diff options
Diffstat (limited to 'docs/configuration/vpn/ipsec.rst')
-rw-r--r-- | docs/configuration/vpn/ipsec.rst | 67 |
1 files changed, 37 insertions, 30 deletions
diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index 693f3ec6..d6a4733c 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -111,6 +111,8 @@ VyOS IKE group has the next options: * ``hash`` hash algorithm. + * ``prf`` pseudo-random function. + *********************************************** ESP (Encapsulating Security Payload) Attributes *********************************************** @@ -166,7 +168,7 @@ VyOS ESP group has the next options: *********************************************** Options (Global IPsec settings) Attributes *********************************************** -* ``options`` IPsec settings: +* ``options`` * ``disable-route-autoinstall`` Do not automatically install routes to remote networks; @@ -198,7 +200,7 @@ On the LEFT: set interfaces tunnel tun0 address 10.10.10.1/30 ## IPsec - set vpn ipsec ipsec-interfaces interface eth0 + set vpn ipsec interface eth0 # IKE group set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2' @@ -210,16 +212,18 @@ On the LEFT: set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1' # IPsec tunnel - set vpn ipsec site-to-site peer 203.0.113.45 authentication mode pre-shared-secret - set vpn ipsec site-to-site peer 203.0.113.45 authentication pre-shared-secret MYSECRETKEY + set vpn ipsec site-to-site peer right authentication mode pre-shared-secret + set vpn ipsec site-to-site peer right authentication pre-shared-secret MYSECRETKEY + set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45 - set vpn ipsec site-to-site peer 203.0.113.45 ike-group MyIKEGroup - set vpn ipsec site-to-site peer 203.0.113.45 default-esp-group MyESPGroup + set vpn ipsec site-to-site peer right ike-group MyIKEGroup + set vpn ipsec site-to-site peer right default-esp-group MyESPGroup - set vpn ipsec site-to-site peer 203.0.113.45 local-address 192.0.2.10 + set vpn ipsec site-to-site peer right local-address 192.0.2.10 + set vpn ipsec site-to-site peer right remote-address 203.0.113.45 # This will match all GRE traffic to the peer - set vpn ipsec site-to-site peer 203.0.113.45 tunnel 1 protocol gre + set vpn ipsec site-to-site peer right tunnel 1 protocol gre On the RIGHT, setup by analogy and swap local and remote addresses. @@ -235,6 +239,8 @@ an IPsec policy to match those loopback addresses. We assume that the LEFT router has static 192.0.2.10 address on eth0, and the RIGHT router has a dynamic address on eth0. +The peer names RIGHT and LEFT are used as informational text. + **Setting up the GRE tunnel** On the LEFT: @@ -325,17 +331,17 @@ On the LEFT (static address): set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - set vpn ipsec site-to-site peer @RIGHT authentication id LEFT - set vpn ipsec site-to-site peer @RIGHT authentication mode rsa - set vpn ipsec site-to-site peer @RIGHT authentication rsa local-key ipsec-LEFT - set vpn ipsec site-to-site peer @RIGHT authentication rsa remote-key ipsec-RIGHT - set vpn ipsec site-to-site peer @RIGHT authentication remote-id RIGHT - set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup - set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup - set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10 - set vpn ipsec site-to-site peer @RIGHT connection-type respond - set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote + set vpn ipsec site-to-site peer RIGHT authentication local-id LEFT + set vpn ipsec site-to-site peer RIGHT authentication mode rsa + set vpn ipsec site-to-site peer RIGHT authentication rsa local-key ipsec-LEFT + set vpn ipsec site-to-site peer RIGHT authentication rsa remote-key ipsec-RIGHT + set vpn ipsec site-to-site peer RIGHT authentication remote-id RIGHT + set vpn ipsec site-to-site peer RIGHT default-esp-group MyESPGroup + set vpn ipsec site-to-site peer RIGHT ike-group MyIKEGroup + set vpn ipsec site-to-site peer RIGHT local-address 192.0.2.10 + set vpn ipsec site-to-site peer RIGHT connection-type respond + set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local + set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote On the RIGHT (dynamic address): @@ -350,14 +356,15 @@ On the RIGHT (dynamic address): set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - set vpn ipsec site-to-site peer 192.0.2.10 authentication id RIGHT - set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa - set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa local-key ipsec-RIGHT - set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa remote-key ipsec-LEFT - set vpn ipsec site-to-site peer 192.0.2.10 authentication remote-id LEFT - set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate - set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup - set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup - set vpn ipsec site-to-site peer 192.0.2.10 local-address any - set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote + set vpn ipsec site-to-site peer LEFT authentication local-id RIGHT + set vpn ipsec site-to-site peer LEFT authentication mode rsa + set vpn ipsec site-to-site peer LEFT authentication rsa local-key ipsec-RIGHT + set vpn ipsec site-to-site peer LEFT authentication rsa remote-key ipsec-LEFT + set vpn ipsec site-to-site peer LEFT authentication remote-id LEFT + set vpn ipsec site-to-site peer LEFT connection-type initiate + set vpn ipsec site-to-site peer LEFT default-esp-group MyESPGroup + set vpn ipsec site-to-site peer LEFT ike-group MyIKEGroup + set vpn ipsec site-to-site peer LEFT local-address any + set vpn ipsec site-to-site peer LEFT remote-address 192.0.2.10 + set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local + set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote |