VPN Lab

From Network Security Wiki


Various VPN Lab scenarios are discussed below:


ScreenOS Site to Site VPN

Policy Based VPN

  • Steps Required
  1. Set Gateway
  2. Set Autokey IKE
  3. Set Policies with Action = Tunnel & select the tunnel name from drop-down.


  • Lab


FW1 (Responder):
  debug ike detail
  get config
  get sa
  get ike cookie
  get vpn

FW2 (Initiator):
  debug ike detail
  get config
  get sa
  get ike cookie
  get vpn


Packet Capture: Site to Site VPN.pcap

Route Based VPN

  • Steps Required for Route Based VPN in ScreenOS
  1. Create unnumbered tunnel interface
  2. Set Gateway
  3. Set Autokey IKE
  4. Set Proxy-ID (the tunnel interface will come up now)
  5. Set Policies
  6. Create static route pointing to the tunnel


Lab
        This section is under construction.


SRX Site to Site VPN


Dialup VPN

  • Steps Required
  1. Create Dial User Account
  2. Create Dial Up VPN Group
  3. Create the Phase 1 IKE Negotiation
  4. Select Dialup User Group
  5. Choose Mode (Initiator): Aggressive
  6. Enable NAT Traversal
  7. Create the Phase 2 IKE Negotiation
  8. Create Dial Up VPN Policy from Untrust to Trust with Source Address = Dial-Up VPN
  9. Place policy Position at Top


  • NCP-e Client configuration steps
  1. NCP Secure Entry Client Configuration
  2. Click on “Configuration” > “Add Profile” > “Link to Corporate Network Using IPSec”
  3. Enter Profile Name
  4. Choose “LAN (Over IP)”
  5. Give the “Gateway” IP and “XAuth” Username and Password
  6. XAuth can be unchecked as well depending on the XAuth Settings on the Firewall.
  7. Select the Mode as “Aggressive” and select the PFS Group
  8. Enter “Pre Shared Key” and the IKE identity. If you are using Email as the identity then select “Fully Qualified Username”
  9. Specify the IP that will be used as the Source IP by the client. If an IP Pool is chosen in the XAuth settings on the firewall, an IP from the IP Pool is assigned. Otherwise, you can define it manually on the client using the drop-down. If you choose “Local IP Address” and no IP Pool is defined in the firewall XAuth settings, the PC’s own IP is used as the Source IP. The profile is now created.
  10. By default the NCP client takes the remote side private IPs as 0.0.0.0/0, which means all traffic from the client will go to the firewall.
  11. Changing it affects the Untrust to Trust policy that we have to configure on the firewall. If only specific subnets need to be reachable, split tunneling must be defined.
  12. Click on Edit on the profile, go to “Split Tunneling” and add a network.
  13. The proposals can be chosen or modified in the “IPSec General Settings” when editing the profile.
  14. Click on “Policy Editor” to edit the IKE (Phase 1) and IPSec (Phase 2) proposals. One can also create new proposals.


  • Lab



NCP Profile
SSG1:
  debug ike detail
  get config
  get event
  get sa id
  get sa
  get ike cookie
  get vpn
Packet Capture

Dialup VPN with Xauth IP Pool

  • Steps Required
        This section is under construction.
  • NCP-e Client configuration steps
        This section is under construction.
  • Lab


NCP Profile
SSG1:
  debug ike detail
  get config
  get event
  get sa id
  get sa
  get ike cookie
  get vpn
Packet Capture


Dialup VPN with Xauth User

  • Steps Required
        This section is under construction.
  • NCP-e Client configuration steps
        This section is under construction.
  • Lab


NCP Profile
SSG1:
  debug ike detail
  get config
  get xauth active
  get sa id
  get sa
  get ike cookie
  get vpn
Packet Capture


Cisco VPN Configuration


NAT-Traversal

Source: m00nie.com

GNS3 was used to replicate this scenario.

Scenario
PC1
ip 10.1.1.2 10.1.1.1 24
PC2
ip 20.1.1.2 20.1.1.1 24
R1
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key SuperS3cure address 1.1.1.2
crypto isakmp keepalive 10 periodic

crypto ipsec transform-set MYTSETNAME esp-aes 256 esp-sha-hmac 

crypto map LEFTY 10 ipsec-isakmp 
 set peer 1.1.1.2
 set transform-set MYTSETNAME 
 match address 101

interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 crypto map LEFTY

interface Ethernet0/3
 ip address 10.1.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.1.1

access-list 101 permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255
R2
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly

interface Ethernet0/1
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly

ip route 10.1.1.0 255.255.255.0 192.168.1.2
ip route 20.1.1.0 255.255.255.0 1.1.1.2

ip nat inside source static 192.168.1.2 1.1.1.10
R3
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key SuperS3cure address 1.1.1.10
crypto isakmp keepalive 10 periodic

crypto ipsec transform-set MYTSETNAME esp-aes 256 esp-sha-hmac 

crypto map LEFTY 10 ipsec-isakmp 
 set peer 1.1.1.10
 set transform-set MYTSETNAME 
 match address 101

interface Ethernet0/1
 ip address 1.1.1.2 255.255.255.0
 crypto map LEFTY

interface Ethernet0/3
 ip address 20.1.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 1.1.1.1

access-list 101 permit ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
Verify
R3#sh crypto engine connections active 

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 Ethernet0/1          1.1.1.2         set    HMAC_SHA+AES_256_C        0        0
2001 Ethernet0/1          1.1.1.2         set    AES256+SHA                0       10
2002 Ethernet0/1          1.1.1.2         set    AES256+SHA                9        0

Debug: NAT Traversal

PCAP: Nat Traversal PCAP
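The reason R3's pre-shared key is bound to 1.1.1.10 rather than R1's real address is the static NAT on R2: R3 only ever sees R1 as 1.1.1.10. NAT Traversal lets both routers discover that translation during IKE Phase 1 by exchanging NAT-D hashes (RFC 3947), and then float IKE and ESP to UDP/4500. The following Python model of that detection is an added example, not code from the page or from m00nie.com; the ISAKMP cookies are constructed placeholders, the addresses are the lab's, and the choice of SHA-1 assumes the IOS default hash for an ISAKMP policy that does not set one.

```python
import hashlib
import ipaddress
import struct

# Constructed ISAKMP cookies standing in for the random initiator/responder
# cookies of a real exchange; placeholders, not values from the lab capture.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload value as defined in RFC 3947: HASH(CKY-I | CKY-R | IP | Port).
    HASH is the hash negotiated in the ISAKMP policy; SHA-1 is the IOS default
    when the policy does not set 'hash', as in the lab policy above (assumption)."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def nat_detected(claimed_ip, claimed_port, observed_ip, observed_port, cky_i, cky_r):
    """A peer sends a NAT-D hash over the address it believes it is using; the
    receiver recomputes the hash over the source address the packet actually
    arrived from. A mismatch means a NAT rewrote the address or port on the path."""
    sent = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    seen = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    return sent != seen


def lab_nat_detection():
    """Model the lab: R2 statically translates R1 (192.168.1.2) to 1.1.1.10, while
    R3 (1.1.1.2) is reached directly. Returns what each peer concludes."""
    # R1 hashes its real interface address; R3 sees the packet arrive from 1.1.1.10.
    r1_behind_nat = nat_detected("192.168.1.2", 500, "1.1.1.10", 500, CKY_I, CKY_R)
    # R3 hashes 1.1.1.2; R1 receives the packet from 1.1.1.2 unchanged.
    r3_behind_nat = nat_detected("1.1.1.2", 500, "1.1.1.2", 500, CKY_I, CKY_R)
    return {"R1_behind_nat": r1_behind_nat, "R3_behind_nat": r3_behind_nat}


def negotiated_transport(detection):
    """If either side is behind NAT, IKE floats to UDP/4500 and ESP is carried in
    UDP/4500 (NAT-T); otherwise IKE stays on UDP/500 and ESP is IP protocol 50."""
    if any(detection.values()):
        return {"ike_port": 4500, "esp": "udp/4500"}
    return {"ike_port": 500, "esp": "ip-proto-50"}


if __name__ == "__main__":
    result = lab_nat_detection()
    print(result)                       # R1 is behind NAT, R3 is not
    print(negotiated_transport(result))  # both move to UDP/4500
```

This is also what to look for in the NAT Traversal debug and PCAP linked above: the NAT-D payloads in Main Mode messages 3 and 4, followed by IKE and ESP switching to UDP port 4500. If a NAT sits between the peers but no port change to 4500 appears, NAT-T was not negotiated and ESP (protocol 50) will be dropped at the NAT.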


Dynamic Multipoint VPN with IPsec

        This section is under construction.

Hub and Spoke VPN

Policy based Hub and Spoke VPN

Source

Steps
        This section is under construction.
On the HUB
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/1" zone "Trust"
set interface ethernet0/2 ip 1.1.1.1/28
set interface ethernet0/2 route
set interface ethernet0/1 ip 192.168.1.1/24
set interface ethernet0/1 nat
set ike gateway "To_Spoke1" address 2.2.2.1 Main outgoing-interface "ethernet0/2" preshare "fjSqyy68N8azlRs6agCvZZSAnQnu7+kfxA==" sec-level standard
set ike gateway "To_Spoke2" address 3.3.3.1 Main outgoing-interface "ethernet0/2" preshare "rQBrqF8+NHPrEgsq/6Cwv/a1W6nR0fi1xw==" sec-level standard
set vpn "To_Spoke1" gateway "To_Spoke1" no-replay tunnel idletime 0 sec-level standard
set vpn "To_Spoke2" gateway "To_Spoke2" no-replay tunnel idletime 0 sec-level standard
set route 192.168.2.1/24 interface ethernet0/2 gateway 1.1.1.2
set route 192.168.3.1/24 interface ethernet0/2 gateway 1.1.1.2
For SPOKE2 to SPOKE1 connectivity
set policy id 16 from "Untrust" to "Trust" "192.168.3.0/24" "192.168.2.0/24" "ANY" tunnel vpn "To_Spoke2" log
set policy id 12 from "Trust" to "Untrust" "192.168.3.0/24" "192.168.2.0/24" "ANY" tunnel vpn "To_Spoke1" log
For SPOKE1 to SPOKE2 connectivity
set policy id 13 from "Untrust" to "Trust" "192.168.2.0/24" "192.168.3.0/24" "ANY" tunnel vpn "To_Spoke1" log
set policy id 17 from "Trust" to "Untrust" "192.168.2.0/24" "192.168.3.0/24" "ANY" tunnel vpn "To_Spoke2" log
For SPOKE1 to HUB connectivity
set policy id 7 from "Trust" to "Untrust" "192.168.1.0/24" "192.168.2.0/24" "ANY" tunnel vpn "To_Spoke1" log
set policy id 8 from "Untrust" to "Trust" "192.168.2.0/24" "192.168.1.0/24" "ANY" tunnel vpn "To_Spoke1" log
For SPOKE2 to HUB connectivity
        This section needs verification or testing!
set policy id 9 from "Trust" to "Untrust" "192.168.1.0/24" "192.168.3.0/24" "ANY" tunnel vpn "To_Spoke2" log
set policy id 10 from "Untrust" to "Trust" "192.168.3.0/24" "192.168.1.0/24" "ANY" tunnel vpn "To_Spoke2" log


On SPOKE1
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/2 ip 2.2.2.1/28
set interface "ethernet0/1" zone "Trust"
set interface ethernet0/1 ip 192.168.2.1/24
set interface ethernet0/1 nat
set ike gateway "To_HUB" address 1.1.1.1 Main outgoing-interface "ethernet0/2" preshare "/FCeHmVxND/MOpsvdjCDfCkvxxnloaaWcA==" sec-level standard
set vpn "To_HUB" gateway "To_HUB" no-replay tunnel idletime 0 sec-level standard
set route 192.168.1.0/24 interface ethernet0/2 gateway 2.2.2.2
set route 192.168.3.0/24 interface ethernet0/2 gateway 2.2.2.2
set policy id 3 from "Untrust" to "Trust" "192.168.3.0/24" "192.168.2.0/24" "ANY" tunnel vpn "To_HUB" id 0x4 pair-policy 4 log
set policy id 1 from "Trust" to "Untrust" "192.168.2.0/24" "192.168.1.0/24" "ANY" tunnel vpn "To_HUB" id 0x2 pair-policy 2 log
On SPOKE2
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/2 ip 3.3.3.1/28
set interface "ethernet0/1" zone "Trust"
set interface ethernet0/1 ip 192.168.3.1/24
set interface ethernet0/1 nat
set ike gateway "To_HUB" address 1.1.1.1 Main outgoing-interface "ethernet0/2" preshare "/FCeHmVxND/MOpsvdjCDfCkvxxnloaaWcA==" sec-level standard
set vpn "To_HUB" gateway "To_HUB" no-replay tunnel idletime 0 sec-level standard
set route 192.168.1.0/24 interface ethernet0/2 gateway 3.3.3.2
set route 192.168.2.0/24 interface ethernet0/2 gateway 3.3.3.2
set policy id 3 from "Untrust" to "Trust" "192.168.2.0/24" "192.168.3.0/24" "ANY" tunnel vpn "To_HUB" id 0x4 pair-policy 4 log
set policy id 1 from "Trust" to "Untrust" "192.168.3.0/24" "192.168.1.0/24" "ANY" tunnel vpn "To_HUB" id 0x2 pair-policy 2 log

Route based Hub and Spoke VPN

Steps
  1. Create the tunnel interface
  2. Define the IKE Gateway
  3. Define the VPN Tunnel
  4. Add Routes
  5. Configure policy to allow traffic between spokes


Configuration
Hub firewall
set zone name vpn
set interface tunnel.1 zone vpn
set interface tunnel.1 ip unnumbered interface ethernet0/2
set interface tunnel.2 zone vpn
set interface tunnel.2 ip unnumbered interface ethernet0/2
set ike gateway to-spoke1 address 1.1.1.2 main outgoing-interface ethernet0/2 preshare netscreen sec-level standard
set ike gateway to-spoke2 address 1.1.1.3 main outgoing-interface ethernet0/2 preshare netscreen sec-level standard
set vpn vpn-spoke1 gateway to-spoke1 sec-level standard
set vpn vpn-spoke1 bind interface tunnel.1
set vpn vpn-spoke2 gateway to-spoke2 sec-level standard
set vpn vpn-spoke2 bind interface tunnel.2
set route 172.16.2.0/24 interface tunnel.1
set route 172.16.3.0/24 interface tunnel.2
set policy from vpn to vpn "172.16.2.0/24" "172.16.3.0/24" any permit
set policy from vpn to vpn "172.16.3.0/24" "172.16.2.0/24" any permit
Spoke1
set zone name vpn
set interface tunnel.1 zone vpn
set interface tunnel.1 ip unnumbered interface ethernet0/0
set ike gateway to-hub address 1.1.1.1 main outgoing-interface ethernet0/0 preshare netscreen sec-level standard
set vpn vpn-spoke1 gateway to-hub sec-level standard
set vpn vpn-spoke1 bind interface tunnel.1
set route 172.16.1.0/24 interface tunnel.1
set route 172.16.3.0/24 interface tunnel.1
set policy from trust to vpn "172.16.2.0/24" "172.16.3.0/24" any permit
set policy from vpn to trust "172.16.3.0/24" "172.16.2.0/24" any permit
Spoke2
set zone name vpn
set interface tunnel.1 zone vpn
set interface tunnel.1 ip unnumbered interface ethernet0/0
set ike gateway to-hub address 1.1.1.1 main outgoing-interface ethernet0/0 preshare netscreen sec-level standard
set vpn vpn-spoke2 gateway to-hub sec-level standard
set vpn vpn-spoke2 bind interface tunnel.1
set route 172.16.1.0/24 interface tunnel.1
set route 172.16.2.0/24 interface tunnel.1
set policy from trust to vpn "172.16.2.0/24" "172.16.3.0/24" any permit
set policy from vpn to trust "172.16.3.0/24" "172.16.2.0/24" any permit


Redundant VPN

Source: help.fortinet.com

General configuration steps
  • A redundant configuration at each VPN peer includes:
  1. One Phase 1 configuration (virtual IPsec interface) for each path between the two peers. In a fully-meshed redundant configuration, each network interface on one peer can communicate with each network interface on the remote peer. If both peers have two public interfaces, for example, each peer has four paths.
  2. One Phase 2 definition for each Phase 1 configuration.
  3. One static route for each IPsec interface, with different distance values to prioritize the routes.
  4. Two Accept security policies per IPsec interface, one for each direction of traffic.
  5. Dead peer detection enabled in each Phase 1 definition.
  • The procedures in this section assume that two separate interfaces to the Internet are available on each VPN peer.
Configuring the VPN peers - route-based VPN
  • VPN peers are configured using Interface Mode for redundant tunnels.
  • Configure each VPN peer as follows:
  1. Ensure that the interfaces used in the VPN have static IP addresses.
  2. Create a Phase 1 configuration for each of the paths between the peers.
  3. Enable dead peer detection so that one of the other paths is activated if this path fails.

Primary and Backup VPN

Source: kb.juniper.net

Steps for configuring Primary and Backup VPN with Route Failover using IP-Monitoring
  • If the primary tunnel fails, traffic flows through the backup tunnel.
  • Route failover is achieved using IP-Monitoring.
  • To achieve redundancy between two route-based VPN tunnels, a numbered tunnel interface must be configured.
Solution
  1. Configure two route-based VPN tunnels (primary and backup) between two SRX devices.
  2. Configure ISP2 in a virtual routing-instance, and an RPM probe with the target address set to the ISP1 address (1.1.1.2) and the destination-interface set to the primary VPN's external interface.
  3. Configure IP-monitoring to match the RPM probe configured earlier, with a preferred route whose route address is the PC2 address and whose next-hop is the IP address of the backup tunnel on SRX2 (in this case, the IP address of st0.1 on SRX2). Configure the same on SRX2.
  4. When configuring IP-Monitoring on SRX2, configure the next-hop as the IP address of the backup tunnel on SRX1 (in this case, the IP address of st0.1 on SRX1).
                 |-----------------[ISP1]---------------|
                 |                                      |
[PC1]----------[FW1]                                  [FW2]------------[PC2]
                 |                                      |
                 |-----------------[ISP2]---------------|
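Both the Fortinet and the Juniper designs above come down to the same route-selection rule: two routes to the far LAN, one per tunnel, and a mechanism (dead peer detection withdrawing a dead interface's route, or an RPM probe failure installing an IP-monitoring preferred route) that changes which one wins. The following Python model of that selection is an added example, not configuration from either vendor's documentation; the prefixes, interface names (st0.0, st0.1, ge-0/0/0), next-hop addresses and preference values are constructed for the model.

```python
import ipaddress

# Constructed routing table modelled on the topology above: PC2's LAN is reached
# through the primary tunnel st0.0 by default; st0.1 is the backup tunnel.
# Tuple layout: (prefix, next-hop interface, next-hop address, preference).
# Lower preference wins (Fortinet "distance", Junos "preference"); all values assumed.
STATIC_ROUTES = [
    ("192.168.2.0/24", "st0.0", "10.10.10.2", 5),    # primary tunnel
    ("192.168.2.0/24", "st0.1", "10.10.20.2", 10),   # backup tunnel, worse preference
    ("0.0.0.0/0", "ge-0/0/0", "1.1.1.1", 5),         # default route to ISP1
]

# The IP-monitoring "preferred route" from the SRX procedure: it only exists in the
# table while the RPM probe towards ISP1 is failing, and it beats the static routes.
IP_MONITOR_PREFERRED_ROUTE = ("192.168.2.0/24", "st0.1", "10.10.20.2", 1)


def active_routes(static_routes, probe_ok, dead_interfaces=frozenset()):
    """Routes eligible for selection. DPD taking a tunnel interface down removes
    its routes (Fortinet model); a failed RPM probe adds the preferred route (SRX model)."""
    routes = [r for r in static_routes if r[1] not in dead_interfaces]
    if not probe_ok:
        routes.append(IP_MONITOR_PREFERRED_ROUTE)
    return routes


def select_route(routes, dst):
    """Longest-prefix match first, then lowest preference; None if nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst_ip in ipaddress.ip_network(r[0])]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen, r[3]))


def next_hop_for_pc2(probe_ok, dead_interfaces=frozenset()):
    """Which tunnel interface carries traffic to a host on PC2's LAN (constructed 192.168.2.10)."""
    route = select_route(active_routes(STATIC_ROUTES, probe_ok, dead_interfaces), "192.168.2.10")
    return route[1] if route else None


if __name__ == "__main__":
    print("probe ok, all tunnels up:", next_hop_for_pc2(True))                       # st0.0
    print("RPM probe to ISP1 failing:", next_hop_for_pc2(False))                      # st0.1
    print("DPD declared st0.0 dead:", next_hop_for_pc2(True, frozenset({"st0.0"})))  # st0.1
```

The model also shows why the Juniper note insists on a numbered tunnel interface: the preferred route needs a next-hop address on the backup tunnel (st0.1) to point at, which an unnumbered interface cannot supply. On a real device, verify the same transitions with the routing table (for example `get route` on ScreenOS or `show route` on SRX) before and after pulling the primary ISP link.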

Overlapping Subnet VPN [1]

Route based

Configuration Steps
  1. Internal LAN interface for both sites will be ethernet0/0 in zone “trust” and will have private IP 192.168.10.1/24.
  2. Internet interface for both sites will be ethernet0/3 in zone “untrust” and will each have a unique public IP.
  3. Tunnel interface tunnel.1 will be in zone “vpn” on both sites to allow for configuring unique policies specifically for tunnel (encrypted) traffic while maintaining unique policies for clear (non-encrypted) traffic.
  4. The address range to reach Remote side hosts from Corporate side is 10.1.20.0/24.
  5. The address range to reach Corporate side hosts from Remote side is 10.1.10.0/24
  6. All traffic between the Corporate and Remote LANs is to be permitted, and traffic may be initiated from either side.
  7. Basic non-VPN settings such as system settings, user login, and default security settings are already pre-configured on both devices.


Basic Steps to Configure
  1. Configure the “vpn” security zone. “Trust” and “Untrust” zones are predefined.
  2. Configure IP addresses for interfaces ethernet0/0 and ethernet0/3. Bind the interfaces to the “Trust” and “Untrust” zones respectively.
  3. Create tunnel.1 interface and bind to “vpn” zone.
  4. Configure MIP for the tunnel interface.
  5. Configure default route to Internet next-hop and also a static route for the Remote site LAN. Optionally you can use a dynamic routing protocol such as OSPF instead but that is beyond the scope of this application note.
  6. Configure address book entries for “Trust” and “vpn” zones. This will be necessary for the security policies.
  7. Configure phase-1 (IKE) and phase-2 (VPN) proposals.
  8. Configure IKE gateway profile referencing the phase-1 proposal from step 7.
  9. Configure VPN profile referencing IKE gateway from step 8 and phase-2 proposal from step 7. Then bind interface tunnel.1 to the VPN.
  10. Configure security policy to permit Corporate site LAN to Remote site LAN using the address book entries created in step 6.
  11. Configure security policy to permit Remote site LAN traffic to Corporate site LAN using address book entry from step 6 with destination address as the MIP.
  12. Configure outgoing “Trust” to “Untrust” permit all policy with interface source NAT for Internet traffic.
  13. Configure tcp-mss for IPSec traffic to eliminate the possibility of fragmented TCP traffic. This will lessen the resource utilization on the device.


Corporate Site
set zone name "vpn" vrouter “trust-vr”
set interface ethernet0/0 zone "Trust"
set interface ethernet0/0 ip 192.168.10.1/24
set interface ethernet0/0 nat
set interface ethernet0/3 zone "Untrust"
set interface ethernet0/3 ip 1.1.1.2/30
set interface ethernet0/3 route
set interface tunnel.1 zone "vpn"
set interface tunnel.1 ip 10.1.10.1/24
set interface tunnel.1 mip 10.1.10.1 host 192.168.10.1 netmask 255.255.255.0 vrouter “trust-vr”
set route 0.0.0.0/0 interface ethernet0/3 gateway 1.1.1.1
set route 10.1.20.0/24 interface tunnel.1
set address "Trust" "local-net" 192.168.10.0 255.255.255.0
set address "vpn" "remote-net" 10.1.20.0 255.255.255.0
set ike p1-proposal "ike-proposal1" preshare group2 esp 3des sha-1
set ike p2-proposal "vpn-proposal1" group2 esp 3des sha-1
set ike gateway "remote-ike" address 2.2.2.2 Main outgoing-interface ethernet0/3 preshare "secretkey" proposal "ike-proposal1"
set vpn "remote-vpn" gateway "remote-ike" proposal "vpn-proposal1"
set vpn "remote-vpn" bind interface tunnel.1
set policy from "Trust" to "vpn" "local-net" "remote-net" "ANY" permit
set policy from "vpn" to "Trust" "remote-net" "MIP(10.1.10.1/24)" "ANY" permit
set policy from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set flow tcp-mss 1350


Remote Site Configuration
set zone name "vpn" vrouter “trust-vr”
set interface ethernet0/0 zone "Trust"
set interface ethernet0/0 ip 192.168.10.1/24
set interface ethernet0/0 nat
set interface ethernet0/3 zone "Untrust"
set interface ethernet0/3 ip 2.2.2.2/30
set interface ethernet0/3 route
set interface tunnel.1 zone "vpn"
set interface tunnel.1 ip 10.1.20.1/24
set interface tunnel.1 mip 10.1.20.1 host 192.168.10.1 netmask 255.255.255.0 vrouter “trust-vr”
set route 0.0.0.0/0 interface ethernet0/3 gateway 2.2.2.1
set route 10.1.10.0/24 interface tunnel.1
set address "Trust" "local-net" 192.168.10.0 255.255.255.0
set address "vpn" "corporate-net" 10.1.10.0 255.255.255.0
set ike p1-proposal "ike-proposal1" preshare group2 esp 3des sha-1
set ike p2-proposal "vpn-proposal1" group2 esp 3des sha-1
set ike gateway "corporate-ike" address 1.1.1.2 Main outgoing-interface ethernet0/3 preshare "secretkey" proposal "ike-proposal1"
set vpn "corporate-vpn" gateway "corporate-ike" proposal "vpn-proposal1"
set vpn "corporate-vpn" bind interface tunnel.1
set policy from "Trust" to "vpn" "local-net" "corporate-net" "ANY" permit
set policy from "vpn" to "Trust" "corporate-net" "MIP(10.1.20.1/24)" "ANY" permit
set policy from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set flow tcp-mss 1350
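The part of this design that is easy to get wrong is the address translation: both LANs are 192.168.10.0/24, so each site addresses the other through the MIP range on tunnel.1 (10.1.20.0/24 to reach Remote, 10.1.10.0/24 to reach Corporate), and the MIP translates both the source of outbound tunnel traffic and the destination of inbound tunnel traffic. The following Python model of one request and its reply is an added example, not code from the application note or from Juniper; it assumes the 1:1 network-to-network mapping the two `mip ... netmask 255.255.255.0` lines define and the host addresses 192.168.10.5 and 192.168.10.7 are constructed.

```python
import ipaddress

# Constructed model of the two sites from the configuration above. Both LANs are
# 192.168.10.0/24; each site exposes its LAN to the other through the MIP range
# configured on tunnel.1 (10.1.10.0/24 at Corporate, 10.1.20.0/24 at Remote).
CORPORATE = {
    "name": "Corporate",
    "lan": ipaddress.ip_network("192.168.10.0/24"),
    "mip": ipaddress.ip_network("10.1.10.0/24"),  # mip 10.1.10.1 host 192.168.10.1 netmask /24
}
REMOTE = {
    "name": "Remote",
    "lan": ipaddress.ip_network("192.168.10.0/24"),
    "mip": ipaddress.ip_network("10.1.20.0/24"),  # mip 10.1.20.1 host 192.168.10.1 netmask /24
}


def _offset(addr, net):
    """Host part of addr relative to the start of net."""
    return int(addr) - int(net.network_address)


def mip_outbound(site, src):
    """A LAN host leaving through tunnel.1 is seen by the far side at its MIP twin
    (the /24 MIP is a 1:1 mapping that ScreenOS applies in both directions)."""
    src = ipaddress.ip_address(src)
    if src not in site["lan"]:
        raise ValueError(f"{src} is not on the {site['name']} LAN")
    return site["mip"].network_address + _offset(src, site["lan"])


def mip_inbound(site, dst):
    """A packet arriving on tunnel.1 for a MIP address is delivered to the real LAN host."""
    dst = ipaddress.ip_address(dst)
    if dst not in site["mip"]:
        raise ValueError(f"{dst} is not a MIP address at {site['name']}")
    return site["lan"].network_address + _offset(dst, site["mip"])


def reachable_via_tunnel(site, dst):
    """A destination inside the local LAN range never reaches tunnel.1; that is why
    hosts must address the far site by its MIP range, not by the overlapping real subnet."""
    return ipaddress.ip_address(dst) not in site["lan"]


def forward(src_site, dst_site, src, dst):
    """Carry one packet across the tunnel; returns (src, dst) as delivered on the far LAN."""
    if not reachable_via_tunnel(src_site, dst):
        raise ValueError(f"{dst} is routed locally at {src_site['name']}, not through the VPN")
    return str(mip_outbound(src_site, src)), str(mip_inbound(dst_site, dst))


def round_trip(corporate_host, remote_mip_target):
    """Request from a Corporate host to a Remote MIP address, and the reply back."""
    req_src, req_dst = forward(CORPORATE, REMOTE, corporate_host, remote_mip_target)
    # The Remote host answers the translated source it saw (10.1.10.x), which is
    # routed via tunnel.1 and translated back to the real Corporate host on arrival.
    rep_src, rep_dst = forward(REMOTE, CORPORATE, req_dst, req_src)
    return {"request_at_remote": (req_src, req_dst), "reply_at_corporate": (rep_src, rep_dst)}


if __name__ == "__main__":
    print(round_trip("192.168.10.5", "10.1.20.7"))
    print("192.168.10.7 reachable from Corporate via tunnel?",
          reachable_via_tunnel(CORPORATE, "192.168.10.7"))  # False: it is a local address
```

The two `set policy from "vpn" to "Trust" ... "MIP(...)"` lines correspond to `mip_inbound`: inbound tunnel traffic is matched against the MIP address, not the real host address. When a host on one LAN tries the far host's real 192.168.10.x address instead of the MIP address, the packet is delivered locally (or dropped) and never enters the tunnel, which is the first thing to check when a user reports that only some destinations work.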


Policy based

        This section is under construction.

Manual Key VPN

Packet Capture: Manual Kay VPN.pcap

Configuration Steps
        This section is under construction.
SSG-001 Configuration
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/3 ip 10.200.20.25/24
set interface ethernet0/3 manage-ip 10.200.20.21
set vpn "Test1" id 0x1 manual 1000 2000 gateway 10.200.20.26 outgoing-interface "ethernet0/3"  esp 3des password 123 auth md5 password 123
set vpn "Test1" id 0x0 bind interface tunnel.1
set policy id 1 name "anyany" from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
set policy id 2 name "anyany-untrust" from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log 
set route 192.168.2.1/32 interface tunnel.1 gateway 10.200.20.26
SSG-002 Configuration
set interface ethernet0/0 ip 192.168.2.1/24
set interface ethernet0/3 ip 10.200.20.26/24
set interface loopback.1 ip 2.2.2.2/24
set interface ethernet0/3 manage-ip 10.200.20.22
set interface "ethernet0/0" mip 192.168.1.10 host 2.2.2.1 netmask 255.255.255.255 vr "trust-vr"
set vpn "test2" id 0x4 manual 2000 1000 gateway 10.200.20.25 outgoing-interface "ethernet0/3"  esp 3des password 123 auth md5 password 123
set vpn "test2" id 0x0 bind interface tunnel.1
set policy id 1 name "anyany" from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log 
set policy id 2 name "anyany-untrust" from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log 
set route 192.168.1.1/32 interface tunnel.1 gateway 10.200.20.25
Testing on SSG-002

Before adding Tunnel Route:

LAB-SSG-002-> ping 192.168.1.1 from eth0/0
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 1 seconds from ethernet0/0
ip 192.168.1.1 is unreachable in vr trust-vr

Success Rate is 0 percent.

After adding Tunnel Route:

LAB-SSG-002-> ping 192.168.1.1 from eth0/0
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 1 seconds from ethernet0/0
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=1/1/1 ms
Verifying
SSG-001
LAB-SSG-001-> get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000001<    10.200.20.26  500 esp:3des/md5  00001000   n/a   n/a M/-    -1 0
00000001>    10.200.20.26  500 esp:3des/md5  00002000   n/a   n/a M/-    -1 0
LAB-SSG-001-> get sa id 0x01
index 0, name Test1, peer gateway ip 10.200.20.26. vsys<Root>
manual key. base node, tunnel mode, policy id in:<-1> out:<-1> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 1, peer id -1, NSRP Local.     site-to-site. Local interface is ethernet0/3 <10.200.20.25>.
  esp, group 0, 3des encryption, md5  authentication
  manual key
  monitor<0>, latency: 0, availability: 0
  DF bit: clear
  app_sa_flags: 0x3
  proxy id: local 0.0.0.0/0.0.0.0, remote 0.0.0.0/0.0.0.0, proto 0, port 0/0
  ike activity timestamp: 0
  DSCP-mark : disabled
nat-traversal map not available
incoming: SPI 00001000, flag 00004000, tunnel info 40000001, pipeline
  life 0 sec, expired, 0 kb, 0 bytes remain
  anti-replay off, idle timeout value <0>, idled 497 seconds
  next pak sequence number: 0x0
  bytes/paks:1280/10; sw bytes/paks:1280/10
outgoing: SPI 00002000, flag 00000000, tunnel info 40000001, pipeline
  life 0 sec, expired, 0 kb, 0 bytes remain
  anti-replay off, idle timeout value <0>, idled 497 seconds
  next pak sequence number: 0xa
  bytes/paks:1280/10; sw bytes/paks:1280/10
LAB-SSG-001-> get ike cookie 

IKEv1 SA -- Active: 0, Dead: 0, Total 0


IKEv2 SA -- Active: 0, Dead: 0, Total 0

LAB-SSG-001-> get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000001<    10.200.20.26  500 esp:3des/md5  00001000   n/a   n/a M/-    -1 0
00000001>    10.200.20.26  500 esp:3des/md5  00002000   n/a   n/a M/-    -1 0
LAB-SSG-001-> get route

IPv4 Dest-Routes for <trust-vr> (5 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*         3     10.200.20.0/24         eth0/3         0.0.0.0   C    0      0     Root
*         2     192.168.1.1/32         eth0/0         0.0.0.0   H    0      0     Root
*        11     192.168.2.1/32          tun.1    10.200.20.26   S   20      1     Root
*         1     192.168.1.0/24         eth0/0         0.0.0.0   C    0      0     Root
*         4    10.200.20.25/32         eth0/3         0.0.0.0   H    0      0     Root

LAB-SSG-001-> get vpn
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface 
--------------- --------------- ---- ----- -------------------- ------- ------- ---------------
  Total Auto VPN: 0
  Total Pure Transport Mode IPSEC VPN: 0

Name       Gateway         Interface       Lcl SPI  Rmt SPI  Algorithm        Monitor Tunnel ID 
---------- --------------- --------------- -------- -------- ---------------- ------- ----------
Test1      10.200.20.26    eth0/3          00001000 00002000 esp:  3des/  md5     off 0x00000001
Total Manual VPN 1
SSG-002
 
LAB-SSG-002-> get ike cookie

IKEv1 SA -- Active: 0, Dead: 0, Total 0


IKEv2 SA -- Active: 0, Dead: 0, Total 0

 
LAB-SSG-002-> get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000004<    10.200.20.25  500 esp:3des/md5  00002000   n/a   n/a M/-    -1 0
00000004>    10.200.20.25  500 esp:3des/md5  00001000   n/a   n/a M/-    -1 0
 
LAB-SSG-002-> get sa id 0x4
index 1, name test2, peer gateway ip 10.200.20.25. vsys<Root>
manual key. base node, tunnel mode, policy id in:<-1> out:<-1> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 4, peer id -1, NSRP Local.     site-to-site. Local interface is ethernet0/3 <10.200.20.26>.
  esp, group 0, 3des encryption, md5  authentication
  manual key
  monitor<0>, latency: 0, availability: 0
  DF bit: clear
  app_sa_flags: 0x3
  proxy id: local 0.0.0.0/0.0.0.0, remote 0.0.0.0/0.0.0.0, proto 0, port 0
  ike activity timestamp: 0
  DSCP-mark : disabled
nat-traversal map not available
incoming: SPI 00002000, flag 00004000, tunnel info 40000004, pipeline
  life 0 sec, expired, 0 kb, 0 bytes remain
  anti-replay off, idle timeout value <0>, idled 721 seconds
  next pak sequence number: 0x0
  bytes/paks:1280/10; sw bytes/paks:1280/10
outgoing: SPI 00001000, flag 00000000, tunnel info 40000004, pipeline
  life 0 sec, expired, 0 kb, 0 bytes remain
  anti-replay off, idle timeout value <0>, idled 721 seconds
  next pak sequence number: 0xa
  bytes/paks:1280/10; sw bytes/paks:1280/10
 
LAB-SSG-002-> get vpn
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface 
--------------- --------------- ---- ----- -------------------- ------- ------- ---------------
  Total Auto VPN: 0

Name       Gateway         Interface       Lcl SPI  Rmt SPI  Algorithm        Monitor Tunnel ID 
---------- --------------- --------------- -------- -------- ---------------- ------- ----------
test2      10.200.20.25    eth0/3          00002000 00001000 esp:  3des/  md5     off 0x00000004
Total Manual VPN 1
 
LAB-SSG-002-> get route

IPv4 Dest-Routes for <trust-vr> (6 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*         5     10.200.20.0/24         eth0/3         0.0.0.0   C    0      0     Root
*        22     192.168.1.1/32          tun.1    10.200.20.25   S   20      1     Root
*        19     192.168.2.1/32         eth0/0         0.0.0.0   H    0      0     Root
*        18     192.168.2.0/24         eth0/0         0.0.0.0   C    0      0     Root
*         6    10.200.20.26/32         eth0/3         0.0.0.0   H    0      0     Root
*        16         2.2.2.0/24     loopback.1         0.0.0.0   C    0      0     Root

 
LAB-SSG-002-> get session
alloc 2/max 128064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 128062
Total 0 sessions shown
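With manual keys there is no IKE to negotiate or report errors, which the empty `get ike cookie` output above confirms, so the `get sa` tables on the two SSGs are the main evidence that the tunnel is wired correctly: SSG-001's inbound SPI 0x1000 must be SSG-002's outbound SPI and SSG-001's outbound SPI 0x2000 must be SSG-002's inbound SPI, with the same algorithms and each pointing at the other's gateway address. The following Python checker is an added example, not a tool from the page or from Juniper; it embeds the two `get sa` tables captured above as constructed sample input and also runs a constructed failure case in which one side's outbound SPI is mistyped.

```python
import re

# Constructed from the 'get sa' output captured above on SSG-001 and SSG-002.
SSG001_GET_SA = """\
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000001<    10.200.20.26  500 esp:3des/md5  00001000   n/a   n/a M/-    -1 0
00000001>    10.200.20.26  500 esp:3des/md5  00002000   n/a   n/a M/-    -1 0
"""

SSG002_GET_SA = """\
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000004<    10.200.20.25  500 esp:3des/md5  00002000   n/a   n/a M/-    -1 0
00000004>    10.200.20.25  500 esp:3des/md5  00001000   n/a   n/a M/-    -1 0
"""

# First column is the tunnel id followed by '<' (inbound SA) or '>' (outbound SA).
ROW_ID = re.compile(r"^([0-9A-Fa-f]{8})([<>])$")


def parse_get_sa(text):
    """Turn the 'get sa' table into a list of dicts, skipping header and summary lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue
        m = ROW_ID.match(fields[0])
        if not m:
            continue
        rows.append({
            "id": int(m.group(1), 16),
            "direction": "in" if m.group(2) == "<" else "out",
            "gateway": fields[1],
            "port": int(fields[2]),
            "algorithm": fields[3],
            "spi": int(fields[4], 16),
            "state": fields[7],          # 'M/-' marks a manual-key SA
        })
    return rows


def check_manual_key_pair(local, peer, local_addr, peer_addr):
    """Cross-check two manual-key endpoints; an empty list means they are consistent."""
    findings = []
    for rows, name, expect_gw in ((local, "local", peer_addr), (peer, "peer", local_addr)):
        for r in rows:
            if r["gateway"] != expect_gw:
                findings.append(f"{name} SA {r['id']:#x} points at {r['gateway']}, expected {expect_gw}")
            if not r["state"].startswith("M"):
                findings.append(f"{name} SA {r['id']:#x} is not a manual-key SA (state {r['state']})")
    # Each local inbound SPI must be a peer outbound SPI and vice versa, same algorithm.
    for a_dir, b_dir in (("in", "out"), ("out", "in")):
        for a in (r for r in local if r["direction"] == a_dir):
            twins = [b for b in peer if b["direction"] == b_dir and b["spi"] == a["spi"]]
            if not twins:
                findings.append(f"local {a_dir}bound SPI {a['spi']:#x} has no matching peer {b_dir}bound SA")
            elif twins[0]["algorithm"] != a["algorithm"]:
                findings.append(f"SPI {a['spi']:#x}: algorithm {a['algorithm']} vs peer {twins[0]['algorithm']}")
    return findings


def lab_check():
    """The lab as captured: SSG-001 is 10.200.20.25, SSG-002 is 10.200.20.26."""
    return check_manual_key_pair(parse_get_sa(SSG001_GET_SA), parse_get_sa(SSG002_GET_SA),
                                 "10.200.20.25", "10.200.20.26")


def mismatch_demo():
    """Constructed failure: SSG-002 configured with outbound SPI 0x3000 instead of 0x1000."""
    broken = SSG002_GET_SA.replace("00001000", "00003000")
    return check_manual_key_pair(parse_get_sa(SSG001_GET_SA), parse_get_sa(broken),
                                 "10.200.20.25", "10.200.20.26")


if __name__ == "__main__":
    print("lab:", lab_check() or "SPIs, algorithms and gateways consistent")
    print("mismatch:", mismatch_demo())
```

The SPI check catches the classic manual-key mistake of entering the SPIs in the same order on both ends instead of swapped. What `get sa` cannot show is whether the two sides share the same ESP and authentication keys: a key mismatch leaves every SA line looking healthy while the `get sa id` counters show packets leaving one side (`bytes/paks` on the outgoing SA) and being discarded on the other, so compare the outgoing counters on one SSG with the incoming counters on its peer after a ping test.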




References
  1. www.bt.com/india

