Xfrm-Interface
Test suite to check IPsec with xfrm interface
Test IPsec With Multipath XFRM Interfaces
Description
DUT0 and DUT1 are connected to each other through multiple IPsec tunnels that share the same local and remote prefixes.
This test case checks that the IPsec tunnels are correctly installed through two IKE peers, PEER301 and PEER302, whose addresses are directly connected between DUT0 and DUT1.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 30.0.0.1/24
set interfaces ethernet eth0 address 30.0.0.2/24
set interfaces ethernet eth0 vrf WAN_30
set interfaces ethernet eth1 address 10.1.0.1/24
set interfaces ethernet eth1 vrf LAN_101
set interfaces xfrm xfrm301 local-interface eth0
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm301 multipath traffic-steering reverse
set interfaces xfrm xfrm301 vrf LAN_101
set interfaces xfrm xfrm302 local-interface eth0
set interfaces xfrm xfrm302 mtu 1400
set interfaces xfrm xfrm302 multipath traffic-steering reverse
set interfaces xfrm xfrm302 vrf LAN_101
set protocols vrf WAN_30 static route 10.1.0.0/24 next-hop-vrf LAN_101
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf LAN_101
set system vrf WAN_30
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX1/qeZz7qspB1Hz+GkB7lMoSPOWZgCVh1Go=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type respond
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 30.0.0.1
set vpn ipsec site-to-site peer PEER301 remote-address %any
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type respond
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 30.0.0.2
set vpn ipsec site-to-site peer PEER302 remote-address %any
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302
Step 2: Set the following configuration in DUT1:
set interfaces dummy dum0 address 10.2.0.3/24
set interfaces ethernet eth0 address 30.0.0.3/24
set interfaces ethernet eth0 address 30.0.0.4/24
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm302 mtu 1400
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX19O3zUWcsqKmTBTcEO5N7LKkqF+L7wWr3U=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type initiate
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 30.0.0.3
set vpn ipsec site-to-site peer PEER301 remote-address 30.0.0.1
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type initiate
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 30.0.0.4
set vpn ipsec site-to-site peer PEER302 remote-address 30.0.0.2
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302
Step 3: Set the following configuration in DUT2:
set interfaces ethernet eth1 address 10.1.0.5/24
set protocols static route 10.2.0.0/24 next-hop 10.1.0.1
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Note
Check that the IPsec tunnels are established and the routes are installed. The routes should be installed in the VRF LAN_101.
Step 4: Run command protocols vrf LAN_101 ip show route at DUT0 and check if output matches the following regular expressions:
K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF LAN_101:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:07
C>* 10.1.0.0/24 is directly connected, eth1, weight 1, 00:00:07
L>* 10.1.0.1/32 is directly connected, eth1, weight 1, 00:00:07
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm302, weight 1, 00:00:01
  *                   is directly connected, xfrm301, weight 1, 00:00:01
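The regular expression above only demands that two xfrm interfaces appear under the prefix. As an added check, not part of the test suite, the following Python parses the FRR-style route listing and verifies that 10.2.0.0/24 is a selected kernel route whose next hops are exactly xfrm301 and xfrm302 (a single-path route or a duplicated interface fails). The sample input is the Step 4 output; the function names are my own.

```python
import re
from typing import Dict, List, Optional

# One route entry: FRR code letters (e.g. "K>*"), the prefix, then the rest.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]>?\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<rest>.*)$")
# Next-hop interface, for "is directly connected, IFACE" or "via GW, IFACE".
NH_RE = re.compile(r"(?:is directly connected|via \S+?),\s+(?P<iface>[\w.-]+)")

# Sample input: the "protocols vrf LAN_101 ip show route" output from Step 4.
SAMPLE_ROUTE_TABLE = """\
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF LAN_101:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:07
C>* 10.1.0.0/24 is directly connected, eth1, weight 1, 00:00:07
L>* 10.1.0.1/32 is directly connected, eth1, weight 1, 00:00:07
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm302, weight 1, 00:00:01
  *                   is directly connected, xfrm301, weight 1, 00:00:01
"""


def parse_routes(text: str) -> Dict[str, dict]:
    """Map each prefix to its route code and its list of next-hop interfaces."""
    routes: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:
            current = {"code": m["code"], "selected": ">" in m["code"],
                       "fib": "*" in m["code"], "nexthops": []}
            routes[m["prefix"]] = current
            nh = NH_RE.search(m["rest"])
        elif current is not None and line.startswith("*"):
            # Continuation line of a multipath route: one more FIB next hop.
            nh = NH_RE.search(line)
        else:
            continue  # header lines, blank lines
        if nh:
            current["nexthops"].append(nh["iface"])
    return routes


def multipath_interfaces(routes: Dict[str, dict], prefix: str) -> List[str]:
    """Sorted next-hop interfaces of PREFIX, or [] if it is not in the table."""
    entry = routes.get(prefix)
    return sorted(entry["nexthops"]) if entry else []


def check_multipath_xfrm(text: str, prefix: str = "10.2.0.0/24",
                         expected=("xfrm301", "xfrm302")) -> bool:
    """True when PREFIX is a selected kernel (K) route whose next hops are
    exactly the expected xfrm interfaces, each appearing once."""
    entry = parse_routes(text).get(prefix)
    if entry is None or not entry["code"].startswith("K") or not entry["selected"]:
        return False
    return sorted(entry["nexthops"]) == sorted(expected)


if __name__ == "__main__":
    print(check_multipath_xfrm(SAMPLE_ROUTE_TABLE))  # True for the Step 4 output
```

The check keys on the `K` code and the `>` selection flag because the tunnel routes are pushed by the IPsec daemon into the kernel table (`install-routes LAN_101`); a connected or static route to the same prefix would indicate a configuration overlap rather than a working tunnel.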
Note
Check that both IPsec tunnels are established and that traffic steering works as expected: when the remote client connects at random through either of the two tunnels, the hub always replies through the tunnel on which the request arrived.
Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:
Deleting IPSec SAs...
100.0%
Closed tunnels: 2
Step 6: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:
admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3
Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.8.2
This system includes free software. Contact Teldat for licenses information and source code.
Last login: Tue Jan 27 10:10:59 2026
admin@osdx$
Step 7: Run command vpn ipsec show sa at DUT0 and expect this output:
vpn-peer-PEER301: #4, ESTABLISHED, IKEv2, 5b587d3a90cafe1e_i bd653da159412664_r*
  local  'test' @ 30.0.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 27064s
  peer-PEER301-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3242s, expires in 3959s
    in  cd5f1ab9 (-|0x0000012e),      0 bytes,     0 packets
    out ccba3fae (-|0x0000012e),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #3, ESTABLISHED, IKEv2, 2300f4f757749717_i 7fb8fb28368a2072_r*
  local  'test' @ 30.0.0.2[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 22424s
  peer-PEER302-tunnel-1: #3, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3294s, expires in 3959s
    in  ccf015df (-|0x0000012f),   5188 bytes,    27 packets,     0s ago
    out c5406e43 (-|0x0000012f),   4840 bytes,    21 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
Step 8: Run command vpn ipsec clear sa at DUT0 and expect this output:
Deleting IPSec SAs...
100.0%
Closed tunnels: 2
Step 9: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:
admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3
Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.8.2
This system includes free software. Contact Teldat for licenses information and source code.
Last login: Tue Jan 27 10:34:49 2026 from 10.2.0.3
admin@osdx$
Step 10: Run command vpn ipsec show sa at DUT0 and expect this output:
vpn-peer-PEER302: #6, ESTABLISHED, IKEv2, 0a955c427eb92a7e_i e246cc59178c9714_r*
  local  'test' @ 30.0.0.2[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 18572s
  peer-PEER302-tunnel-1: #6, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3455s, expires in 3960s
    in  c8bc82c3 (-|0x0000012f),      0 bytes,     0 packets
    out cf1b7b71 (-|0x0000012f),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #5, ESTABLISHED, IKEv2, 712cf531f06350bf_i 5ed5e97165719c4e_r*
  local  'test' @ 30.0.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 24338s
  peer-PEER301-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3409s, expires in 3960s
    in  c2aeca41 (-|0x0000012e),   5084 bytes,    25 packets,     0s ago
    out c911d370 (-|0x0000012e),   5032 bytes,    23 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
Note
Test the traffic from the hub to the spoke. The difference is that the IPsec tunnel chosen by the hub is not always the same as the one chosen by the spoke, so if the spoke responds to the hub through the other tunnel, the hub must switch to the tunnel used by the spoke.
Step 11: Run command vpn ipsec clear sa at DUT0 and expect this output:
Deleting IPSec SAs...
100.0%
Closed tunnels: 2
Step 12: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:
admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5
Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.8.2
This system includes free software. Contact Teldat for licenses information and source code.
Last login: Tue Jan 27 10:03:48 2026
admin@osdx$
Step 13: Run command vpn ipsec show sa at DUT0 and expect this output:
vpn-peer-PEER301: #8, ESTABLISHED, IKEv2, b2d2131aee7679db_i 3d06d06a03f660a0_r*
  local  'test' @ 30.0.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 28265s
  peer-PEER301-tunnel-1: #8, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3248s, expires in 3959s
    in  c7c76604 (-|0x0000012e),      0 bytes,     0 packets
    out ce77bf9c (-|0x0000012e),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #7, ESTABLISHED, IKEv2, 9f1e06ce59cde564_i 2a8c009e0c7164f2_r*
  local  'test' @ 30.0.0.2[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 21818s
  peer-PEER302-tunnel-1: #7, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3514s, expires in 3959s
    in  c9d4e699 (-|0x0000012f),   4920 bytes,    22 packets,     0s ago
    out c9893371 (-|0x0000012f),   5396 bytes,    31 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
Step 14: Run command vpn ipsec clear sa at DUT0 and expect this output:
Deleting IPSec SAs...
100.0%
Closed tunnels: 2
Step 15: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:
admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5
Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.8.2
This system includes free software. Contact Teldat for licenses information and source code.
Last login: Tue Jan 27 10:34:51 2026 from 10.1.0.5
admin@osdx$
Step 16: Run command vpn ipsec show sa at DUT0 and expect this output:
vpn-peer-PEER302: #10, ESTABLISHED, IKEv2, ab90fd3dc17bf17a_i fcb85c741dc37e21_r*
  local  'test' @ 30.0.0.2[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 26928s
  peer-PEER302-tunnel-1: #10, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3310s, expires in 3959s
    in  cd60b27d (-|0x0000012f),      0 bytes,     0 packets
    out c6c013bf (-|0x0000012f),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #9, ESTABLISHED, IKEv2, 02c6023faa8b6fe4_i ef482c7c7cde92c7_r*
  local  'test' @ 30.0.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 27590s
  peer-PEER301-tunnel-1: #9, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3392s, expires in 3959s
    in  c3f312a9 (-|0x0000012e),   4864 bytes,    21 packets,     0s ago
    out c10884be (-|0x0000012e),   5240 bytes,    28 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
Test IPsec With Multipath XFRM Interfaces And VRFs
Description
The difference from the previous test case is that the hub's peer addresses sit behind VRFs (on the dummy interfaces dum1 and dum2 in SEG_201 and SEG_202) instead of on a directly connected interface.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces dummy dum1 address 20.1.0.1/24
set interfaces dummy dum1 vrf SEG_201
set interfaces dummy dum2 address 20.2.0.1/24
set interfaces dummy dum2 vrf SEG_202
set interfaces ethernet eth0 address 30.0.0.1/24
set interfaces ethernet eth0 vrf WAN_30
set interfaces ethernet eth1 address 10.1.0.1/24
set interfaces ethernet eth1 vrf LAN_101
set interfaces xfrm xfrm301 local-interface dum1
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm301 multipath traffic-steering reverse
set interfaces xfrm xfrm301 vrf LAN_101
set interfaces xfrm xfrm302 local-interface dum2
set interfaces xfrm xfrm302 mtu 1400
set interfaces xfrm xfrm302 multipath traffic-steering reverse
set interfaces xfrm xfrm302 vrf LAN_101
set protocols vrf SEG_201 static route 0.0.0.0/0 next-hop-vrf WAN_30
set protocols vrf SEG_201 static route 10.1.0.0/24 next-hop-vrf LAN_101
set protocols vrf SEG_202 static route 0.0.0.0/0 next-hop-vrf WAN_30
set protocols vrf SEG_202 static route 10.1.0.0/24 next-hop-vrf LAN_101
set protocols vrf WAN_30 static route 20.1.0.0/24 next-hop-vrf SEG_201
set protocols vrf WAN_30 static route 20.2.0.0/24 next-hop-vrf SEG_202
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf LAN_101
set system vrf SEG_201
set system vrf SEG_202
set system vrf WAN_30
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX1+ZFdr0xTxNc6KHTaCPKWfoDpFphKlHDh8=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type respond
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 20.1.0.1
set vpn ipsec site-to-site peer PEER301 remote-address %any
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type respond
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 20.2.0.1
set vpn ipsec site-to-site peer PEER302 remote-address %any
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302
Step 2: Set the following configuration in DUT1:
set interfaces dummy dum0 address 10.2.0.3/24
set interfaces ethernet eth0 address 30.0.0.3/24
set interfaces ethernet eth0 address 30.0.0.4/24
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm302 mtu 1400
set protocols static route 20.1.0.0/24 next-hop 30.0.0.1
set protocols static route 20.2.0.0/24 next-hop 30.0.0.1
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX1+A+FIp1la8zruj7yFyJVVjcJg1pQB0maY=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type initiate
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 30.0.0.3
set vpn ipsec site-to-site peer PEER301 remote-address 20.1.0.1
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type initiate
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 30.0.0.4
set vpn ipsec site-to-site peer PEER302 remote-address 20.2.0.1
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302
Step 3: Set the following configuration in DUT2:
set interfaces ethernet eth1 address 10.1.0.5/24
set protocols static route 10.2.0.0/24 next-hop 10.1.0.1
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Note
Check that the IPsec tunnels are established and the routes are installed. The routes should be installed in the VRF LAN_101.
Step 4: Run command protocols vrf LAN_101 ip show route at DUT0 and check if output matches the following regular expressions:
K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF LAN_101:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:07
C>* 10.1.0.0/24 is directly connected, eth1, weight 1, 00:00:07
L>* 10.1.0.1/32 is directly connected, eth1, weight 1, 00:00:07
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm302, weight 1, 00:00:01
  *                   is directly connected, xfrm301, weight 1, 00:00:01
Note
Check that both IPsec tunnels are established and that traffic steering works as expected: when the remote client connects at random through either of the two tunnels, the hub always replies through the tunnel on which the request arrived.
Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:
Deleting IPSec SAs...
100.0%
Closed tunnels: 2
Step 6: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:
admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3
Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.8.2
This system includes free software. Contact Teldat for licenses information and source code.
Last login: Tue Jan 27 10:34:50 2026 from 10.2.0.3
admin@osdx$
Step 7: Run command vpn ipsec show sa at DUT0 and expect this output:
vpn-peer-PEER301: #4, ESTABLISHED, IKEv2, 10c13de5edaf4bac_i a48f3d33639648c4_r*
  local  'test' @ 20.1.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 20306s
  peer-PEER301-tunnel-1: #4, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3296s, expires in 3959s
    in  c0445c45 (-|0x0000012e),   5136 bytes,    26 packets,     0s ago
    out ca0e5492 (-|0x0000012e),   4768 bytes,    20 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #3, ESTABLISHED, IKEv2, 2c4bd0adc510595f_i 7ff9c2f70a2d673c_r*
  local  'test' @ 20.2.0.1[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 15061s
  peer-PEER302-tunnel-1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3376s, expires in 3959s
    in  cecdc202 (-|0x0000012f),      0 bytes,     0 packets
    out c8d43fbe (-|0x0000012f),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
Step 8: Run command vpn ipsec clear sa at DUT0 and expect this output:
Deleting IPSec SAs...
100.0%
Closed tunnels: 2
Step 9: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:
admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3
Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.8.2
This system includes free software. Contact Teldat for licenses information and source code.
Last login: Tue Jan 27 10:35:14 2026 from 10.2.0.3
admin@osdx$
Step 10: Run command vpn ipsec show sa at DUT0 and expect this output:
vpn-peer-PEER302: #6, ESTABLISHED, IKEv2, 0801450b2c04854f_i 6b65a202280da70c_r*
  local  'test' @ 20.2.0.1[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 22350s
  peer-PEER302-tunnel-1: #6, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3387s, expires in 3959s
    in  c25764f9 (-|0x0000012f),   5096 bytes,    25 packets,     1s ago
    out c43f4696 (-|0x0000012f),   5268 bytes,    23 packets,     1s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #5, ESTABLISHED, IKEv2, 55b7e5ae24f3d677_i 8de2dce6d6cc8b44_r*
  local  'test' @ 20.1.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 21088s
  peer-PEER301-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3499s, expires in 3959s
    in  cce24451 (-|0x0000012e),      0 bytes,     0 packets
    out c33658eb (-|0x0000012e),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
Note
Test the traffic from the hub to the spoke. The difference is that the IPsec tunnel chosen by the hub is not always the same as the one chosen by the spoke, so if the spoke responds to the hub through the other tunnel, the hub must switch to the tunnel used by the spoke.
Step 11: Run command vpn ipsec clear sa at DUT0 and expect this output:
Deleting IPSec SAs...
100.0%
Closed tunnels: 2
Step 12: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:
admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5
Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.8.2
This system includes free software. Contact Teldat for licenses information and source code.
Last login: Tue Jan 27 10:34:51 2026 from 10.1.0.5
admin@osdx$
Step 13: Run command vpn ipsec show sa at DUT0 and expect this output:
vpn-peer-PEER301: #8, ESTABLISHED, IKEv2, d1cd42d13841960b_i 5c8791f28d428a75_r*
  local  'test' @ 20.1.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 25130s
  peer-PEER301-tunnel-1: #8, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3317s, expires in 3959s
    in  c09679e0 (-|0x0000012e),      0 bytes,     0 packets
    out ca0b18c6 (-|0x0000012e),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #7, ESTABLISHED, IKEv2, a3765293b75a5b8a_i 95a1c63c9bcf9952_r*
  local  'test' @ 20.2.0.1[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 26245s
  peer-PEER302-tunnel-1: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3247s, expires in 3959s
    in  cdbc7cfd (-|0x0000012f),   4988 bytes,    23 packets,     1s ago
    out c5c140da (-|0x0000012f),   5084 bytes,    25 packets,     1s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
Step 14: Run command vpn ipsec clear sa at DUT0 and expect this output:
Deleting IPSec SAs...
100.0%
Closed tunnels: 2
Step 15: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:
admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5
Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.8.2
This system includes free software. Contact Teldat for licenses information and source code.
Last login: Tue Jan 27 10:35:15 2026 from 10.1.0.5
admin@osdx$
Step 16: Run command vpn ipsec show sa at DUT0 and expect this output:
vpn-peer-PEER302: #10, ESTABLISHED, IKEv2, 75a54100d79a606e_i 60a5c199bc595852_r*
  local  'test' @ 20.2.0.1[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 24812s
  peer-PEER302-tunnel-1: #10, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3361s, expires in 3959s
    in  cd2e0c9e (-|0x0000012f),   4916 bytes,    22 packets,     0s ago
    out c3127da2 (-|0x0000012f),   5180 bytes,    27 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #9, ESTABLISHED, IKEv2, a49809d265e40147_i 317d1845ab779655_r*
  local  'test' @ 20.1.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 19059s
  peer-PEER301-tunnel-1: #9, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3456s, expires in 3959s
    in  c7ea86c3 (-|0x0000012e),      0 bytes,     0 packets
    out cc8dd716 (-|0x0000012e),     60 bytes,     1 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
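The notes in both test cases state what the `vpn ipsec show sa` outputs are meant to prove: with reverse traffic steering the hub answers on the tunnel the spoke's packets arrived on, and when the hub itself starts a session it may send a packet on the other tunnel before following the spoke's choice (visible in Step 16 above as 1 outbound packet on PEER301). The following Python, an added example that is not part of the test suite, parses the SA listing and turns that expectation into a check. The two sample inputs are copied from the Step 7 output of the first test case and the Step 16 output of the second, abridged to the header and counter lines the parser reads; the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Whitespace-tolerant patterns for the IKE SA header, the CHILD_SA header and
# the in/out ESP counter lines of the "vpn ipsec show sa" listing.
IKE_RE = re.compile(r"(?P<ike>vpn-peer-\S+?):\s+#\d+,\s+(?P<state>[A-Z_]+),\s+IKEv\d")
CHILD_RE = re.compile(r"(?P<child>peer-\S+?-tunnel-\d+):\s+#\d+,\s+reqid\s+(?P<reqid>\d+),"
                      r"\s+(?P<state>[A-Z_]+)")
CTR_RE = re.compile(r"\b(?P<dir>in|out)\s+(?P<spi>[0-9a-f]{8})\s+\([^)]*\),"
                    r"\s+(?P<bytes>\d+)\s+bytes,\s+(?P<pkts>\d+)\s+packets")

# Sample inputs from the test (abridged): spoke DUT1 opened the SSH session.
SPOKE_INITIATED = """\
vpn-peer-PEER301: #4, ESTABLISHED, IKEv2, 5b587d3a90cafe1e_i bd653da159412664_r*
  peer-PEER301-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    in  cd5f1ab9 (-|0x0000012e),      0 bytes,     0 packets
    out ccba3fae (-|0x0000012e),      0 bytes,     0 packets
vpn-peer-PEER302: #3, ESTABLISHED, IKEv2, 2300f4f757749717_i 7fb8fb28368a2072_r*
  peer-PEER302-tunnel-1: #3, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    in  ccf015df (-|0x0000012f),   5188 bytes,    27 packets,     0s ago
    out c5406e43 (-|0x0000012f),   4840 bytes,    21 packets,     0s ago
"""
# Hub-side DUT2 opened the session; the hub first tried PEER301, then switched.
HUB_INITIATED = """\
vpn-peer-PEER302: #10, ESTABLISHED, IKEv2, 75a54100d79a606e_i 60a5c199bc595852_r*
  peer-PEER302-tunnel-1: #10, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    in  cd2e0c9e (-|0x0000012f),   4916 bytes,    22 packets,     0s ago
    out c3127da2 (-|0x0000012f),   5180 bytes,    27 packets,     0s ago
vpn-peer-PEER301: #9, ESTABLISHED, IKEv2, a49809d265e40147_i 317d1845ab779655_r*
  peer-PEER301-tunnel-1: #9, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    in  c7ea86c3 (-|0x0000012e),      0 bytes,     0 packets
    out cc8dd716 (-|0x0000012e),     60 bytes,     1 packets,     0s ago
"""


@dataclass
class ChildSA:
    name: str
    ike: str
    ike_state: str
    state: str
    reqid: int
    in_bytes: int = 0
    in_packets: int = 0
    out_bytes: int = 0
    out_packets: int = 0


def parse_show_sa(text: str) -> Dict[str, ChildSA]:
    """Return the CHILD_SAs keyed by name, with their ESP byte/packet counters."""
    events = []
    for kind, rx in (("ike", IKE_RE), ("child", CHILD_RE), ("ctr", CTR_RE)):
        events += [(m.start(), kind, m) for m in rx.finditer(text)]
    events.sort(key=lambda e: e[0])  # walk the listing in document order
    ike_name = ike_state = ""
    current: Optional[ChildSA] = None
    children: Dict[str, ChildSA] = {}
    for _, kind, m in events:
        if kind == "ike":
            ike_name, ike_state = m["ike"], m["state"]
        elif kind == "child":
            current = ChildSA(m["child"], ike_name, ike_state, m["state"], int(m["reqid"]))
            children[current.name] = current
        elif current is not None:  # a counter line belongs to the last CHILD_SA seen
            if m["dir"] == "in":
                current.in_bytes, current.in_packets = int(m["bytes"]), int(m["pkts"])
            else:
                current.out_bytes, current.out_packets = int(m["bytes"]), int(m["pkts"])
    return children


def steering_report(text: str) -> dict:
    """Which tunnel carried the session, and did the hub keep its replies on it?"""
    sas = parse_show_sa(text)
    healthy = bool(sas) and all(
        c.ike_state == "ESTABLISHED" and c.state == "INSTALLED" for c in sas.values())
    inbound = [c for c in sas.values() if c.in_packets > 0]
    steered = inbound[0].name if len(inbound) == 1 else None  # the spoke's tunnel
    # Hub-originated packets sent before the hub followed the spoke's choice.
    stray_out = sum(c.out_packets for c in sas.values() if c.name != steered)
    kept = steered is not None and sas[steered].out_packets > stray_out
    return {"tunnels": len(sas), "healthy": healthy, "steered_tunnel": steered,
            "stray_out_packets": stray_out, "steering_ok": healthy and kept}


if __name__ == "__main__":
    print(steering_report(SPOKE_INITIATED))  # steered_tunnel peer-PEER302-tunnel-1, 0 stray
    print(steering_report(HUB_INITIATED))    # steered_tunnel peer-PEER302-tunnel-1, 1 stray
```

The decisive signal is the inbound counter: exactly one CHILD_SA must receive packets, and the hub's outbound traffic must be concentrated on that same SA. A listing in which both tunnels show inbound packets, or in which most replies leave on a tunnel other than the one that received the request, means steering did not behave as the notes describe.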