authorChristian Poessinger <christian@poessinger.com>2019-07-13 22:08:29 +0200
committerChristian Poessinger <christian@poessinger.com>2019-07-13 22:27:20 +0200
commit08a239b3692e0aa30ff08117ca82f218c1c4aa08 (patch)
tree1c941be2061d856660c275ea102d2fa8f1e6437f /docs/vpn
parent4cad92e786b46e5cd1ba8dbd5ed0b11f0afd21c0 (diff)
VPN: add IKEv2 example configuration for site2site VPN
Diffstat (limited to 'docs/vpn')
-rw-r--r--docs/vpn/site2site_ipsec.rst43
1 files changed, 41 insertions, 2 deletions
diff --git a/docs/vpn/site2site_ipsec.rst b/docs/vpn/site2site_ipsec.rst
index 8fa9f612..a81c8d90 100644
--- a/docs/vpn/site2site_ipsec.rst
+++ b/docs/vpn/site2site_ipsec.rst
@@ -1,7 +1,10 @@
.. _size2site_ipsec:
-Site-to-Site IPsec
-------------------
+Site-to-Site
+------------
+
+IKEv1
+^^^^^
Example:
@@ -108,3 +111,39 @@ rules. (if you used the default configuration at the top of this page)
# remote office side
set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
set firewall name OUTSIDE-LOCAL rule 32 source address '192.168.0.0/24'
+
+IKEv2
+^^^^^
+
+.. note:: This is just a preliminary config which should be extended!
+
+.. code-block:: sh
+
+ set interfaces vti vti10 address '10.0.0.1/30'
+
+ set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
+ set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
+ set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
+ set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
+ set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
+ set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
+ set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
+ set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
+ set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
+ set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
+ set vpn ipsec site-to-site peer 2.2.2.2 authentication id '1.1.1.1'
+ set vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret 'secretkey'
+ set vpn ipsec site-to-site peer 2.2.2.2 authentication remote-id '2.2.2.2'
+ set vpn ipsec site-to-site peer 2.2.2.2 connection-type 'initiate'
+ set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'IKEv2_DEFAULT'
+ set vpn ipsec site-to-site peer 2.2.2.2 ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer 2.2.2.2 local-address '1.1.1.1'
+ set vpn ipsec site-to-site peer 2.2.2.2 vti bind 'vti10'
+ set vpn ipsec site-to-site peer 2.2.2.2 vti esp-group 'ESP_DEFAULT'