diff options
| author | sofukong <130022807+sofukong@users.noreply.github.com> | 2023-11-03 14:45:52 +0800 |
|---|---|---|
| committer | sofukong <130022807+sofukong@users.noreply.github.com> | 2023-11-03 14:45:52 +0800 |
| commit | 8182b5bef07d3338ca7d777ab4196056da11723d (patch) | |
| tree | f8db591e77b6bdd13afe864a4dbcae641b516600 /docs/configuration/vpn/site2site_ipsec.rst | |
| parent | 354d09858baab04d1a26076b64cea7fe0bfd5e67 (diff) | |
| parent | 5634562722a5f96dd68f867a21e62b125f07776c (diff) | |
| download | vyos-documentation-8182b5bef07d3338ca7d777ab4196056da11723d.tar.gz vyos-documentation-8182b5bef07d3338ca7d777ab4196056da11723d.zip | |
Merge branch 'equuleus' of https://github.com/sofukong/vyos-documentation into equuleus
Diffstat (limited to 'docs/configuration/vpn/site2site_ipsec.rst')
| -rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 879f8dfa..53109243 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -272,15 +272,28 @@ Imagine the following topology IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio) +**LEFT:** +* WAN interface on `eth0.201` +* `eth0.201` interface IP: `172.18.201.10/24` +* `vti10` interface IP: `10.0.0.2/31` +* `dum0` interface IP: `10.0.11.1/24` (for testing purposes) + +**RIGHT:** +* WAN interface on `eth0.202` +* `eth0.201` interface IP: `172.18.202.10/24` +* `vti10` interface IP: `10.0.0.3/31` +* `dum0` interface IP: `10.0.12.1/24` (for testing purposes) .. note:: Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links. -**left** +**LEFT** .. code-block:: none + set interfaces ethernet eth0 vif 201 address '172.18.201.10/24' + set interfaces dummy dum0 address '10.0.11.1/24' set interfaces vti vti10 address '10.0.0.2/31' set vpn ipsec esp-group ESP_DEFAULT compression 'disable' @@ -311,10 +324,14 @@ Imagine the following topology set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti10' set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'ESP_DEFAULT' -**right** + set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10 + +**RIGHT** .. code-block:: none + set interfaces ethernet eth0 vif 202 address '172.18.202.10/24' + set interfaces dummy dum0 address '10.0.12.1/24' set interfaces vti vti10 address '10.0.0.3/31' set vpn ipsec esp-group ESP_DEFAULT compression 'disable' @@ -345,6 +362,8 @@ Imagine the following topology set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti10' set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'ESP_DEFAULT' + set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10 + Key Parameters: * ``authentication local-id/remote-id`` - IKE identification is used for |