summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRobert Göhler <github@ghlr.de>2023-02-06 21:06:31 +0100
committerGitHub <noreply@github.com>2023-02-06 21:06:31 +0100
commita51949687e37de3b2f573788f8d20490b40d6c6a (patch)
tree041825aa22f05fe1cad3c38bb893ab62b4c7e4d5
parent05839481615d05396a193db82883a15c41e3cdf0 (diff)
parent8f61920f01d30e2a864dc6927b0038357e56bb05 (diff)
downloadvyos-documentation-a51949687e37de3b2f573788f8d20490b40d6c6a.tar.gz
vyos-documentation-a51949687e37de3b2f573788f8d20490b40d6c6a.zip
Merge pull request #946 from sever-sever/ipsec-auth-doc
Change IPsec authentication PSK and examples
-rw-r--r--docs/configexamples/azure-vpn-bgp.rst7
-rw-r--r--docs/configexamples/azure-vpn-dual-bgp.rst51
-rw-r--r--docs/configuration/interfaces/l2tpv3.rst21
-rw-r--r--docs/configuration/nat/nat44.rst27
-rw-r--r--docs/configuration/system/acceleration.rst39
-rw-r--r--docs/configuration/vpn/ipsec.rst6
-rw-r--r--docs/configuration/vpn/site2site_ipsec.rst34
7 files changed, 113 insertions, 72 deletions
diff --git a/docs/configexamples/azure-vpn-bgp.rst b/docs/configexamples/azure-vpn-bgp.rst
index 6e715d79..fc6e1a04 100644
--- a/docs/configexamples/azure-vpn-bgp.rst
+++ b/docs/configexamples/azure-vpn-bgp.rst
@@ -100,15 +100,18 @@ Vyos configuration
.. code-block:: none
- set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3'
+ set vpn ipsec authentication psk azure id '198.51.100.3'
+ set vpn ipsec authentication psk azure id '203.0.113.2'
+ set vpn ipsec authentication psk azure secret 'ch00s3-4-s3cur3-psk'
+ set vpn ipsec site-to-site peer azure authentication local-id '198.51.100.3'
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk'
set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2'
set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond'
set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL'
set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE'
set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5'
+ set vpn ipsec site-to-site peer azure remote-address '203.0.113.2'
set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1'
set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE'
diff --git a/docs/configexamples/azure-vpn-dual-bgp.rst b/docs/configexamples/azure-vpn-dual-bgp.rst
index 2172e76d..7f4987bb 100644
--- a/docs/configexamples/azure-vpn-dual-bgp.rst
+++ b/docs/configexamples/azure-vpn-dual-bgp.rst
@@ -103,29 +103,34 @@ Vyos configuration
.. code-block:: none
- set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3'
- set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk'
- set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2'
- set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond'
- set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL'
- set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE'
- set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit'
- set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5'
- set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1'
- set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE'
-
- set vpn ipsec site-to-site peer 203.0.113.3 authentication id '198.51.100.3'
- set vpn ipsec site-to-site peer 203.0.113.3 authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer 203.0.113.3 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk'
- set vpn ipsec site-to-site peer 203.0.113.3 authentication remote-id '203.0.113.3'
- set vpn ipsec site-to-site peer 203.0.113.3 connection-type 'respond'
- set vpn ipsec site-to-site peer 203.0.113.3 description 'AZURE SECONDARY TUNNEL'
- set vpn ipsec site-to-site peer 203.0.113.3 ike-group 'AZURE'
- set vpn ipsec site-to-site peer 203.0.113.3 ikev2-reauth 'inherit'
- set vpn ipsec site-to-site peer 203.0.113.3 local-address '10.10.0.5'
- set vpn ipsec site-to-site peer 203.0.113.3 vti bind 'vti2'
- set vpn ipsec site-to-site peer 203.0.113.3 vti esp-group 'AZURE'
+ set vpn ipsec authentication psk azure id '198.51.100.3'
+ set vpn ipsec authentication psk azure id '203.0.113.2'
+ set vpn ipsec authentication psk azure id '203.0.113.3'
+ set vpn ipsec authentication psk azure secret 'ch00s3-4-s3cur3-psk'
+
+ set vpn ipsec site-to-site peer azure-primary authentication local-id '198.51.100.3'
+ set vpn ipsec site-to-site peer azure-primary authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer azure-primary authentication remote-id '203.0.113.2'
+ set vpn ipsec site-to-site peer azure-primary connection-type 'respond'
+ set vpn ipsec site-to-site peer azure-primary description 'AZURE PRIMARY TUNNEL'
+ set vpn ipsec site-to-site peer azure-primary ike-group 'AZURE'
+ set vpn ipsec site-to-site peer azure-primary ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer azure-primary local-address '10.10.0.5'
+ set vpn ipsec site-to-site peer azure-primary remote-address '203.0.113.2'
+ set vpn ipsec site-to-site peer azure-primary vti bind 'vti1'
+ set vpn ipsec site-to-site peer azure-primary vti esp-group 'AZURE'
+
+ set vpn ipsec site-to-site peer azure-secondary authentication local-id '198.51.100.3'
+ set vpn ipsec site-to-site peer azure-secondary authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer azure-secondary authentication remote-id '203.0.113.3'
+ set vpn ipsec site-to-site peer azure-secondary connection-type 'respond'
+ set vpn ipsec site-to-site peer azure-secondary description 'AZURE secondary TUNNEL'
+ set vpn ipsec site-to-site peer azure-secondary ike-group 'AZURE'
+ set vpn ipsec site-to-site peer azure-secondary ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer azure-secondary local-address '10.10.0.5'
+ set vpn ipsec site-to-site peer azure-secondary remote-address '203.0.113.3'
+ set vpn ipsec site-to-site peer azure-secondary vti bind 'vti2'
+ set vpn ipsec site-to-site peer azure-secondary vti esp-group 'AZURE'
- **Important**: Add an interface route to reach both Azure's BGP listeners
diff --git a/docs/configuration/interfaces/l2tpv3.rst b/docs/configuration/interfaces/l2tpv3.rst
index bd5d6862..897e38dc 100644
--- a/docs/configuration/interfaces/l2tpv3.rst
+++ b/docs/configuration/interfaces/l2tpv3.rst
@@ -141,29 +141,26 @@ IPSec:
.. code-block:: none
+ set vpn ipsec authentication psk <pre-shared-name> id '%any'
+ set vpn ipsec authentication psk <pre-shared-name> secret <pre-shared-key>
set vpn ipsec interface <VPN-interface>
- set vpn ipsec esp-group test-ESP-1 compression 'disable'
set vpn ipsec esp-group test-ESP-1 lifetime '3600'
set vpn ipsec esp-group test-ESP-1 mode 'transport'
set vpn ipsec esp-group test-ESP-1 pfs 'enable'
set vpn ipsec esp-group test-ESP-1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group test-ESP-1 proposal 1 hash 'sha1'
- set vpn ipsec ike-group test-IKE-1 ikev2-reauth 'no'
set vpn ipsec ike-group test-IKE-1 key-exchange 'ikev1'
set vpn ipsec ike-group test-IKE-1 lifetime '3600'
set vpn ipsec ike-group test-IKE-1 proposal 1 dh-group '5'
set vpn ipsec ike-group test-IKE-1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group test-IKE-1 proposal 1 hash 'sha1'
- set vpn ipsec site-to-site peer <peer-ip> authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer <peer-ip> authentication pre-shared-secret <pre-shared-key>
- set vpn ipsec site-to-site peer <peer-ip> connection-type 'initiate'
- set vpn ipsec site-to-site peer <peer-ip> ike-group 'test-IKE-1'
- set vpn ipsec site-to-site peer <peer-ip> ikev2-reauth 'inherit'
- set vpn ipsec site-to-site peer <peer-ip> local-address <local-ip>
- set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-nat-networks 'disable'
- set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-public-networks 'disable'
- set vpn ipsec site-to-site peer <peer-ip> tunnel 1 esp-group 'test-ESP-1'
- set vpn ipsec site-to-site peer <peer-ip> tunnel 1 protocol 'l2tp'
+ set vpn ipsec site-to-site peer <connection-name> authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer <connection-name> connection-type 'initiate'
+ set vpn ipsec site-to-site peer <connection-name> ike-group 'test-IKE-1'
+ set vpn ipsec site-to-site peer <connection-name> ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer <connection-name> local-address <local-ip>
+ set vpn ipsec site-to-site peer <connection-name> tunnel 1 esp-group 'test-ESP-1'
+ set vpn ipsec site-to-site peer <connection-name> tunnel 1 protocol 'l2tp'
Bridge:
diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst
index 62964fea..b2ba61af 100644
--- a/docs/configuration/nat/nat44.rst
+++ b/docs/configuration/nat/nat44.rst
@@ -697,17 +697,22 @@ too.
.. code-block:: none
- set vpn ipsec site-to-site peer 198.51.100.243 authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer 198.51.100.243 authentication pre-shared-secret 'PASSWORD IS HERE'
- set vpn ipsec site-to-site peer 198.51.100.243 connection-type 'initiate'
- set vpn ipsec site-to-site peer 198.51.100.243 default-esp-group 'my-esp'
- set vpn ipsec site-to-site peer 198.51.100.243 ike-group 'my-ike'
- set vpn ipsec site-to-site peer 198.51.100.243 ikev2-reauth 'inherit'
- set vpn ipsec site-to-site peer 198.51.100.243 local-address '203.0.113.46'
- set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 local prefix '172.29.41.89/32'
- set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 remote prefix '172.27.1.0/24'
- set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 local prefix '172.29.41.89/32'
- set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 remote prefix '10.125.0.0/16'
+ set vpn ipsec authentication psk vyos id '203.0.113.46'
+ set vpn ipsec authentication psk vyos id '198.51.100.243'
+ set vpn ipsec authentication psk vyos secret 'MYSECRETPASSWORD'
+ set vpn ipsec site-to-site peer branch authentication local-id '203.0.113.46'
+ set vpn ipsec site-to-site peer branch authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer branch authentication remote-id '198.51.100.243'
+ set vpn ipsec site-to-site peer branch connection-type 'initiate'
+ set vpn ipsec site-to-site peer branch default-esp-group 'my-esp'
+ set vpn ipsec site-to-site peer branch ike-group 'my-ike'
+ set vpn ipsec site-to-site peer branch ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer branch local-address '203.0.113.46'
+ set vpn ipsec site-to-site peer branch remote-address '198.51.100.243'
+ set vpn ipsec site-to-site peer branch tunnel 0 local prefix '172.29.41.89/32'
+ set vpn ipsec site-to-site peer branch tunnel 0 remote prefix '172.27.1.0/24'
+ set vpn ipsec site-to-site peer branch tunnel 1 local prefix '172.29.41.89/32'
+ set vpn ipsec site-to-site peer branch tunnel 1 remote prefix '10.125.0.0/16'
Testing and Validation
""""""""""""""""""""""
diff --git a/docs/configuration/system/acceleration.rst b/docs/configuration/system/acceleration.rst
index 62b85c71..63506d6d 100644
--- a/docs/configuration/system/acceleration.rst
+++ b/docs/configuration/system/acceleration.rst
@@ -63,39 +63,50 @@ Side A:
.. code-block::
+
set interfaces vti vti1 address '192.168.1.2/24'
+ set vpn ipsec authentication psk right id '10.10.10.2'
+ set vpn ipsec authentication psk right id '10.10.10.1'
+ set vpn ipsec authentication psk right secret 'Qwerty123'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
- set vpn ipsec site-to-site peer 10.10.10.1 authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer 10.10.10.1 authentication pre-shared-secret 'Qwerty123'
- set vpn ipsec site-to-site peer 10.10.10.1 connection-type 'initiate'
- set vpn ipsec site-to-site peer 10.10.10.1 default-esp-group 'MyESPGroup'
- set vpn ipsec site-to-site peer 10.10.10.1 ike-group 'MyIKEGroup'
- set vpn ipsec site-to-site peer 10.10.10.1 local-address '10.10.10.2'
- set vpn ipsec site-to-site peer 10.10.10.1 vti bind 'vti1'
+ set vpn ipsec site-to-site peer right authentication local-id '10.10.10.2'
+ set vpn ipsec site-to-site peer right authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer right authentication remote-id '10.10.10.1'
+ set vpn ipsec site-to-site peer right connection-type 'initiate'
+ set vpn ipsec site-to-site peer right default-esp-group 'MyESPGroup'
+ set vpn ipsec site-to-site peer right ike-group 'MyIKEGroup'
+ set vpn ipsec site-to-site peer right local-address '10.10.10.2'
+ set vpn ipsec site-to-site peer right remote-address '10.10.10.1'
+ set vpn ipsec site-to-site peer right vti bind 'vti1'
Side B:
.. code-block::
set interfaces vti vti1 address '192.168.1.1/24'
+ set vpn ipsec authentication psk left id '10.10.10.2'
+ set vpn ipsec authentication psk left id '10.10.10.1'
+ set vpn ipsec authentication psk left secret 'Qwerty123'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
- set vpn ipsec site-to-site peer 10.10.10.2 authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer 10.10.10.2 authentication pre-shared-secret 'Qwerty123'
- set vpn ipsec site-to-site peer 10.10.10.2 connection-type 'initiate'
- set vpn ipsec site-to-site peer 10.10.10.2 default-esp-group 'MyESPGroup'
- set vpn ipsec site-to-site peer 10.10.10.2 ike-group 'MyIKEGroup'
- set vpn ipsec site-to-site peer 10.10.10.2 local-address '10.10.10.1'
- set vpn ipsec site-to-site peer 10.10.10.2 vti bind 'vti1'
+ set vpn ipsec site-to-site peer left authentication local-id '10.10.10.1'
+ set vpn ipsec site-to-site peer left authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer left authentication remote-id '10.10.10.2'
+ set vpn ipsec site-to-site peer left connection-type 'initiate'
+ set vpn ipsec site-to-site peer left default-esp-group 'MyESPGroup'
+ set vpn ipsec site-to-site peer left ike-group 'MyIKEGroup'
+ set vpn ipsec site-to-site peer left local-address '10.10.10.1'
+ set vpn ipsec site-to-site peer left remote-address '10.10.10.2'
+ set vpn ipsec site-to-site peer left vti bind 'vti1'
a bandwidth test over the VPN got these results:
diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst
index d6a4733c..327f3abb 100644
--- a/docs/configuration/vpn/ipsec.rst
+++ b/docs/configuration/vpn/ipsec.rst
@@ -202,6 +202,11 @@ On the LEFT:
## IPsec
set vpn ipsec interface eth0
+ # Pre-shared-secret
+ set vpn ipsec authentication psk vyos id 192.0.2.10
+ set vpn ipsec authentication psk vyos id 203.0.113.45
+ set vpn ipsec authentication psk vyos secret MYSECRETKEY
+
# IKE group
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128'
@@ -213,7 +218,6 @@ On the LEFT:
# IPsec tunnel
set vpn ipsec site-to-site peer right authentication mode pre-shared-secret
- set vpn ipsec site-to-site peer right authentication pre-shared-secret MYSECRETKEY
set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45
set vpn ipsec site-to-site peer right ike-group MyIKEGroup
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index 68f6c48b..e89d25c6 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -18,23 +18,29 @@ Each site-to-site peer has the next options:
* ``authentication`` - configure authentication between VyOS and a remote peer.
Suboptions:
+ * ``psk`` - Preshared secret key name:
+
+ * ``dhcp-interface`` - ID for authentication generated from DHCP address
+ dynamically;
+ * ``id`` - static ID's for authentication. In general local and remote
+ address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``;
+ * ``secret`` - predefined shared secret. Used if configured mode
+ ``pre-shared-secret``;
+
+
* ``local-id`` - ID for the local VyOS router. If defined, during the
authentication
it will be send to remote peer;
* ``mode`` - mode for authentication between VyOS and remote peer:
- * ``pre-shared-secret`` - use predefined shared secret phrase, must be the
- same for local and remote side;
+ * ``pre-shared-secret`` - use predefined shared secret phrase;
* ``rsa`` - use simple shared RSA key. The key must be defined in the
``set vpn rsa-keys`` section;
* ``x509`` - use certificates infrastructure for authentication.
- * ``pre-shared-secret`` - predefined shared secret. Used if configured
- ``mode pre-shared-secret``;
-
* ``remote-id`` - define an ID for remote peer, instead of using peer name or
address. Useful in case if the remote peer is behind NAT or if ``mode x509``
is used;
@@ -161,6 +167,9 @@ Example:
.. code-block:: none
# server config
+ set vpn ipsec authentication psk OFFICE-B id '198.51.100.3'
+ set vpn ipsec authentication psk OFFICE-B id '203.0.113.2'
+ set vpn ipsec authentication psk OFFICE-B secret 'SomePreSharedKey'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
@@ -171,8 +180,8 @@ Example:
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
+ set vpn ipsec site-to-site peer OFFICE-B authentication local-id '198.51.100.3'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer OFFICE-B local-address '198.51.100.3'
@@ -182,6 +191,9 @@ Example:
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21'
# remote office config
+ set vpn ipsec authentication psk OFFICE-A id '198.51.100.3'
+ set vpn ipsec authentication psk OFFICE-A id '203.0.113.2'
+ set vpn ipsec authentication psk OFFICE-A secret 'SomePreSharedKey'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
@@ -192,8 +204,8 @@ Example:
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
+ set vpn ipsec site-to-site peer OFFICE-A authentication local-id '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '198.51.100.3'
set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer OFFICE-A local-address '203.0.113.2'
@@ -279,6 +291,9 @@ Imagine the following topology
set interfaces vti vti10 address '10.0.0.2/31'
+ set vpn ipsec authentication psk OFFICE-B id '172.18.201.10'
+ set vpn ipsec authentication psk OFFICE-B id '172.18.202.10'
+ set vpn ipsec authentication psk OFFICE-B secret 'secretkey'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
@@ -293,7 +308,6 @@ Imagine the following topology
set vpn ipsec interface 'eth0.201'
set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'secretkey'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10'
set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT'
@@ -308,6 +322,9 @@ Imagine the following topology
set interfaces vti vti10 address '10.0.0.3/31'
+ set vpn ipsec authentication psk OFFICE-A id '172.18.201.10'
+ set vpn ipsec authentication psk OFFICE-A id '172.18.202.10'
+ set vpn ipsec authentication psk OFFICE-A secret 'secretkey'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
@@ -325,7 +342,6 @@ Imagine the following topology
set vpn ipsec interface 'eth0.202'
set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10'
set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'secretkey'
set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '172.18.201.10'
set vpn ipsec site-to-site peer OFFICE-A connection-type 'initiate'
set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKEv2_DEFAULT'