Backup-Tunnel

This scenario shows how to configure two IPsec VPN tunnels on an OSDx device: one acts as the main tunnel and the other as a backup. As soon as the device detects that the main tunnel's peer is no longer reachable, it starts sending traffic through the backup tunnel.

Figure: backup-tunnel.svg

Test Site-To-Site With Backup Tunnel

Description

VPN site-to-site configuration that creates a backup tunnel which is activated when the main one is not reachable. All peers authenticate with a pre-shared key under wildcard (%any) identities, which keeps the lab configuration short; outside a test bench the peers should be pinned to explicit identities.

Scenario

Attention

This scenario uses the packet mark to select the VPN tunnel. An NSM ICMP probe against the main peer (80.0.0.2) raises the alarm MAIN_OFF when the probe's packet loss reaches the activate threshold of 80%; the advisor MAIN_NOT_REACHABLE tests that alarm, and a local-out traffic policy on dum0 sets mark 4321 (the mark carried by the CHILD-BACKUP esp-group) while the advisor is active and mark 1234 (CHILD-MAIN) otherwise. Both tunnels stay established the whole time, so the failover only changes which SA the marked traffic matches. Note that the probe measures reachability of the peer's IKE endpoint, not the health of the IPsec SA itself.

The configuration lines that implement this selection (from DUT0):
set system alarm MAIN_OFF
set system advisor MAIN_NOT_REACHABLE test MAIN_OFF
set service nsm operation BACKUP_PROBE alarm MAIN_OFF activate loss 80
set service nsm operation BACKUP_PROBE destination-address 80.0.0.2
set service nsm operation BACKUP_PROBE interval 3
set service nsm operation BACKUP_PROBE type icmp
set traffic policy PBR rule 1 set mark 4321
set traffic policy PBR rule 1 advisor MAIN_NOT_REACHABLE
set traffic policy PBR rule 2 set mark 1234
set interfaces dummy dum0 traffic policy local-out PBR

Step 1: Set the following configuration in DUT1:

set interfaces dummy dum0 address 10.3.0.1/24
set interfaces ethernet eth0 address 80.0.0.2/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX18iQE9mtIOP7SUBzHUtQfUhjgYCNwlQ3gE=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24

Step 2: Set the following configuration in DUT2:

set interfaces dummy dum0 address 10.3.0.1/24
set interfaces ethernet eth0 address 80.0.0.3/24
set protocols static route 0.0.0.0/0 interface dum0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX18fZoegdKXa7IwHsMkYXKhUe/25ZoudLkU=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER ike-group IKE-SA
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24

Step 3: Set the following configuration in DUT0:

set interfaces dummy dum0 address 10.1.0.1/24
set interfaces dummy dum0 traffic policy local-out PBR
set interfaces ethernet eth0 address 80.0.0.1/24
set protocols static route 0.0.0.0/0 interface dum0
set service nsm operation BACKUP_PROBE alarm MAIN_OFF activate loss 80
set service nsm operation BACKUP_PROBE destination-address 80.0.0.2
set service nsm operation BACKUP_PROBE interval 3
set service nsm operation BACKUP_PROBE type icmp
set system advisor MAIN_NOT_REACHABLE test MAIN_OFF
set system alarm MAIN_OFF
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy PBR rule 1 advisor MAIN_NOT_REACHABLE
set traffic policy PBR rule 1 set mark 4321
set traffic policy PBR rule 2 set mark 1234
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX199e28UEor86Q3PtpZ3z7bB62c5uzarpPk=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-BACKUP mark-in 4321
set vpn ipsec esp-group CHILD-BACKUP mark-out 4321
set vpn ipsec esp-group CHILD-BACKUP proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-BACKUP proposal 1 pfs dh-group19
set vpn ipsec esp-group CHILD-MAIN mark-in 1234
set vpn ipsec esp-group CHILD-MAIN mark-out 1234
set vpn ipsec esp-group CHILD-MAIN proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-MAIN proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer BACKUP auth-profile AUTH-SA
set vpn ipsec site-to-site peer BACKUP connection-type initiate
set vpn ipsec site-to-site peer BACKUP default-esp-group CHILD-BACKUP
set vpn ipsec site-to-site peer BACKUP ike-group IKE-SA
set vpn ipsec site-to-site peer BACKUP remote-address 80.0.0.3
set vpn ipsec site-to-site peer BACKUP tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer BACKUP tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer BACKUP tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer MAIN auth-profile AUTH-SA
set vpn ipsec site-to-site peer MAIN connection-type initiate
set vpn ipsec site-to-site peer MAIN default-esp-group CHILD-MAIN
set vpn ipsec site-to-site peer MAIN ike-group IKE-SA
set vpn ipsec site-to-site peer MAIN remote-address 80.0.0.2
set vpn ipsec site-to-site peer MAIN tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer MAIN tunnel 1 local-interface dum0
set vpn ipsec site-to-site peer MAIN tunnel 1 remote prefix 0.0.0.0/0
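The failover depends on three independent parts of DUT0's configuration agreeing on the same names and numbers: the marks set by the traffic policy, the marks carried by the esp-groups (and the peers those esp-groups are bound to), and the advisor, alarm and NSM probe chain. A mismatch fails silently, because marked packets are then matched by neither tunnel's IPsec policy and fall through to plain routing. The following Python script is an added example, not OSDx code: it parses the relevant `set` lines above and reports broken links in that chain, and works out which peer local-out traffic reaches with the advisor active or inactive. The embedded configuration is the subset of DUT0's Step 3 lines the checker inspects; the checks, their wording and the assumption that the first matching policy rule wins are this example's own.

```python
"""Consistency check for mark-based IPsec failover (added example, not OSDx
code).  The config is the subset of DUT0's Step 3 lines that the checker
inspects; the checks, their wording and the first-match-wins rule
assumption are this example's own."""
import re

DUT0_CONFIG = """\
set interfaces dummy dum0 traffic policy local-out PBR
set service nsm operation BACKUP_PROBE alarm MAIN_OFF activate loss 80
set system advisor MAIN_NOT_REACHABLE test MAIN_OFF
set system alarm MAIN_OFF
set traffic policy PBR rule 1 advisor MAIN_NOT_REACHABLE
set traffic policy PBR rule 1 set mark 4321
set traffic policy PBR rule 2 set mark 1234
set vpn ipsec esp-group CHILD-BACKUP mark-in 4321
set vpn ipsec esp-group CHILD-BACKUP mark-out 4321
set vpn ipsec esp-group CHILD-MAIN mark-in 1234
set vpn ipsec esp-group CHILD-MAIN mark-out 1234
set vpn ipsec site-to-site peer BACKUP default-esp-group CHILD-BACKUP
set vpn ipsec site-to-site peer MAIN default-esp-group CHILD-MAIN
"""

PATTERNS = {  # kind -> regex over one `set ...` line
    "rule_mark": r"set traffic policy (\S+) rule (\d+) set mark (\d+)",
    "rule_advisor": r"set traffic policy (\S+) rule (\d+) advisor (\S+)",
    "esp_mark": r"set vpn ipsec esp-group (\S+) mark-(in|out) (\d+)",
    "peer_esp": r"set vpn ipsec site-to-site peer (\S+) default-esp-group (\S+)",
    "advisor": r"set system advisor (\S+) test (\S+)",
    "alarm": r"set system alarm (\S+)",
    "probe_alarm": r"set service nsm operation (\S+) alarm (\S+) activate .*",
    "policy_if": r"set interfaces \S+ (\S+) traffic policy local-out (\S+)",
}


def parse_config(text):
    """{kind: [regex groups per matching line]}."""
    parsed = {k: [] for k in PATTERNS}
    for line in text.splitlines():
        for kind, pat in PATTERNS.items():
            if m := re.fullmatch(pat, line.strip()):
                parsed[kind].append(m.groups())
    return parsed


def check_failover_config(text):
    """Sorted findings; empty means policy -> mark -> esp-group -> peer and
    rule -> advisor -> alarm -> probe are both complete chains."""
    cfg, findings, esp_marks = parse_config(text), [], {}
    for grp, direction, mark in cfg["esp_mark"]:
        esp_marks.setdefault(grp, {})[direction] = int(mark)
    peer_of_esp = {esp: peer for peer, esp in cfg["peer_esp"]}
    for grp, marks in esp_marks.items():
        if marks.get("in") != marks.get("out"):
            findings.append(f"esp-group {grp}: mark-in and mark-out differ")
        if grp not in peer_of_esp:
            findings.append(f"esp-group {grp}: not the default-esp-group of any peer")
    mark_to_esp = {m["out"]: g for g, m in esp_marks.items() if "out" in m}
    for policy, rule, mark in cfg["rule_mark"]:
        if int(mark) not in mark_to_esp:
            findings.append(f"policy {policy} rule {rule}: mark {mark} selects no esp-group")
    advisors = dict(cfg["advisor"])
    alarms = {a for (a,) in cfg["alarm"]}
    raised = {alarm for _, alarm in cfg["probe_alarm"]}
    for policy, rule, adv in cfg["rule_advisor"]:
        if adv not in advisors:
            findings.append(f"policy {policy} rule {rule}: advisor {adv} undefined")
        elif advisors[adv] not in alarms:
            findings.append(f"advisor {adv}: tests undefined alarm {advisors[adv]}")
        elif advisors[adv] not in raised:
            findings.append(f"alarm {advisors[adv]}: no nsm operation raises it")
    attached = {policy for _, policy in cfg["policy_if"]}
    for policy in {p for p, _, _ in cfg["rule_mark"]}:
        if policy not in attached:
            findings.append(f"policy {policy}: not applied to any interface")
    return sorted(findings)


def selected_peer(text, active_advisors):
    """Peer whose SA local-out traffic hits, given the set of advisors that
    are currently active.  Assumes the first matching rule wins and that a
    rule without an advisor always matches."""
    cfg = parse_config(text)
    rule_adv = {(p, r): a for p, r, a in cfg["rule_advisor"]}
    esp_by_mark = {int(m): g for g, d, m in cfg["esp_mark"] if d == "out"}
    peer_of_esp = {esp: peer for peer, esp in cfg["peer_esp"]}
    for policy, rule, mark in sorted(cfg["rule_mark"], key=lambda t: int(t[1])):
        adv = rule_adv.get((policy, rule))
        if adv is None or adv in active_advisors:
            return peer_of_esp.get(esp_by_mark.get(int(mark)))
    return None


if __name__ == "__main__":
    print(check_failover_config(DUT0_CONFIG) or "config consistent")
    print("main reachable ->", selected_peer(DUT0_CONFIG, set()))
    print("main down      ->", selected_peer(DUT0_CONFIG, {"MAIN_NOT_REACHABLE"}))
```

Run it against a saved `show configuration commands` dump before committing a change to either esp-group: a single typo in one mark-out produces two findings (the esp-group's own in/out mismatch and a policy rule that now selects no esp-group), which is exactly the situation that would otherwise only show up as a tunnel with zero packets after failover.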

Step 4: Ping IP address 80.0.0.2 from DUT0:

admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data.
64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.282 ms

--- 80.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.282/0.282/0.282/0.000 ms

Step 5: Ping IP address 80.0.0.3 from DUT0:

admin@DUT0$ ping 80.0.0.3 count 1 size 56 timeout 1
PING 80.0.0.3 (80.0.0.3) 56(84) bytes of data.
64 bytes from 80.0.0.3: icmp_seq=1 ttl=64 time=0.316 ms

--- 80.0.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.316/0.316/0.316/0.000 ms

Step 6: Run command vpn ipsec show sa at DUT0 and check if output contains the following tokens:

80.0.0.2
80.0.0.3
vpn-peer-MAIN: #2, ESTABLISHED, IKEv2, dcb907a4e382162c_i* 400fab141636efb3_r
  local  '80.0.0.1' @ 80.0.0.1[4500]
  remote '80.0.0.2' @ 80.0.0.2[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 20844s
  peer-MAIN-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3264s, expires in 3959s
    in  c260cac2 (0x000004d2),      0 bytes,     0 packets
    out c9947ce2 (0x000004d2),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24
vpn-peer-BACKUP: #1, ESTABLISHED, IKEv2, 0079f223e73e706c_i* 98d84f3f882c2c1b_r
  local  '80.0.0.1' @ 80.0.0.1[4500]
  remote '80.0.0.3' @ 80.0.0.3[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 14583s
  peer-BACKUP-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3307s, expires in 3959s
    in  c49a8f03 (0x000010e1),      0 bytes,     0 packets
    out c30343e4 (0x000010e1),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.3.0.0/24

Step 7: Ping IP address 10.3.0.1 from DUT0:

admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data.
64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.377 ms

--- 10.3.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.377/0.377/0.377/0.000 ms

Step 8: Run command vpn ipsec show sa remote 80.0.0.2 at DUT0 and check if output matches the following regular expressions:

[1-9]\d? packets
vpn-peer-MAIN: #2, ESTABLISHED, IKEv2, dcb907a4e382162c_i* 400fab141636efb3_r
  local  '80.0.0.1' @ 80.0.0.1[4500]
  remote '80.0.0.2' @ 80.0.0.2[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 20844s
  peer-MAIN-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3264s, expires in 3959s
    in  c260cac2 (0x000004d2),     84 bytes,     1 packets,     0s ago
    out c9947ce2 (0x000004d2),     84 bytes,     1 packets,     0s ago
    local  10.1.0.0/24
    remote 10.3.0.0/24

Step 9: Modify the following configuration lines in DUT1 (this takes the MAIN peer's IKE endpoint, 80.0.0.2, off the network; BACKUP_PROBE then sees ICMP loss, raises MAIN_OFF and activates the advisor, which takes a few probe intervals):

set interfaces ethernet eth0 disable

Step 10: Ping IP address 10.3.0.1 from DUT0:

admin@DUT0$ ping 10.3.0.1 local-address 10.1.0.1 count 1 size 56 timeout 1
PING 10.3.0.1 (10.3.0.1) from 10.1.0.1 : 56(84) bytes of data.
64 bytes from 10.3.0.1: icmp_seq=1 ttl=64 time=0.275 ms

--- 10.3.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.275/0.275/0.275/0.000 ms

Step 11: Run command vpn ipsec show sa remote 80.0.0.3 at DUT0 and check if output matches the following regular expressions:

[1-9]\d? packets
vpn-peer-BACKUP: #1, ESTABLISHED, IKEv2, 0079f223e73e706c_i* 98d84f3f882c2c1b_r
  local  '80.0.0.1' @ 80.0.0.1[4500]
  remote '80.0.0.3' @ 80.0.0.3[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 8s ago, rekeying in 14576s
  peer-BACKUP-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    installed 8s ago, rekeying in 3300s, expires in 3952s
    in  c49a8f03 (0x000010e1),     84 bytes,     1 packets,     0s ago
    out c30343e4 (0x000010e1),     84 bytes,     1 packets,     0s ago
    local  10.1.0.0/24
    remote 10.3.0.0/24
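Steps 6, 8 and 11 verify the failover by eye, looking for non-zero packet counters on the right SA. The script below is an added example, not part of OSDx: it parses `vpn ipsec show sa` output into a dictionary and compares two snapshots, so the same check can be scripted. The peer whose ESP counters moved between the snapshots is the one carrying traffic, and each SA's mark (the hexadecimal value in parentheses after the SPI) is compared with the mark its esp-group is configured with. The embedded snapshots are the Step 6, 8 and 11 outputs from this page, trimmed to the lines the parser reads; the parser and its field names are this example's own.

```python
"""Parse OSDx `vpn ipsec show sa` output and find which tunnel carried
traffic between two snapshots.  Added example, not OSDx code: the sample
outputs are copied from the scenario, the parser and its field names are
this example's own."""
import re

IKE_RE = re.compile(r"^vpn-peer-(\S+): #\d+, (\w+), IKEv\d")
REMOTE_RE = re.compile(r"^\s+remote '[^']*' @ ([\d.]+)\[\d+\]")
CHILD_RE = re.compile(r"^\s+(peer-\S+-tunnel-\d+): #\d+, reqid \d+, (\w+),")
CTR_RE = re.compile(
    r"^\s+(in|out)\s+([0-9a-f]{8}) \((0x[0-9a-f]+)\),\s+\d+ bytes,\s+(\d+) packets")


def parse_show_sa(text):
    """{peer: {"state", "remote", "children": {child: {mark, spi_*, packets_*}}}}."""
    peers, peer, child = {}, None, None
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            peer = peers.setdefault(m[1], {"state": m[2], "remote": "", "children": {}})
            child = None
        elif peer is not None and (m := REMOTE_RE.match(line)):
            peer["remote"] = m[1]
        elif peer is not None and (m := CHILD_RE.match(line)):
            child = peer["children"].setdefault(m[1], {"state": m[2], "mark": 0})
        elif child is not None and (m := CTR_RE.match(line)):
            child["mark"] = int(m[3], 16)   # fwmark the policy must set for this SA
            child[f"spi_{m[1]}"] = m[2]
            child[f"packets_{m[1]}"] = int(m[4])
    return peers


def packet_delta(before, after):
    """(in, out) packets added per peer between two snapshots; peers or
    child SAs missing from either snapshot are skipped rather than guessed."""
    delta = {}
    for name, p in after.items():
        if name not in before:
            continue
        old, din, dout = before[name]["children"], 0, 0
        for cname, c in p["children"].items():
            if cname in old:
                din += c.get("packets_in", 0) - old[cname].get("packets_in", 0)
                dout += c.get("packets_out", 0) - old[cname].get("packets_out", 0)
        delta[name] = (din, dout)
    return delta


def peers_carrying_traffic(before, after):
    """Peers whose ESP counters moved; after one ping exactly one should."""
    return sorted(n for n, (i, o) in packet_delta(before, after).items() if i or o)


def check_marks(peers, expected):
    """True per peer when every child SA carries the mark its esp-group sets."""
    return {n: all(c["mark"] == expected[n] for c in p["children"].values())
            for n, p in peers.items() if n in expected}


# Step 6 snapshot (both tunnels up, no traffic yet), trimmed to parsed lines.
STEP6 = """\
vpn-peer-MAIN: #2, ESTABLISHED, IKEv2, dcb907a4e382162c_i* 400fab141636efb3_r
  local  '80.0.0.1' @ 80.0.0.1[4500]
  remote '80.0.0.2' @ 80.0.0.2[4500]
  peer-MAIN-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    in  c260cac2 (0x000004d2),      0 bytes,     0 packets
    out c9947ce2 (0x000004d2),      0 bytes,     0 packets
vpn-peer-BACKUP: #1, ESTABLISHED, IKEv2, 0079f223e73e706c_i* 98d84f3f882c2c1b_r
  remote '80.0.0.3' @ 80.0.0.3[4500]
  peer-BACKUP-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    in  c49a8f03 (0x000010e1),      0 bytes,     0 packets
    out c30343e4 (0x000010e1),      0 bytes,     0 packets
"""
# Step 8 (after the first ping) and Step 11 (after DUT1's eth0 was disabled).
STEP8 = """\
vpn-peer-MAIN: #2, ESTABLISHED, IKEv2, dcb907a4e382162c_i* 400fab141636efb3_r
  remote '80.0.0.2' @ 80.0.0.2[4500]
  peer-MAIN-tunnel-1: #2, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    in  c260cac2 (0x000004d2),     84 bytes,     1 packets,     0s ago
    out c9947ce2 (0x000004d2),     84 bytes,     1 packets,     0s ago
"""
STEP11 = """\
vpn-peer-BACKUP: #1, ESTABLISHED, IKEv2, 0079f223e73e706c_i* 98d84f3f882c2c1b_r
  remote '80.0.0.3' @ 80.0.0.3[4500]
  peer-BACKUP-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    in  c49a8f03 (0x000010e1),     84 bytes,     1 packets,     0s ago
    out c30343e4 (0x000010e1),     84 bytes,     1 packets,     0s ago
"""
# Marks configured on DUT0: CHILD-MAIN 1234 (0x4d2), CHILD-BACKUP 4321 (0x10e1).
EXPECTED_MARKS = {"MAIN": 1234, "BACKUP": 4321}

if __name__ == "__main__":
    base = parse_show_sa(STEP6)
    print("before failover:", peers_carrying_traffic(base, parse_show_sa(STEP8)))
    print("after failover: ", peers_carrying_traffic(base, parse_show_sa(STEP11)))
    print("marks match:", check_marks(base, EXPECTED_MARKS))
```

Diffing counters instead of looking for a single non-zero value is what makes the check repeatable: once both SAs have seen traffic, only the delta tells you which one the marked packets are hitting now, and the mark comparison catches the case where the SA came up but with a mark the policy never sets.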