VPN Lab
Various VPN Lab scenarios are discussed below:
ScreenOS Site to Site VPN
Policy Based VPN
- Steps Required
- Set Gateway
- Set Autokey IKE
- Set Policies with Action = Tunnel & select the tunnel name from drop-down.
- Lab
FW1 (Responder) | FW2 (Initiator) |
---|---|
debug ike detail | debug ike detail |
get config | get config |
get sa | get sa |
get ike cookie | get ike cookie |
get vpn | get vpn |
Route Based VPN
- Steps Required for Route Based VPN in ScreenOS
- Create unnumbered tunnel interface
- Set Gateway
- Set Autokey IKE
- Set Proxy-ID (the tunnel interface comes up at this point)
- Set Policies
- Create static route pointing to the tunnel
- Lab
SRX Site to Site VPN
Dialup VPN
- Steps Required
- Create Dial User Account
- Create Dial Up VPN Group
- Create the Phase 1 IKE Negotiation
- Select Dialup User Group
- Choose Mode (Initiator): Aggressive
- Enable NAT Traversal
- Create the Phase 2 IKE Negotiation
- Create Dial Up VPN Policy from Untrust to Trust with Source Address = Dial-Up VPN
- Place policy Position at Top
- NCP-e Client configuration steps
- NCP Secure Entry Client Configuration
- Click on “Configuration” > “Add Profile” > “Link to Corporate Network Using IPSec”
- Enter Profile Name
- Choose “LAN (Over IP)”
- Give the “Gateway” IP and “XAuth” Username and Password
- XAuth can be unchecked as well depending on the XAuth Settings on the Firewall.
- Select the Mode as “Aggressive” and select the PFS Group
- Enter “Pre Shared Key” and the IKE identity. If you are using Email as the identity then select “Fully Qualified Username”
- Specify the IP that will be used as the Source IP by the Client. (If an IPPool is chosen in the XAuth on the firewall, an IP from the IPPool is taken). Otherwise, you can define it Manually on the client using the dropdown. If you choose “Local IP Address”, and no IP Pool is defined on the Firewall XAuth settings, then the PC’s IP is taken as the Source IP. The profile is now created.
- By default the NCP client takes the Remote side private IPs as 0.0.0.0/0 which means all traffic from the client will go to the firewall.
- Changing it affects the Untrust to Trust policy that we will have to configure at the firewall. If we have to define specific subnets to which we have to reach, we have to define split tunneling.
- Click on Edit on the profile and go to “Split Tunneling” & Add a Network
- The Proposals can be chosen/modified in the “IPSec General Settings” when we edit the profile.
- Click on “Policy Editor” to edit the IKE (Phase 1) and IPSec (Phase 2) proposals. New proposals can also be created here.
- Lab
SSG1 | |
---|---|
NCP Profile | debug ike detail |
get sa | get config |
get ike cookie | get event |
get vpn | get sa id |
Packet Capture |
Dialup VPN with Xauth IP Pool
- Steps Required
- NCP-e Client configuration steps
- Lab
SSG1 | |
---|---|
NCP Profile | debug ike detail |
get sa | get config |
get ike cookie | get event |
get vpn | get sa id |
Packet Capture |
Dialup VPN with Xauth User
- Steps Required
- NCP-e Client configuration steps
- Lab
SSG1 | |
---|---|
NCP Profile | debug ike detail |
get sa | get config |
get ike cookie | get xauth active |
get vpn | get sa id |
Packet Capture |
Cisco VPN Configuration
NAT-Traversal
Source: m00nie.com
GNS3 was used to replicate this scenario.
- Scenario
- PC1
```
ip 10.1.1.2 10.1.1.1 24
```
- PC2
```
ip 20.1.1.2 20.1.1.1 24
```
- R1
```
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key SuperS3cure address 1.1.1.2
crypto isakmp keepalive 10 periodic

crypto ipsec transform-set MYTSETNAME esp-aes 256 esp-sha-hmac

crypto map LEFTY 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set MYTSETNAME
 match address 101

interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 crypto map LEFTY

interface Ethernet0/3
 ip address 10.1.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.1.1
access-list 101 permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255
```
- R2
```
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly

interface Ethernet0/1
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly

ip route 10.1.1.0 255.255.255.0 192.168.1.2
ip route 20.1.1.0 255.255.255.0 1.1.1.2
ip nat inside source static 192.168.1.2 1.1.1.10
```
- R3
```
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key SuperS3cure address 1.1.1.10
crypto isakmp keepalive 10 periodic

crypto ipsec transform-set MYTSETNAME esp-aes 256 esp-sha-hmac

crypto map LEFTY 10 ipsec-isakmp
 set peer 1.1.1.10
 set transform-set MYTSETNAME
 match address 101

interface Ethernet0/1
 ip address 1.1.1.2 255.255.255.0
 crypto map LEFTY

interface Ethernet0/3
 ip address 20.1.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 1.1.1.1
access-list 101 permit ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
```
- Verify
```
R3#sh crypto engine connections active
  ID Interface    IP-Address   State  Algorithm            Encrypt  Decrypt
   1 Ethernet0/1  1.1.1.2      set    HMAC_SHA+AES_256_C         0        0
2001 Ethernet0/1  1.1.1.2      set    AES256+SHA                 0       10
2002 Ethernet0/1  1.1.1.2      set    AES256+SHA                 9        0
```
Debug: NAT Traversal
PCAP: Nat Traversal PCAP
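The `show crypto engine connections active` output above is the quickest place to see whether a tunnel behind NAT is actually passing traffic both ways: a healthy IPsec pair has one SA with Decrypt counts and one with Encrypt counts, while an SA pair that only encrypts usually means ESP is being dropped on the way back (no NAT-T negotiated, or a crypto ACL that is not mirrored on the peer). The script below is an added example, not code from the lab or from m00nie.com; it parses that output format and classifies each IPsec SA pair. The sample text is constructed in the layout of R3's output (its first three rows are the lab's values, rows 2003/2004 are made up), and the pairing rule (IPsec SAs have IDs of 2000 and above and are listed as consecutive inbound/outbound pairs) is an assumption drawn from that output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the layout of R3's output: rows 1, 2001 and 2002 carry the lab's
# values, rows 2003/2004 are an added, made-up second IPsec SA pair that only encrypts.
SAMPLE = """\
R3#sh crypto engine connections active
  ID Interface    IP-Address   State  Algorithm            Encrypt  Decrypt
   1 Ethernet0/1  1.1.1.2      set    HMAC_SHA+AES_256_C         0        0
2001 Ethernet0/1  1.1.1.2      set    AES256+SHA                 0       10
2002 Ethernet0/1  1.1.1.2      set    AES256+SHA                 9        0
2003 Ethernet0/1  1.1.1.2      set    AES256+SHA                 0        0
2004 Ethernet0/1  1.1.1.2      set    AES256+SHA                12        0
"""


@dataclass
class CryptoConn:
    conn_id: int
    interface: str
    ip: str
    state: str
    algorithm: str
    encrypt: int
    decrypt: int


# One data row: id, interface, local IP, state, algorithm, encrypt count, decrypt count.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_connections(text: str) -> List[CryptoConn]:
    """Return the per-SA rows; the prompt and header lines do not match ROW."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            conns.append(CryptoConn(int(m[1]), m[2], m[3], m[4], m[5], int(m[6]), int(m[7])))
    return conns


def ipsec_pairs(conns: List[CryptoConn]) -> List[Tuple[CryptoConn, CryptoConn]]:
    """Assumption: the IKE SA has a low ID, IPsec SAs have IDs >= 2000 and are listed as
    consecutive inbound/outbound pairs (as in the lab output: 2001 decrypts, 2002 encrypts)."""
    ipsec = sorted((c for c in conns if c.conn_id >= 2000), key=lambda c: c.conn_id)
    return [(ipsec[i], ipsec[i + 1]) for i in range(0, len(ipsec) - 1, 2)]


def diagnose(text: str) -> Dict[str, str]:
    """Map each IPsec SA pair to one of: ok, tx-only, rx-only, idle."""
    verdicts = {}
    for a, b in ipsec_pairs(parse_connections(text)):
        tx = a.encrypt + b.encrypt
        rx = a.decrypt + b.decrypt
        key = f"{a.conn_id}/{b.conn_id}"
        if tx and rx:
            verdicts[key] = "ok"
        elif tx:
            # We encrypt but never decrypt: with a NATed peer, check that NAT-T (UDP/4500)
            # was negotiated and that the peer's crypto ACL mirrors ours.
            verdicts[key] = "tx-only"
        elif rx:
            verdicts[key] = "rx-only"
        else:
            verdicts[key] = "idle"
    return verdicts


if __name__ == "__main__":
    for pair, verdict in diagnose(SAMPLE).items():
        print(pair, verdict)
```

Run it against a pasted `show crypto engine connections active` capture; pairs reported as `tx-only` are the ones worth debugging with `debug crypto isakmp` on both sides, since the local router is doing its half of the work.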
Dynamic Multipoint VPN with IPsec
Hub and Spoke VPN
Policy based Hub and Spoke VPN
- Steps
- On the HUB
```
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/1" zone "Trust"
set interface ethernet0/2 ip 1.1.1.1/28
set interface ethernet0/2 route
set interface ethernet0/1 ip 192.168.1.1/24
set interface ethernet0/1 nat
set ike gateway "To_Spoke1" address 2.2.2.1 Main outgoing-interface "ethernet0/2" preshare "fjSqyy68N8azlRs6agCvZZSAnQnu7+kfxA==" sec-level standard
set ike gateway "To_Spoke2" address 3.3.3.1 Main outgoing-interface "ethernet0/2" preshare "rQBrqF8+NHPrEgsq/6Cwv/a1W6nR0fi1xw==" sec-level standard
set vpn "To_Spoke1" gateway "To_Spoke1" no-replay tunnel idletime 0 sec-level standard
set vpn "To_Spoke2" gateway "To_Spoke2" no-replay tunnel idletime 0 sec-level standard
set route 192.168.2.1/24 interface ethernet0/2 gateway 1.1.1.2
set route 192.168.3.1/24 interface ethernet0/2 gateway 1.1.1.2
```
- For SPOKE2 to SPOKE1 connectivity
```
set policy id 16 from "Untrust" to "Trust" "192.168.3.0/24" "192.168.2.0/24" "ANY" tunnel vpn "To_Spoke2" log
set policy id 12 from "Trust" to "Untrust" "192.168.3.0/24" "192.168.2.0/24" "ANY" tunnel vpn "To_Spoke1" log
```
- For SPOKE1 to SPOKE2 connectivity
```
set policy id 13 from "Untrust" to "Trust" "192.168.2.0/24" "192.168.3.0/24" "ANY" tunnel vpn "To_Spoke1" log
set policy id 17 from "Trust" to "Untrust" "192.168.2.0/24" "192.168.3.0/24" "ANY" tunnel vpn "To_Spoke2" log
```
- For SPOKE1 to HUB connectivity
```
set policy id 7 from "Trust" to "Untrust" "192.168.1.0/24" "192.168.2.0/24" "ANY" tunnel vpn "To_Spoke1" log
set policy id 8 from "Untrust" to "Trust" "192.168.2.0/24" "192.168.1.0/24" "ANY" tunnel vpn "To_Spoke1" log
```
- For SPOKE2 to HUB connectivity (the 192.168.3.0/24 LAN sits behind SPOKE2, so both policies must reference the "To_Spoke2" tunnel)
```
set policy id 9 from "Trust" to "Untrust" "192.168.1.0/24" "192.168.3.0/24" "ANY" tunnel vpn "To_Spoke2" log
set policy id 10 from "Untrust" to "Trust" "192.168.3.0/24" "192.168.1.0/24" "ANY" tunnel vpn "To_Spoke2" log
```
- On SPOKE1
```
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/2 ip 2.2.2.1/28
set interface "ethernet0/1" zone "Trust"
set interface ethernet0/1 ip 192.168.2.1/24
set interface ethernet0/1 nat
set ike gateway "To_HUB" address 1.1.1.1 Main outgoing-interface "ethernet0/2" preshare "/FCeHmVxND/MOpsvdjCDfCkvxxnloaaWcA==" sec-level standard
set vpn "To_HUB" gateway "To_HUB" no-replay tunnel idletime 0 sec-level standard
set route 192.168.1.0/24 interface ethernet0/2 gateway 2.2.2.2
set route 192.168.3.0/24 interface ethernet0/2 gateway 2.2.2.2
set policy id 3 from "Untrust" to "Trust" "192.168.3.0/24" "192.168.2.0/24" "ANY" tunnel vpn "To_HUB" id 0x4 pair-policy 4 log
set policy id 1 from "Trust" to "Untrust" "192.168.2.0/24" "192.168.1.0/24" "ANY" tunnel vpn "To_HUB" id 0x2 pair-policy 2 log
```
- On SPOKE2
```
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/2 ip 3.3.3.1/28
set interface "ethernet0/1" zone "Trust"
set interface ethernet0/1 ip 192.168.3.1/24
set interface ethernet0/1 nat
set ike gateway "To_HUB" address 1.1.1.1 Main outgoing-interface "ethernet0/2" preshare "/FCeHmVxND/MOpsvdjCDfCkvxxnloaaWcA==" sec-level standard
set vpn "To_HUB" gateway "To_HUB" no-replay tunnel idletime 0 sec-level standard
set route 192.168.1.0/24 interface ethernet0/2 gateway 3.3.3.2
set route 192.168.2.0/24 interface ethernet0/2 gateway 3.3.3.2
set policy id 3 from "Untrust" to "Trust" "192.168.2.0/24" "192.168.3.0/24" "ANY" tunnel vpn "To_HUB" id 0x4 pair-policy 4 log
set policy id 1 from "Trust" to "Untrust" "192.168.3.0/24" "192.168.1.0/24" "ANY" tunnel vpn "To_HUB" id 0x2 pair-policy 2 log
```
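In a policy-based hub-and-spoke design the hub carries no route for the spoke LANs; the `tunnel vpn` keyword on each policy is the only thing that ties a subnet to a tunnel, so a policy that names the wrong tunnel (or has no reverse-direction twin) silently breaks one spoke-to-spoke path. The checker below is an added example, not part of the lab or of ScreenOS: it parses `set policy ... tunnel vpn` lines and verifies, for each policy, that the side facing the Untrust zone is the LAN that really sits behind the named tunnel, and that a mirror policy exists. The policy text is a constructed set in the lab's syntax (policies 9, 10 and 16 are deliberately wrong), and the tunnel-to-LAN map is an assumption the checker needs as input.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed hub policy set in the lab's ScreenOS syntax. Spoke LANs and tunnel names
# follow the lab addressing; policies 9, 10 and 16 are written wrong on purpose.
HUB_POLICIES = """
set policy id 7 from "Trust" to "Untrust" "192.168.1.0/24" "192.168.2.0/24" "ANY" tunnel vpn "To_Spoke1" log
set policy id 8 from "Untrust" to "Trust" "192.168.2.0/24" "192.168.1.0/24" "ANY" tunnel vpn "To_Spoke1" log
set policy id 9 from "Trust" to "Untrust" "192.168.1.0/24" "192.168.3.0/24" "ANY" tunnel vpn "To_Spoke1" log
set policy id 10 from "Untrust" to "Trust" "192.168.3.0/24" "192.168.1.0/24" "ANY" tunnel vpn "To_Spoke1" log
set policy id 12 from "Trust" to "Untrust" "192.168.3.0/24" "192.168.2.0/24" "ANY" tunnel vpn "To_Spoke1" log
set policy id 13 from "Untrust" to "Trust" "192.168.2.0/24" "192.168.3.0/24" "ANY" tunnel vpn "To_Spoke1" log
set policy id 16 from "Untrust" to "Trust" "192.168.3.0/24" "192.168.2.0/24" "ANY" tunnel vpn "To_Spoke2" log
"""

# Which LAN is behind each tunnel: an assumed input, derived from the lab's spoke
# addressing, because policy-based VPNs carry no route for the remote LAN.
TUNNEL_LANS = {"To_Spoke1": "192.168.2.0/24", "To_Spoke2": "192.168.3.0/24"}

POLICY = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)" '
    r'"([^"]+)" "([^"]+)" "([^"]+)" tunnel vpn "([^"]+)"'
)


def parse_tunnel_policies(config: str) -> List[dict]:
    """Extract the tunnel policies; plain permit/deny policies are ignored."""
    policies = []
    for line in config.splitlines():
        m = POLICY.match(line.strip())
        if m:
            pid, src_zone, dst_zone, src, dst, service, vpn = m.groups()
            policies.append({"id": int(pid), "src_zone": src_zone, "dst_zone": dst_zone,
                             "src": ipaddress.ip_network(src, strict=False),
                             "dst": ipaddress.ip_network(dst, strict=False),
                             "service": service, "vpn": vpn})
    return policies


def check_hub_policies(config: str, tunnel_lans: dict, untrust: str = "Untrust") -> List[Tuple[int, str]]:
    """Return (policy id, problem) pairs for tunnel policies that cannot work."""
    lans = {name: ipaddress.ip_network(net, strict=False) for name, net in tunnel_lans.items()}
    policies = parse_tunnel_policies(config)
    problems = []
    for p in policies:
        lan = lans.get(p["vpn"])
        if lan is None:
            problems.append((p["id"], f"references unknown tunnel {p['vpn']}"))
            continue
        # A packet entering from Untrust via a tunnel policy was just decrypted from that
        # tunnel's spoke, so its source must be that spoke's LAN ...
        if p["src_zone"] == untrust and not p["src"].subnet_of(lan):
            problems.append((p["id"], f"source {p['src']} is not behind {p['vpn']} ({lan})"))
        # ... and a packet leaving towards Untrust through the tunnel must be destined for it.
        if p["dst_zone"] == untrust and not p["dst"].subnet_of(lan):
            problems.append((p["id"], f"destination {p['dst']} is not behind {p['vpn']} ({lan})"))
        # Without a mirror policy one side can initiate but the return flow is dropped.
        has_mirror = any(q["src_zone"] == p["dst_zone"] and q["dst_zone"] == p["src_zone"]
                         and q["src"] == p["dst"] and q["dst"] == p["src"] for q in policies)
        if not has_mirror:
            problems.append((p["id"], "no reverse-direction tunnel policy"))
    return problems


if __name__ == "__main__":
    for pid, problem in check_hub_policies(HUB_POLICIES, TUNNEL_LANS):
        print(f"policy {pid}: {problem}")
```

Feed it the output of `get config | include "tunnel vpn"` from the hub and a tunnel-to-LAN map; anything it reports is a policy that will show up in `debug flow basic` as a session created on one side only.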
Route based Hub and Spoke VPN
- Steps
- Create the tunnel interface
- Define the IKE Gateway
- Define the VPN Tunnel
- Add Routes
- Configure policy to allow traffic between spokes
- Configuration
- Hub firewall
```
set zone name vpn
set interface tunnel.1 zone vpn
set interface tunnel.1 ip unnumbered interface ethernet0/2
set interface tunnel.2 zone vpn
set interface tunnel.2 ip unnumbered interface ethernet0/2
set ike gateway to-spoke1 address 1.1.1.2 main outgoing-interface ethernet0/2 preshare netscreen sec-level standard
set ike gateway to-spoke2 address 1.1.1.3 main outgoing-interface ethernet0/2 preshare netscreen sec-level standard
set vpn vpn-spoke1 gateway to-spoke1 sec-level standard
set vpn vpn-spoke1 bind interface tunnel.1
set vpn vpn-spoke2 gateway to-spoke2 sec-level standard
set vpn vpn-spoke2 bind interface tunnel.2
set route 172.16.2.0/24 interface tunnel.1
set route 172.16.3.0/24 interface tunnel.2
set policy from vpn to vpn "172.16.2.0/24" "172.16.3.0/24" any permit
set policy from vpn to vpn "172.16.3.0/24" "172.16.2.0/24" any permit
```
- Spoke1
```
set zone name vpn
set interface tunnel.1 zone vpn
set interface tunnel.1 ip unnumbered interface ethernet0/0
set ike gateway to-hub address 1.1.1.1 main outgoing-interface ethernet0/0 preshare netscreen sec-level standard
set vpn vpn-spoke1 gateway to-hub sec-level standard
set vpn vpn-spoke1 bind interface tunnel.1
set route 172.16.1.0/24 interface tunnel.1
set route 172.16.3.0/24 interface tunnel.1
set policy from trust to vpn "172.16.2.0/24" "172.16.3.0/24" any permit
set policy from vpn to trust "172.16.3.0/24" "172.16.2.0/24" any permit
```
- Spoke2 (its own LAN is 172.16.3.0/24, so the policy source and destination are the reverse of Spoke1's)
```
set zone name vpn
set interface tunnel.1 zone vpn
set interface tunnel.1 ip unnumbered interface ethernet0/0
set ike gateway to-hub address 1.1.1.1 main outgoing-interface ethernet0/0 preshare netscreen sec-level standard
set vpn vpn-spoke2 gateway to-hub sec-level standard
set vpn vpn-spoke2 bind interface tunnel.1
set route 172.16.1.0/24 interface tunnel.1
set route 172.16.2.0/24 interface tunnel.1
set policy from trust to vpn "172.16.3.0/24" "172.16.2.0/24" any permit
set policy from vpn to trust "172.16.2.0/24" "172.16.3.0/24" any permit
```
Redundant VPN
Source: help.fortinet.com
- General configuration steps
- A redundant configuration at each VPN peer includes:
  - One Phase 1 configuration (virtual IPsec interface) for each path between the two peers. In a fully meshed redundant configuration, each network interface on one peer can communicate with each network interface on the remote peer; if both peers have two public interfaces, for example, each peer has four paths.
  - One Phase 2 definition for each Phase 1 configuration.
  - One static route for each IPsec interface, with different distance values to prioritize the routes.
  - Two Accept security policies per IPsec interface, one for each direction of traffic.
  - Dead peer detection enabled in each Phase 1 definition.
- The procedures in this section assume that two separate interfaces to the Internet are available on each VPN peer.
- Configuring the VPN peers - route-based VPN
- VPN peers are configured using Interface Mode for redundant tunnels.
- Configure each VPN peer as follows:
  - Ensure that the interfaces used in the VPN have static IP addresses.
  - Create a Phase 1 configuration for each of the paths between the peers.
  - Enable dead peer detection so that one of the other paths is activated if this path fails.
Primary and Backup VPN
Source: kb.juniper.net
- Steps for configuring Primary and Backup VPN with Route Failover using IP-Monitoring
If the primary tunnel fails, traffic flows through the backup tunnel. Route failover is achieved with IP-Monitoring. To achieve redundancy between two route-based VPN tunnels, a numbered tunnel interface must be configured.
- Solution
  - Configure two route-based VPN tunnels (primary and backup) between the two SRX devices.
  - Configure ISP2 in a virtual routing-instance.
  - Configure an RPM probe whose target address is the ISP1 address (1.1.1.2) and whose destination-interface is the primary VPN's external interface.
  - Configure IP-monitoring that matches the RPM probe configured above, with a preferred route for the PC2 address whose next-hop is the IP address of the backup tunnel on SRX2 (in this case, the IP address of st0.1 on SRX2).
  - Configure the same on SRX2. When configuring IP-monitoring on SRX2, set the next-hop to the IP address of the backup tunnel on SRX1 (in this case, the IP address of st0.1 on SRX1).
```
       |-----------------[ISP1]---------------|
       |                                      |
[PC1]----------[FW1]                  [FW2]------------[PC2]
       |                                      |
       |-----------------[ISP2]---------------|
```
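Both the Fortinet and the Juniper procedures above rest on the same mechanism: two static routes to the far LAN with different preferences, and a liveness check (DPD or an RPM probe) that changes which route wins when the primary path dies. The following is an added example that models that mechanism, not code from either vendor or from the lab. It assumes a simplified IP-monitoring behaviour (the preferred route is installed after a fixed number of consecutive probe failures and withdrawn on the next success); the prefix, interface names (st0.0 primary, st0.1 backup) and preference values are constructed to match the diagram.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    next_hop_if: str   # tunnel interface the route points at
    preference: int    # lower wins (Junos route preference / Fortinet distance)


@dataclass
class IpMonitor:
    """Simplified model of an SRX ip-monitoring policy (assumption: install the
    preferred route after `threshold` consecutive RPM probe failures, withdraw it
    as soon as a probe succeeds again)."""
    threshold: int
    preferred: StaticRoute
    failures: int = 0
    installed: bool = False

    def observe(self, probe_ok: bool) -> bool:
        if probe_ok:
            self.failures = 0
            self.installed = False
        else:
            self.failures += 1
            if self.failures >= self.threshold:
                self.installed = True
        return self.installed


def active_interface(prefix: str, routes: List[StaticRoute], monitor: IpMonitor) -> str:
    """Pick the lowest-preference route for `prefix`, including the monitor's
    injected route while it is installed."""
    candidates = [r for r in routes if r.prefix == prefix]
    if monitor.installed and monitor.preferred.prefix == prefix:
        candidates.append(monitor.preferred)
    return min(candidates, key=lambda r: r.preference).next_hop_if


# Constructed scenario for FW1 in the diagram: PC2's LAN is reachable over st0.0
# (primary tunnel via ISP1, preference 5) or st0.1 (backup tunnel via ISP2, preference 10).
PC2_LAN = "192.168.2.0/24"
ROUTES = [StaticRoute(PC2_LAN, "st0.0", 5), StaticRoute(PC2_LAN, "st0.1", 10)]


def simulate(probe_results: List[bool], threshold: int = 3) -> List[str]:
    """Return the interface FW1 forwards PC2-bound traffic over after each probe."""
    monitor = IpMonitor(threshold, StaticRoute(PC2_LAN, "st0.1", 1))
    path = []
    for ok in probe_results:
        monitor.observe(ok)
        path.append(active_interface(PC2_LAN, ROUTES, monitor))
    return path


if __name__ == "__main__":
    # ISP1 drops for four probe intervals, recovers, then drops once more
    print(simulate([True, False, False, False, False, True, False]))
```

The design point the model makes visible is the preference gap: the backup static route (preference 10) alone never carries traffic while the primary route exists, which is why IP-monitoring injects a route with a *better* preference than the primary rather than simply removing the primary.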
Overlapping Subnet VPN [1]
Route based
- Configuration Steps
- Internal LAN interface for both sites will be ethernet0/0 in zone “trust” and will have private IP 192.168.10.1/24.
- Internet interface for both sites will be ethernet0/3 in zone “untrust” and will each have a unique public IP.
- Tunnel interface tunnel.1 will be in zone “vpn” on both sites to allow for configuring unique policies specifically for tunnel (encrypted) traffic while maintaining unique policies for clear (non-encrypted) traffic.
- The address range to reach Remote side hosts from Corporate side is 10.1.20.0/24.
- The address range to reach Corporate side hosts from Remote side is 10.1.10.0/24
- All traffic between the Corporate and Remote LANs is to be permitted, and traffic may be initiated from either side.
- Basic non-VPN settings such as system settings, user login, and default security settings are already pre-configured on both devices.
- Basic Steps to Configure
  1. Configure the “vpn” security zone. “Trust” and “Untrust” zones are predefined.
  2. Configure IP addresses for interfaces ethernet0/0 and ethernet0/3. Bind the interfaces to the “Trust” and “Untrust” zones respectively.
  3. Create the tunnel.1 interface and bind it to the “vpn” zone.
  4. Configure the MIP for the tunnel interface.
  5. Configure the default route to the Internet next-hop and a static route for the Remote site LAN. Optionally a dynamic routing protocol such as OSPF can be used instead, but that is beyond the scope of this application note.
  6. Configure address book entries for the “Trust” and “vpn” zones; the security policies reference them.
  7. Configure phase-1 (IKE) and phase-2 (VPN) proposals.
  8. Configure the IKE gateway profile referencing the phase-1 proposal from step 7.
  9. Configure the VPN profile referencing the IKE gateway from step 8 and the phase-2 proposal from step 7, then bind interface tunnel.1 to the VPN.
  10. Configure a security policy permitting the Corporate site LAN to reach the Remote site LAN, using the address book entries created in step 6.
  11. Configure a security policy permitting Remote site LAN traffic to reach the Corporate site LAN, using the address book entry from step 6 with the MIP as the destination address.
  12. Configure an outgoing “Trust” to “Untrust” permit-all policy with interface source NAT for Internet traffic.
  13. Configure tcp-mss for IPsec traffic to avoid fragmented TCP traffic, which lowers resource utilization on the device.
- Corporate Site
```
set zone name "vpn" vrouter "trust-vr"
set interface ethernet0/0 zone "Trust"
set interface ethernet0/0 ip 192.168.10.1/24
set interface ethernet0/0 nat
set interface ethernet0/3 zone "Untrust"
set interface ethernet0/3 ip 1.1.1.2/30
set interface ethernet0/3 route
set interface tunnel.1 zone "vpn"
set interface tunnel.1 ip 10.1.10.1/24
set interface tunnel.1 mip 10.1.10.1 host 192.168.10.1 netmask 255.255.255.0 vrouter "trust-vr"
set route 0.0.0.0/0 interface ethernet0/3 gateway 1.1.1.1
set route 10.1.20.0/24 interface tunnel.1
set address "Trust" "local-net" 192.168.10.0 255.255.255.0
set address "vpn" "remote-net" 10.1.20.0 255.255.255.0
set ike p1-proposal "ike-proposal1" preshare group2 3des sha-1
set ike p2-proposal "vpn-proposal1" group2 esp 3des sha-1
set ike gateway "remote-ike" address 2.2.2.2 Main outgoing-interface ethernet0/3 preshare "secretkey" proposal "ike-proposal1"
set vpn "remote-vpn" gateway "remote-ike" proposal "vpn-proposal1"
set vpn "remote-vpn" bind interface tunnel.1
set policy from "Trust" to "vpn" "local-net" "remote-net" "ANY" permit
set policy from "vpn" to "Trust" "remote-net" "MIP(10.1.10.1/24)" "ANY" permit
set policy from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set flow tcp-mss 1350
```
- Remote Site Configuration
```
set zone name "vpn" vrouter "trust-vr"
set interface ethernet0/0 zone "Trust"
set interface ethernet0/0 ip 192.168.10.1/24
set interface ethernet0/0 nat
set interface ethernet0/3 zone "Untrust"
set interface ethernet0/3 ip 2.2.2.2/30
set interface ethernet0/3 route
set interface tunnel.1 zone "vpn"
set interface tunnel.1 ip 10.1.20.1/24
set interface tunnel.1 mip 10.1.20.1 host 192.168.10.1 netmask 255.255.255.0 vrouter "trust-vr"
set route 0.0.0.0/0 interface ethernet0/3 gateway 2.2.2.1
set route 10.1.10.0/24 interface tunnel.1
set address "Trust" "local-net" 192.168.10.0 255.255.255.0
set address "vpn" "corporate-net" 10.1.10.0 255.255.255.0
set ike p1-proposal "ike-proposal1" preshare group2 3des sha-1
set ike p2-proposal "vpn-proposal1" group2 esp 3des sha-1
set ike gateway "corporate-ike" address 1.1.1.2 Main outgoing-interface ethernet0/3 preshare "secretkey" proposal "ike-proposal1"
set vpn "corporate-vpn" gateway "corporate-ike" proposal "vpn-proposal1"
set vpn "corporate-vpn" bind interface tunnel.1
set policy from "Trust" to "vpn" "local-net" "corporate-net" "ANY" permit
set policy from "vpn" to "Trust" "corporate-net" "MIP(10.1.20.1/24)" "ANY" permit
set policy from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set flow tcp-mss 1350
```
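The reason the two MIPs above make overlapping 192.168.10.0/24 LANs reachable is that a MIP is a static, bidirectional one-to-one mapping: on the way out of tunnel.1 the Corporate firewall rewrites the *source* 192.168.10.x to 10.1.10.x, and on the way in the Remote firewall rewrites the *destination* 10.1.20.x to 192.168.10.x, so neither host ever sees an address that collides with its own subnet. The script below is an added example (not from the application note or from ScreenOS) that models that double translation with the two MIP definitions from the configurations above, and checks that the reply of a remote host lands back on the original corporate host with a consistent flow. The model treats the MIP as a plain offset mapping within the /24; that is an assumption about its semantics, not a ScreenOS API.

```python
import ipaddress
from typing import Tuple


class Mip:
    """Model of a ScreenOS MIP with a netmask: each host in the `mapped` range maps
    one-to-one (same host offset) onto the `real` range, in both directions.
    Assumed semantics for illustration; addresses outside the range pass unchanged."""

    def __init__(self, mapped: str, real: str, netmask: str):
        self.mapped = ipaddress.ip_network(f"{mapped}/{netmask}", strict=False)
        self.real = ipaddress.ip_network(f"{real}/{netmask}", strict=False)

    @staticmethod
    def _shift(addr: str, src_net, dst_net) -> ipaddress.IPv4Address:
        a = ipaddress.ip_address(addr)
        if a not in src_net:
            return a
        return dst_net.network_address + (int(a) - int(src_net.network_address))

    def to_real(self, addr: str) -> ipaddress.IPv4Address:
        """Destination translation on ingress: mapped address -> real host."""
        return self._shift(addr, self.mapped, self.real)

    def to_mapped(self, addr: str) -> ipaddress.IPv4Address:
        """Source translation on egress: real host -> mapped address."""
        return self._shift(addr, self.real, self.mapped)


# The two MIP definitions from the configurations above.
CORP_MIP = Mip("10.1.10.1", "192.168.10.1", "255.255.255.0")    # Corporate tunnel.1
REMOTE_MIP = Mip("10.1.20.1", "192.168.10.1", "255.255.255.0")  # Remote tunnel.1

Flow = Tuple[str, str]  # (source, destination)


def forward_path(corp_host: str, remote_mapped: str) -> Tuple[Flow, Flow]:
    """Corporate host -> remote host (addressed by its 10.1.20.x MIP address).
    Returns the flow as seen inside the tunnel and as seen on the Remote LAN."""
    in_tunnel = (str(CORP_MIP.to_mapped(corp_host)), remote_mapped)       # Corporate FW: source NAT
    on_remote_lan = (in_tunnel[0], str(REMOTE_MIP.to_real(remote_mapped)))  # Remote FW: destination NAT
    return in_tunnel, on_remote_lan


def reply_path(remote_host: str, corp_mapped: str) -> Tuple[Flow, Flow]:
    """Remote host's reply to a 10.1.10.x address, mirrored through both MIPs."""
    in_tunnel = (str(REMOTE_MIP.to_mapped(remote_host)), corp_mapped)   # Remote FW: source NAT
    on_corp_lan = (in_tunnel[0], str(CORP_MIP.to_real(corp_mapped)))    # Corporate FW: destination NAT
    return in_tunnel, on_corp_lan


def flow_is_symmetric(corp_host: str, remote_mapped: str) -> bool:
    """True if the reply the corporate host receives is the exact reverse of what it sent."""
    _, (seen_src, seen_dst) = forward_path(corp_host, remote_mapped)   # what the remote host sees
    _, (reply_src, reply_dst) = reply_path(seen_dst, seen_src)          # its reply, at the corporate host
    return (reply_src, reply_dst) == (remote_mapped, corp_host)


if __name__ == "__main__":
    # Constructed hosts: corporate 192.168.10.5 talks to remote 192.168.10.7 via 10.1.20.7
    print(forward_path("192.168.10.5", "10.1.20.7"))
    print(reply_path("192.168.10.7", "10.1.10.5"))
    print(flow_is_symmetric("192.168.10.5", "10.1.20.7"))
```

This also shows why the policies in the configuration reference `MIP(10.1.10.1/24)` rather than `local-net` as the destination for vpn-to-Trust traffic: the packet arriving from the tunnel still carries the mapped 10.1.10.x destination when the policy is evaluated.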
Policy based
Manual Key VPN
- Configuration Steps
- SSG-001 Configuration
```
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/3 ip 10.200.20.25/24
set interface ethernet0/3 manage-ip 10.200.20.21
set vpn "Test1" id 0x1 manual 1000 2000 gateway 10.200.20.26 outgoing-interface "ethernet0/3" esp 3des password 123 auth md5 password 123
set vpn "Test1" id 0x0 bind interface tunnel.1
set policy id 1 name "anyany" from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2 name "anyany-untrust" from "Untrust" to "Trust" "Any" "Any" "ANY" permit log
set route 192.168.2.1/32 interface tunnel.1 gateway 10.200.20.26
```
- SSG-002 Configuration
```
set interface ethernet0/0 ip 192.168.2.1/24
set interface ethernet0/3 ip 10.200.20.26/24
set interface loopback.1 ip 2.2.2.2/24
set interface ethernet0/3 manage-ip 10.200.20.22
set interface "ethernet0/0" mip 192.168.1.10 host 2.2.2.1 netmask 255.255.255.255 vr "trust-vr"
set vpn "test2" id 0x4 manual 2000 1000 gateway 10.200.20.25 outgoing-interface "ethernet0/3" esp 3des password 123 auth md5 password 123
set vpn "test2" id 0x0 bind interface tunnel.1
set policy id 1 name "anyany" from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 2 name "anyany-untrust" from "Untrust" to "Trust" "Any" "Any" "ANY" permit log
set route 192.168.1.1/32 interface tunnel.1 gateway 10.200.20.25
```
- Testing on SSG-002
Before adding the tunnel route:
```
LAB-SSG-002-> ping 192.168.1.1 from eth0/0
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 1 seconds from ethernet0/0
ip 192.168.1.1 is unreachable in vr trust-vr
Success Rate is 0 percent.
```
After adding the tunnel route:
```
LAB-SSG-002-> ping 192.168.1.1 from eth0/0
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 1 seconds from ethernet0/0
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=1/1/1 ms
```
- Verifying
- SSG-001
```
LAB-SSG-001-> get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000001<  10.200.20.26   500 esp:3des/md5  00001000  n/a   n/a M/-    -1 0
00000001>  10.200.20.26   500 esp:3des/md5  00002000  n/a   n/a M/-    -1 0
```
```
LAB-SSG-001-> get sa id 0x01
index 0, name Test1, peer gateway ip 10.200.20.26. vsys<Root>
  manual key. base node, tunnel mode, policy id in:<-1> out:<-1> vpngrp:<-1>. sa_list_nxt:<-1>.
  tunnel id 1, peer id -1, NSRP Local.  site-to-site.  Local interface is ethernet0/3 <10.200.20.25>.
  esp, group 0, 3des encryption, md5 authentication
  manual key monitor<0>, latency: 0, availability: 0
  DF bit: clear
  app_sa_flags: 0x3
  proxy id: local 0.0.0.0/0.0.0.0, remote 0.0.0.0/0.0.0.0, proto 0, port 0/0
  ike activity timestamp: 0
  DSCP-mark : disabled
  nat-traversal map not available
  incoming: SPI 00001000, flag 00004000, tunnel info 40000001, pipeline
    life 0 sec, expired, 0 kb, 0 bytes remain
    anti-replay off, idle timeout value <0>, idled 497 seconds
    next pak sequence number: 0x0
    bytes/paks:1280/10; sw bytes/paks:1280/10
  outgoing: SPI 00002000, flag 00000000, tunnel info 40000001, pipeline
    life 0 sec, expired, 0 kb, 0 bytes remain
    anti-replay off, idle timeout value <0>, idled 497 seconds
    next pak sequence number: 0xa
    bytes/paks:1280/10; sw bytes/paks:1280/10
```
```
LAB-SSG-001-> get ike cookie
IKEv1 SA -- Active: 0, Dead: 0, Total 0
IKEv2 SA -- Active: 0, Dead: 0, Total 0
```
```
LAB-SSG-001-> get route
IPv4 Dest-Routes for <trust-vr> (5 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*         3      10.200.20.0/24         eth0/3         0.0.0.0   C    0      0     Root
*         2      192.168.1.1/32         eth0/0         0.0.0.0   H    0      0     Root
*        11      192.168.2.1/32          tun.1    10.200.20.26   S   20      1     Root
*         1      192.168.1.0/24         eth0/0         0.0.0.0   C    0      0     Root
*         4     10.200.20.25/32         eth0/3         0.0.0.0   H    0      0     Root
```
```
LAB-SSG-001-> get vpn
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ---------------
Total Auto VPN: 0

Total Pure Transport Mode IPSEC VPN: 0

Name       Gateway         Interface       Lcl SPI  Rmt SPI  Algorithm        Monitor Tunnel ID
---------- --------------- --------------- -------- -------- ---------------- ------- ----------
Test1      10.200.20.26    eth0/3          00001000 00002000 esp: 3des/ md5   off     0x00000001
Total Manual VPN 1
```
- SSG-002
```
LAB-SSG-002-> get ike cookie
IKEv1 SA -- Active: 0, Dead: 0, Total 0
IKEv2 SA -- Active: 0, Dead: 0, Total 0
```
```
LAB-SSG-002-> get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000004<  10.200.20.25   500 esp:3des/md5  00002000  n/a   n/a M/-    -1 0
00000004>  10.200.20.25   500 esp:3des/md5  00001000  n/a   n/a M/-    -1 0
```
```
LAB-SSG-002-> get sa id 0x4
index 1, name test2, peer gateway ip 10.200.20.25. vsys<Root>
  manual key. base node, tunnel mode, policy id in:<-1> out:<-1> vpngrp:<-1>. sa_list_nxt:<-1>.
  tunnel id 4, peer id -1, NSRP Local.  site-to-site.  Local interface is ethernet0/3 <10.200.20.26>.
  esp, group 0, 3des encryption, md5 authentication
  manual key monitor<0>, latency: 0, availability: 0
  DF bit: clear
  app_sa_flags: 0x3
  proxy id: local 0.0.0.0/0.0.0.0, remote 0.0.0.0/0.0.0.0, proto 0, port 0
  ike activity timestamp: 0
  DSCP-mark : disabled
  nat-traversal map not available
  incoming: SPI 00002000, flag 00004000, tunnel info 40000004, pipeline
    life 0 sec, expired, 0 kb, 0 bytes remain
    anti-replay off, idle timeout value <0>, idled 721 seconds
    next pak sequence number: 0x0
    bytes/paks:1280/10; sw bytes/paks:1280/10
  outgoing: SPI 00001000, flag 00000000, tunnel info 40000004, pipeline
    life 0 sec, expired, 0 kb, 0 bytes remain
    anti-replay off, idle timeout value <0>, idled 721 seconds
    next pak sequence number: 0xa
    bytes/paks:1280/10; sw bytes/paks:1280/10
```
```
LAB-SSG-002-> get vpn
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ---------------
Total Auto VPN: 0

Name       Gateway         Interface       Lcl SPI  Rmt SPI  Algorithm        Monitor Tunnel ID
---------- --------------- --------------- -------- -------- ---------------- ------- ----------
test2      10.200.20.25    eth0/3          00002000 00001000 esp: 3des/ md5   off     0x00000004
Total Manual VPN 1
```
```
LAB-SSG-002-> get route
IPv4 Dest-Routes for <trust-vr> (6 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*         5      10.200.20.0/24         eth0/3         0.0.0.0   C    0      0     Root
*        22      192.168.1.1/32          tun.1    10.200.20.25   S   20      1     Root
*        19      192.168.2.1/32         eth0/0         0.0.0.0   H    0      0     Root
*        18      192.168.2.0/24         eth0/0         0.0.0.0   C    0      0     Root
*         6     10.200.20.26/32         eth0/3         0.0.0.0   H    0      0     Root
*        16          2.2.2.0/24     loopback.1         0.0.0.0   C    0      0     Root
```
```
LAB-SSG-002-> get session
alloc 2/max 128064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 128062
Total 0 sessions shown
```
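With manual keys there is no IKE negotiation to catch a mismatch, so the `get sa` tables on the two peers are the only place the SPI pairing is visible: SSG-001's inbound SPI (00001000) must be SSG-002's outbound SPI and vice versa, and both must use the same ESP algorithms, otherwise packets are silently dropped as unknown SPIs. The script below is an added example, not part of the lab: it parses both `get sa` tables (the two captures above, rewrapped one row per line) and cross-checks them, then does the same for a constructed SSG-002 table with a mistyped outbound SPI to show what a mismatch looks like.

```python
import re
from typing import Dict, List

# Lab output from above, one row per line.
SSG001_GET_SA = """\
LAB-SSG-001-> get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000001<  10.200.20.26   500 esp:3des/md5  00001000  n/a   n/a M/-    -1 0
00000001>  10.200.20.26   500 esp:3des/md5  00002000  n/a   n/a M/-    -1 0
"""

SSG002_GET_SA = """\
LAB-SSG-002-> get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000004<  10.200.20.25   500 esp:3des/md5  00002000  n/a   n/a M/-    -1 0
00000004>  10.200.20.25   500 esp:3des/md5  00001000  n/a   n/a M/-    -1 0
"""

# Constructed variant: SSG-002 configured with "manual 2000 3000" by mistake, so its
# outbound SPI no longer matches SSG-001's inbound SPI.
SSG002_MISTYPED = SSG002_GET_SA.replace("00000004>  10.200.20.25   500 esp:3des/md5  00001000",
                                        "00000004>  10.200.20.25   500 esp:3des/md5  00003000")

# hex id, direction marker (< inbound, > outbound), gateway, port, algorithm, SPI
SA_ROW = re.compile(r"^\s*([0-9A-Fa-f]{8})([<>])\s+(\S+)\s+(\d+)\s+(\S+)\s+([0-9A-Fa-f]{8})")


def parse_get_sa(text: str) -> List[Dict[str, str]]:
    """Return one dict per SA row of a ScreenOS `get sa` table."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            rows.append({"id": m[1].lower(), "dir": "in" if m[2] == "<" else "out",
                         "gateway": m[3], "port": m[4], "algorithm": m[5], "spi": m[6].lower()})
    return rows


def check_manual_key_pair(sa_a: str, sa_b: str) -> List[str]:
    """Cross-check two peers: A's inbound SPIs must equal B's outbound SPIs (and the
    reverse), and both sides must list the same ESP algorithms."""
    a, b = parse_get_sa(sa_a), parse_get_sa(sa_b)
    problems = []

    def spis(rows, direction):
        return {r["spi"] for r in rows if r["dir"] == direction}

    for label, inbound, outbound in (("A<-B", spis(a, "in"), spis(b, "out")),
                                     ("B<-A", spis(b, "in"), spis(a, "out"))):
        if inbound != outbound:
            problems.append(f"{label}: inbound SPIs {sorted(inbound)} do not match "
                            f"peer outbound SPIs {sorted(outbound)}")
    algs_a, algs_b = {r["algorithm"] for r in a}, {r["algorithm"] for r in b}
    if algs_a != algs_b:
        problems.append(f"algorithm mismatch: {sorted(algs_a)} vs {sorted(algs_b)}")
    return problems


if __name__ == "__main__":
    print("lab pair:", check_manual_key_pair(SSG001_GET_SA, SSG002_GET_SA) or "consistent")
    print("mistyped:", check_manual_key_pair(SSG001_GET_SA, SSG002_MISTYPED))
```

Because manual-key SAs never expire or renegotiate, this check is worth repeating whenever either side's `set vpn ... manual` line is touched; the `get sa id` output's `bytes/paks` counters are the only runtime confirmation that both directions are really decrypting.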
- References
- [1] www.bt.com/india