summaryrefslogtreecommitdiff
path: root/docs/configuration/vpn/rsa-keys.rst
diff options
context:
space:
mode:
Diffstat (limited to 'docs/configuration/vpn/rsa-keys.rst')
-rw-r--r--docs/configuration/vpn/rsa-keys.rst88
1 files changed, 88 insertions, 0 deletions
diff --git a/docs/configuration/vpn/rsa-keys.rst b/docs/configuration/vpn/rsa-keys.rst
new file mode 100644
index 00000000..7912cffe
--- /dev/null
+++ b/docs/configuration/vpn/rsa-keys.rst
@@ -0,0 +1,88 @@
+
+########
+RSA-Keys
+########
+RSA can be used for services such as key exchanges and for encryption purposes.
+To make IPSec work with dynamic address on one/both sides, we will have to use
+RSA keys for authentication. They are very fast and easy to setup.
+
+First, on both routers run the operational command “generate vpn rsa-key
+bits 2048”. You may choose different length than 2048 of course.
+
+.. code-block:: none
+
+ vyos@left# run generate vpn rsa-key bits 2048
+ Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
+
+ Your new local RSA key has been generated
+ The public portion of the key is:
+
+ 0sAQO2335[long string here]
+
+Please note down this public key, as you have to add this RSA key in the opposite router.
+
+.. code-block:: none
+
+ set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE
+
+Now you are ready to setup IPsec. The key points:
+
+1. Since both routers do not know their effective public addresses, we set the local-address of the peer to "any".
+2. On the initiator, we set the peer address to its public address, but on the responder we only set the id.
+3. On the initiator, we need to set the remote-id option so that it can identify IKE traffic from the responder correctly.
+4. On the responder, we need to set the local id so that initiator can know who's talking to it for the point #3 to work.
+5. Don't forget to enable NAT traversal on both sides, "set vpn ipsec nat-traversal enable".
+
+LEFT SIDE:
+
+.. code-block:: none
+
+ set vpn rsa-keys rsa-key-name RIGHT rsa-key <PUBLIC KEY FROM THE RIGHT>
+
+ set vpn ipsec ipsec-interfaces interface eth0
+ set vpn ipsec nat-traversal 'enable'
+
+ set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
+ set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
+
+ set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
+ set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
+ set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
+
+ set vpn ipsec site-to-site peer 192.0.2.60 authentication mode rsa
+ set vpn ipsec site-to-site peer 192.0.2.60 authentication id @LEFT
+ set vpn ipsec site-to-site peer 192.0.2.60 authentication rsa-key-name RIGHT
+ set vpn ipsec site-to-site peer 192.0.2.60 authentication remote-id RIGHT
+ set vpn ipsec site-to-site peer 192.0.2.60 default-esp-group MyESPGroup
+ set vpn ipsec site-to-site peer 192.0.2.60 ike-group MyIKEGroup
+ set vpn ipsec site-to-site peer 192.0.2.60 local-address any
+ set vpn ipsec site-to-site peer 192.0.2.60 connection-type initiate
+ set vpn ipsec site-to-site peer 192.0.2.60 tunnel 1 local prefix 192.168.99.1/32
+ set vpn ipsec site-to-site peer 192.0.2.60 tunnel 1 remote prefix 192.168.99.2/32
+
+RIGHT SIDE:
+
+.. code-block:: none
+
+ set vpn rsa-keys rsa-key-name LEFT rsa-key <PUBLIC KEY FROM THE LEFT>
+
+ set vpn ipsec ipsec-interfaces interface eth0
+ set vpn ipsec nat-traversal 'enable'
+
+ set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
+ set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
+
+ set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
+ set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
+ set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
+
+ set vpn ipsec site-to-site peer @LEFT authentication id @RIGHT
+ set vpn ipsec site-to-site peer @LEFT authentication mode rsa
+ set vpn ipsec site-to-site peer @LEFT authentication rsa-key-name LEFT
+ set vpn ipsec site-to-site peer @LEFT connection-type respond
+ set vpn ipsec site-to-site peer @LEFT default-esp-group MyESPGroup
+ set vpn ipsec site-to-site peer @LEFT ike-group MyIKEGroup
+ set vpn ipsec site-to-site peer @LEFT local-address any
+ set vpn ipsec site-to-site peer @LEFT tunnel 1 local prefix 192.168.99.2/32
+ set vpn ipsec site-to-site peer @LEFT tunnel 1 remote prefix 192.168.99.1/32
+