summaryrefslogtreecommitdiff
path: root/docs/configexamples/site-2-site-cisco.rst
diff options
context:
space:
mode:
authorRobert Göhler <github@ghlr.de>2023-10-26 13:36:13 +0200
committerGitHub <noreply@github.com>2023-10-26 13:36:13 +0200
commit7aa0c1ab320a527900c5c54c81264a2f31b7db06 (patch)
tree8b040d7add61ba45b15dc7eb92019d4cb620f517 /docs/configexamples/site-2-site-cisco.rst
parent90c343fa9289ec150b3908bb625156198c2d6145 (diff)
parent4d7e44d3e7a80d028a12785ccaed4d78ab7636bd (diff)
downloadvyos-documentation-7aa0c1ab320a527900c5c54c81264a2f31b7db06.tar.gz
vyos-documentation-7aa0c1ab320a527900c5c54c81264a2f31b7db06.zip
Merge pull request #1126 from srividya0208/ipsec_vips
Added config example of vpn ipsec site-to-site
Diffstat (limited to 'docs/configexamples/site-2-site-cisco.rst')
-rw-r--r--docs/configexamples/site-2-site-cisco.rst177
1 files changed, 177 insertions, 0 deletions
diff --git a/docs/configexamples/site-2-site-cisco.rst b/docs/configexamples/site-2-site-cisco.rst
new file mode 100644
index 00000000..96e48d07
--- /dev/null
+++ b/docs/configexamples/site-2-site-cisco.rst
@@ -0,0 +1,177 @@
+.. _examples-site-2-site-cisco:
+
+Site-to-Site IPSec VPN to Cisco using FlexVPN
+---------------------------------------------
+
+This guide shows a sample configuration for FlexVPN site-to-site Internet
+Protocol Security (IPsec)/Generic Routing Encapsulation (GRE) tunnel.
+
+FlexVPN is a newer "solution" for deployment of VPNs and it utilizes IKEv2 as
+the key exchange protocol. The result is a flexible and scalable VPN solution
+that can be easily adapted to fit various network needs. It can also support a
+variety of encryption methods, including AES and 3DES.
+
+The lab was built using EVE-NG.
+
+
+Configuration
+^^^^^^^^^^^^^^
+
+VyOS
+=====
+
+- GRE:
+
+.. code-block:: none
+
+ set interfaces tunnel tun1 encapsulation 'gre'
+ set interfaces tunnel tun1 ip adjust-mss '1336'
+ set interfaces tunnel tun1 mtu '1376'
+ set interfaces tunnel tun1 remote '10.1.1.6'
+ set interfaces tunnel tun1 source-address '88.2.2.1'
+
+
+- IPsec:
+
+.. code-block:: none
+
+ set vpn ipsec authentication psk vyos_cisco_l id 'vyos.net’
+ set vpn ipsec authentication psk vyos_cisco_l id 'cisco.hub.net'
+ set vpn ipsec authentication psk vyos_cisco_l secret 'secret'
+ set vpn ipsec esp-group e1 lifetime '3600'
+ set vpn ipsec esp-group e1 mode 'tunnel'
+ set vpn ipsec esp-group e1 pfs 'disable'
+ set vpn ipsec esp-group e1 proposal 1 encryption 'aes128'
+ set vpn ipsec esp-group e1 proposal 1 hash 'sha256'
+ set vpn ipsec ike-group i1 key-exchange 'ikev2'
+ set vpn ipsec ike-group i1 lifetime '28800'
+ set vpn ipsec ike-group i1 proposal 1 dh-group '5'
+ set vpn ipsec ike-group i1 proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group i1 proposal 1 hash 'sha256'
+ set vpn ipsec interface 'eth2'
+ set vpn ipsec options disable-route-autoinstall
+ set vpn ipsec options flexvpn
+ set vpn ipsec options interface 'tun1'
+ set vpn ipsec options virtual-ip
+ set vpn ipsec site-to-site peer cisco_hub authentication local-id 'vyos.net'
+ set vpn ipsec site-to-site peer cisco_hub authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer cisco_hub authentication remote-id 'cisco.hub.net'
+ set vpn ipsec site-to-site peer cisco_hub connection-type 'initiate'
+ set vpn ipsec site-to-site peer cisco_hub default-esp-group 'e1'
+ set vpn ipsec site-to-site peer cisco_hub ike-group 'i1'
+ set vpn ipsec site-to-site peer cisco_hub local-address '88.2.2.1'
+ set vpn ipsec site-to-site peer cisco_hub remote-address '10.1.1.6'
+ set vpn ipsec site-to-site peer cisco_hub tunnel 1 local prefix '88.2.2.1/32'
+ set vpn ipsec site-to-site peer cisco_hub tunnel 1 protocol 'gre'
+ set vpn ipsec site-to-site peer cisco_hub tunnel 1 remote prefix '10.1.1.6/32'
+ set vpn ipsec site-to-site peer cisco_hub virtual-address '0.0.0.0'
+
+
+Cisco
+=====
+.. code-block:: none
+
+ aaa new-model
+ !
+ !
+ aaa authorization network default local
+ !
+ crypto ikev2 name-mangler GET_DOMAIN
+ fqdn all
+ email all
+ !
+ !
+ crypto ikev2 authorization policy vyos
+ pool mypool
+ aaa attribute list mylist
+ route set interface
+ route accept any tag 100 distance 5
+ !
+ crypto ikev2 keyring mykeys
+ peer peer1
+ identity fqdn vyos.net
+ pre-shared-key local secret
+ pre-shared-key remote secret
+ crypto ikev2 profile my_profile
+ match identity remote fqdn vyos.net
+ identity local fqdn cisco.hub.net
+ authentication remote pre-share
+ authentication local pre-share
+ keyring local mykeys
+ dpd 10 3 periodic
+ aaa authorization group psk list local name-mangler GET_DOMAIN
+ aaa authorization user psk cached
+ virtual-template 1
+ !
+ !
+ !
+ crypto ipsec transform-set TSET esp-aes esp-sha256-hmac
+ mode tunnel
+ !
+ !
+ crypto ipsec profile my-ipsec-profile
+ set transform-set TSET
+ set ikev2-profile my_profile
+ !
+ interface Virtual-Template1 type tunnel
+ no ip address
+ ip mtu 1376
+ ip nhrp network-id 1
+ ip nhrp shortcut virtual-template 1
+ ip tcp adjust-mss 1336
+ tunnel path-mtu-discovery
+ tunnel protection ipsec profile my-ipsec-profile
+ !
+ ip local pool my_pool 172.16.122.1 172.16.122.254
+
+
+Since the tunnel is a point-to-point GRE tunnel, it behaves like any other
+point-to-point interface (for example: serial, dialer), and it is possible to
+run any Interior Gateway Protocol (IGP)/Exterior Gateway Protocol (EGP) over
+the link in order to exchange routing information
+
+Verification
+^^^^^^^^^^^^
+
+.. code-block:: none
+
+ vyos@vyos$ show interfaces
+ Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
+ Interface IP Address S/L Description
+ --------- ---------- --- -----------
+ eth0 - u/u
+ eth1 - u/u
+ eth2 88.2.2.1/24 u/u
+ eth3 172.16.1.2/24 u/u
+ lo 127.0.0.1/8 u/u
+ ::1/128
+ tun1 172.16.122.2/32 u/u
+
+ vyos@vyos:~$ show vpn ipsec sa
+ Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
+ ------------------ ------- -------- -------------- ---------------- ---------------- --------------------- -----------------------------
+ cisco_hub-tunnel-1 up 44m17s 35K/31K 382/367 10.1.1.6 cisco.hub.net AES_CBC_128/HMAC_SHA2_256_128
+
+
+ Hub#sh crypto ikev2 sa detailed
+ IPv4 Crypto IKEv2 SA
+
+ Tunnel-id Local Remote fvrf/ivrf Status
+ 5 10.1.1.6/4500 88.2.2.1/4500 none/none READY
+ Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
+ Life/Active Time: 86400/2694 sec
+ CE id: 0, Session-id: 2
+ Status Description: Negotiation done
+ Local spi: C94EE2DC92A60C47 Remote spi: 9AF0EF151BECF14C
+ Local id: cisco.hub.net
+ Remote id: vyos.net
+ Local req msg id: 269 Remote req msg id: 0
+ Local next msg id: 269 Remote next msg id: 0
+ Local req queued: 269 Remote req queued: 0
+ Local window: 5 Remote window: 1
+ DPD configured for 10 seconds, retry 3
+ Fragmentation not configured.
+ Extended Authentication not configured.
+ NAT-T is not detected
+ Cisco Trust Security SGT is disabled
+ Assigned host addr: 172.16.122.2