Xfrm-Interface

Test suite to check IPsec with xfrm interface

Test IPsec With Multipath XFRM Interfaces

Description

DUT0 and DUT1 are connected to each other through multiple IPsec tunnels with the same local and remote prefixes.

In this test case, we will check IPsec tunnels are correctly installing through two peers directly connected to the DUT0 and DUT1 devices.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 30.0.0.1/24
set interfaces ethernet eth0 address 30.0.0.2/24
set interfaces ethernet eth0 vrf WAN_30
set interfaces ethernet eth1 address 10.1.0.1/24
set interfaces ethernet eth1 vrf LAN_101
set interfaces xfrm xfrm301 local-interface eth0
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm301 multipath traffic-steering reverse
set interfaces xfrm xfrm301 vrf LAN_101
set interfaces xfrm xfrm302 local-interface eth0
set interfaces xfrm xfrm302 mtu 1400
set interfaces xfrm xfrm302 multipath traffic-steering reverse
set interfaces xfrm xfrm302 vrf LAN_101
set protocols vrf WAN_30 static route 10.1.0.0/24 next-hop-vrf LAN_101
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf LAN_101
set system vrf WAN_30
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX18WhJJZctXLRIVZbA0G2XYEKGm4yZxx6YA=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type respond
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 30.0.0.1
set vpn ipsec site-to-site peer PEER301 remote-address %any
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type respond
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 30.0.0.2
set vpn ipsec site-to-site peer PEER302 remote-address %any
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.3/24
set interfaces ethernet eth0 address 30.0.0.3/24
set interfaces ethernet eth0 address 30.0.0.4/24
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm302 mtu 1400
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX18rLA6MqQXGsCgyFqY9fQeHiWOQ6wptpPk=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type initiate
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 30.0.0.3
set vpn ipsec site-to-site peer PEER301 remote-address 30.0.0.1
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type initiate
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 30.0.0.4
set vpn ipsec site-to-site peer PEER302 remote-address 30.0.0.2
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302

Step 3: Set the following configuration in DUT2 :

set interfaces ethernet eth1 address 10.1.0.5/24
set protocols static route 10.2.0.0/24 next-hop 10.1.0.1
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Note

Check that the IPsec tunnels are established and the routes are installed. The routes should be installed in the VRF LAN_101.

Step 4: Run command protocols vrf LAN_101 ip show route at DUT0 and check if output matches the following regular expressions:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+

Show output

Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF LAN_101:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:08
C>* 10.1.0.0/24 is directly connected, eth1, weight 1, 00:00:07
L>* 10.1.0.1/32 is directly connected, eth1, weight 1, 00:00:07
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm302, weight 1, 00:00:02
  *                   is directly connected, xfrm301, weight 1, 00:00:02
K>* 127.0.0.0/8 [0/0] is directly connected, LAN_101, weight 1, 00:00:08

Note

Check that both IPsec tunnels are established and traffic steering is working as expected. Once the remote client is trying to connect randomly from either of the two tunnels, hub always responds with the same tunnel.

Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.00%
Closed tunnels: 2

Step 6: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:

admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3

Show output

Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.9.2

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Apr 16 21:34:09 2026 from 40.0.0.2
admin@osdx$

Step 7: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER301: #3, ESTABLISHED, IKEv2, cc580d7a44dd4a50_i b04cc184f2f8ec14_r*
  local  'test' @ 30.0.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 17686s
  peer-PEER301-tunnel-1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3401s, expires in 3960s
    in  c3423b51 (-|0x0000012e),   5032 bytes,    24 packets,     0s ago
    out cc6f7fa5 (-|0x0000012e),   4768 bytes,    20 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #4, ESTABLISHED, IKEv2, 0a234cded8d3c0ff_i 488cf65dba910b1e_r*
  local  'test' @ 30.0.0.2[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 20261s
  peer-PEER302-tunnel-1: #4, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3329s, expires in 3960s
    in  c8469223 (-|0x0000012f),      0 bytes,     0 packets
    out cff18067 (-|0x0000012f),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 8: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.00%
Closed tunnels: 2

Step 9: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:

admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3

Show output

Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.9.2

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Apr 16 22:59:16 2026 from 10.2.0.3
admin@osdx$

Step 10: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER302: #6, ESTABLISHED, IKEv2, 0066a111abee0115_i a507de30fabe5294_r*
  local  'test' @ 30.0.0.2[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 18350s
  peer-PEER302-tunnel-1: #6, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3464s, expires in 3960s
    in  c357fa0a (-|0x0000012f),      0 bytes,     0 packets
    out ca981333 (-|0x0000012f),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #5, ESTABLISHED, IKEv2, 6e08de277c9d057a_i 5bce425dac094cdc_r*
  local  'test' @ 30.0.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 15445s
  peer-PEER301-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3502s, expires in 3960s
    in  cb6dbd48 (-|0x0000012e),   5032 bytes,    24 packets,     0s ago
    out c5a96007 (-|0x0000012e),   4856 bytes,    21 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

Note

Testing the traffic from the hub to the spoke. The difference is that the IPsec tunnel chosen by the hub not always the same as the one chosen by the spoke. So if the spoke responds to the hub through the another tunnel, the hub needs to change the tunnel to the one used by the spoke.

Step 11: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.00%
Closed tunnels: 2

Step 12: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:

admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5

Show output

Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.9.2

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Apr 16 22:51:05 2026
admin@osdx$

Step 13: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER301: #8, ESTABLISHED, IKEv2, f3761d3f9c6f7ed9_i 38c97ee1e975e112_r*
  local  'test' @ 30.0.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 22955s
  peer-PEER301-tunnel-1: #8, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3398s, expires in 3959s
    in  ca2a7009 (-|0x0000012e),      0 bytes,     0 packets
    out c0802e6d (-|0x0000012e),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #7, ESTABLISHED, IKEv2, 96dbb511b1264919_i bb6189c9396fc3bc_r*
  local  'test' @ 30.0.0.2[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 16110s
  peer-PEER302-tunnel-1: #7, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3402s, expires in 3959s
    in  c3739c36 (-|0x0000012f),   4816 bytes,    21 packets,     1s ago
    out c9444005 (-|0x0000012f),   5348 bytes,    26 packets,     1s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 14: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.00%
Closed tunnels: 2

Step 15: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:

admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5

Show output

Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.9.2

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Apr 16 22:59:17 2026 from 10.1.0.5
admin@osdx$

Step 16: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER302: #10, ESTABLISHED, IKEv2, 7f6bacdaa5bf6fe3_i c0ae2538e3c9badc_r*
  local  'test' @ 30.0.0.2[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 20487s
  peer-PEER302-tunnel-1: #10, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3272s, expires in 3959s
    in  cf044bfb (-|0x0000012f),   4760 bytes,    20 packets,     0s ago
    out c32578c8 (-|0x0000012f),   5024 bytes,    24 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #9, ESTABLISHED, IKEv2, bc2e322548d8b3f3_i 3835d0748ff0a02a_r*
  local  'test' @ 30.0.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 19325s
  peer-PEER301-tunnel-1: #9, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3417s, expires in 3959s
    in  cc60c999 (-|0x0000012e),      0 bytes,     0 packets
    out cad6a0f7 (-|0x0000012e),     60 bytes,     1 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

---

Test IPsec With Multipath XFRM Interfaces And VRFs

Description

The difference here is that the hub peer has its addresses behind the VRFs, it is not directly connected like in the previous test case.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces dummy dum1 address 20.1.0.1/24
set interfaces dummy dum1 vrf SEG_201
set interfaces dummy dum2 address 20.2.0.1/24
set interfaces dummy dum2 vrf SEG_202
set interfaces ethernet eth0 address 30.0.0.1/24
set interfaces ethernet eth0 vrf WAN_30
set interfaces ethernet eth1 address 10.1.0.1/24
set interfaces ethernet eth1 vrf LAN_101
set interfaces xfrm xfrm301 local-interface dum1
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm301 multipath traffic-steering reverse
set interfaces xfrm xfrm301 vrf LAN_101
set interfaces xfrm xfrm302 local-interface dum2
set interfaces xfrm xfrm302 mtu 1400
set interfaces xfrm xfrm302 multipath traffic-steering reverse
set interfaces xfrm xfrm302 vrf LAN_101
set protocols vrf SEG_201 static route 0.0.0.0/0 next-hop-vrf WAN_30
set protocols vrf SEG_201 static route 10.1.0.0/24 next-hop-vrf LAN_101
set protocols vrf SEG_202 static route 0.0.0.0/0 next-hop-vrf WAN_30
set protocols vrf SEG_202 static route 10.1.0.0/24 next-hop-vrf LAN_101
set protocols vrf WAN_30 static route 20.1.0.0/24 next-hop-vrf SEG_201
set protocols vrf WAN_30 static route 20.2.0.0/24 next-hop-vrf SEG_202
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf LAN_101
set system vrf SEG_201
set system vrf SEG_202
set system vrf WAN_30
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX1+DFKJPL8ohKaB1QzZmjIVY1iTg4sZL8yg=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type respond
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 20.1.0.1
set vpn ipsec site-to-site peer PEER301 remote-address %any
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type respond
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 20.2.0.1
set vpn ipsec site-to-site peer PEER302 remote-address %any
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.3/24
set interfaces ethernet eth0 address 30.0.0.3/24
set interfaces ethernet eth0 address 30.0.0.4/24
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm302 mtu 1400
set protocols static route 20.1.0.0/24 next-hop 30.0.0.1
set protocols static route 20.2.0.0/24 next-hop 30.0.0.1
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX19QipK6A4akMHbK9KVDEwLhp8XO5xJ6EAY=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type initiate
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 30.0.0.3
set vpn ipsec site-to-site peer PEER301 remote-address 20.1.0.1
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type initiate
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 30.0.0.4
set vpn ipsec site-to-site peer PEER302 remote-address 20.2.0.1
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302

Step 3: Set the following configuration in DUT2 :

set interfaces ethernet eth1 address 10.1.0.5/24
set protocols static route 10.2.0.0/24 next-hop 10.1.0.1
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Note

Check that the IPsec tunnels are established and the routes are installed. The routes should be installed in the VRF LAN_101.

Step 4: Run command protocols vrf LAN_101 ip show route at DUT0 and check if output matches the following regular expressions:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+

Show output

Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF LAN_101:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:08
C>* 10.1.0.0/24 is directly connected, eth1, weight 1, 00:00:07
L>* 10.1.0.1/32 is directly connected, eth1, weight 1, 00:00:07
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm302, weight 1, 00:00:01
  *                   is directly connected, xfrm301, weight 1, 00:00:01
K>* 127.0.0.0/8 [0/0] is directly connected, LAN_101, weight 1, 00:00:08

Note

Check that both IPsec tunnels are established and traffic steering is working as expected. Once the remote client is trying to connect randomly from either of the two tunnels, hub always responds with the same tunnel.

Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.00%
Closed tunnels: 2

Step 6: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:

admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3

Show output

Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.9.2

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Apr 16 22:59:16 2026 from 10.2.0.3
admin@osdx$

Step 7: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER302: #3, ESTABLISHED, IKEv2, 7cc8f971c3647457_i 27a79c158eea1320_r*
  local  'test' @ 20.2.0.1[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 22688s
  peer-PEER302-tunnel-1: #3, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3468s, expires in 3959s
    in  c43bb981 (-|0x0000012f),   5032 bytes,    24 packets,     1s ago
    out c7f77bc6 (-|0x0000012f),   4768 bytes,    20 packets,     1s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #4, ESTABLISHED, IKEv2, 6f4462531967ae0e_i 59f09602332b8daf_r*
  local  'test' @ 20.1.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 23461s
  peer-PEER301-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3334s, expires in 3959s
    in  cef27ba6 (-|0x0000012e),      0 bytes,     0 packets
    out c31d6c03 (-|0x0000012e),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 8: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.00%
Closed tunnels: 2

Step 9: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:

admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3

Show output

Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.9.2

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Apr 16 22:59:38 2026 from 10.2.0.3
admin@osdx$

Step 10: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER301: #6, ESTABLISHED, IKEv2, bc919bbb4cd5d21c_i 433971c167b47b07_r*
  local  'test' @ 20.1.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 22663s
  peer-PEER301-tunnel-1: #6, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3277s, expires in 3959s
    in  c951dfe4 (-|0x0000012e),      0 bytes,     0 packets
    out cdd43bdf (-|0x0000012e),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #5, ESTABLISHED, IKEv2, 27bec74c4b6f35ca_i 08219a45d597c629_r*
  local  'test' @ 20.2.0.1[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 24827s
  peer-PEER302-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3266s, expires in 3959s
    in  cced26c8 (-|0x0000012f),   5032 bytes,    24 packets,     0s ago
    out c0547779 (-|0x0000012f),   4864 bytes,    21 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

Note

Testing the traffic from the hub to the spoke. The difference is that the IPsec tunnel chosen by the hub not always the same as the one chosen by the spoke. So if the spoke responds to the hub through the another tunnel, the hub needs to change the tunnel to the one used by the spoke.

Step 11: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.00%
Closed tunnels: 2

Step 12: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:

admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5

Show output

Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.9.2

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Apr 16 22:59:18 2026 from 10.1.0.5
admin@osdx$

Step 13: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER301: #7, ESTABLISHED, IKEv2, 3d32628b359b5b01_i 4f7b942af0215e16_r*
  local  'test' @ 20.1.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 16354s
  peer-PEER301-tunnel-1: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3303s, expires in 3960s
    in  c5a8b151 (-|0x0000012e),      0 bytes,     0 packets
    out c2027789 (-|0x0000012e),     60 bytes,     1 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #8, ESTABLISHED, IKEv2, 650f9c688c3c2be7_i 7f77bada9590c919_r*
  local  'test' @ 20.2.0.1[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 18779s
  peer-PEER302-tunnel-1: #8, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3519s, expires in 3960s
    in  cec8b67c (-|0x0000012f),   4952 bytes,    22 packets,     0s ago
    out cdc3f42e (-|0x0000012f),   5232 bytes,    28 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 14: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.00%
Closed tunnels: 2

Step 15: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:

admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5

Show output

Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.9.2

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Apr 16 22:59:40 2026 from 10.1.0.5
admin@osdx$

Step 16: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER301: #9, ESTABLISHED, IKEv2, d1dd63049a3f89d8_i 2292eebb74ac4061_r*
  local  'test' @ 20.1.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 17930s
  peer-PEER301-tunnel-1: #9, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3471s, expires in 3959s
    in  c29b554d (-|0x0000012e),   4856 bytes,    21 packets,     0s ago
    out c06c4881 (-|0x0000012e),   5084 bytes,    25 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #10, ESTABLISHED, IKEv2, ac6fb79d6dfc069e_i b5df469c69c2f735_r*
  local  'test' @ 20.2.0.1[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 22889s
  peer-PEER302-tunnel-1: #10, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3529s, expires in 3959s
    in  c11cffb4 (-|0x0000012f),      0 bytes,     0 packets
    out c1aececc (-|0x0000012f),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

---