IPSec Site-to-Site VPN Test Plan

Author: Laxmanagouda Patil

                +----+  140.1.1.0/24  +----+  150.1.1.0/24   +----+
  Head Office   | R1 |----------------| R2 |-----------------| R3 |   Branch Office
                +----+ dp0s9    dp0s3 +----+ dp0s8     dp0s8 +----+
         dp0s3 /       <========= IPSEC VPN Tunnel ========>       \ dp0s3
              /                                                     \
             / 10.1.1.0/24                                           \ 172.16.1.0/24
            /                                                         \
       +------+                                                    +------+
       | LAN1 |                                                    | LAN2 |
       +------+                                                    +------+

Test Cases

dan-ipsec_01 - Launch, installation and validation of DANOS software on Ubuntu (18.04) and a KVM-based hypervisor

Test Purpose:

The purpose of this test is to validate the installation of DANOS software on KVM-based VMs

Test Setup:

 As per the diagram Topology1: DANOS-IPSec

Prerequisites:

  · VM launched on top of an x86 server with the configuration below

      o Ubuntu 18.04 LTS with 4 GB RAM and an 8 GB hard disk

      o Supported NICs (4 interfaces)

  · KVM Virt-Manager

Procedure:

  1. Launch the VM using the DANOS image with the configuration mentioned above

  2. Once the VM boots and drops into a shell, install DANOS using “install image”

  3. At the username/password prompt, type “vyatta”

  4. After step 3, reboot the VM once again

Expected Results:

  1. After step 4, DANOS VNF console should be accessible.

dan-ipsec_02 - Test case to bring up and validate site-to-site IPSec tunnel

Test Purpose:

The purpose of this test is to emulate Head-Office to Branch-office connectivity using two VMs connected behind the router

Test Setup:

As per diagram Topology1: DANOS-IPSec

Prerequisites:

  1. 3 VMs with DANOS image UP and Running

Procedure:

  1. Configure R1 and R3 with WAN/LAN IP addresses. Configure R2 with the corresponding IP addresses. Check the direct connectivity between R1/R2 and R2/R3

  2. Configure OSPF between R1/R2 and R3 to establish layer-3 reachability from R1 to R3 via R2

  3. On R1 and R3, configure IPSec parameters for the ESP-group and IKE-group with the “encryption” and “hash” protocols, along with the IKE version type to be used

  4. On R1 and R3, configure the IPSec site-to-site configuration with local and remote peer IP, authentication mode/pre-shared-key, and tunnel interface with local/remote prefix for the intended data traffic

  5. Verify that the IPSec and IKE tunnel is UP using show commands

  6. Send end-to-end traffic and validate that flows are getting encrypted/decrypted at the tunnel source/destination end respectively

Expected Results:

  1. After step 5, the IPSec tunnel should be up between R1 and R3

  2. After step 6, traffic should be encrypted/decrypted between R1 and R3
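
One way to check step 6 and the second expected result from a capture taken on the transit router R2, as an added example that is not part of the original test plan: ESP packets between the WAN subnets count as protected traffic, and any packet carrying a LAN1 or LAN2 address counts as a cleartext leak. The subnets are those in the topology diagram; the function names, host addresses and packet bytes are constructed for illustration.

```python
import ipaddress
import struct

# Subnets from the topology diagram; host addresses in SAMPLES are constructed.
LANS = [ipaddress.ip_network(n) for n in ("10.1.1.0/24", "172.16.1.0/24")]
WANS = [ipaddress.ip_network(n) for n in ("140.1.1.0/24", "150.1.1.0/24")]

def classify(pkt: bytes):
    """Classify one raw IPv4 packet seen on R2; returns (verdict, ESP SPI or None)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("malformed", None)
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8:
        return ("malformed", None)
    proto = pkt[9]
    src, dst = ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])
    # Inner LAN addresses must never be visible on the transit links.
    if any(a in n for a in (src, dst) for n in LANS):
        return ("cleartext-leak", None)
    on_wan = all(any(a in n for n in WANS) for a in (src, dst))
    if on_wan and proto == 50:  # ESP: the SPI is the first 4 bytes after the IP header
        return ("esp", struct.unpack("!I", pkt[ihl:ihl + 4])[0])
    if on_wan and proto == 17:  # UDP: IKE uses port 500 (4500 with NAT traversal)
        if {500, 4500} & set(struct.unpack("!HH", pkt[ihl:ihl + 4])):
            return ("ike", None)
    return ("other", None)

def summarize(packets):
    """Count verdicts and collect distinct ESP SPIs (a rekey shows up as new SPIs)."""
    counts, spis = {}, set()
    for pkt in packets:
        verdict, spi = classify(pkt)
        counts[verdict] = counts.get(verdict, 0) + 1
        if spi is not None:
            spis.add(spi)
    return counts, spis

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (checksum left at 0) for the constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload

SAMPLES = [  # constructed capture: two ESP packets, one IKE packet, one leaked ICMP echo
    ipv4("140.1.1.1", "150.1.1.2", 50, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16),
    ipv4("150.1.1.2", "140.1.1.1", 50, struct.pack("!II", 0xC0FFEE02, 1) + b"\x00" * 16),
    ipv4("140.1.1.1", "150.1.1.2", 17, struct.pack("!HHHH", 500, 500, 8, 0)),
    ipv4("10.1.1.10", "172.16.1.10", 1, b"\x08\x00" + b"\x00" * 6),
]
```

A passing run of the test case has a non-zero "esp" count and no "cleartext-leak" entries; the last constructed sample is included only to show what a failure looks like.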

dan-ipsec_03 - Test case to validate IPSec tunnel is able to re-establish after reset

Test Purpose:

The purpose of this test is to verify connectivity between two VMs over the tunnel

Test Setup:

As per diagram Topology1: DANOS-IPSec

Prerequisites:

  1. 3 VMs with DANOS image UP and Running

Procedure:

  1. Bring up the IPSec tunnel as mentioned in test case 2

  2. Keep the traffic flowing from R1 to R3

  3. Reset the IPSec tunnel using the command below

      o “reset vpn ipsec-peer” on router R3

  4. Validate the tunnel status and traffic between peers

Expected Results:

  1. After step 3, tunnel status on R1 and R3 should go down and come back

  2. After step 4, traffic should be stopped; there should not be any encryption/decryption of traffic

  3. Once the tunnel gets re-established, traffic should start flowing again

dan-ipsec_04 - Validate IPSec tunnel is able to re-establish tunnel after lifetime expires

Test Purpose:

Test case to validate IPSec tunnel re-establishment after lifetime expiry

Test Setup:

As per diagram Topology1: DANOS-IPSec

Prerequisites:

  1. 3 VMs with DANOS image UP and Running

Procedure:

  1. Bring up the IPSec tunnel between R1 and R3. Configure the IPSec lifetime on R3 for 60 seconds

  2. Start tunnel-interested traffic from R1 to R3

  3. Validate tunnel status and traffic after the lifetime expires

Expected Results:

  1. After step 3, the tunnel should re-establish after the lifetime expires

  2. Traffic should restart flowing between R1 and R3

dan-ipsec_05 - Validate IPSec tunnel is able to recreate tunnel after change in ESP encryption parameters

Test Purpose:

Test case to validate tunnel re-establishment after change in ESP parameters

Test Setup:

As per the diagram Topology1: DANOS-IPSec

Prerequisites:

  1. 3 VMs with DANOS image UP and Running

  2. IPSec tunnel UP and Running between R1 and R3 with ESP param set to “aes128gcm128”

Procedure:

  1. Start interested traffic from R3 towards R1

  2. Change ESP parameter to “aes256” on router R1

  3. Run the reset vpn command on R1

  4. Validate tunnels status and traffic

Expected Results:

  1. After step 3, the tunnel should be down between R1 and R3. Traffic should also be stopped

dan-ipsec_06 - Validate IPSec tunnel is able to recreate tunnel after change in IKE hash parameters

Test Purpose:

Test case to validate tunnel reestablishment after change in IKE HASH parameters

Test Setup:

As per diagram Topology1: DANOS-IPSec

Prerequisites:

  1. 3 VMs with DANOS image UP and Running

  2. IPSec tunnel UP and Running between R1 and R3 with ESP param set to “sha1_160”

Procedure:

  1. Start interested traffic from R3 towards R1

  2. Change ESP parameter to “sha2_512” on router R1

  3. Run the reset vpn command on R1

  4. Validate tunnels status and traffic

Expected Results:

  1. After step 3, the tunnel should be down between R1 and R3. Traffic should also be stopped

dan-ipsec_07 - Validate IPSec tunnel is able to reestablish tunnel after change in authentication key 

Test Purpose:

Test case to validate tunnel reestablishment after change/revert in authentication key

Test Setup:

As per diagram Topology1: DANOS-IPSec

Prerequisites:

  1. 3 VMs with DANOS image UP and Running

  2. IPSec tunnel UP and Running between R1 and R3 with auth key param set to “hm_off1”

Procedure:

  1. Start interested traffic from R3 towards R1

  2. Change auth… key parameter to “test123” on router R1

  3. Run the reset vpn command on R1

  4. Validate tunnels status and traffic

  5. Revert the auth key to the correct value matching the other end

  6. Validate tunnels status and traffic

Expected Results:

  1. After step 3, the tunnel should be down between R1 and R3. Traffic should also be stopped

  2. After step 6, the tunnel should get re-established between R1 and R3, and traffic should start flowing again

dan-ipsec_08 - Validate IPSec tunnel is able to establish more than one tunnel with different configuration

Test Purpose:

Test case to validate more than one tunnel creation with different IPSec params

Test Setup:

As per diagram Topology1: DANOS-IPSec

Prerequisites:

  1. 3 VMs with DANOS image UP and Running

  2. One IPSec tunnel UP and Running between R1 and R3

Procedure:

  1. Create another set of ESP/IKE configuration with the same tunnel source and destination IP address

  2. Validate tunnels status and traffic on both tunnels

  3. Start the interested traffic for both the tunnels

Expected Results:

  1. After step 2, a new tunnel (tun-2) should be formed between R1 and R3.

  2. After step 3, traffic should flow for both tunnels

dan-ipsec_09 - Validate IPSec tunnel is able to establish with authentication using RSA key

Test Purpose:

Test case to validate that the IPSec tunnel establishes when authentication mode is set to RSA key

Test Setup:

As per diagram Topology1: DANOS-IPSec

Prerequisites:

  1. 3 VMs with DANOS image UP and Running

Procedure:

  1. Configure IPSec tunnel between R1 and R3 with “authentication preshared key” set to “RSA-KEY”

  2. Validate tunnels status and traffic on both tunnels

  3. Validate tunnel by sending interested traffic

Expected Results:

  1. Tunnel should be formed when authentication key is set to RSA-KEY

  2. Traffic should flow across tunnel

dan-ipsec_10 - Validate IPSec tunnel is able to establish with authentication using X.509 certificate

Test Purpose:

Test case to validate that the IPSec tunnel establishes when authentication mode is set to X.509 certificate

Test Setup:

As per diagram Topology1: DANOS-IPSec

Prerequisites:

  1. 3 VMs with DANOS image UP and Running

Procedure:

  1. Configure IPSec tunnel between R1 and R3 with “authentication preshared key” set to “X.509 certificate”

  2. Validate tunnels status and traffic on both tunnels

  3. Validate tunnel by sending interested traffic

Expected Results:

  1. Tunnel should be formed when authentication key is set to X.509 certificate

  2. Traffic should flow across tunnel

dan-ipsec_11 - Validate IPSec tunnel when local IP address is removed and reconfigured

Test Purpose:

Test case to validate IPSec tunnel when local IP address is removed and reconfigured

Test Setup:

As per diagram Topology1: DANOS-IPSec

Prerequisites:

  1. 3 VMs with DANOS image UP and Running

  2. IPSec tunnel UP and Running between R1 and R3

Procedure:

  1. Remove the configured “local-IP” on R1 router

  2. Validate tunnels status and traffic on both tunnels

  3. Re-add the “local-IP” on R1 router

  4. Validate tunnel by sending interested traffic

Expected Results:

  1. After step 2, tunnel status should be down with no traffic flow

  2. After step 3, tunnel should be UP and traffic should flow across tunnel

dan-ipsec_12 - Validate IPSec tunnel when remote IP address is removed and reconfigured

Test Purpose:

Test case to validate IPSec tunnel when remote IP address is removed and reconfigured

Test Setup:

As per diagram Topology1: DANOS-IPSec

Prerequisites:

  1. 3 VMs with DANOS image UP and Running

  2. IPSec tunnel UP and Running between R1 and R3

Procedure:

  1. Remove the configured “remote-IP” on R1 router

  2. Validate tunnels status and traffic on both tunnels

  3. Re-add the “remote-IP” on R1 router

  4. Validate tunnel by sending interested traffic

Expected Results:

  1. After step 2, tunnel status should be down with no traffic flow

  2. After step 3, tunnel should be UP and traffic should flow across tunnel