Diffstat (limited to 'docs/configuration/vpn/site2site_ipsec.rst')
-rw-r--r--  docs/configuration/vpn/site2site_ipsec.rst  54
1 files changed, 47 insertions, 7 deletions
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index e81c5c3b..aace98aa 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -264,9 +264,15 @@ rules. (if you used the default configuration at the top of this page)
IKEv2
^^^^^
+Example:
+
+* left local_ip: 192.168.0.10 # VPN Gateway, behind NAT device
+* left public_ip:172.18.201.10
+* right local_ip: 172.18.202.10 # right side WAN IP
+
Imagine the following topology
-.. figure:: /_static/images/vpn_s2s_ikev2.png
+.. figure:: /_static/images/vpn_s2s_ikev2_c.png
:scale: 50 %
:alt: IPSec IKEv2 site2site VPN
@@ -289,9 +295,6 @@ Imagine the following topology
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
- set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
- set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
- set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
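Review bot: the reason for dropping all three `dead-peer-detection` lines from this ike-group is only explained by the closing paragraph of the patch ("For a responder, close-action or dead-peer-detection must not be enabled"). A reader of this snippet alone will assume DPD was left out by mistake; add a one-line sentence above the block, or a cross-reference to the Key Parameters section, stating that this is the responder side and DPD is intentionally omitted. Worth noting in the same sentence that, without DPD here, a dead tunnel on this side persists until the initiator renegotiates or the `lifetime '10800'` expires.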
@@ -304,10 +307,10 @@ Imagine the following topology
set vpn ipsec site-to-site peer 172.18.202.10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 172.18.202.10 authentication pre-shared-secret 'secretkey'
set vpn ipsec site-to-site peer 172.18.202.10 authentication remote-id '172.18.202.10'
- set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'initiate'
+ set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'respond'
set vpn ipsec site-to-site peer 172.18.202.10 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer 172.18.202.10 ikev2-reauth 'inherit'
- set vpn ipsec site-to-site peer 172.18.202.10 local-address '172.18.201.10'
+ set vpn ipsec site-to-site peer 172.18.202.10 local-address '192.168.0.10'
set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti10'
set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'ESP_DEFAULT'
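Review bot: `local-address` now points at the private address `192.168.0.10`, but the hunk shows no explicit `authentication id` for this (NATed) side, while the Key Parameters text added in this same patch says the default IKE ID is the local address and that a gateway behind NAT must set its local/remote id explicitly or fail Phase 1 validation. If an `authentication id` line is not already present in the lines outside this hunk, add one here (the value the remote peer has configured as its `remote-id`) so the example follows its own advice; if it is present, consider including it in the diff context so the two changes are visibly tied together.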
@@ -323,7 +326,7 @@ Imagine the following topology
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
- set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
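Review bot: changing the initiator's DPD action from `hold` to `restart` matches the recommendation at the end of the patch, but that recommendation also names `close-action 'restart'` for the initiator, and this ike-group does not set it. Either add the corresponding close-action setting to this example (this block is the initiator's IKE profile, the one the text refers to) or soften the recommendation so the example and the guidance agree.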
@@ -344,3 +347,40 @@ Imagine the following topology
set vpn ipsec site-to-site peer 172.18.201.10 local-address '172.18.202.10'
set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti10'
set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'ESP_DEFAULT'
+
+Key Parameters:
+
+* ``authentication id/remote-id`` - IKE identification is used for validation
+ of VPN peer devices during IKE negotiation. If you do not configure local/
+ remote-identity, the device uses the IPv4 or IPv6 address that corresponds
+ to the local/remote peer by default.
+ In certain network setups (like ipsec interface with dynamic address, or
+ behind the NAT ), the IKE ID received from the peer does not match the IKE
+ gateway configured on the device. This can lead to a Phase 1 validation
+ failure.
+ So, make sure to configure the local/remote id explicitly and ensure that the
+ IKE ID is the same as the remote-identity configured on the peer device.
+
+* ``disable-route-autoinstall`` - This option when configured disables the
+ routes installed in the default table 220 for site-to-site ipsec.
+ It is mostly used with VTI configuration.
+
+* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE
+ notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2)
+ are periodically sent in order to check the liveliness of theIPsec peer. The
+ values clear, hold, and restart all activate DPD and determine the action to
+ perform on a timeout.
+ With ``clear`` the connection is closed with no further actions taken.
+ ``hold`` installs a trap policy, which will catch matching traffic and tries
+ to re-negotiate the connection on demand.
+ ``restart`` will immediately trigger an attempt to re-negotiate the
+ connection.
+
+* ``close-action = none | clear | hold | restart`` - defines the action to take
+ if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of
+ values). A closeaction should not be used if the peer uses reauthentication or
+ uniqueids.
+
+ For a responder, close-action or dead-peer-detection must not be enabled.
+ For an initiator DPD with `restart` action, and `close-action 'restart'`
+ is recommended in IKE profile.
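Review bot: several wording and markup slips in the new Key Parameters text: "messages(IKEv1)" and "theIPsec peer" are missing spaces, "behind the NAT )" has a stray space, "liveliness" should be "liveness", and "closeaction" should be written `close-action` as in the bullet heading. The last paragraph uses single backticks (`restart`, `close-action 'restart'`), which in reStructuredText is interpreted text rather than a literal; use the double-backtick literals the rest of the section uses. The statement "must not be enabled" for the responder is stronger than the surrounding text supports; "should not" reads as the intended register and avoids implying a hard failure. Finally, "A closeaction should not be used if the peer uses reauthentication or uniqueids" is the one place where the rationale is not stated; one clause on why (the peer re-establishing the SA would collide with the action taken here) would make the bullet self-contained.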