Roadwarrior
This scenario shows different ways to setup a roadwarrior VPN connection; in which, instead of using a N2N (network to network) connection, a single machine (e.g., a host) is able to connect to a remote private network.
On the one hand, DUT2 and DUT0 represent a remote branch
office. On the other hand, DUT1 is a roadwarrior that can
establish a connection to DUT2 using different virtual IPs.
Note that security associations (SAs) have to be manually
flushed with the command clear vpn ipsec sa. Depending on
the configuration parameter connection-type, the new tunnel
connections will be created or not.
Test VPN Roadwarrior Connection With VTI
Description
In this scenario, DUT0 uses a VTI
interface to encapsulate the VPN traffic.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.1.0.2/24 set protocols static route 0.0.0.0/0 next-hop 10.1.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces ethernet eth1 address 10.1.0.1/24 set interfaces vti vti0 ipsec PEER set interfaces vti vti0 local-address 80.0.0.1 set interfaces vti vti0 remote-address 0.0.0.0 set protocols static route 10.3.0.0/24 interface vti0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19duh/7YnnjiUnpgFW/+QNofyzV+ccqIqk= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER vti local prefix 10.1.0.0/24
Step 3: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 10.1.0.0/24 interface eth0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+Qe1+30MmY9pKr7FB2hX1Tyvt7WoXuBeY= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 4: Ping IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.647 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.647/0.647/0.647/0.000 ms
Step 5: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.258 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.258/0.258/0.258/0.000 ms
Step 6: Ping IP address 10.1.0.2 from DUT0:
admin@DUT0$ ping 10.1.0.2 count 1 size 56 timeout 1Show output
PING 10.1.0.2 (10.1.0.2) 56(84) bytes of data. 64 bytes from 10.1.0.2: icmp_seq=1 ttl=64 time=0.404 ms --- 10.1.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.404/0.404/0.404/0.000 ms
Step 7: Run command interfaces dummy dum0 show at DUT1 and expect this output:
Show output
----------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ----------------------------------------------------------------- dum0 10.3.0.1/24 up up fe80::589f:75ff:fec2:f151/64
Step 8: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.308 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.308/0.308/0.308/0.000 ms
Step 9: Ping IP address 10.1.0.2 from DUT1:
admin@DUT1$ ping 10.1.0.2 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.2 (10.1.0.2) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.2: icmp_seq=1 ttl=63 time=0.538 ms --- 10.1.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.538/0.538/0.538/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 47611de901d7595d_i e6b923ba96962216_r* local '80.0.0.1' @ 80.0.0.1[4500] remote '80.0.0.2' @ 80.0.0.2[4500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 25866s peer-PEER-tunnel-VTI: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3539s, expires in 3960s in c48f9bc4 (0x90000000), 168 bytes, 2 packets, 0s ago out c073c9f0 (0x90000000), 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 0.0.0.0/0
Step 11: Run command vpn ipsec clear sa at DUT1 and expect this output:
Show output
Deleting IPSec SAs... 100.0% Closed tunnels: 1
Step 12: Modify the following configuration lines in DUT1 :
delete interfaces dummy dum0 address 10.3.0.1/24 set interfaces dummy dum0 address 10.3.0.2/24
Step 13: Run command vpn ipsec initiate peer PEER at DUT1 and expect this output:
Show output
Initiating IPSec SAs... 0.0% Initiated tunnels: 1
Step 14: Run command interfaces dummy dum0 show at DUT1 and expect this output:
Show output
----------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ----------------------------------------------------------------- dum0 10.3.0.2/24 up up fe80::589f:75ff:fec2:f151/64
Step 15: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.2 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.2 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.385 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.385/0.385/0.385/0.000 ms
Step 16: Ping IP address 10.1.0.2 from DUT1:
admin@DUT1$ ping 10.1.0.2 local-address 10.3.0.2 count 1 size 56 timeout 1Show output
PING 10.1.0.2 (10.1.0.2) from 10.3.0.2 : 56(84) bytes of data. 64 bytes from 10.1.0.2: icmp_seq=1 ttl=63 time=0.721 ms --- 10.1.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.721/0.721/0.721/0.000 ms
Step 17: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 73d3eaa11113e698_i 6075e4f2cd770b39_r* local '80.0.0.1' @ 80.0.0.1[4500] remote '80.0.0.2' @ 80.0.0.2[4500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 14758s peer-PEER-tunnel-VTI: #2, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3359s, expires in 3959s in c968ca34 (0x90000000), 168 bytes, 2 packets, 1s ago out cef34f1f (0x90000000), 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 0.0.0.0/0
Test VPN Roadwarrior Connection With Global Policies
Description
In this scenario, DUT0 uses global VPN
policies (or selectors) to encapsulate traffic.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.1.0.2/24 set protocols static route 0.0.0.0/0 next-hop 10.1.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces ethernet eth1 address 10.1.0.1/24 set protocols static route 10.3.0.0/24 interface eth0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX18k+tg4iRAV9wZVWkYTJF+I3fa22/B42u8= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 3: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 10.1.0.0/24 interface eth0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19hSZPJhEEPfWO5fhG7SIG40RJU09v7Iso= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 4: Ping IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.420 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.420/0.420/0.420/0.000 ms
Step 5: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.302 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.302/0.302/0.302/0.000 ms
Step 6: Ping IP address 10.1.0.2 from DUT0:
admin@DUT0$ ping 10.1.0.2 count 1 size 56 timeout 1Show output
PING 10.1.0.2 (10.1.0.2) 56(84) bytes of data. 64 bytes from 10.1.0.2: icmp_seq=1 ttl=64 time=1.71 ms --- 10.1.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 1.712/1.712/1.712/0.000 ms
Step 7: Run command interfaces dummy dum0 show at DUT1 and expect this output:
Show output
----------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ----------------------------------------------------------------- dum0 10.3.0.1/24 up up fe80::609d:24ff:fe66:7cf7/64
Step 8: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.324 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.324/0.324/0.324/0.000 ms
Step 9: Ping IP address 10.1.0.2 from DUT1:
admin@DUT1$ ping 10.1.0.2 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.2 (10.1.0.2) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.2: icmp_seq=1 ttl=63 time=0.850 ms --- 10.1.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.850/0.850/0.850/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, d550b4a173c2600a_i ae8896581244a217_r* local '80.0.0.1' @ 80.0.0.1[4500] remote '80.0.0.2' @ 80.0.0.2[4500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 21553s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3350s, expires in 3959s in c5bd80ae, 168 bytes, 2 packets, 1s ago out c51fd813, 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.3.0.0/24
Step 11: Run command vpn ipsec clear sa at DUT1 and expect this output:
Show output
Deleting IPSec SAs... 100.0% Closed tunnels: 1
Step 12: Modify the following configuration lines in DUT1 :
delete interfaces dummy dum0 address 10.3.0.1/24 set interfaces dummy dum0 address 10.3.0.2/24
Step 13: Run command vpn ipsec initiate peer PEER at DUT1 and expect this output:
Show output
Initiating IPSec SAs... 0.0% Initiated tunnels: 1
Step 14: Run command interfaces dummy dum0 show at DUT1 and expect this output:
Show output
----------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ----------------------------------------------------------------- dum0 10.3.0.2/24 up up fe80::609d:24ff:fe66:7cf7/64
Step 15: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.2 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.2 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.345 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.345/0.345/0.345/0.000 ms
Step 16: Ping IP address 10.1.0.2 from DUT1:
admin@DUT1$ ping 10.1.0.2 local-address 10.3.0.2 count 1 size 56 timeout 1Show output
PING 10.1.0.2 (10.1.0.2) from 10.3.0.2 : 56(84) bytes of data. 64 bytes from 10.1.0.2: icmp_seq=1 ttl=63 time=2.70 ms --- 10.1.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 2.702/2.702/2.702/0.000 ms
Step 17: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 312e080c13e3d5c4_i 44ca9b9783206ec1_r* local '80.0.0.1' @ 80.0.0.1[4500] remote '80.0.0.2' @ 80.0.0.2[4500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 26412s peer-PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3310s, expires in 3959s in c627d643, 168 bytes, 2 packets, 0s ago out c89dd05d, 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24
Test VPN Roadwarrior Connection With VTI And VIPs Pool
Description
In this scenario, DUT0 uses a VTI
interface to encapsulate the VPN traffic.
DUT1 requests a virtual IP address from
DUT0 and it installed in dum0. Routes are
also automatically installed taking into
account the negotiated selectors.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.1.0.2/24 set protocols static route 0.0.0.0/0 next-hop 10.1.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces ethernet eth1 address 10.1.0.1/24 set interfaces vti vti0 ipsec PEER set interfaces vti vti0 local-address 80.0.0.1 set interfaces vti vti0 remote-address 0.0.0.0 set protocols static route 10.3.0.0/24 interface vti0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1/D1avkege9JsIVw8HR6AQHNR0Cv+hyUXM= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec pool POOL prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER pool POOL set vpn ipsec site-to-site peer PEER vti local prefix 10.1.0.0/24
Step 3: Set the following configuration in DUT1 :
set interfaces dummy dum0 set interfaces ethernet eth0 address 80.0.0.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf main set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX189mwe8kLRE+Uq/CT/bUZOHydmEHaR4wxY= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER install-vips interface dum0 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 4: Ping IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.401 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.401/0.401/0.401/0.000 ms
Step 5: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.318 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.318/0.318/0.318/0.000 ms
Step 6: Ping IP address 10.1.0.2 from DUT0:
admin@DUT0$ ping 10.1.0.2 count 1 size 56 timeout 1Show output
PING 10.1.0.2 (10.1.0.2) 56(84) bytes of data. 64 bytes from 10.1.0.2: icmp_seq=1 ttl=64 time=0.933 ms --- 10.1.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.933/0.933/0.933/0.000 ms
Step 7: Run command interfaces dummy dum0 show at DUT1 and expect this output:
Show output
----------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ----------------------------------------------------------------- dum0 10.3.0.1/32 up up fe80::e445:28ff:fea9:f0bb/64
Step 8: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.343 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.343/0.343/0.343/0.000 ms
Step 9: Ping IP address 10.1.0.2 from DUT1:
admin@DUT1$ ping 10.1.0.2 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.2 (10.1.0.2) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.2: icmp_seq=1 ttl=63 time=0.552 ms --- 10.1.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.552/0.552/0.552/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 2a3b141a25fc3a02_i 0e4a0cbcb7e0f6e1_r* local '80.0.0.1' @ 80.0.0.1[4500] remote '80.0.0.2' @ 80.0.0.2[4500] [10.3.0.1] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 28302s peer-PEER-tunnel-VTI: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3431s, expires in 3959s in cd14deb8 (0x90000000), 168 bytes, 2 packets, 1s ago out c90b2417 (0x90000000), 168 bytes, 2 packets, 1s ago local 10.1.0.0/24 remote 10.3.0.1/32
Test VPN Roadwarrior Connection With Global Policies And VIPs Pool
Description
In this scenario, DUT0 uses global VPN
policies (or selectors) to encapsulate traffic.
DUT1 requests a virtual IP address from
DUT0 and it installed in dum0. Routes are
also automatically installed taking into
account the negotiated selectors.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.1.0.2/24 set protocols static route 0.0.0.0/0 next-hop 10.1.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces ethernet eth1 address 10.1.0.1/24 set interfaces vti vti0 ipsec PEER set interfaces vti vti0 local-address 80.0.0.1 set interfaces vti vti0 remote-address 0.0.0.0 set protocols static route 10.3.0.0/24 interface vti0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX182TEIDQm8AVo4BVsDHrHfmxVgTxjOIG2c= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec pool POOL prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER pool POOL set vpn ipsec site-to-site peer PEER vti local prefix 10.1.0.0/24
Step 3: Set the following configuration in DUT1 :
set interfaces dummy dum0 set interfaces ethernet eth0 address 80.0.0.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf main set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19jnuAdyvvQMy7KziqRmKKS7yZfybeut20= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 1 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER install-vips interface dum0 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 4: Ping IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.302 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.302/0.302/0.302/0.000 ms
Step 5: Ping IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.271 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.271/0.271/0.271/0.000 ms
Step 6: Ping IP address 10.1.0.2 from DUT0:
admin@DUT0$ ping 10.1.0.2 count 1 size 56 timeout 1Show output
PING 10.1.0.2 (10.1.0.2) 56(84) bytes of data. 64 bytes from 10.1.0.2: icmp_seq=1 ttl=64 time=0.524 ms --- 10.1.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.524/0.524/0.524/0.000 ms
Step 7: Run command interfaces dummy dum0 show at DUT1 and expect this output:
Show output
---------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ---------------------------------------------------------------- dum0 10.3.0.1/32 up up fe80::1474:eff:feb9:5986/64
Step 8: Ping IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.813 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.813/0.813/0.813/0.000 ms
Step 9: Ping IP address 10.1.0.2 from DUT1:
admin@DUT1$ ping 10.1.0.2 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.2 (10.1.0.2) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.2: icmp_seq=1 ttl=63 time=0.577 ms --- 10.1.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.577/0.577/0.577/0.000 ms
Step 10: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 427c24ce6d43fdec_i b055558fd4d79312_r* local '80.0.0.1' @ 80.0.0.1[4500] remote '80.0.0.2' @ 80.0.0.2[4500] [10.3.0.1] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 25976s peer-PEER-tunnel-VTI: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3343s, expires in 3959s in c4349d4d (0x90000000), 168 bytes, 2 packets, 0s ago out c45b5729 (0x90000000), 168 bytes, 2 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.1/32