Xfrm-Interface

Test suite to check IPsec with xfrm interface

Test IPsec With Multipath XFRM Interfaces

Description

DUT0 and DUT1 are connected to each other through multiple IPsec tunnels with the same local and remote prefixes.

In this test case, we will check IPsec tunnels are correctly installing through two peers directly connected to the DUT0 and DUT1 devices.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 30.0.0.1/24
set interfaces ethernet eth0 address 30.0.0.2/24
set interfaces ethernet eth0 vrf WAN_30
set interfaces ethernet eth1 address 10.1.0.1/24
set interfaces ethernet eth1 vrf LAN_101
set interfaces xfrm xfrm301 local-interface eth0
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm301 multipath traffic-steering reverse
set interfaces xfrm xfrm301 vrf LAN_101
set interfaces xfrm xfrm302 local-interface eth0
set interfaces xfrm xfrm302 mtu 1400
set interfaces xfrm xfrm302 multipath traffic-steering reverse
set interfaces xfrm xfrm302 vrf LAN_101
set protocols vrf WAN_30 static route 10.1.0.0/24 next-hop-vrf LAN_101
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf LAN_101
set system vrf WAN_30
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX1/TgwC4TyW0eN/wK0hEbTQ98Wv+9wcjJ04=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type respond
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 30.0.0.1
set vpn ipsec site-to-site peer PEER301 remote-address %any
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type respond
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 30.0.0.2
set vpn ipsec site-to-site peer PEER302 remote-address %any
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.3/24
set interfaces ethernet eth0 address 30.0.0.3/24
set interfaces ethernet eth0 address 30.0.0.4/24
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm302 mtu 1400
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX1/8quK7HZeB7Wq4ksP7eesBm/iFzzSBJ4k=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type initiate
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 30.0.0.3
set vpn ipsec site-to-site peer PEER301 remote-address 30.0.0.1
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type initiate
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 30.0.0.4
set vpn ipsec site-to-site peer PEER302 remote-address 30.0.0.2
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302

Step 3: Set the following configuration in DUT2 :

set interfaces ethernet eth1 address 10.1.0.5/24
set protocols static route 10.2.0.0/24 next-hop 10.1.0.1
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Note

Check that the IPsec tunnels are established and the routes are installed. The routes should be installed in the VRF LAN_101.

Step 4: Run command protocols vrf LAN_101 ip show route at DUT0 and check if output matches the following regular expressions:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+

Show output

Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF LAN_101:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:06
C>* 10.1.0.0/24 is directly connected, eth1, weight 1, 00:00:06
L>* 10.1.0.1/32 is directly connected, eth1, weight 1, 00:00:06
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm302, weight 1, 00:00:01
  *                   is directly connected, xfrm301, weight 1, 00:00:01
K>* 127.0.0.0/8 [0/0] is directly connected, LAN_101, weight 1, 00:00:06

Note

Check that both IPsec tunnels are established and traffic steering is working as expected. Once the remote client is trying to connect randomly from either of the two tunnels, hub always responds with the same tunnel.

Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.00%
Closed tunnels: 2

Step 6: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:

admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3

Show output

Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.9.4

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Jun  4 11:59:35 2026
admin@osdx$

Step 7: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER301: #3, ESTABLISHED, IKEv2, 63df0a71fa10cdb3_i 1658196b272f8c2d_r*
  local  'test' @ 30.0.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 13760s
  peer-PEER301-tunnel-1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3311s, expires in 3959s
    in  ca1d6830 (-|0x0000012e),      0 bytes,     0 packets
    out cf802bfb (-|0x0000012e),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #4, ESTABLISHED, IKEv2, 53242d60a4d2a8a1_i d67f15e634abbfc7_r*
  local  'test' @ 30.0.0.2[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 19818s
  peer-PEER302-tunnel-1: #4, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3515s, expires in 3959s
    in  cf515ffd (-|0x0000012f),   5059 bytes,    24 packets,     0s ago
    out ceb4f0d9 (-|0x0000012f),   4867 bytes,    21 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 8: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.00%
Closed tunnels: 2

Step 9: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:

admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3

Show output

Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.9.4

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Jun  4 15:15:13 2026 from 10.2.0.3
admin@osdx$

Step 10: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER302: #6, ESTABLISHED, IKEv2, 4f36d79b1caad0d0_i 940dfa6715b38ee7_r*
  local  'test' @ 30.0.0.2[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 13651s
  peer-PEER302-tunnel-1: #6, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3493s, expires in 3960s
    in  ce501c98 (-|0x0000012f),   5111 bytes,    25 packets,     0s ago
    out cf54056d (-|0x0000012f),   4979 bytes,    22 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #5, ESTABLISHED, IKEv2, 98c6a55e2145410d_i 0cd5eb4093740fd2_r*
  local  'test' @ 30.0.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 18345s
  peer-PEER301-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3346s, expires in 3960s
    in  cda685cf (-|0x0000012e),      0 bytes,     0 packets
    out c781c86c (-|0x0000012e),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Note

Testing the traffic from the hub to the spoke. The difference is that the IPsec tunnel chosen by the hub not always the same as the one chosen by the spoke. So if the spoke responds to the hub through the another tunnel, the hub needs to change the tunnel to the one used by the spoke.

Step 11: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.00%
Closed tunnels: 2

Step 12: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:

admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5

Show output

Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.9.4

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Jun  4 11:59:33 2026
admin@osdx$

Step 13: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER302: #7, ESTABLISHED, IKEv2, 7dbd8c6a0b6167ec_i 46e8f193ff731de4_r*
  local  'test' @ 30.0.0.2[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 15545s
  peer-PEER302-tunnel-1: #7, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3370s, expires in 3959s
    in  c2f6d0a5 (-|0x0000012f),   4771 bytes,    20 packets,     0s ago
    out c7c03c46 (-|0x0000012f),   5111 bytes,    25 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #8, ESTABLISHED, IKEv2, 1fc196ec42e5e49f_i 2a0ea3cd28e67229_r*
  local  'test' @ 30.0.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 17740s
  peer-PEER301-tunnel-1: #8, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3363s, expires in 3959s
    in  c90dd356 (-|0x0000012e),      0 bytes,     0 packets
    out c7f55ea6 (-|0x0000012e),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 14: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.00%
Closed tunnels: 2

Step 15: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:

admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5

Show output

Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.9.4

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Jun  4 15:15:14 2026 from 10.1.0.5
admin@osdx$

Step 16: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER302: #9, ESTABLISHED, IKEv2, 4919d212c94deba5_i 245d3f0190218052_r*
  local  'test' @ 30.0.0.2[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 22004s
  peer-PEER302-tunnel-1: #9, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3269s, expires in 3959s
    in  c22407c9 (-|0x0000012f),   4787 bytes,    20 packets,     0s ago
    out cf96bda4 (-|0x0000012f),   5111 bytes,    25 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #10, ESTABLISHED, IKEv2, 286c7c02056a5aa4_i 646fa63ac1f6918e_r*
  local  'test' @ 30.0.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 24608s
  peer-PEER301-tunnel-1: #10, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3391s, expires in 3959s
    in  c065ed70 (-|0x0000012e),      0 bytes,     0 packets
    out c02a0d26 (-|0x0000012e),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

---

Test IPsec With Multipath XFRM Interfaces And VRFs

Description

The difference here is that the hub peer has its addresses behind the VRFs, it is not directly connected like in the previous test case.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces dummy dum1 address 20.1.0.1/24
set interfaces dummy dum1 vrf SEG_201
set interfaces dummy dum2 address 20.2.0.1/24
set interfaces dummy dum2 vrf SEG_202
set interfaces ethernet eth0 address 30.0.0.1/24
set interfaces ethernet eth0 vrf WAN_30
set interfaces ethernet eth1 address 10.1.0.1/24
set interfaces ethernet eth1 vrf LAN_101
set interfaces xfrm xfrm301 local-interface dum1
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm301 multipath traffic-steering reverse
set interfaces xfrm xfrm301 vrf LAN_101
set interfaces xfrm xfrm302 local-interface dum2
set interfaces xfrm xfrm302 mtu 1400
set interfaces xfrm xfrm302 multipath traffic-steering reverse
set interfaces xfrm xfrm302 vrf LAN_101
set protocols vrf SEG_201 static route 0.0.0.0/0 next-hop-vrf WAN_30
set protocols vrf SEG_201 static route 10.1.0.0/24 next-hop-vrf LAN_101
set protocols vrf SEG_202 static route 0.0.0.0/0 next-hop-vrf WAN_30
set protocols vrf SEG_202 static route 10.1.0.0/24 next-hop-vrf LAN_101
set protocols vrf WAN_30 static route 20.1.0.0/24 next-hop-vrf SEG_201
set protocols vrf WAN_30 static route 20.2.0.0/24 next-hop-vrf SEG_202
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf LAN_101
set system vrf SEG_201
set system vrf SEG_202
set system vrf WAN_30
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX1/ikPKcRDC6TVAcQXqHD03Aj9Ow7uTIjGM=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type respond
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 20.1.0.1
set vpn ipsec site-to-site peer PEER301 remote-address %any
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type respond
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 20.2.0.1
set vpn ipsec site-to-site peer PEER302 remote-address %any
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes LAN_101
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 10.2.0.3/24
set interfaces ethernet eth0 address 30.0.0.3/24
set interfaces ethernet eth0 address 30.0.0.4/24
set interfaces xfrm xfrm301 mtu 1400
set interfaces xfrm xfrm302 mtu 1400
set protocols static route 20.1.0.0/24 next-hop 30.0.0.1
set protocols static route 20.2.0.0/24 next-hop 30.0.0.1
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf main
set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk test encrypted-secret U2FsdGVkX18Ykr7mEkt2ikLcXkiGA8MUaG8lumPCZUc=
set vpn ipsec auth-profile AUTH-SA local auth ike-psk id test
set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any
set vpn ipsec esp-group CHILD-SA mode tunnel
set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128
set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19
set vpn ipsec ike-group IKE-SA key-exchange ikev2
set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19
set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128
set vpn ipsec ike-group IKE-SA proposal 1 hash sha256
set vpn ipsec site-to-site peer PEER301 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER301 connection-type initiate
set vpn ipsec site-to-site peer PEER301 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER301 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER301 local-address 30.0.0.3
set vpn ipsec site-to-site peer PEER301 remote-address 20.1.0.1
set vpn ipsec site-to-site peer PEER301 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER301 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER301 tunnel 1 xfrm-interface-out xfrm301
set vpn ipsec site-to-site peer PEER302 auth-profile AUTH-SA
set vpn ipsec site-to-site peer PEER302 connection-type initiate
set vpn ipsec site-to-site peer PEER302 default-esp-group CHILD-SA
set vpn ipsec site-to-site peer PEER302 ike-group IKE-SA
set vpn ipsec site-to-site peer PEER302 local-address 30.0.0.4
set vpn ipsec site-to-site peer PEER302 remote-address 20.2.0.1
set vpn ipsec site-to-site peer PEER302 tunnel 1 install-routes main
set vpn ipsec site-to-site peer PEER302 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 remote prefix 10.1.0.0/24
set vpn ipsec site-to-site peer PEER302 tunnel 1 xfrm-interface-out xfrm302

Step 3: Set the following configuration in DUT2 :

set interfaces ethernet eth1 address 10.1.0.5/24
set protocols static route 10.2.0.0/24 next-hop 10.1.0.1
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Note

Check that the IPsec tunnels are established and the routes are installed. The routes should be installed in the VRF LAN_101.

Step 4: Run command protocols vrf LAN_101 ip show route at DUT0 and check if output matches the following regular expressions:

K>\* 10\.2\.0\.0/24 \[0\/0\] is directly connected.*xfrm\d+.*\n.*xfrm\d+

Show output

Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF LAN_101:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:07
C>* 10.1.0.0/24 is directly connected, eth1, weight 1, 00:00:06
L>* 10.1.0.1/32 is directly connected, eth1, weight 1, 00:00:06
K>* 10.2.0.0/24 [0/0] is directly connected, xfrm302, weight 1, 00:00:01
  *                   is directly connected, xfrm301, weight 1, 00:00:01
K>* 127.0.0.0/8 [0/0] is directly connected, LAN_101, weight 1, 00:00:07

Note

Check that both IPsec tunnels are established and traffic steering is working as expected. Once the remote client is trying to connect randomly from either of the two tunnels, hub always responds with the same tunnel.

Step 5: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.00%
Closed tunnels: 2

Step 6: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:

admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3

Show output

Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.9.4

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Jun  4 15:15:14 2026 from 10.2.0.3
admin@osdx$

Step 7: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER302: #3, ESTABLISHED, IKEv2, af883b8baa449427_i 021395e149295a57_r*
  local  'test' @ 20.2.0.1[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 18889s
  peer-PEER302-tunnel-1: #3, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3293s, expires in 3960s
    in  c195d491 (-|0x0000012f),   5059 bytes,    24 packets,     1s ago
    out c1344dd9 (-|0x0000012f),   4795 bytes,    20 packets,     1s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #4, ESTABLISHED, IKEv2, 9b07369292fe3a46_i 089813868c384708_r*
  local  'test' @ 20.1.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 24659s
  peer-PEER301-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3245s, expires in 3960s
    in  c9bb329a (-|0x0000012e),      0 bytes,     0 packets
    out ce3cd28d (-|0x0000012e),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 8: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.00%
Closed tunnels: 2

Step 9: Init an SSH connection from DUT1 to IP address 10.1.0.5 with the user admin:

admin@DUT1$ ssh admin@10.1.0.5 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.2.0.3

Show output

Warning: Permanently added '10.1.0.5' (ECDSA) to the list of known hosts.
admin@10.1.0.5's password:
Welcome to Teldat OSDx v4.2.9.4

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Jun  4 15:15:33 2026 from 10.2.0.3
admin@osdx$

Step 10: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER302: #5, ESTABLISHED, IKEv2, e55438ba4cc04d03_i e2c0cc74164f436b_r*
  local  'test' @ 20.2.0.1[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 13949s
  peer-PEER302-tunnel-1: #5, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3241s, expires in 3960s
    in  c298bfc2 (-|0x0000012f),      0 bytes,     0 packets
    out c701ba69 (-|0x0000012f),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #6, ESTABLISHED, IKEv2, 684d3ba3eb376971_i c840b744234749c2_r*
  local  'test' @ 20.1.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 19183s
  peer-PEER301-tunnel-1: #6, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3292s, expires in 3960s
    in  cbc5ac84 (-|0x0000012e),   5059 bytes,    24 packets,     0s ago
    out cd1f98ef (-|0x0000012e),   4795 bytes,    20 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

Note

Testing the traffic from the hub to the spoke. The difference is that the IPsec tunnel chosen by the hub not always the same as the one chosen by the spoke. So if the spoke responds to the hub through the another tunnel, the hub needs to change the tunnel to the one used by the spoke.

Step 11: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.00%
Closed tunnels: 2

Step 12: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:

admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5

Show output

Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.9.4

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Jun  4 15:15:15 2026 from 10.1.0.5
admin@osdx$

Step 13: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER301: #8, ESTABLISHED, IKEv2, e2d54976da6ec42a_i 279f56870a7881e2_r*
  local  'test' @ 20.1.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 14251s
  peer-PEER301-tunnel-1: #8, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3272s, expires in 3959s
    in  c52408df (-|0x0000012e),   4787 bytes,    20 packets,     0s ago
    out ce0b46e4 (-|0x0000012e),   5111 bytes,    25 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER302: #7, ESTABLISHED, IKEv2, 7f33b6b3bb94f416_i 5a46c8cd6c3bbdde_r*
  local  'test' @ 20.2.0.1[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 1s ago, rekeying in 15977s
  peer-PEER302-tunnel-1: #7, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1s ago, rekeying in 3288s, expires in 3959s
    in  c49f9d2a (-|0x0000012f),      0 bytes,     0 packets
    out c28da069 (-|0x0000012f),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24

Step 14: Run command vpn ipsec clear sa at DUT0 and expect this output:

Show output

Deleting IPSec SAs... 100.00%
Closed tunnels: 2

Step 15: Init an SSH connection from DUT2 to IP address 10.2.0.3 with the user admin:

admin@DUT2$ ssh admin@10.2.0.3 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null local-address 10.1.0.5

Show output

Warning: Permanently added '10.2.0.3' (ECDSA) to the list of known hosts.
admin@10.2.0.3's password:
Welcome to Teldat OSDx v4.2.9.4

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Jun  4 15:15:34 2026 from 10.1.0.5
admin@osdx$

Step 16: Run command vpn ipsec show sa at DUT0 and expect this output:

Show output

vpn-peer-PEER302: #10, ESTABLISHED, IKEv2, ef617c93e551d013_i e4577cfdaf23ea68_r*
  local  'test' @ 20.2.0.1[500]
  remote 'test' @ 30.0.0.4[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 21442s
  peer-PEER302-tunnel-1: #10, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3393s, expires in 3960s
    in  cc6ae731 (-|0x0000012f),      0 bytes,     0 packets
    out c63b82f3 (-|0x0000012f),      0 bytes,     0 packets
    local  10.1.0.0/24
    remote 10.2.0.0/24
vpn-peer-PEER301: #9, ESTABLISHED, IKEv2, 179b68055e6525d5_i d58474d66868a642_r*
  local  'test' @ 20.1.0.1[500]
  remote 'test' @ 30.0.0.3[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 0s ago, rekeying in 25464s
  peer-PEER301-tunnel-1: #9, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 0s ago, rekeying in 3420s, expires in 3960s
    in  c5165748 (-|0x0000012e),   4919 bytes,    21 packets,     0s ago
    out c6da6c77 (-|0x0000012e),   5111 bytes,    25 packets,     0s ago
    local  10.1.0.0/24
    remote 10.2.0.0/24

---