authorRobert Göhler <github@ghlr.de>2021-10-19 14:34:39 +0200
committerGitHub <noreply@github.com>2021-10-19 14:34:39 +0200
commit8e0c2e42fbc58c2bf49dabee50b8c9ea0c5622ec (patch)
tree43d5695d4bac5d859c1b4cd24c8ff2e36fc0bb30
parent9a4c2fd85ebbe01fb1f63aeecd9f54a696ad93b1 (diff)
parent72a677f75e9657bb2b39a25d175afe0fcd5d7186 (diff)
Merge pull request #642 from goodNETnick/master
IPsec key-pair new syntax
-rw-r--r--docs/configuration/vpn/ipsec.rst63
1 files changed, 43 insertions, 20 deletions
diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst
index 2888336c..ea13d82b 100644
--- a/docs/configuration/vpn/ipsec.rst
+++ b/docs/configuration/vpn/ipsec.rst
@@ -118,35 +118,57 @@ However, now you need to make IPsec work with dynamic address on one side. The
tricky part is that pre-shared secret authentication doesn't work with dynamic
address, so we'll have to use RSA keys.
-First, on both routers run the operational command "generate vpn rsa-key bits
-2048". You may choose different length than 2048 of course.
+First, on both routers run the operational command "generate pki key-pair
+install <key-pair nam>>". You may choose different length than 2048 of course.
.. code-block:: none
- vyos@left# run generate vpn rsa-key bits 2048
- Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
+ vyos@left# run generate pki key-pair install ipsec-LEFT
+ Enter private key type: [rsa, dsa, ec] (Default: rsa)
+ Enter private key bits: (Default: 2048)
+ Note: If you plan to use the generated key on this router, do not encrypt the private key.
+ Do you want to encrypt the private key with a passphrase? [y/N] N
+ Configure mode commands to install key pair:
+ Do you want to install the public key? [Y/n] Y
+ set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'
+ Do you want to install the private key? [Y/n] Y
+ set pki key-pair ipsec-LEFT private key 'MIIEvgIBADAN...'
+ [edit]
+
+Configuration commands will display.
+Note the command with the public key
+(set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...').
+Then do the same on the opposite router:
- Your new local RSA key has been generated
- The public portion of the key is:
+.. code-block:: none
+
+ vyos@left# run generate pki key-pair install ipsec-RIGHT
+
+Note the command with the public key
+(set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...').
+
+Now the noted public keys should be entered on the opposite routers.
+
+On the LEFT:
+
+.. code-block:: none
- 0sAQO2335[long string here]
+ set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...'
-Then on the opposite router, add the RSA key to your config.
+On the RIGHT:
.. code-block:: none
- set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE
+ set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'
Now you are ready to setup IPsec. You'll need to use an ID instead of address
-for the peer on the dynamic side.
+for the peer.
On the LEFT (static address):
.. code-block:: none
- set vpn rsa-keys rsa-key-name RIGHT rsa-key <PUBLIC KEY FROM THE RIGHT>
-
- set vpn ipsec ipsec-interfaces interface eth0
+ set vpn ipsec interface eth0
set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
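Review bot: The rewritten sentence at the top of the hunk has a garbled placeholder and a stale clause: `install <key-pair nam>>` should read `install <key-pair name>`, and `You may choose different length than 2048 of course` no longer matches the command, since the new syntax prompts for key type and bit length interactively (see the `Enter private key bits: (Default: 2048)` line in the transcript) instead of taking `bits 2048` on the command line; suggested wording: `First, on both routers run the operational command "generate pki key-pair install <key-pair name>" and answer the prompts; the key type and length can be changed there (the default is a 2048-bit RSA key).` The second transcript shows `vyos@left#` while generating `ipsec-RIGHT`, although the prose says this step runs on the opposite router, so the prompt should presumably read `vyos@right#`. Because the transcript installs the private key into the configuration with `set pki key-pair ipsec-LEFT private key '...'`, a one-line note that the private key then lives in the configuration (and presumably in any configuration backups) would help readers weigh the unencrypted-key default the transcript recommends. The `set pki key-pair ... public key` commands quoted in running prose would also read more clearly as double-backtick literals rather than parenthesised plain text.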
@@ -155,8 +177,11 @@ On the LEFT (static address):
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
+ set vpn ipsec site-to-site peer @RIGHT authentication id LEFT
set vpn ipsec site-to-site peer @RIGHT authentication mode rsa
- set vpn ipsec site-to-site peer @RIGHT authentication rsa-key-name RIGHT
+ set vpn ipsec site-to-site peer @RIGHT authentication rsa local-key ipsec-LEFT
+ set vpn ipsec site-to-site peer @RIGHT authentication rsa remote-key ipsec-RIGHT
+ set vpn ipsec site-to-site peer @RIGHT authentication remote-id RIGHT
set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup
set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup
set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10
@@ -164,14 +189,11 @@ On the LEFT (static address):
set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local
set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote
-
On the RIGHT (dynamic address):
.. code-block:: none
- set vpn rsa-keys rsa-key-name LEFT rsa-key <PUBLIC KEY FROM THE LEFT>
-
- set vpn ipsec ipsec-interfaces interface eth0
+ set vpn ipsec interface eth0
set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
@@ -180,9 +202,10 @@ On the RIGHT (dynamic address):
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
- set vpn ipsec site-to-site peer 192.0.2.10 authentication id @RIGHT
+ set vpn ipsec site-to-site peer 192.0.2.10 authentication id RIGHT
set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa
- set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa-key-name LEFT
+ set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa local-key ipsec-RIGHT
+ set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa remote-key ipsec-LEFT
set vpn ipsec site-to-site peer 192.0.2.10 authentication remote-id LEFT
set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate
set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup