Verifying Hub-and-Spoke VPN Configuration
This topic includes the following sections:
Verifying Configuration of the Hub (Device in Corporate Office)
For reference, the configuration of the Corporate office router is shown.
The following sample of output from the show configuration command shows traceoption configuration for troubleshooting purposes.
system {
host-name CORPORATE;
root-authentication {
encrypted-password "$1$0wc5IQiB$MTQlktoQ9/nRF10Gntin./";
## SECRET-DATA
}
services {
ssh;
web-management {
http {
interface ge-0/0/0.0;
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 10.10.10.1/24;
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 10.1.1.2/30;
}
}
}
st0 {
unit 0 {
multipoint;
family inet {
next-hop-tunnel 10.11.11.11 ipsec-vpn sunnyvale-vpn;
address 10.11.11.10/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.1.1.1;
route 192.168.168.0/24 next-hop 10.11.11.11;
route 192.168.178.0/24 next-hop 10.11.11.12;
}
}
security {
ike {
traceoptions {
flag policy-manager;
flag ike;
flag routing-socket;
flag general;
}
policy ike-policy1 {
mode main;
proposal-set standard;
pre-shared-key ascii-text "$9$LrN7w2mPQF/t24jqmfn6rev";
## SECRET-DATA
}
gateway sunnyvale-gate {
ike-policy ike-policy1;
address 10.2.2.2;
external-interface ge-0/0/3.0;
}
gateway westford-gate {
ike-policy ike-policy1;
address 10.3.3.2;
external-interface ge-0/0/3.0;
}
}
ipsec {
policy vpn-policy1 {
perfect-forward-secrecy {
keys group2;
}
proposal-set standard;
}
vpn sunnyvale-vpn {
bind-interface st0.0;
ike {
gateway sunnyvale-gate;
ipsec-policy vpn-policy1;
}
}
vpn westford-vpn {
bind-interface st0.0;
ike {
gateway westford-gate;
ipsec-policy vpn-policy1;
}
}
}
nat {
source {
rule-set nat-out {
from zone trust;
to zone untrust;
rule interface-nat {
match {
source-address 192.168.10.0/24;
destination-address 0.0.0.0/0;
}
then {
source-nat interface;
}
}
}
}
}
zones {
security-zone trust {
address-book {
address local-net 10.10.10.0/24;
}
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/0.0;
}
}
security-zone untrust {
host-inbound-traffic {
system-services {
ike;
}
}
interfaces {
ge-0/0/3.0;
}
}
security-zone vpn {
address-book {
address sunnyvale-net 192.168.168.0/24;
address westford-net 192.168.178.0/24;
}
interfaces {
st0.0;
}
}
}
policies {
from-zone trust to-zone untrust {
policy any-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit ;
}
}
}
from-zone trust to-zone vpn {
policy local-to-spokes {
match {
source-address local-net;
destination-address [ sunnyvale-net westford-net ];
application any;
}
then {
permit;
}
}
}
from-zone vpn to-zone trust {
policy spokes-to-local {
match {
source-address [ sunnyvale-net westford-net ];
destination-address local-net;
application any;
}
then {
permit;
}
}
}
from-zone vpn to-zone vpn {
policy spoke-to-spoke {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
flow {
tcp-mss {
ipsec-vpn {
mss 1350;
}
}
}
}
Delete or deactivate the traceoptions after you complete troubleshooting.
Verifying Configuration of the Spoke (Device in Westford Office)
For reference, the configuration of the spoke router is shown.
The following sample of output from the show configuration command shows traceoption configuration for troubleshooting purposes.
system {
host-name Westford;
root-authentication {
encrypted-password "$1$Qk3dVh9X$d3KOf3dhR6uQKhi8FWU.P0";
## SECRET-DATA
}
services {
web-management {
http {
interface ge-0/0/0.0;
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 10.3.3.2/30;
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 192.168.178.1/24;
}
}
}
st0 {
unit 0 {
family inet {
address 10.11.11.12/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.1.1.1;
route 10.10.10.0/24 next-hop 10.11.11.10;
route 192.168.168.0/24 next-hop 10.11.11.10;
}
}
security {
ike {
traceoptions {
flag policy-manager;
flag ike;
flag routing-socket;
flag general;
}
policy ike-policy1 {
mode main;
proposal-set standard;
pre-shared-key ascii-text "$9$VNsaGF39A0IGDPQFnpu8X7";
## SECRET-DATA
}
gateway corp-gate {
ike-policy ike-policy1;
address 10.1.1.2;
external-interface ge-0/0/0.0;
}
}
ipsec {
policy vpn-policy1 {
perfect-forward-secrecy {
keys group2;
}
proposal-set standard;
}
vpn corp-vpn {
bind-interface st0.0;
ike {
gateway corp-gate;
ipsec-policy vpn-policy1;
}
}
}
nat {
source {
rule-set nat-out {
from zone trust;
to zone untrust;
rule interface-nat {
match {
source-address 192.168.178.0/24;
destination-address 0.0.0.0/0;
}
then {
source-nat interface;
}
}
}
}
}
zones {
security-zone trust {
address-book {
address local-net 192.168.178.0/24;
}
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/3.0;
}
}
security-zone untrust {
host-inbound-traffic {
system-services {
ike;
}
}
interfaces {
ge-0/0/0.0;
}
}
security-zone vpn {
address-book {
address corp-net 10.10.10.0/24;
address sunnyvale-net 192.168.168.0/24;
}
interfaces {
st0.0;
}
}
}
policies {
from-zone trust to-zone untrust {
policy any-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
source-nat {
interface;
}
}
}
}
}
from-zone vpn to-zone trust {
policy from-corp {
match {
source-address [ corp-net sunnyvale-net ];
destination-address local-net;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone vpn {
policy to-corp {
match {
source-address local-net;
destination-address [ corp-net sunnyvale-net ];
application any;
}
then {
permit;
}
}
}
}
flow {
tcp-mss {
ipsec-vpn {
mss 1350;
}
}
}
}
In the preceding sample of output from the show configuration command, the highlighted lines show traceoptions for troubleshooting purposes.
Delete or deactivate the traceoptions after you complete troubleshooting.