Cnm

IPSEC tunnel authentication using CNM credentials (physical device)

IPSEC tunnel using cnm credentials

Description

Establish a IPSEC tunnel using CNM credentials as authentication mode.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.100/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service cnm log-level debug
set service cnm poll-interval 8
set service cnm role router
set service cnm url qa.networkcloudmanager.com
set service dns resolver name-server 192.168.212.3
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1 :

set interfaces ethernet eth0 address 10.215.168.101/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service cnm alternate-id OSDX_TESTING_VM1_YFgmMaTE
set service cnm log-level debug
set service cnm poll-interval 8
set service cnm role router
set service cnm url qa.networkcloudmanager.com
set service dns resolver name-server 192.168.212.3
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Ping IP address qa.networkcloudmanager.com from DUT0:

admin@DUT0$ ping qa.networkcloudmanager.com count 1 size 56 timeout 1

Show output

PING cnmproxyqa.networkcloudmanager.com (35.236.212.112) 56(84) bytes of data.
64 bytes from 112.212.236.35.bc.googleusercontent.com (35.236.212.112): icmp_seq=1 ttl=104 time=94.3 ms

--- cnmproxyqa.networkcloudmanager.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 94.257/94.257/94.257/0.000 ms

Step 4: Ping IP address qa.networkcloudmanager.com from DUT1:

admin@DUT1$ ping qa.networkcloudmanager.com count 1 size 56 timeout 1

Show output

PING cnmproxyqa.networkcloudmanager.com (35.236.212.112) 56(84) bytes of data.
ping: Warning: time of day goes back (-296588us), taking countermeasures
ping: Warning: time of day goes back (-295910us), taking countermeasures
64 bytes from 112.212.236.35.bc.googleusercontent.com (35.236.212.112): icmp_seq=1 ttl=97 time=0.000 ms

--- cnmproxyqa.networkcloudmanager.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.000/0.000/0.000/0.000 ms

Step 5: Run command service cnm show | grep "CNM State Machine State" at DUT0 and check if output matches the following regular expressions:

CNM State Machine State:\s+CONNECTED

Show output

CNM State Machine State:        CONNECTED

Step 6: Run command service cnm show | grep "CNM State Machine State" at DUT1 and check if output matches the following regular expressions:

CNM State Machine State:\s+CONNECTED

Show output

CNM State Machine State:        CONNECTED

Step 7: Set the following configuration in DUT0 :

set interfaces dummy dum0 address 10.1.0.1/24
set interfaces ethernet eth0 address 10.215.168.100/24
set interfaces ethernet eth0 address 80.0.0.1/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set protocols static route 10.2.0.0/24 interface dum0
set protocols static route 10.3.0.0/24 interface dum0
set service cnm log-level debug
set service cnm poll-interval 8
set service cnm role router
set service cnm url qa.networkcloudmanager.com
set service dns resolver name-server 192.168.212.3
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA local cnm-certs
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0

Step 8: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.1/24
set interfaces ethernet eth0 address 10.215.168.101/24
set interfaces ethernet eth0 address 80.0.0.2/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set protocols static route 10.1.0.0/24 interface dum0
set service cnm alternate-id OSDX_TESTING_VM1_YFgmMaTE
set service cnm log-level debug
set service cnm poll-interval 8
set service cnm role router
set service cnm url qa.networkcloudmanager.com
set service dns resolver name-server 192.168.212.3
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA local cnm-certs
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER local-address 80.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24

Step 9: Ping IP address 80.0.0.2 from DUT1:

admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1

Show output

PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.025 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.025/0.025/0.025/0.000 ms

Step 10: Ping IP address 80.0.0.1 from DUT0:

admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1

Show output

PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data.
64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.032 ms

--- 80.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.032/0.032/0.032/0.000 ms

Step 11: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

peer-PEER-tunnel-\d+.+INSTALLED

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 58f0026fdb00226d_i 779963cae51ea06c_r*
  local  'CN=1 ROUTER 597df5b8-d6eb-5170-a562-e1321aded49e, O=Teldat S.A., C=ES' @ 80.0.0.1[500]
  remote 'CN=1 ROUTER eed96456-dd2d-5db0-931b-0f8cc8d6bd0a, O=Teldat S.A., C=ES' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 18412s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3275s, expires in 3960s
    in  cce892b9,      0 bytes,     0 packets
    out ce0b0243,      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 12: Ping IP address 10.2.0.1 from DUT0:

admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1

Show output

PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.372 ms

--- 10.2.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.372/0.372/0.372/0.000 ms

Step 13: Ping IP address 10.1.0.1 from DUT1:

admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1

Show output

PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.560 ms

--- 10.1.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.560/0.560/0.560/0.000 ms

Step 14: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:

[1-9]\d? packets

Show output

vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 58f0026fdb00226d_i 779963cae51ea06c_r*
  local  'CN=1 ROUTER 597df5b8-d6eb-5170-a562-e1321aded49e, O=Teldat S.A., C=ES' @ 80.0.0.1[500]
  remote 'CN=1 ROUTER eed96456-dd2d-5db0-931b-0f8cc8d6bd0a, O=Teldat S.A., C=ES' @ 80.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 2s ago, rekeying in 18410s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 2s ago, rekeying in 3273s, expires in 3958s
    in  cce892b9,    168 bytes,     2 packets,     0s ago
    out ce0b0243,    252 bytes,     3 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

---