Ppk
This set of tests shows how to configure and connect more than two subnets with each other through a VPN tunnel using PPK authentication in different ways.
Test PPK Options
Description
In this test, we will check the different options for PPK authentication (i.e., when it is required or not, when it remains unmatched, etc.).
Scenario
Note
Set default configuration for both DUTs, where PPK is not required and the PPK is the same.
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 10.2.0.0/24 interface dum0 set protocols static route 10.3.0.0/24 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets eap carol encrypted-secret U2FsdGVkX19vf7s+ptyfX9SEmGJVpZkgNYYZYmo7HEI= set vpn ipsec auth-profile AUTH-SA global-secrets eap dave encrypted-secret U2FsdGVkX1+BYO/yt1MG4UhdHS6KqAat6DgN+5NwCGQ= set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt' set vpn ipsec auth-profile AUTH-SA local id CN=moon.teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth eap %any type ttls set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 10.1.0.0/24 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets eap carol encrypted-secret U2FsdGVkX1+f4Q7mkdxUy+s0U9NAk/rNMUDdVbyPWR0= set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth eap carol type ttls set vpn ipsec auth-profile AUTH-SA local id carol set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.030 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.030/0.030/0.030/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.029 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.029/0.029/0.029/0.000 ms
Step 5: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 151f96505aa453d5_i 4908c5f3b06266a7_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 0s ago, rekeying in 21030s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3505s, expires in 3960s in ca511074, 0 bytes, 0 packets out c13a993c, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 6: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.405 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.405/0.405/0.405/0.000 ms
Step 7: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.783 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.783/0.783/0.783/0.000 ms
Step 8: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 151f96505aa453d5_i 4908c5f3b06266a7_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 1s ago, rekeying in 21029s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3504s, expires in 3959s in ca511074, 168 bytes, 2 packets, 0s ago out c13a993c, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Note
Delete the PPK from DUT0 and check that the SA falls back to standard authentication.
Step 9: Modify the following configuration lines in DUT0 :
delete vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org
Step 10: Run command vpn ipsec clear peer PEER at DUT0 and expect this output:
Show output
[IKE] deleting IKE_SA vpn-peer-PEER[1] between 80.0.0.1[CN=moon.teldat.org]...80.0.0.2[carol] [IKE] sending DELETE for IKE_SA vpn-peer-PEER[1] [ENC] generating INFORMATIONAL request 0 [ D ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (65 bytes) [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (57 bytes) [ENC] parsed INFORMATIONAL response 0 [ ] [IKE] IKE_SA deleted terminate completed successfully [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (120 bytes) [ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID] [IKE] received EAP identity 'carol' [IKE] phase2 method EAP_MD5 selected [IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5] [ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (132 bytes) [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (132 bytes) [ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5] [IKE] EAP_TTLS phase2 authentication of 'carol' with EAP_MD5 successful [IKE] EAP method EAP_TTLS succeeded, MSK established [ENC] generating IKE_AUTH response 6 [ EAP/SUCC ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (65 bytes) [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (162 bytes) [ENC] parsed IKE_AUTH request 7 [ AUTH N(NO_PPK) N(PPK_ID) ] [CFG] no PPK for 'carol@teldat.org' found, ignored because PPK is not required [IKE] no PPK available, using NO_PPK_AUTH notify [IKE] authentication of 'carol' with EAP successful [IKE] authentication of 'CN=moon.teldat.org' (myself) with EAP [IKE] IKE_SA vpn-peer-PEER[2] established between 80.0.0.1[CN=moon.teldat.org]...80.0.0.2[carol] [IKE] scheduling rekeying in 25466s [IKE] maximum IKE_SA lifetime 25466s [CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ [IKE] CHILD_SA peer-PEER-tunnel-1{2} established with SPIs c2f64117_i cf1ba61a_o and TS 10.1.0.0/24 === 10.2.0.0/24 initiate completed successfully
Step 11: Run command vpn ipsec clear peer PEER at DUT1 and expect this output:
Show output
[IKE] deleting IKE_SA vpn-peer-PEER[2] between 80.0.0.2[carol]...80.0.0.1[CN=moon.teldat.org] [IKE] sending DELETE for IKE_SA vpn-peer-PEER[2] [ENC] generating INFORMATIONAL request 8 [ D ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (65 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (57 bytes) [ENC] parsed INFORMATIONAL response 8 [ ] [IKE] IKE_SA deleted terminate completed successfully [IKE] initiating IKE_SA vpn-peer-PEER[3] to 80.0.0.1 [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) N(USE_PPK) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (272 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (305 bytes) [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(USE_PPK) N(CHDLESS_SUP) N(MULT_AUTH) ] [CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256 [IKE] received cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] sending cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] establishing CHILD_SA peer-PEER-tunnel-1{3} [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (247 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1252 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(1/2) ] [ENC] received fragment #1 of 2, waiting for complete IKE message [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (246 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(2/2) ] [ENC] received fragment #2 of 2, reassembled fragmented IKE message (1433 bytes) [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ] [IKE] received end entity cert "CN=moon.teldat.org" [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [IKE] authentication of 'CN=moon.teldat.org' with RSA_EMSA_PKCS1_SHA2_256 successful [IKE] server requested EAP_TTLS authentication (id 0xD7) [TLS] EAP_TTLS version is v0 [ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (279 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1085 bytes) [ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] [ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (67 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (540 bytes) [ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] [TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [TLS] received TLS server certificate 'CN=moon.teldat.org' [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (229 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (122 bytes) [ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID] [ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (120 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (132 bytes) [ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] [IKE] server requested EAP_MD5 authentication (id 0xC2) [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5] [ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (132 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 6 [ EAP/SUCC ] [IKE] EAP method EAP_TTLS succeeded, MSK established [IKE] authentication of 'carol' (myself) with EAP [ENC] generating IKE_AUTH request 7 [ AUTH N(NO_PPK) N(PPK_ID) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (162 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (181 bytes) [ENC] parsed IKE_AUTH response 7 [ AUTH SA TSi TSr ] [IKE] authentication of 'CN=moon.teldat.org' with EAP successful [CFG] peer didn't use PPK for PPK_ID 'carol@teldat.org' [IKE] IKE_SA vpn-peer-PEER[3] established between 80.0.0.2[carol]...80.0.0.1[CN=moon.teldat.org] [IKE] scheduling rekeying in 15989s [IKE] maximum IKE_SA lifetime 15989s [CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ [IKE] CHILD_SA peer-PEER-tunnel-1{3} established with SPIs cea737c8_i c4c63995_o and TS 10.2.0.0/24 === 10.1.0.0/24 initiate completed successfully
Step 12: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, d5064707e515b25c_i 32f7fd1426e04c3b_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 15504s peer-PEER-tunnel-1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3356s, expires in 3960s in c4c63995, 0 bytes, 0 packets out cea737c8, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 13: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.299 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.299/0.299/0.299/0.000 ms
Step 14: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.315 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.315/0.315/0.315/0.000 ms
Step 15: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #3, ESTABLISHED, IKEv2, d5064707e515b25c_i 32f7fd1426e04c3b_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 15504s peer-PEER-tunnel-1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3356s, expires in 3960s in c4c63995, 168 bytes, 2 packets, 0s ago out cea737c8, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Note
Set the PPK as required in DUT0 and, with DUT1’s corresponding PPK deleted, check that the connection fails.
Step 16: Modify the following configuration lines in DUT0 :
set vpn ipsec auth-profile AUTH-SA remote ppk required
Step 17: Run command vpn ipsec clear peer PEER at DUT0 and expect this output:
Show output
[IKE] deleting IKE_SA vpn-peer-PEER[3] between 80.0.0.1[CN=moon.teldat.org]...80.0.0.2[carol] [IKE] sending DELETE for IKE_SA vpn-peer-PEER[3] [ENC] generating INFORMATIONAL request 0 [ D ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (65 bytes) [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (57 bytes) [ENC] parsed INFORMATIONAL response 0 [ ] [IKE] IKE_SA deleted terminate completed successfully [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (132 bytes) [ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5] [IKE] EAP_TTLS phase2 authentication of 'carol' with EAP_MD5 successful [IKE] EAP method EAP_TTLS succeeded, MSK established [ENC] generating IKE_AUTH response 6 [ EAP/SUCC ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (65 bytes) [NET] received packet: from 80.0.0.2[500](0) to 80.0.0.1[500](2) (162 bytes) [ENC] parsed IKE_AUTH request 7 [ AUTH N(NO_PPK) N(PPK_ID) ] [CFG] PPK required but no PPK found for 'carol@teldat.org' [ENC] generating IKE_AUTH response 7 [ N(AUTH_FAILED) ] [NET] sending packet: from 80.0.0.1[500](2) to 80.0.0.2[500](0) (65 bytes) initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 18: Run command vpn ipsec clear peer PEER at DUT1 and expect this output:
Show output
terminate failed: no matching SAs to terminate found [IKE] initiating IKE_SA vpn-peer-PEER[5] to 80.0.0.1 [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) N(USE_PPK) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (272 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (305 bytes) [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(USE_PPK) N(CHDLESS_SUP) N(MULT_AUTH) ] [CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256 [IKE] received cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] sending cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] establishing CHILD_SA peer-PEER-tunnel-1{5} [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (247 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1252 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(1/2) ] [ENC] received fragment #1 of 2, waiting for complete IKE message [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (246 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(2/2) ] [ENC] received fragment #2 of 2, reassembled fragmented IKE message (1433 bytes) [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ] [IKE] received end entity cert "CN=moon.teldat.org" [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [IKE] authentication of 'CN=moon.teldat.org' with RSA_EMSA_PKCS1_SHA2_256 successful [IKE] server requested EAP_TTLS authentication (id 0x45) [TLS] EAP_TTLS version is v0 [ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (279 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1085 bytes) [ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] [ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (67 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (540 bytes) [ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] [TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [TLS] received TLS server certificate 'CN=moon.teldat.org' [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (229 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (122 bytes) [ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID] [ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (120 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (132 bytes) [ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] [IKE] server requested EAP_MD5 authentication (id 0x63) [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5] [ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (132 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 6 [ EAP/SUCC ] [IKE] EAP method EAP_TTLS succeeded, MSK established [IKE] authentication of 'carol' (myself) with EAP [ENC] generating IKE_AUTH request 7 [ AUTH N(NO_PPK) N(PPK_ID) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (162 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 7 [ N(AUTH_FAILED) ] [IKE] received AUTHENTICATION_FAILED notify error initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 19: Expect a failure in the following command:
Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. --- 10.2.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Note
Set the PPK as required in DUT1 and change the PPK in DUT0 back to not required. Check that the connection is still failing.
Step 20: Modify the following configuration lines in DUT0 :
delete vpn ipsec auth-profile AUTH-SA remote ppk required
Step 21: Modify the following configuration lines in DUT1 :
set vpn ipsec auth-profile AUTH-SA local ppk required
Step 22: Run command vpn ipsec clear peer PEER at DUT0 and expect this output:
Show output
terminate failed: no matching SAs to terminate found [IKE] unable to resolve %any, initiate aborted initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 23: Run command vpn ipsec clear peer PEER at DUT1 and expect this output:
Show output
terminate failed: no matching SAs to terminate found [IKE] initiating IKE_SA vpn-peer-PEER[7] to 80.0.0.1 [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) N(USE_PPK) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (272 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (305 bytes) [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(USE_PPK) N(CHDLESS_SUP) N(MULT_AUTH) ] [CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256 [IKE] received cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] sending cert request for "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [IKE] establishing CHILD_SA peer-PEER-tunnel-1{7} [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (247 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1252 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(1/2) ] [ENC] received fragment #1 of 2, waiting for complete IKE message [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (246 bytes) [ENC] parsed IKE_AUTH response 1 [ EF(2/2) ] [ENC] received fragment #2 of 2, reassembled fragmented IKE message (1433 bytes) [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ] [IKE] received end entity cert "CN=moon.teldat.org" [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [IKE] authentication of 'CN=moon.teldat.org' with RSA_EMSA_PKCS1_SHA2_256 successful [IKE] server requested EAP_TTLS authentication (id 0x13) [TLS] EAP_TTLS version is v0 [ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (279 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (1085 bytes) [ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] [ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (67 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (540 bytes) [ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] [TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [TLS] received TLS server certificate 'CN=moon.teldat.org' [CFG] using certificate "CN=moon.teldat.org" [CFG] using trusted ca certificate "C=ES, ST=Madrid, L=Tres Cantos, O=Teldat S.A., OU=RD, CN=Teldat Root CA" [CFG] reached self-signed root ca with a path length of 0 [CFG] checking certificate status of "CN=moon.teldat.org" [CFG] certificate status is not available [ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (229 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (122 bytes) [ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID] [ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (120 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (132 bytes) [ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] [IKE] server requested EAP_MD5 authentication (id 0x78) [IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5] [ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (132 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 6 [ EAP/SUCC ] [IKE] EAP method EAP_TTLS succeeded, MSK established [IKE] authentication of 'carol' (myself) with EAP [ENC] generating IKE_AUTH request 7 [ AUTH N(PPK_ID) ] [NET] sending packet: from 80.0.0.2[500](0) to 80.0.0.1[500](0) (122 bytes) [NET] received packet: from 80.0.0.1[500](0) to 80.0.0.2[500](2) (65 bytes) [ENC] parsed IKE_AUTH response 7 [ N(AUTH_FAILED) ] [IKE] received AUTHENTICATION_FAILED notify error initiate failed: establishing CHILD_SA 'peer-PEER-tunnel-1' failed
Step 24: Expect a failure in the following command:
Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. --- 10.2.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Test PPK EAP-TTLS STS
Description
Test the site-to-site VPN with PPK authentication and EAP-TTLS
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 10.2.0.0/24 interface dum0 set protocols static route 10.3.0.0/24 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets eap carol encrypted-secret U2FsdGVkX1+ZDioxzdNIKVRw0IUB9UzbxLcnp/IrM8I= set vpn ipsec auth-profile AUTH-SA global-secrets eap dave encrypted-secret U2FsdGVkX180vW7BbnWWgtc9dMwjCTTfDknZHyaYbig= set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt' set vpn ipsec auth-profile AUTH-SA local id CN=moon.teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth eap %any type ttls set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 10.1.0.0/24 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets eap carol encrypted-secret U2FsdGVkX1/VDKW45Eo0+5uy/0CYRpyNoer+uhrOJ20= set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth eap carol type ttls set vpn ipsec auth-profile AUTH-SA local id carol set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.031 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.031/0.031/0.031/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.031 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.031/0.031/0.031/0.000 ms
Step 5: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets eap dave encrypted-secret U2FsdGVkX1+Nwo8jMXGb1gdHlV5Gqi54HqAQOqcfbTc= set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth eap dave type ttls set vpn ipsec auth-profile AUTH-SA local id dave set vpn ipsec auth-profile AUTH-SA local ppk id dave@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 6: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.638 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.638/0.638/0.638/0.000 ms
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 32958d5cebfce8a3_i 127bef3b66da077d_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 1s ago, rekeying in 20078s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3241s, expires in 3959s in c4727eb6, 84 bytes, 1 packets, 0s ago out c23f4136, 84 bytes, 1 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 5f1dbb372c474449_i b7451dd92f95d8f9_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 6s ago, rekeying in 20614s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 6s ago, rekeying in 3325s, expires in 3954s in c79d8c87, 0 bytes, 0 packets out cae82c42, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 8: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.284 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.284/0.284/0.284/0.000 ms
Step 9: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.312 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.312/0.312/0.312/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 32958d5cebfce8a3_i 127bef3b66da077d_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 20070s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3233s, expires in 3951s in c4727eb6, 84 bytes, 1 packets, 8s ago out c23f4136, 84 bytes, 1 packets, 8s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 5f1dbb372c474449_i b7451dd92f95d8f9_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 14s ago, rekeying in 20606s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 14s ago, rekeying in 3317s, expires in 3946s in c79d8c87, 168 bytes, 2 packets, 0s ago out cae82c42, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 11: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 32958d5cebfce8a3_i 127bef3b66da077d_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 20070s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3233s, expires in 3951s in c4727eb6, 84 bytes, 1 packets, 8s ago out c23f4136, 84 bytes, 1 packets, 8s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 5f1dbb372c474449_i b7451dd92f95d8f9_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 14s ago, rekeying in 20606s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 14s ago, rekeying in 3317s, expires in 3946s in c79d8c87, 168 bytes, 2 packets, 0s ago out cae82c42, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 12: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.316 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.316/0.316/0.316/0.000 ms
Step 13: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.328 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.328/0.328/0.328/0.000 ms
Step 14: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 32958d5cebfce8a3_i 127bef3b66da077d_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'dave' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 10s ago, rekeying in 20069s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 10s ago, rekeying in 3232s, expires in 3950s in c4727eb6, 252 bytes, 3 packets, 0s ago out c23f4136, 252 bytes, 3 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 5f1dbb372c474449_i b7451dd92f95d8f9_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'carol' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 15s ago, rekeying in 20605s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 15s ago, rekeying in 3316s, expires in 3945s in c79d8c87, 168 bytes, 2 packets, 1s ago out cae82c42, 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test PPK PSK STS
Description
Test the site-to-site VPN with PPK authentication and PSK
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 10.2.0.0/24 interface dum0 set protocols static route 10.3.0.0/24 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX18YQQMRD6Rkqzq8fSvN8y3iRQq7GlcNHac= set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 10.1.0.0/24 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX19jIP40fVfeZarE+oLV/spRCKHxPuYtJq8= set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.024 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.024/0.024/0.024/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.030 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.030/0.030/0.030/0.000 ms
Step 5: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX19LcNC3NWERXz7JFCqJMEXNU2KHwuRz+RY= set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test set vpn ipsec auth-profile AUTH-SA local ppk id dave@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 6: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.313 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.313/0.313/0.313/0.000 ms
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 5c03edd5a52e6291_i b9c3d49a88ecfc3a_r* local 'test' @ 80.0.0.1[500] remote 'test' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 0s ago, rekeying in 24759s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3391s, expires in 3960s in c07c82c2, 84 bytes, 1 packets, 0s ago out cfc46298, 84 bytes, 1 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 3e6c3daf4a2f5f62_i 92e232901b0926f6_r* local 'test' @ 80.0.0.1[500] remote 'test' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 17067s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3240s, expires in 3956s in c5b4daa0, 0 bytes, 0 packets out c092de7d, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 8: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.341 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.341/0.341/0.341/0.000 ms
Step 9: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.810 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.810/0.810/0.810/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 5c03edd5a52e6291_i b9c3d49a88ecfc3a_r* local 'test' @ 80.0.0.1[500] remote 'test' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 24750s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3382s, expires in 3951s in c07c82c2, 84 bytes, 1 packets, 9s ago out cfc46298, 84 bytes, 1 packets, 9s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 3e6c3daf4a2f5f62_i 92e232901b0926f6_r* local 'test' @ 80.0.0.1[500] remote 'test' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 13s ago, rekeying in 17058s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 13s ago, rekeying in 3231s, expires in 3947s in c5b4daa0, 168 bytes, 2 packets, 0s ago out c092de7d, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 11: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 5c03edd5a52e6291_i b9c3d49a88ecfc3a_r* local 'test' @ 80.0.0.1[500] remote 'test' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 24750s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3382s, expires in 3951s in c07c82c2, 84 bytes, 1 packets, 9s ago out cfc46298, 84 bytes, 1 packets, 9s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 3e6c3daf4a2f5f62_i 92e232901b0926f6_r* local 'test' @ 80.0.0.1[500] remote 'test' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 13s ago, rekeying in 17058s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 13s ago, rekeying in 3231s, expires in 3947s in c5b4daa0, 168 bytes, 2 packets, 0s ago out c092de7d, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 12: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.322 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.322/0.322/0.322/0.000 ms
Step 13: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.356 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.356/0.356/0.356/0.000 ms
Step 14: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 5c03edd5a52e6291_i b9c3d49a88ecfc3a_r* local 'test' @ 80.0.0.1[500] remote 'test' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 10s ago, rekeying in 24749s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 10s ago, rekeying in 3381s, expires in 3950s in c07c82c2, 252 bytes, 3 packets, 0s ago out cfc46298, 252 bytes, 3 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 3e6c3daf4a2f5f62_i 92e232901b0926f6_r* local 'test' @ 80.0.0.1[500] remote 'test' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 14s ago, rekeying in 17057s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 14s ago, rekeying in 3230s, expires in 3946s in c5b4daa0, 168 bytes, 2 packets, 1s ago out c092de7d, 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test PPK RSA STS
Description
Test the site-to-site VPN with PPK authentication and RSA
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set protocols static route 10.2.0.0/24 interface dum0 set protocols static route 10.3.0.0/24 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt' set vpn ipsec auth-profile AUTH-SA local id CN=moon.teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 10.1.0.0/24 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://client.crt' set vpn ipsec auth-profile AUTH-SA local id CN=carol@teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://client.priv.pem' set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 3: Ping IP address 80.0.0.2 from DUT1:
admin@DUT1$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.025 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.025/0.025/0.025/0.000 ms
Step 4: Ping IP address 80.0.0.1 from DUT0:
admin@DUT0$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.027 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.027/0.027/0.027/0.000 ms
Step 5: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set protocols static route 0.0.0.0/0 interface dum0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://client.crt' set vpn ipsec auth-profile AUTH-SA local id CN=dave@teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://client.priv.pem' set vpn ipsec auth-profile AUTH-SA local ppk id dave@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 6: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.360 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.360/0.360/0.360/0.000 ms
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, a27afc89b542a564_i d696c60e36b53e15_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 0s ago, rekeying in 27353s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3315s, expires in 3960s in cc4800d6, 84 bytes, 1 packets, 0s ago out cbbaf558, 84 bytes, 1 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, b98b7942b93d4523_i de19f068afd32e5e_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 4s ago, rekeying in 17935s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 4s ago, rekeying in 3247s, expires in 3956s in c87b24ef, 0 bytes, 0 packets out c4e0c3ca, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 8: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=1.66 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 1.655/1.655/1.655/0.000 ms
Step 9: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.376 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.376/0.376/0.376/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.2.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, a27afc89b542a564_i d696c60e36b53e15_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 27344s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3306s, expires in 3951s in cc4800d6, 84 bytes, 1 packets, 9s ago out cbbaf558, 84 bytes, 1 packets, 9s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, b98b7942b93d4523_i de19f068afd32e5e_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 13s ago, rekeying in 17926s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 13s ago, rekeying in 3238s, expires in 3947s in c87b24ef, 168 bytes, 2 packets, 0s ago out c4e0c3ca, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 11: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, a27afc89b542a564_i d696c60e36b53e15_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 9s ago, rekeying in 27344s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 9s ago, rekeying in 3306s, expires in 3951s in cc4800d6, 84 bytes, 1 packets, 9s ago out cbbaf558, 84 bytes, 1 packets, 9s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, b98b7942b93d4523_i de19f068afd32e5e_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 13s ago, rekeying in 17926s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 13s ago, rekeying in 3238s, expires in 3947s in c87b24ef, 168 bytes, 2 packets, 0s ago out c4e0c3ca, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 12: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.392 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.392/0.392/0.392/0.000 ms
Step 13: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.342 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.342/0.342/0.342/0.000 ms
Step 14: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+10.3.0.*Show output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, a27afc89b542a564_i d696c60e36b53e15_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 10s ago, rekeying in 27343s peer-PEER-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 10s ago, rekeying in 3305s, expires in 3950s in cc4800d6, 252 bytes, 3 packets, 0s ago out cbbaf558, 252 bytes, 3 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, b98b7942b93d4523_i de19f068afd32e5e_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 14s ago, rekeying in 17925s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 14s ago, rekeying in 3237s, expires in 3946s in c87b24ef, 168 bytes, 2 packets, 1s ago out c4e0c3ca, 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test PPK PSK DMVPN
Description
Test the DMVPN scenario with PPK authentication and PSK
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set interfaces tunnel tun0 address 10.0.0.2/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 local-address 80.0.0.2 set interfaces tunnel tun0 local-interface eth0 set interfaces tunnel tun0 mtu 1390 set interfaces tunnel tun0 nhrp holdtime 600 set interfaces tunnel tun0 nhrp ipsec IPSEC set interfaces tunnel tun0 nhrp nhs 10.0.0.1 nbma 80.0.0.1 set protocols static route 10.1.0.0/24 next-hop 10.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX19BV3E0J0MNz2bR/qKyV6+CixZfGhq+xPQ= set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec dmvpn-profile IPSEC auth-profile AUTH-SA set vpn ipsec dmvpn-profile IPSEC esp-group ESP-GROUP set vpn ipsec dmvpn-profile IPSEC ike-group IKE-GROUP set vpn ipsec esp-group ESP-GROUP lifetime 28800 set vpn ipsec esp-group ESP-GROUP mode transport set vpn ipsec esp-group ESP-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec esp-group ESP-GROUP proposal 10 hash sha256 set vpn ipsec esp-group ESP-GROUP proposal 10 pfs dh-group19 set vpn ipsec ike-group IKE-GROUP key-exchange ikev2 set vpn ipsec ike-group IKE-GROUP lifetime 86400 set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group 19 set vpn ipsec ike-group IKE-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec ike-group IKE-GROUP proposal 10 hash sha256 set vpn ipsec logging log-types any log-level 1
Step 2: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces tunnel tun0 address 10.0.0.1/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 local-address 80.0.0.1 set interfaces tunnel tun0 local-interface eth0 set interfaces tunnel tun0 mtu 1390 set interfaces tunnel tun0 nhrp holdtime 60 set interfaces tunnel tun0 nhrp ipsec IPSEC set interfaces tunnel tun0 nhrp transport-nat-support set protocols static route 10.2.0.0/24 next-hop 10.0.0.2 set protocols static route 10.3.0.0/24 next-hop 10.0.0.3 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX1+xAEOpnZo4sa+TIrjQCjA9gBgaGuvJ1C8= set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec dmvpn-profile IPSEC auth-profile AUTH-SA set vpn ipsec dmvpn-profile IPSEC esp-group ESP-GROUP set vpn ipsec dmvpn-profile IPSEC ike-group IKE-GROUP set vpn ipsec esp-group ESP-GROUP lifetime 28800 set vpn ipsec esp-group ESP-GROUP mode transport set vpn ipsec esp-group ESP-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec esp-group ESP-GROUP proposal 10 hash sha256 set vpn ipsec esp-group ESP-GROUP proposal 10 pfs dh-group19 set vpn ipsec ike-group IKE-GROUP key-exchange ikev2 set vpn ipsec ike-group IKE-GROUP lifetime 86400 set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group 19 set vpn ipsec ike-group IKE-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec ike-group IKE-GROUP proposal 10 hash sha256 set vpn ipsec logging log-types any log-level 1
Step 3: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.325 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.325/0.325/0.325/0.000 ms
Step 4: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.302 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.302/0.302/0.302/0.000 ms
Step 5: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set interfaces tunnel tun0 address 10.0.0.3/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 local-address 80.0.0.3 set interfaces tunnel tun0 local-interface eth0 set interfaces tunnel tun0 mtu 1390 set interfaces tunnel tun0 nhrp holdtime 600 set interfaces tunnel tun0 nhrp ipsec IPSEC set interfaces tunnel tun0 nhrp nhs 10.0.0.1 nbma 80.0.0.1 set protocols static route 10.1.0.0/24 next-hop 10.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX18WIKWPeivJZUVLdYZP/3n6ihQBFMcRBGA= set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec dmvpn-profile IPSEC auth-profile AUTH-SA set vpn ipsec dmvpn-profile IPSEC esp-group ESP-GROUP set vpn ipsec dmvpn-profile IPSEC ike-group IKE-GROUP set vpn ipsec esp-group ESP-GROUP lifetime 28800 set vpn ipsec esp-group ESP-GROUP mode transport set vpn ipsec esp-group ESP-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec esp-group ESP-GROUP proposal 10 hash sha256 set vpn ipsec esp-group ESP-GROUP proposal 10 pfs dh-group19 set vpn ipsec ike-group IKE-GROUP key-exchange ikev2 set vpn ipsec ike-group IKE-GROUP lifetime 86400 set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group 19 set vpn ipsec ike-group IKE-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec ike-group IKE-GROUP proposal 10 hash sha256 set vpn ipsec logging log-types any log-level 1
Step 6: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=1.65 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 1.653/1.653/1.653/0.000 ms
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+80.0.0.*Show output
IPSEC: #2, ESTABLISHED, IKEv2, 7ad05b6e3a2b34b2_i 47e1fc48001a7bb8_r* local 'test' @ 80.0.0.1[500] remote 'test' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 1s ago, rekeying in 56122s IPSEC: #2, reqid 2, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 23598s, expires in 28799s in c59745e1, 184 bytes, 2 packets, 0s ago out ca491e2b, 204 bytes, 2 packets, 0s ago local 80.0.0.1/32[gre] remote 80.0.0.3/32[gre] IPSEC: #1, ESTABLISHED, IKEv2, 31ef23b1d1fbcb02_i 46533805c563b431_r* local 'test' @ 80.0.0.1[500] remote 'test' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 12s ago, rekeying in 54322s IPSEC: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256 installed 12s ago, rekeying in 21875s, expires in 28788s in c9940d32, 368 bytes, 4 packets, 11s ago out c5ca97d7, 292 bytes, 3 packets, 11s ago local 80.0.0.1/32[gre] remote 80.0.0.2/32[gre]
Step 8: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.424 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.424/0.424/0.424/0.000 ms
Step 9: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.343 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.343/0.343/0.343/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+80.0.0\.2Show output
IPSEC: #2, ESTABLISHED, IKEv2, 7ad05b6e3a2b34b2_i 47e1fc48001a7bb8_r* local 'test' @ 80.0.0.1[500] remote 'test' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 1s ago, rekeying in 56122s IPSEC: #2, reqid 2, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 23598s, expires in 28799s in c59745e1, 184 bytes, 2 packets, 0s ago out ca491e2b, 204 bytes, 2 packets, 0s ago local 80.0.0.1/32[gre] remote 80.0.0.3/32[gre] IPSEC: #1, ESTABLISHED, IKEv2, 31ef23b1d1fbcb02_i 46533805c563b431_r* local 'test' @ 80.0.0.1[500] remote 'test' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 12s ago, rekeying in 54322s IPSEC: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256 installed 12s ago, rekeying in 21875s, expires in 28788s in c9940d32, 544 bytes, 6 packets, 0s ago out c5ca97d7, 468 bytes, 5 packets, 0s ago local 80.0.0.1/32[gre] remote 80.0.0.2/32[gre]
Step 11: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+80.0.0.*Show output
IPSEC: #2, ESTABLISHED, IKEv2, 7ad05b6e3a2b34b2_i 47e1fc48001a7bb8_r* local 'test' @ 80.0.0.1[500] remote 'test' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 2s ago, rekeying in 56121s IPSEC: #2, reqid 2, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256 installed 2s ago, rekeying in 23597s, expires in 28798s in c59745e1, 184 bytes, 2 packets, 1s ago out ca491e2b, 204 bytes, 2 packets, 1s ago local 80.0.0.1/32[gre] remote 80.0.0.3/32[gre] IPSEC: #1, ESTABLISHED, IKEv2, 31ef23b1d1fbcb02_i 46533805c563b431_r* local 'test' @ 80.0.0.1[500] remote 'test' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 13s ago, rekeying in 54321s IPSEC: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256 installed 13s ago, rekeying in 21874s, expires in 28787s in c9940d32, 544 bytes, 6 packets, 1s ago out c5ca97d7, 468 bytes, 5 packets, 1s ago local 80.0.0.1/32[gre] remote 80.0.0.2/32[gre]
Step 12: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.460 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.460/0.460/0.460/0.000 ms
Step 13: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.392 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.392/0.392/0.392/0.000 ms
Step 14: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+80.0.0\.3.*Show output
IPSEC: #2, ESTABLISHED, IKEv2, 7ad05b6e3a2b34b2_i 47e1fc48001a7bb8_r* local 'test' @ 80.0.0.1[500] remote 'test' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 2s ago, rekeying in 56121s IPSEC: #2, reqid 2, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256 installed 2s ago, rekeying in 23597s, expires in 28798s in c59745e1, 360 bytes, 4 packets, 0s ago out ca491e2b, 380 bytes, 4 packets, 0s ago local 80.0.0.1/32[gre] remote 80.0.0.3/32[gre] IPSEC: #1, ESTABLISHED, IKEv2, 31ef23b1d1fbcb02_i 46533805c563b431_r* local 'test' @ 80.0.0.1[500] remote 'test' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 13s ago, rekeying in 54321s IPSEC: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256 installed 13s ago, rekeying in 21874s, expires in 28787s in c9940d32, 544 bytes, 6 packets, 1s ago out c5ca97d7, 468 bytes, 5 packets, 1s ago local 80.0.0.1/32[gre] remote 80.0.0.2/32[gre]
Step 15: Run command protocols ip show nhrp at DUT0 and expect this output:
Show output
Iface Type Protocol NBMA Claimed NBMA Expires(s) Flags Identity tun0 local 10.0.0.1 80.0.0.1 80.0.0.1 - - tun0 dynamic 10.0.0.3 80.0.0.3 80.0.0.3 598 UTA test tun0 dynamic 10.0.0.2 80.0.0.2 80.0.0.2 588 UT test
Test PPK RSA DMVPN
Description
Test the DMVPN scenario with PPK authentication and RSA, with same ppk on both remotes.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set interfaces tunnel tun0 address 10.0.0.2/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 local-address 80.0.0.2 set interfaces tunnel tun0 local-interface eth0 set interfaces tunnel tun0 mtu 1390 set interfaces tunnel tun0 nhrp holdtime 600 set interfaces tunnel tun0 nhrp ipsec IPSEC set interfaces tunnel tun0 nhrp nhs 10.0.0.1 nbma 80.0.0.1 set protocols static route 10.1.0.0/24 next-hop 10.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://client.crt' set vpn ipsec auth-profile AUTH-SA local id CN=carol@teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://client.priv.pem' set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec dmvpn-profile IPSEC auth-profile AUTH-SA set vpn ipsec dmvpn-profile IPSEC esp-group ESP-GROUP set vpn ipsec dmvpn-profile IPSEC ike-group IKE-GROUP set vpn ipsec esp-group ESP-GROUP lifetime 28800 set vpn ipsec esp-group ESP-GROUP mode transport set vpn ipsec esp-group ESP-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec esp-group ESP-GROUP proposal 10 hash sha256 set vpn ipsec esp-group ESP-GROUP proposal 10 pfs dh-group19 set vpn ipsec ike-group IKE-GROUP key-exchange ikev2 set vpn ipsec ike-group IKE-GROUP lifetime 86400 set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group 19 set vpn ipsec ike-group IKE-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec ike-group IKE-GROUP proposal 10 hash sha256 set vpn ipsec logging log-types any log-level 1
Step 2: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces tunnel tun0 address 10.0.0.1/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 local-address 80.0.0.1 set interfaces tunnel tun0 local-interface eth0 set interfaces tunnel tun0 mtu 1390 set interfaces tunnel tun0 nhrp holdtime 60 set interfaces tunnel tun0 nhrp ipsec IPSEC set interfaces tunnel tun0 nhrp transport-nat-support set protocols static route 10.2.0.0/24 next-hop 10.0.0.2 set protocols static route 10.3.0.0/24 next-hop 10.0.0.3 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA global-secrets ppk dave@teldat.org file 'running://ppk_dave.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://server.crt' set vpn ipsec auth-profile AUTH-SA local id CN=moon.teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://server.priv.pem' set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote ppk id '*@teldat.org' set vpn ipsec dmvpn-profile IPSEC auth-profile AUTH-SA set vpn ipsec dmvpn-profile IPSEC esp-group ESP-GROUP set vpn ipsec dmvpn-profile IPSEC ike-group IKE-GROUP set vpn ipsec esp-group ESP-GROUP lifetime 28800 set vpn ipsec esp-group ESP-GROUP mode transport set vpn ipsec esp-group ESP-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec esp-group ESP-GROUP proposal 10 hash sha256 set vpn ipsec esp-group ESP-GROUP proposal 10 pfs dh-group19 set vpn ipsec ike-group IKE-GROUP key-exchange ikev2 set vpn ipsec ike-group IKE-GROUP lifetime 86400 set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group 19 set vpn ipsec ike-group IKE-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec ike-group IKE-GROUP proposal 10 hash sha256 set vpn ipsec logging log-types any log-level 1
Step 3: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.344 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.344/0.344/0.344/0.000 ms
Step 4: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.358 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.358/0.358/0.358/0.000 ms
Step 5: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.3/24 set interfaces tunnel tun0 address 10.0.0.3/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 local-address 80.0.0.3 set interfaces tunnel tun0 local-interface eth0 set interfaces tunnel tun0 mtu 1390 set interfaces tunnel tun0 nhrp holdtime 600 set interfaces tunnel tun0 nhrp ipsec IPSEC set interfaces tunnel tun0 nhrp nhs 10.0.0.1 nbma 80.0.0.1 set protocols static route 10.1.0.0/24 next-hop 10.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ppk carol@teldat.org file 'running://ppk_carol.key' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local cert-file 'running://client.crt' set vpn ipsec auth-profile AUTH-SA local id CN=dave@teldat.org set vpn ipsec auth-profile AUTH-SA local key file 'running://client.priv.pem' set vpn ipsec auth-profile AUTH-SA local ppk id carol@teldat.org set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA remote id CN=moon.teldat.org set vpn ipsec dmvpn-profile IPSEC auth-profile AUTH-SA set vpn ipsec dmvpn-profile IPSEC esp-group ESP-GROUP set vpn ipsec dmvpn-profile IPSEC ike-group IKE-GROUP set vpn ipsec esp-group ESP-GROUP lifetime 28800 set vpn ipsec esp-group ESP-GROUP mode transport set vpn ipsec esp-group ESP-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec esp-group ESP-GROUP proposal 10 hash sha256 set vpn ipsec esp-group ESP-GROUP proposal 10 pfs dh-group19 set vpn ipsec ike-group IKE-GROUP key-exchange ikev2 set vpn ipsec ike-group IKE-GROUP lifetime 86400 set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group 19 set vpn ipsec ike-group IKE-GROUP proposal 10 encryption aes256gcm128 set vpn ipsec ike-group IKE-GROUP proposal 10 hash sha256 set vpn ipsec logging log-types any log-level 1
Step 6: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.569 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.569/0.569/0.569/0.000 ms
Warning
“Certificates must include the IP address in the SAN field, otherwise the connection will fail.”
Step 7: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+80.0.0.*Show output
IPSEC: #2, ESTABLISHED, IKEv2, 9daf58dd549e85bd_i 4307c98c29d9e85a_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 1s ago, rekeying in 80548s IPSEC: #2, reqid 2, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 17502s, expires in 28799s in c9a2175c, 184 bytes, 2 packets, 0s ago out c89f4c7c, 204 bytes, 2 packets, 0s ago local 80.0.0.1/32[gre] remote 80.0.0.3/32[gre] IPSEC: #1, ESTABLISHED, IKEv2, 3ca7908ca3600c02_i 20a0b56c5aab887b_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 14s ago, rekeying in 79119s IPSEC: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256 installed 14s ago, rekeying in 17938s, expires in 28786s in ca085fa7, 464 bytes, 5 packets, 11s ago out cacd1ece, 292 bytes, 3 packets, 11s ago local 80.0.0.1/32[gre] remote 80.0.0.2/32[gre]
Step 8: Ping IP address 10.2.0.1 from DUT0:
admin@DUT0$ ping 10.2.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.2.0.1 (10.2.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.401 ms --- 10.2.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.401/0.401/0.401/0.000 ms
Step 9: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.2.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.2.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.368 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.368/0.368/0.368/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+80.0.0\.2Show output
IPSEC: #2, ESTABLISHED, IKEv2, 9daf58dd549e85bd_i 4307c98c29d9e85a_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 1s ago, rekeying in 80548s IPSEC: #2, reqid 2, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 17502s, expires in 28799s in c9a2175c, 184 bytes, 2 packets, 0s ago out c89f4c7c, 204 bytes, 2 packets, 0s ago local 80.0.0.1/32[gre] remote 80.0.0.3/32[gre] IPSEC: #1, ESTABLISHED, IKEv2, 3ca7908ca3600c02_i 20a0b56c5aab887b_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 14s ago, rekeying in 79119s IPSEC: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256 installed 14s ago, rekeying in 17938s, expires in 28786s in ca085fa7, 640 bytes, 7 packets, 0s ago out cacd1ece, 468 bytes, 5 packets, 0s ago local 80.0.0.1/32[gre] remote 80.0.0.2/32[gre]
Step 11: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*\s+.*remote\s+80.0.0.*Show output
IPSEC: #2, ESTABLISHED, IKEv2, 9daf58dd549e85bd_i 4307c98c29d9e85a_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 1s ago, rekeying in 80548s IPSEC: #2, reqid 2, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 17502s, expires in 28799s in c9a2175c, 184 bytes, 2 packets, 0s ago out c89f4c7c, 204 bytes, 2 packets, 0s ago local 80.0.0.1/32[gre] remote 80.0.0.3/32[gre] IPSEC: #1, ESTABLISHED, IKEv2, 3ca7908ca3600c02_i 20a0b56c5aab887b_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 14s ago, rekeying in 79119s IPSEC: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256 installed 14s ago, rekeying in 17938s, expires in 28786s in ca085fa7, 640 bytes, 7 packets, 0s ago out cacd1ece, 468 bytes, 5 packets, 0s ago local 80.0.0.1/32[gre] remote 80.0.0.2/32[gre]
Step 12: Ping IP address 10.3.0.1 from DUT0:
admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1Show output
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.549 ms --- 10.3.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.549/0.549/0.549/0.000 ms
Step 13: Ping IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.330 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.330/0.330/0.330/0.000 ms
Step 14: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
(?m)\s+.*AES_GCM_16-256\/PRF_HMAC_SHA2_256\/ECP_256\/PPK.*\s+.*\s+.*\s+.*\s+.*[1-9]\d? packets.*\s+.*[1-9]\d? packets.*\s+.*\s+.*remote\s+80.0.0\.3.*Show output
IPSEC: #2, ESTABLISHED, IKEv2, 9daf58dd549e85bd_i 4307c98c29d9e85a_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=dave@teldat.org' @ 80.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 2s ago, rekeying in 80547s IPSEC: #2, reqid 2, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256 installed 2s ago, rekeying in 17501s, expires in 28798s in c9a2175c, 360 bytes, 4 packets, 0s ago out c89f4c7c, 380 bytes, 4 packets, 0s ago local 80.0.0.1/32[gre] remote 80.0.0.3/32[gre] IPSEC: #1, ESTABLISHED, IKEv2, 3ca7908ca3600c02_i 20a0b56c5aab887b_r* local 'CN=moon.teldat.org' @ 80.0.0.1[500] remote 'CN=carol@teldat.org' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256/PPK established 15s ago, rekeying in 79118s IPSEC: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256 installed 15s ago, rekeying in 17937s, expires in 28785s in ca085fa7, 640 bytes, 7 packets, 1s ago out cacd1ece, 468 bytes, 5 packets, 1s ago local 80.0.0.1/32[gre] remote 80.0.0.2/32[gre]