| Field | Value | Date |
|---|---|---|
| author | aslanvyos <126803786+aslanvyos@users.noreply.github.com> | 2023-10-18 12:14:46 +0400 |
| committer | GitHub <noreply@github.com> | 2023-10-18 12:14:46 +0400 |
| commit | 02e462900ff6b57102229fe7eaaeaca1dc045246 | |
| tree | e8a7567327e2cea22c46de76724b1749882ad08a | |
| parent | ce71650a4de79d5602b112ce2efe21c2d20a8237 | |
Update site2site_ipsec.rst
To make the Site-to-Site VPN IKEv2 configuration easier to understand for users (especially if the user is new to VyOS), I made the following changes:
- Added a dummy interface to both routers for testing purposes
- Added a static route on both routers for the dummy interface
| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 23 |

1 file changed, 21 insertions, 2 deletions
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 879f8dfa..0be12955 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -272,15 +272,28 @@ Imagine the following topology IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio) +**LEFT:** +* WAN interface on `eth0.201` +* `eth0.201` interface IP: `172.18.201.10/24` +* `vti10` interface IP: `10.0.0.2/31` +* `dum0` interface IP: `10.0.11.1/24` (for testing purposes we create the `dummy` interface) + +**RIGHT:** +* WAN interface on `eth0.202` +* `eth0.201` interface IP: `172.18.202.10/24` +* `vti10` interface IP: `10.0.0.3/31` +* `dum0` interface IP: `10.0.12.1/24` (for testing purposes we create the `dummy` interface) .. note:: Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links. -**left** +**LEFT** .. code-block:: none + set interfaces ethernet eth0 vif 201 address '172.18.201.10/24' + set interfaces dummy dum0 address '10.0.11.1/24' set interfaces vti vti10 address '10.0.0.2/31' set vpn ipsec esp-group ESP_DEFAULT compression 'disable' @@ -311,10 +324,14 @@ Imagine the following topology set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti10' set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'ESP_DEFAULT' -**right** + set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10 + +**RIGHT** .. code-block:: none + set interfaces ethernet eth0 vif 202 address '172.18.202.10/24' + set interfaces dummy dum0 address '10.0.12.1/24' set interfaces vti vti10 address '10.0.0.3/31' set vpn ipsec esp-group ESP_DEFAULT compression 'disable' 
@@ -345,6 +362,8 @@ Imagine the following topology set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti10' set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'ESP_DEFAULT' + set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10 + Key Parameters: * ``authentication local-id/remote-id`` - IKE identification is used for |
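Review bot: in the first hunk (`@@ -272,15 +272,28 @@`) the RIGHT summary reads "`eth0.201` interface IP: `172.18.202.10/24`", but RIGHT's WAN interface is `eth0.202` in the bullet just above it and the configuration block sets `set interfaces ethernet eth0 vif 202 address '172.18.202.10/24'`; change that bullet to `eth0.202`. Also, the new bullets wrap interface names and addresses in single backticks, while the rest of this page uses double backticks (``authentication local-id/remote-id``) for literals; in reStructuredText a single-backtick span is interpreted text rather than inline code, so switch to ``eth0.201`` style for consistent rendering. The "(for testing purposes we create the `dummy` interface)" remark is repeated verbatim under LEFT and RIGHT; one sentence before both lists would read better.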
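Review bot: the second hunk (`@@ -311,10 +324,14 @@`) adds `set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10` on LEFT without saying which VyOS release the syntax targets; `interface-route ... next-hop-interface` is the 1.3 form and was replaced in later releases by `set protocols static route <prefix> interface <interface>`, so either state the release the example is written for or show both forms, otherwise a reader on a newer release pasting the block gets a rejected command. The commit message says the dummy interfaces are "for testing purposes", yet no verification step is documented; a line showing a ping between `10.0.11.1` and `10.0.12.1` together with the `show vpn ipsec sa` and `show ip route` output to expect would complete that intent.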
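Review bot: the third hunk (`@@ -345,6 +362,8 @@`) adds the mirror route `set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10` on RIGHT, which is correct, but leaves a security caveat undocumented: a route that points at `vti10` is withdrawn when that interface goes down, so on a router that also carries a default route, traffic for the remote prefix falls back to that route and leaves the WAN interface unencrypted while the tunnel is down. Suggest adding a sentence recommending a blackhole route for the remote prefix with a higher administrative distance (or a firewall rule dropping plaintext traffic to it on the WAN side) on both LEFT and RIGHT, since the same applies to the `10.0.12.0/24` route added in the previous hunk.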