diff options
author | Robert Göhler <github@ghlr.de> | 2023-02-06 21:06:31 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-02-06 21:06:31 +0100 |
commit | a51949687e37de3b2f573788f8d20490b40d6c6a (patch) | |
tree | 041825aa22f05fe1cad3c38bb893ab62b4c7e4d5 | |
parent | 05839481615d05396a193db82883a15c41e3cdf0 (diff) | |
parent | 8f61920f01d30e2a864dc6927b0038357e56bb05 (diff) | |
download | vyos-documentation-a51949687e37de3b2f573788f8d20490b40d6c6a.tar.gz vyos-documentation-a51949687e37de3b2f573788f8d20490b40d6c6a.zip |
Merge pull request #946 from sever-sever/ipsec-auth-doc
Change IPsec authentication PSK and examples
-rw-r--r-- | docs/configexamples/azure-vpn-bgp.rst | 7 | ||||
-rw-r--r-- | docs/configexamples/azure-vpn-dual-bgp.rst | 51 | ||||
-rw-r--r-- | docs/configuration/interfaces/l2tpv3.rst | 21 | ||||
-rw-r--r-- | docs/configuration/nat/nat44.rst | 27 | ||||
-rw-r--r-- | docs/configuration/system/acceleration.rst | 39 | ||||
-rw-r--r-- | docs/configuration/vpn/ipsec.rst | 6 | ||||
-rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 34 |
7 files changed, 113 insertions, 72 deletions
diff --git a/docs/configexamples/azure-vpn-bgp.rst b/docs/configexamples/azure-vpn-bgp.rst index 6e715d79..fc6e1a04 100644 --- a/docs/configexamples/azure-vpn-bgp.rst +++ b/docs/configexamples/azure-vpn-bgp.rst @@ -100,15 +100,18 @@ Vyos configuration .. code-block:: none - set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3' + set vpn ipsec authentication psk azure id '198.51.100.3' + set vpn ipsec authentication psk azure id '203.0.113.2' + set vpn ipsec authentication psk azure secret 'ch00s3-4-s3cur3-psk' + set vpn ipsec site-to-site peer azure authentication local-id '198.51.100.3' set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk' set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2' set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond' set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL' set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE' set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit' set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5' + set vpn ipsec site-to-site peer azure remote-address '203.0.113.2' set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1' set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE' diff --git a/docs/configexamples/azure-vpn-dual-bgp.rst b/docs/configexamples/azure-vpn-dual-bgp.rst index 2172e76d..7f4987bb 100644 --- a/docs/configexamples/azure-vpn-dual-bgp.rst +++ b/docs/configexamples/azure-vpn-dual-bgp.rst @@ -103,29 +103,34 @@ Vyos configuration .. code-block:: none - set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3' - set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk' - set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2' - set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond' - set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL' - set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE' - set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5' - set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1' - set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE' - - set vpn ipsec site-to-site peer 203.0.113.3 authentication id '198.51.100.3' - set vpn ipsec site-to-site peer 203.0.113.3 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 203.0.113.3 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk' - set vpn ipsec site-to-site peer 203.0.113.3 authentication remote-id '203.0.113.3' - set vpn ipsec site-to-site peer 203.0.113.3 connection-type 'respond' - set vpn ipsec site-to-site peer 203.0.113.3 description 'AZURE SECONDARY TUNNEL' - set vpn ipsec site-to-site peer 203.0.113.3 ike-group 'AZURE' - set vpn ipsec site-to-site peer 203.0.113.3 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 203.0.113.3 local-address '10.10.0.5' - set vpn ipsec site-to-site peer 203.0.113.3 vti bind 'vti2' - set vpn ipsec site-to-site peer 203.0.113.3 vti esp-group 'AZURE' + set vpn ipsec authentication psk azure id '198.51.100.3' + set vpn ipsec authentication psk azure id '203.0.113.2' + set vpn ipsec authentication psk azure id '203.0.113.3' + set vpn ipsec authentication psk azure secret 'ch00s3-4-s3cur3-psk' + + set vpn ipsec site-to-site peer azure-primary authentication local-id '198.51.100.3' + set vpn ipsec site-to-site peer azure-primary authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer azure-primary authentication remote-id '203.0.113.2' + set vpn ipsec site-to-site peer azure-primary connection-type 'respond' + set vpn ipsec site-to-site peer azure-primary description 'AZURE PRIMARY TUNNEL' + set vpn ipsec site-to-site peer azure-primary ike-group 'AZURE' + set vpn ipsec site-to-site peer azure-primary ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer azure-primary local-address '10.10.0.5' + set vpn ipsec site-to-site peer azure-primary remote-address '203.0.113.2' + set vpn ipsec site-to-site peer azure-primary vti bind 'vti1' + set vpn ipsec site-to-site peer azure-primary vti esp-group 'AZURE' + + set vpn ipsec site-to-site peer azure-secondary authentication local-id '198.51.100.3' + set vpn ipsec site-to-site peer azure-secondary authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer azure-secondary authentication remote-id '203.0.113.3' + set vpn ipsec site-to-site peer azure-secondary connection-type 'respond' + set vpn ipsec site-to-site peer azure-secondary description 'AZURE secondary TUNNEL' + set vpn ipsec site-to-site peer azure-secondary ike-group 'AZURE' + set vpn ipsec site-to-site peer azure-secondary ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer azure-secondary local-address '10.10.0.5' + set vpn ipsec site-to-site peer azure-secondary remote-address '203.0.113.3' + set vpn ipsec site-to-site peer azure-secondary vti bind 'vti2' + set vpn ipsec site-to-site peer azure-secondary vti esp-group 'AZURE' - **Important**: Add an interface route to reach both Azure's BGP listeners diff --git a/docs/configuration/interfaces/l2tpv3.rst b/docs/configuration/interfaces/l2tpv3.rst index bd5d6862..897e38dc 100644 --- a/docs/configuration/interfaces/l2tpv3.rst +++ b/docs/configuration/interfaces/l2tpv3.rst @@ -141,29 +141,26 @@ IPSec: .. code-block:: none + set vpn ipsec authentication psk <pre-shared-name> id '%any' + set vpn ipsec authentication psk <pre-shared-name> secret <pre-shared-key> set vpn ipsec interface <VPN-interface> - set vpn ipsec esp-group test-ESP-1 compression 'disable' set vpn ipsec esp-group test-ESP-1 lifetime '3600' set vpn ipsec esp-group test-ESP-1 mode 'transport' set vpn ipsec esp-group test-ESP-1 pfs 'enable' set vpn ipsec esp-group test-ESP-1 proposal 1 encryption 'aes128' set vpn ipsec esp-group test-ESP-1 proposal 1 hash 'sha1' - set vpn ipsec ike-group test-IKE-1 ikev2-reauth 'no' set vpn ipsec ike-group test-IKE-1 key-exchange 'ikev1' set vpn ipsec ike-group test-IKE-1 lifetime '3600' set vpn ipsec ike-group test-IKE-1 proposal 1 dh-group '5' set vpn ipsec ike-group test-IKE-1 proposal 1 encryption 'aes128' set vpn ipsec ike-group test-IKE-1 proposal 1 hash 'sha1' - set vpn ipsec site-to-site peer <peer-ip> authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer <peer-ip> authentication pre-shared-secret <pre-shared-key> - set vpn ipsec site-to-site peer <peer-ip> connection-type 'initiate' - set vpn ipsec site-to-site peer <peer-ip> ike-group 'test-IKE-1' - set vpn ipsec site-to-site peer <peer-ip> ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer <peer-ip> local-address <local-ip> - set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-nat-networks 'disable' - set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-public-networks 'disable' - set vpn ipsec site-to-site peer <peer-ip> tunnel 1 esp-group 'test-ESP-1' - set vpn ipsec site-to-site peer <peer-ip> tunnel 1 protocol 'l2tp' + set vpn ipsec site-to-site peer <connection-name> authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer <connection-name> connection-type 'initiate' + set vpn ipsec site-to-site peer <connection-name> ike-group 'test-IKE-1' + set vpn ipsec site-to-site peer <connection-name> ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer <connection-name> local-address <local-ip> + set vpn ipsec site-to-site peer <connection-name> tunnel 1 esp-group 'test-ESP-1' + set vpn ipsec site-to-site peer <connection-name> tunnel 1 protocol 'l2tp' Bridge: diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst index 62964fea..b2ba61af 100644 --- a/docs/configuration/nat/nat44.rst +++ b/docs/configuration/nat/nat44.rst @@ -697,17 +697,22 @@ too. .. code-block:: none - set vpn ipsec site-to-site peer 198.51.100.243 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 198.51.100.243 authentication pre-shared-secret 'PASSWORD IS HERE' - set vpn ipsec site-to-site peer 198.51.100.243 connection-type 'initiate' - set vpn ipsec site-to-site peer 198.51.100.243 default-esp-group 'my-esp' - set vpn ipsec site-to-site peer 198.51.100.243 ike-group 'my-ike' - set vpn ipsec site-to-site peer 198.51.100.243 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 198.51.100.243 local-address '203.0.113.46' - set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 local prefix '172.29.41.89/32' - set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 remote prefix '172.27.1.0/24' - set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 local prefix '172.29.41.89/32' - set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 remote prefix '10.125.0.0/16' + set vpn ipsec authentication psk vyos id '203.0.113.46' + set vpn ipsec authentication psk vyos id '198.51.100.243' + set vpn ipsec authentication psk vyos secret 'MYSECRETPASSWORD' + set vpn ipsec site-to-site peer branch authentication local-id '203.0.113.46' + set vpn ipsec site-to-site peer branch authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer branch authentication remote-id '198.51.100.243' + set vpn ipsec site-to-site peer branch connection-type 'initiate' + set vpn ipsec site-to-site peer branch default-esp-group 'my-esp' + set vpn ipsec site-to-site peer branch ike-group 'my-ike' + set vpn ipsec site-to-site peer branch ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer branch local-address '203.0.113.46' + set vpn ipsec site-to-site peer branch remote-address '198.51.100.243' + set vpn ipsec site-to-site peer branch tunnel 0 local prefix '172.29.41.89/32' + set vpn ipsec site-to-site peer branch tunnel 0 remote prefix '172.27.1.0/24' + set vpn ipsec site-to-site peer branch tunnel 1 local prefix '172.29.41.89/32' + set vpn ipsec site-to-site peer branch tunnel 1 remote prefix '10.125.0.0/16' Testing and Validation """""""""""""""""""""" diff --git a/docs/configuration/system/acceleration.rst b/docs/configuration/system/acceleration.rst index 62b85c71..63506d6d 100644 --- a/docs/configuration/system/acceleration.rst +++ b/docs/configuration/system/acceleration.rst @@ -63,39 +63,50 @@ Side A: .. code-block:: + set interfaces vti vti1 address '192.168.1.2/24' + set vpn ipsec authentication psk right id '10.10.10.2' + set vpn ipsec authentication psk right id '10.10.10.1' + set vpn ipsec authentication psk right secret 'Qwerty123' set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256' set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256' set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14' set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256' set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256' set vpn ipsec interface 'eth0' - set vpn ipsec site-to-site peer 10.10.10.1 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 10.10.10.1 authentication pre-shared-secret 'Qwerty123' - set vpn ipsec site-to-site peer 10.10.10.1 connection-type 'initiate' - set vpn ipsec site-to-site peer 10.10.10.1 default-esp-group 'MyESPGroup' - set vpn ipsec site-to-site peer 10.10.10.1 ike-group 'MyIKEGroup' - set vpn ipsec site-to-site peer 10.10.10.1 local-address '10.10.10.2' - set vpn ipsec site-to-site peer 10.10.10.1 vti bind 'vti1' + set vpn ipsec site-to-site peer right authentication local-id '10.10.10.2' + set vpn ipsec site-to-site peer right authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer right authentication remote-id '10.10.10.1' + set vpn ipsec site-to-site peer right connection-type 'initiate' + set vpn ipsec site-to-site peer right default-esp-group 'MyESPGroup' + set vpn ipsec site-to-site peer right ike-group 'MyIKEGroup' + set vpn ipsec site-to-site peer right local-address '10.10.10.2' + set vpn ipsec site-to-site peer right remote-address '10.10.10.1' + set vpn ipsec site-to-site peer right vti bind 'vti1' Side B: .. code-block:: set interfaces vti vti1 address '192.168.1.1/24' + set vpn ipsec authentication psk left id '10.10.10.2' + set vpn ipsec authentication psk left id '10.10.10.1' + set vpn ipsec authentication psk left secret 'Qwerty123' set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256' set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256' set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14' set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256' set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256' set vpn ipsec interface 'eth0' - set vpn ipsec site-to-site peer 10.10.10.2 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 10.10.10.2 authentication pre-shared-secret 'Qwerty123' - set vpn ipsec site-to-site peer 10.10.10.2 connection-type 'initiate' - set vpn ipsec site-to-site peer 10.10.10.2 default-esp-group 'MyESPGroup' - set vpn ipsec site-to-site peer 10.10.10.2 ike-group 'MyIKEGroup' - set vpn ipsec site-to-site peer 10.10.10.2 local-address '10.10.10.1' - set vpn ipsec site-to-site peer 10.10.10.2 vti bind 'vti1' + set vpn ipsec site-to-site peer left authentication local-id '10.10.10.1' + set vpn ipsec site-to-site peer left authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer left authentication remote-id '10.10.10.2' + set vpn ipsec site-to-site peer left connection-type 'initiate' + set vpn ipsec site-to-site peer left default-esp-group 'MyESPGroup' + set vpn ipsec site-to-site peer left ike-group 'MyIKEGroup' + set vpn ipsec site-to-site peer left local-address '10.10.10.1' + set vpn ipsec site-to-site peer left remote-address '10.10.10.2' + set vpn ipsec site-to-site peer left vti bind 'vti1' a bandwidth test over the VPN got these results: diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index d6a4733c..327f3abb 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -202,6 +202,11 @@ On the LEFT: ## IPsec set vpn ipsec interface eth0 + # Pre-shared-secret + set vpn ipsec authentication psk vyos id 192.0.2.10 + set vpn ipsec authentication psk vyos id 203.0.113.45 + set vpn ipsec authentication psk vyos secret MYSECRETKEY + # IKE group set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2' set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128' @@ -213,7 +218,6 @@ On the LEFT: # IPsec tunnel set vpn ipsec site-to-site peer right authentication mode pre-shared-secret - set vpn ipsec site-to-site peer right authentication pre-shared-secret MYSECRETKEY set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45 set vpn ipsec site-to-site peer right ike-group MyIKEGroup diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 68f6c48b..e89d25c6 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -18,23 +18,29 @@ Each site-to-site peer has the next options: * ``authentication`` - configure authentication between VyOS and a remote peer. Suboptions: + * ``psk`` - Preshared secret key name: + + * ``dhcp-interface`` - ID for authentication generated from DHCP address + dynamically; + * ``id`` - static ID's for authentication. In general local and remote + address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``; + * ``secret`` - predefined shared secret. Used if configured mode + ``pre-shared-secret``; + + * ``local-id`` - ID for the local VyOS router. If defined, during the authentication it will be send to remote peer; * ``mode`` - mode for authentication between VyOS and remote peer: - * ``pre-shared-secret`` - use predefined shared secret phrase, must be the - same for local and remote side; + * ``pre-shared-secret`` - use predefined shared secret phrase; * ``rsa`` - use simple shared RSA key. The key must be defined in the ``set vpn rsa-keys`` section; * ``x509`` - use certificates infrastructure for authentication. - * ``pre-shared-secret`` - predefined shared secret. Used if configured - ``mode pre-shared-secret``; - * ``remote-id`` - define an ID for remote peer, instead of using peer name or address. Useful in case if the remote peer is behind NAT or if ``mode x509`` is used; @@ -161,6 +167,9 @@ Example: .. code-block:: none # server config + set vpn ipsec authentication psk OFFICE-B id '198.51.100.3' + set vpn ipsec authentication psk OFFICE-B id '203.0.113.2' + set vpn ipsec authentication psk OFFICE-B secret 'SomePreSharedKey' set vpn ipsec esp-group office-srv-esp lifetime '1800' set vpn ipsec esp-group office-srv-esp mode 'tunnel' set vpn ipsec esp-group office-srv-esp pfs 'enable' @@ -171,8 +180,8 @@ Example: set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' set vpn ipsec interface 'eth1' + set vpn ipsec site-to-site peer OFFICE-B authentication local-id '198.51.100.3' set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'SomePreSharedKey' set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '203.0.113.2' set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike' set vpn ipsec site-to-site peer OFFICE-B local-address '198.51.100.3' @@ -182,6 +191,9 @@ Example: set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21' # remote office config + set vpn ipsec authentication psk OFFICE-A id '198.51.100.3' + set vpn ipsec authentication psk OFFICE-A id '203.0.113.2' + set vpn ipsec authentication psk OFFICE-A secret 'SomePreSharedKey' set vpn ipsec esp-group office-srv-esp lifetime '1800' set vpn ipsec esp-group office-srv-esp mode 'tunnel' set vpn ipsec esp-group office-srv-esp pfs 'enable' @@ -192,8 +204,8 @@ Example: set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' set vpn ipsec interface 'eth1' + set vpn ipsec site-to-site peer OFFICE-A authentication local-id '203.0.113.2' set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'SomePreSharedKey' set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '198.51.100.3' set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike' set vpn ipsec site-to-site peer OFFICE-A local-address '203.0.113.2' @@ -279,6 +291,9 @@ Imagine the following topology set interfaces vti vti10 address '10.0.0.2/31' + set vpn ipsec authentication psk OFFICE-B id '172.18.201.10' + set vpn ipsec authentication psk OFFICE-B id '172.18.202.10' + set vpn ipsec authentication psk OFFICE-B secret 'secretkey' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' @@ -293,7 +308,6 @@ Imagine the following topology set vpn ipsec interface 'eth0.201' set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10' set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'secretkey' set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10' set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond' set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT' @@ -308,6 +322,9 @@ Imagine the following topology set interfaces vti vti10 address '10.0.0.3/31' + set vpn ipsec authentication psk OFFICE-A id '172.18.201.10' + set vpn ipsec authentication psk OFFICE-A id '172.18.202.10' + set vpn ipsec authentication psk OFFICE-A secret 'secretkey' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' @@ -325,7 +342,6 @@ Imagine the following topology set vpn ipsec interface 'eth0.202' set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10' set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'secretkey' set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '172.18.201.10' set vpn ipsec site-to-site peer OFFICE-A connection-type 'initiate' set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKEv2_DEFAULT' |