Xfrm-Interface
Test suite to check IPsec with xfrm interface
Test IPsec With Multipath XFRM Interfaces
Description
DUT0 and DUT1 are connected to each other through multiple IPsec tunnels with the same local and remote prefixes.
In this test case, we will check IPsec tunnels are correctly installing through two peers directly connected to the DUT0 and DUT1 devices.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 30.0.0.1/24 set interfaces ethernet eth0 address 30.0.0.2/24 set interfaces ethernet eth0 vrf WAN_30 set interfaces ethernet eth1 address 10.1.0.1/24 set interfaces ethernet eth1 vrf LAN_101 set interfaces xfrm xfrm301 local-interface eth0 set interfaces xfrm xfrm301 mtu 1400 set interfaces xfrm xfrm301 multipath traffic-steering reverse set interfaces xfrm xfrm301 vrf LAN_101 set interfaces xfrm xfrm302 local-interface eth0 set interfaces xfrm xfrm302 mtu 1400 set interfaces xfrm xfrm302 multipath traffic-steering reverse set interfaces xfrm xfrm302 vrf LAN_101 set protocols vrf WAN_30 static route 10.1.0.0/24 next-hop-vrf LAN_101 set service ssh set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf LAN_101 set system vrf WAN_30 set system vrf main set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX1/Mh78t5EICPpty99QL+ScxXqZcVNDoKtk= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER301 connection-type respond set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA set vpn ipsec site-to-site peer PEER301 local-address 30.0.0.1 set vpn ipsec site-to-site peer PEER301 remote-address %any set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes LAN_101 set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 0.0.0.0/0 set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301 set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER302 connection-type respond set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA set vpn ipsec site-to-site peer PEER302 local-address 30.0.0.2 set vpn ipsec site-to-site peer PEER302 remote-address %any set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes LAN_101 set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 0.0.0.0/0 set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.3/24 set interfaces ethernet eth0 address 30.0.0.3/24 set interfaces ethernet eth0 address 30.0.0.4/24 set interfaces xfrm xfrm301 mtu 1400 set interfaces xfrm xfrm302 mtu 1400 set service ssh set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf main set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX19AI0p/rRQzPNQdXSafd2mTb1dz0i1vdGE= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER301 connection-type initiate set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA set vpn ipsec site-to-site peer PEER301 local-address 30.0.0.3 set vpn ipsec site-to-site peer PEER301 remote-address 30.0.0.1 set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301 set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER302 connection-type initiate set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA set vpn ipsec site-to-site peer PEER302 local-address 30.0.0.4 set vpn ipsec site-to-site peer PEER302 remote-address 30.0.0.2 set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302
Step 3: Set the following configuration in DUT2 :
set interfaces ethernet eth1 address 10.1.0.5/24 set protocols static route 10.2.0.0/24 next-hop 10.1.0.1 set service ssh set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Note
Check that the IPsec tunnels are established and the routes are installed. The routes should be installed in the VRF LAN_101.
Step 4: Run command protocols vrf LAN_101 ip show route at DUT0 and check if output matches the following regular expressions:
K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+Show output
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure IPv4 unicast VRF LAN_101: K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:07 C>* 10.1.0.0/24 is directly connected, eth1, weight 1, 00:00:06 L>* 10.1.0.1/32 is directly connected, eth1, weight 1, 00:00:06 K>* 10.2.0.0/24 [0/0] is directly connected, xfrm302, weight 1, 00:00:01 * is directly connected, xfrm301, weight 1, 00:00:01
Note
Check that both IPsec tunnels are established and traffic steering is working as expected. Once the remote client is trying to connect randomly from either of the two tunnels, hub always responds with the same tunnel.
Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 2
Step 6: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:
admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3Show output
Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts. admin@10.1.0.5's password: Welcome to Teldat OSDx v4.2.8.5 This system includes free software. Contact Teldat for licenses information and source code. Last login: Fri Mar 20 08:26:12 2026 admin@osdx$
Step 7: Run command vpn ipsec show sa at DUT0 and expect this output:
Show output
vpn-peer-PEER301: #4, ESTABLISHED, IKEv2, f8173faf42864e5a_i 42844be6972430f2_r* local 'test' @ 30.0.0.1[500] remote 'test' @ 30.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 20736s peer-PEER301-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3330s, expires in 3960s in c5c83a35 (-|0x0000012e), 5032 bytes, 24 packets, 0s ago out c4421ca5 (-|0x0000012e), 4928 bytes, 22 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24 vpn-peer-PEER302: #3, ESTABLISHED, IKEv2, 5799889b42262000_i 7f31cfb88d5ce3c6_r* local 'test' @ 30.0.0.2[500] remote 'test' @ 30.0.0.4[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 23695s peer-PEER302-tunnel-1: #3, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3273s, expires in 3960s in c9a4f160 (-|0x0000012f), 0 bytes, 0 packets out cb1513a9 (-|0x0000012f), 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 8: Run command vpn ipsec clear sa at DUT0 and expect this output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 2
Step 9: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:
admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3Show output
Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts. admin@10.1.0.5's password: Welcome to Teldat OSDx v4.2.8.5 This system includes free software. Contact Teldat for licenses information and source code. Last login: Fri Mar 20 08:52:18 2026 from 10.2.0.3 admin@osdx$
Step 10: Run command vpn ipsec show sa at DUT0 and expect this output:
Show output
vpn-peer-PEER302: #6, ESTABLISHED, IKEv2, 97e963f4bf204801_i c73d562a86d46afb_r* local 'test' @ 30.0.0.2[500] remote 'test' @ 30.0.0.4[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 27693s peer-PEER302-tunnel-1: #6, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3441s, expires in 3960s in c8468d63 (-|0x0000012f), 5032 bytes, 24 packets, 0s ago out ca86beb3 (-|0x0000012f), 4944 bytes, 22 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24 vpn-peer-PEER301: #5, ESTABLISHED, IKEv2, 1e2b2cd821fef27c_i f834e9c4d3a8893e_r* local 'test' @ 30.0.0.1[500] remote 'test' @ 30.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 24628s peer-PEER301-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3352s, expires in 3960s in ca516a85 (-|0x0000012e), 0 bytes, 0 packets out c82186f4 (-|0x0000012e), 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Note
Testing the traffic from the hub to the spoke. The difference is that the IPsec tunnel chosen by the hub not always the same as the one chosen by the spoke. So if the spoke responds to the hub through the another tunnel, the hub needs to change the tunnel to the one used by the spoke.
Step 11: Run command vpn ipsec clear sa at DUT0 and expect this output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 2
Step 12: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:
admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5Show output
Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts. admin@10.2.0.3's password: Welcome to Teldat OSDx v4.2.8.5 This system includes free software. Contact Teldat for licenses information and source code. Last login: Fri Mar 20 08:20:47 2026 admin@osdx$
Step 13: Run command vpn ipsec show sa at DUT0 and expect this output:
Show output
vpn-peer-PEER302: #7, ESTABLISHED, IKEv2, 01d9d2fecf83ee0b_i e9bbd6a7d0d6c4a2_r* local 'test' @ 30.0.0.2[500] remote 'test' @ 30.0.0.4[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 22727s peer-PEER302-tunnel-1: #7, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3334s, expires in 3959s in cfa16581 (-|0x0000012f), 4920 bytes, 22 packets, 0s ago out c73bae19 (-|0x0000012f), 5024 bytes, 24 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24 vpn-peer-PEER301: #8, ESTABLISHED, IKEv2, e0058b1700cd9aaa_i 4a908a64e026a661_r* local 'test' @ 30.0.0.1[500] remote 'test' @ 30.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 28100s peer-PEER301-tunnel-1: #8, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3249s, expires in 3959s in c8bfbde5 (-|0x0000012e), 0 bytes, 0 packets out c8a40640 (-|0x0000012e), 60 bytes, 1 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 14: Run command vpn ipsec clear sa at DUT0 and expect this output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 2
Step 15: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:
admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5Show output
Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts. admin@10.2.0.3's password: Welcome to Teldat OSDx v4.2.8.5 This system includes free software. Contact Teldat for licenses information and source code. Last login: Fri Mar 20 08:52:19 2026 from 10.1.0.5 admin@osdx$
Step 16: Run command vpn ipsec show sa at DUT0 and expect this output:
Show output
vpn-peer-PEER301: #10, ESTABLISHED, IKEv2, aafbc697df98e655_i 46f4d8d129b4c10b_r* local 'test' @ 30.0.0.1[500] remote 'test' @ 30.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 18066s peer-PEER301-tunnel-1: #10, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3306s, expires in 3959s in c178a5bc (-|0x0000012e), 4916 bytes, 22 packets, 0s ago out c1f5d47a (-|0x0000012e), 5076 bytes, 25 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24 vpn-peer-PEER302: #9, ESTABLISHED, IKEv2, 0d4d5174a55d6c06_i 8dd24d417c3ed23b_r* local 'test' @ 30.0.0.2[500] remote 'test' @ 30.0.0.4[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 15662s peer-PEER302-tunnel-1: #9, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3432s, expires in 3959s in c95d7cd7 (-|0x0000012f), 0 bytes, 0 packets out c585203e (-|0x0000012f), 60 bytes, 1 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Test IPsec With Multipath XFRM Interfaces And VRFs
Description
The difference here is that the hub peer has its addresses behind the VRFs, it is not directly connected like in the previous test case.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces dummy dum1 address 20.1.0.1/24 set interfaces dummy dum1 vrf SEG_201 set interfaces dummy dum2 address 20.2.0.1/24 set interfaces dummy dum2 vrf SEG_202 set interfaces ethernet eth0 address 30.0.0.1/24 set interfaces ethernet eth0 vrf WAN_30 set interfaces ethernet eth1 address 10.1.0.1/24 set interfaces ethernet eth1 vrf LAN_101 set interfaces xfrm xfrm301 local-interface dum1 set interfaces xfrm xfrm301 mtu 1400 set interfaces xfrm xfrm301 multipath traffic-steering reverse set interfaces xfrm xfrm301 vrf LAN_101 set interfaces xfrm xfrm302 local-interface dum2 set interfaces xfrm xfrm302 mtu 1400 set interfaces xfrm xfrm302 multipath traffic-steering reverse set interfaces xfrm xfrm302 vrf LAN_101 set protocols vrf SEG_201 static route 0.0.0.0/0 next-hop-vrf WAN_30 set protocols vrf SEG_201 static route 10.1.0.0/24 next-hop-vrf LAN_101 set protocols vrf SEG_202 static route 0.0.0.0/0 next-hop-vrf WAN_30 set protocols vrf SEG_202 static route 10.1.0.0/24 next-hop-vrf LAN_101 set protocols vrf WAN_30 static route 20.1.0.0/24 next-hop-vrf SEG_201 set protocols vrf WAN_30 static route 20.2.0.0/24 next-hop-vrf SEG_202 set service ssh set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf LAN_101 set system vrf SEG_201 set system vrf SEG_202 set system vrf WAN_30 set system vrf main set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX1/2yighLkJpZLFGJnPVIYPK4GsN6vY+lO0= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER301 connection-type respond set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA set vpn ipsec site-to-site peer PEER301 local-address 20.1.0.1 set vpn ipsec site-to-site peer PEER301 remote-address %any set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes LAN_101 set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 0.0.0.0/0 set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301 set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER302 connection-type respond set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA set vpn ipsec site-to-site peer PEER302 local-address 20.2.0.1 set vpn ipsec site-to-site peer PEER302 remote-address %any set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes LAN_101 set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 0.0.0.0/0 set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.2.0.3/24 set interfaces ethernet eth0 address 30.0.0.3/24 set interfaces ethernet eth0 address 30.0.0.4/24 set interfaces xfrm xfrm301 mtu 1400 set interfaces xfrm xfrm302 mtu 1400 set protocols static route 20.1.0.0/24 next-hop 30.0.0.1 set protocols static route 20.2.0.0/24 next-hop 30.0.0.1 set service ssh set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf main set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX18+RA6U/HvPEFWxUsbst+aYfDnZA0NoZEY= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER301 connection-type initiate set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA set vpn ipsec site-to-site peer PEER301 local-address 30.0.0.3 set vpn ipsec site-to-site peer PEER301 remote-address 20.1.0.1 set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301 set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER302 connection-type initiate set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA set vpn ipsec site-to-site peer PEER302 local-address 30.0.0.4 set vpn ipsec site-to-site peer PEER302 remote-address 20.2.0.1 set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.2.0.0/24 set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302
Step 3: Set the following configuration in DUT2 :
set interfaces ethernet eth1 address 10.1.0.5/24 set protocols static route 10.2.0.0/24 next-hop 10.1.0.1 set service ssh set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Note
Check that the IPsec tunnels are established and the routes are installed. The routes should be installed in the VRF LAN_101.
Step 4: Run command protocols vrf LAN_101 ip show route at DUT0 and check if output matches the following regular expressions:
K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+Show output
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure IPv4 unicast VRF LAN_101: K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:07 C>* 10.1.0.0/24 is directly connected, eth1, weight 1, 00:00:06 L>* 10.1.0.1/32 is directly connected, eth1, weight 1, 00:00:06 K>* 10.2.0.0/24 [0/0] is directly connected, xfrm302, weight 1, 00:00:01 * is directly connected, xfrm301, weight 1, 00:00:01
Note
Check that both IPsec tunnels are established and traffic steering is working as expected. Once the remote client is trying to connect randomly from either of the two tunnels, hub always responds with the same tunnel.
Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 2
Step 6: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:
admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3Show output
Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts. admin@10.1.0.5's password: Welcome to Teldat OSDx v4.2.8.5 This system includes free software. Contact Teldat for licenses information and source code. Last login: Fri Mar 20 08:52:18 2026 from 10.2.0.3 admin@osdx$
Step 7: Run command vpn ipsec show sa at DUT0 and expect this output:
Show output
vpn-peer-PEER301: #3, ESTABLISHED, IKEv2, f2157c6f27155d8e_i 632666c3ec4737da_r* local 'test' @ 20.1.0.1[500] remote 'test' @ 30.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 17756s peer-PEER301-tunnel-1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3570s, expires in 3959s in c044de20 (-|0x0000012e), 5032 bytes, 24 packets, 0s ago out c05df5cb (-|0x0000012e), 4864 bytes, 21 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24 vpn-peer-PEER302: #4, ESTABLISHED, IKEv2, 3fba61a7899abbb9_i 74734761b78192c0_r* local 'test' @ 20.2.0.1[500] remote 'test' @ 30.0.0.4[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 28357s peer-PEER302-tunnel-1: #4, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3247s, expires in 3959s in c3200f1e (-|0x0000012f), 0 bytes, 0 packets out c01dab94 (-|0x0000012f), 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Step 8: Run command vpn ipsec clear sa at DUT0 and expect this output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 2
Step 9: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:
admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3Show output
Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts. admin@10.1.0.5's password: Welcome to Teldat OSDx v4.2.8.5 This system includes free software. Contact Teldat for licenses information and source code. Last login: Fri Mar 20 08:52:39 2026 from 10.2.0.3 admin@osdx$
Step 10: Run command vpn ipsec show sa at DUT0 and expect this output:
Show output
vpn-peer-PEER301: #5, ESTABLISHED, IKEv2, d992391b0059770c_i c1f05a38c160ed46_r* local 'test' @ 20.1.0.1[500] remote 'test' @ 30.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 19151s peer-PEER301-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3303s, expires in 3959s in cee501c6 (-|0x0000012e), 5032 bytes, 24 packets, 0s ago out c9940fe5 (-|0x0000012e), 4944 bytes, 22 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24 vpn-peer-PEER302: #6, ESTABLISHED, IKEv2, 8edb120aa7951535_i cda8deb1f90059af_r* local 'test' @ 20.2.0.1[500] remote 'test' @ 30.0.0.4[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 16455s peer-PEER302-tunnel-1: #6, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3291s, expires in 3959s in caef8895 (-|0x0000012f), 0 bytes, 0 packets out ceeeddef (-|0x0000012f), 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24
Note
Testing the traffic from the hub to the spoke. The difference is that the IPsec tunnel chosen by the hub not always the same as the one chosen by the spoke. So if the spoke responds to the hub through the another tunnel, the hub needs to change the tunnel to the one used by the spoke.
Step 11: Run command vpn ipsec clear sa at DUT0 and expect this output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 2
Step 12: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:
admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5Show output
Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts. admin@10.2.0.3's password: Welcome to Teldat OSDx v4.2.8.5 This system includes free software. Contact Teldat for licenses information and source code. Last login: Fri Mar 20 08:52:20 2026 from 10.1.0.5 admin@osdx$
Step 13: Run command vpn ipsec show sa at DUT0 and expect this output:
Show output
vpn-peer-PEER302: #8, ESTABLISHED, IKEv2, 44586365c5442b7e_i 93f95fe3dda57a98_r* local 'test' @ 20.2.0.1[500] remote 'test' @ 30.0.0.4[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 23350s peer-PEER302-tunnel-1: #8, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3319s, expires in 3960s in cff34c3e (-|0x0000012f), 4944 bytes, 22 packets, 0s ago out cca358b7 (-|0x0000012f), 5024 bytes, 24 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24 vpn-peer-PEER301: #7, ESTABLISHED, IKEv2, 414446ab3b878bc2_i 1d1ec000526f9563_r* local 'test' @ 20.1.0.1[500] remote 'test' @ 30.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 17606s peer-PEER301-tunnel-1: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3251s, expires in 3960s in c2727058 (-|0x0000012e), 0 bytes, 0 packets out c0943acd (-|0x0000012e), 60 bytes, 1 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24
Step 14: Run command vpn ipsec clear sa at DUT0 and expect this output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 2
Step 15: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:
admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5Show output
Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts. admin@10.2.0.3's password: Welcome to Teldat OSDx v4.2.8.5 This system includes free software. Contact Teldat for licenses information and source code. Last login: Fri Mar 20 08:52:41 2026 from 10.1.0.5 admin@osdx$
Step 16: Run command vpn ipsec show sa at DUT0 and expect this output:
Show output
vpn-peer-PEER301: #10, ESTABLISHED, IKEv2, 8805c25140c44ba3_i a5b4e1ec98f98159_r* local 'test' @ 20.1.0.1[500] remote 'test' @ 30.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 15892s peer-PEER301-tunnel-1: #10, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3242s, expires in 3959s in c1a8d69d (-|0x0000012e), 0 bytes, 0 packets out c3e42d64 (-|0x0000012e), 0 bytes, 0 packets local 10.1.0.0/24 remote 10.2.0.0/24 vpn-peer-PEER302: #9, ESTABLISHED, IKEv2, 8f199d842786de92_i fe5643835cc0aae2_r* local 'test' @ 20.2.0.1[500] remote 'test' @ 30.0.0.4[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 16461s peer-PEER302-tunnel-1: #9, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3422s, expires in 3959s in c27942d2 (-|0x0000012f), 4944 bytes, 22 packets, 0s ago out c53e62d5 (-|0x0000012f), 5084 bytes, 25 packets, 0s ago local 10.1.0.0/24 remote 10.2.0.0/24