x0000012e),   5136 bytes,    26 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #7, ESTABLISHED, IKEv2, e8618db98b19d716_i fa91e03790206fcb_r*
  local  '30.0.0.2' @ 30.0.0.2[500]
  remote '30.0.0.4' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 24896s
  peer-PEER302-tunnel-1: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3259s, expires in 3959s
    in  c4223b11 (-|0x0000012f),      0 bytes,     0 packets
    out ca83947d (-|0x0000012f),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 14: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 15: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:

admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5

Show output

Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.7.3

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Mon Apr  6 16:27:15 2026 from 10.1.0.5
admin@osdx$

Step 16: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER302: #10, ESTABLISHED, IKEv2, 0d228374c9316f01_i d23e50d6eb4d8518_r*
  local  '30.0.0.2' @ 30.0.0.2[500]
  remote '30.0.0.4' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 15080s
  peer-PEER302-tunnel-1: #10, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3432s, expires in 3960s
    in  c6ea7554 (-|0x0000012f),   4944 bytes,    22 packets,     0s ago
    out ccf1c5d1 (-|0x0000012f),   5084 bytes,    25 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #9, ESTABLISHED, IKEv2, 68894a0a1a374b84_i 10a4e4b70c94bd4a_r*
  local  '30.0.0.1' @ 30.0.0.1[500]
  remote '30.0.0.3' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 28508s
  peer-PEER301-tunnel-1: #9, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3281s, expires in 3960s
    in  c87e0319 (-|0x0000012e),      0 bytes,     0 packets
    out c5497396 (-|0x0000012e),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

---

Test IPsec With Multipath XFRM Interfaces And VRFs

Description

The difference here is that the hub peer has its addresses behind the VRFs, it is not directly connected like in the previous test case.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces dummy dum1 address 20.1.0.1/24
set interfaces dummy dum1 vrf SEG_201
set interfaces dummy dum2 address 20.2.0.1/24
set interfaces dummy dum2 vrf SEG_202
set interfaces ethernet eth0 address 30.0.0.1/24
set interfaces ethernet eth0 vrf WAN_30
set interfaces ethernet eth1 address 10.1.0.1/24
set interfaces ethernet eth1 vrf LAN_101
set interfaces xfrm xfrm301 local-interface dum1
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm301 multipath traffic-steering reverse
set interfaces xfrm xfrm301 vrf LAN_101
set interfaces xfrm xfrm302 local-interface dum2
set interfaces xfrm xfrm302 mtu 1400
set interfaces xfrm xfrm302 multipath traffic-steering reverse
set interfaces xfrm xfrm302 vrf LAN_101
set protocols vrf SEG_201 static route 0.0.0.0/0 next-hop-vrf WAN_30
set protocols vrf SEG_201 static route 10.1.0.0/24 next-hop-vrf LAN_101
set protocols vrf SEG_202 static route 0.0.0.0/0 next-hop-vrf WAN_30
set protocols vrf SEG_202 static route 10.1.0.0/24 next-hop-vrf LAN_101
set protocols vrf WAN_30 static route 20.1.0.0/24 next-hop-vrf SEG_201
set protocols vrf WAN_30 static route 20.2.0.0/24 next-hop-vrf SEG_202
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf LAN_101
set system vrf SEG_201
set system vrf SEG_202
set system vrf WAN_30
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19TKEGcC8uagtCO9QqvDEqpwsacOX1jcP0=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type respond
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 20.1.0.1
set vpn ipsec site-to-site peer PEER301 remote-address %any
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type respond
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 20.2.0.1
set vpn ipsec site-to-site peer PEER302 remote-address %any
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.3/24
set interfaces ethernet eth0 address 30.0.0.3/24
set interfaces ethernet eth0 address 30.0.0.4/24
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm302 mtu 1400
set protocols static route 20.1.0.0/24 next-hop 30.0.0.1
set protocols static route 20.2.0.0/24 next-hop 30.0.0.1
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1/Sy9lIDQ3u1n2jJjoun17FWvL3waXRa+o=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type initiate
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 30.0.0.3
set vpn ipsec site-to-site peer PEER301 remote-address 20.1.0.1
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type initiate
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 30.0.0.4
set vpn ipsec site-to-site peer PEER302 remote-address 20.2.0.1
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302

Step 3: Set the following configuration in DUT2 :

set interfaces ethernet eth1 address 10.1.0.5/24
set protocols static route 10.2.0.0/24 next-hop 10.1.0.1
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Note

Check that the IPsec tunnels are established and the routes are installed. The routes should be installed in the VRF LAN_101.

Step 4: Run command protocols vrf LAN_101 ip show route at DUT0 and check if output matches the following regular expressions:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+

Show output

Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF LAN_101:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:07
C>* 10.1.0.0/24 is directly connected, eth1, weight 1, 00:00:06
L>* 10.1.0.1/32 is directly connected, eth1, weight 1, 00:00:06
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm302, weight 1, 00:00:01
  *                   is directly connected, xfrm301, weight 1, 00:00:01

Note

Check that both IPsec tunnels are established and traffic steering is working as expected. Once the remote client is trying to connect randomly from either of the two tunnels, hub always responds with the same tunnel.

Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 6: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:

admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3

Show output

Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.7.3

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Mon Apr  6 16:27:14 2026 from 10.2.0.3
admin@osdx$

Step 7: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER301: #4, ESTABLISHED, IKEv2, 3462449c082604ef_i 3a971bba6f0999b1_r*
  local  '20.1.0.1' @ 20.1.0.1[500]
  remote '30.0.0.3' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 25995s
  peer-PEER301-tunnel-1: #4, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3410s, expires in 3960s
    in  c52c41a9 (-|0x0000012e),   5032 bytes,    24 packets,     0s ago
    out c4206971 (-|0x0000012e),   4944 bytes,    22 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #3, ESTABLISHED, IKEv2, 4fe3f1e9e198ff81_i 5378aa93dffd272a_r*
  local  '20.2.0.1' @ 20.2.0.1[500]
  remote '30.0.0.4' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 16256s
  peer-PEER302-tunnel-1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3445s, expires in 3960s
    in  cc28d5e6 (-|0x0000012f),      0 bytes,     0 packets
    out c129d682 (-|0x0000012f),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 8: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 9: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:

admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3

Show output

Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.7.3

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Mon Apr  6 16:27:32 2026 from 10.2.0.3
admin@osdx$

Step 10: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER302: #6, ESTABLISHED, IKEv2, ae26e57d399d05c1_i 6e5e01c520dfab8e_r*
  local  '20.2.0.1' @ 20.2.0.1[500]
  remote '30.0.0.4' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 26744s
  peer-PEER302-tunnel-1: #6, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3428s, expires in 3960s
    in  c5ef513f (-|0x0000012f),   5240 bytes,    28 packets,     0s ago
    out c4603831 (-|0x0000012f),   4944 bytes,    22 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #5, ESTABLISHED, IKEv2, 0e441f49becf0b3c_i 3c6baf4e71c1f981_r*
  local  '20.1.0.1' @ 20.1.0.1[500]
  remote '30.0.0.3' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 20664s
  peer-PEER301-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3353s, expires in 3960s
    in  ce6c3f0e (-|0x0000012e),      0 bytes,     0 packets
    out cac314ae (-|0x0000012e),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Note

Testing the traffic from the hub to the spoke. The difference is that the IPsec tunnel chosen by the hub not always the same as the one chosen by the spoke. So if the spoke responds to the hub through the another tunnel, the hub needs to change the tunnel to the one used by the spoke.

Step 11: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 12: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:

admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5

Show output

Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.7.3

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Mon Apr  6 16:27:15 2026 from 10.1.0.5
admin@osdx$

Step 13: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER301: #8, ESTABLISHED, IKEv2, b8b78848c960feae_i d851e017e3ab89b4_r*
  local  '20.1.0.1' @ 20.1.0.1[500]
  remote '30.0.0.3' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 19819s
  peer-PEER301-tunnel-1: #8, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3299s, expires in 3959s
    in  c75e1fa2 (-|0x0000012e),      0 bytes,     0 packets
    out ccb8df82 (-|0x0000012e),     60 bytes,     1 packets,     1s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #7, ESTABLISHED, IKEv2, 2696ca5050cd4ddc_i 8bcac41596233e38_r*
  local  '20.2.0.1' @ 20.2.0.1[500]
  remote '30.0.0.4' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 27788s
  peer-PEER302-tunnel-1: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3271s, expires in 3959s
    in  c5a1b616 (-|0x0000012f),   4944 bytes,    22 packets,     1s ago
    out cba753e7 (-|0x0000012f),   5024 bytes,    24 packets,     1s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 14: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.0%
Closed tunnels: 2

Step 15: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:

admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5

Show output

Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.7.3

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Mon Apr  6 16:27:33 2026 from 10.1.0.5
admin@osdx$

Step 16: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER302: #10, ESTABLISHED, IKEv2, 36d3746699fe5024_i 9f917bfbf74097e8_r*
  local  '20.2.0.1' @ 20.2.0.1[500]
  remote '30.0.0.4' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 17732s
  peer-PEER302-tunnel-1: #10, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3313s, expires in 3960s
    in  c071d5f4 (-|0x0000012f),   5200 bytes,    25 packets,     0s ago
    out cf09a603 (-|0x0000012f),   5076 bytes,    25 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #9, ESTABLISHED, IKEv2, a18f40f1b7653cd6_i 104bb06a24f3301a_r*
  local  '20.1.0.1' @ 20.1.0.1[500]
  remote '30.0.0.3' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 22649s
  peer-PEER301-tunnel-1: #9, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3473s, expires in 3960s
    in  cd4fd992 (-|0x0000012e),      0 bytes,     0 packets
    out c585b0f9 (-|0x0000012e),     60 bytes,     1 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

---