Diffstat (limited to 'docs/vpn/site2site_ipsec.rst')
-rw-r--r--docs/vpn/site2site_ipsec.rst109
1 files changed, 109 insertions, 0 deletions
diff --git a/docs/vpn/site2site_ipsec.rst b/docs/vpn/site2site_ipsec.rst
new file mode 100644
index 00000000..f420112a
--- /dev/null
+++ b/docs/vpn/site2site_ipsec.rst
@@ -0,0 +1,109 @@
+.. _size2site_ipsec:
+
+Site-to-Site IPsec
+------------------
+
+Example:
+* eth1 is WAN interface
+* left subnet: 192.168.0.0/24 #s ite1, server side (i.e. locality, actually
+there is no client or server roles)
+* left local_ip: 1.1.1.1 # server side WAN IP
+* right subnet: 10.0.0.0/24 # site2,remote office side
+* right local_ip: 2.2.2.2 # remote office side WAN IP
+
+.. code-block:: sh
+
+ # server config
+ set vpn ipsec esp-group office-srv-esp compression 'disable'
+ set vpn ipsec esp-group office-srv-esp lifetime '1800'
+ set vpn ipsec esp-group office-srv-esp mode 'tunnel'
+ set vpn ipsec esp-group office-srv-esp pfs 'enable'
+ set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
+ set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
+ set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
+ set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
+ set vpn ipsec ike-group office-srv-ike lifetime '3600'
+ set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
+ set vpn ipsec ipsec-interfaces interface 'eth1'
+ set vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret 'SomePreSharedKey'
+ set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'office-srv-ike'
+ set vpn ipsec site-to-site peer 2.2.2.2 local-address '1.1.1.1'
+ set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 allow-nat-networks 'disable'
+ set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 allow-public-networks 'disable'
+ set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 esp-group 'office-srv-esp'
+ set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 local prefix '192.168.0.0/24'
+ set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 remote prefix '10.0.0.0/21'
+
+ # remote office config
+ set vpn ipsec esp-group office-srv-esp compression 'disable'
+ set vpn ipsec esp-group office-srv-esp lifetime '1800'
+ set vpn ipsec esp-group office-srv-esp mode 'tunnel'
+ set vpn ipsec esp-group office-srv-esp pfs 'enable'
+ set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
+ set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
+ set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
+ set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
+ set vpn ipsec ike-group office-srv-ike lifetime '3600'
+ set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
+ set vpn ipsec ipsec-interfaces interface 'eth1'
+ set vpn ipsec site-to-site peer 1.1.1.1 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret 'SomePreSharedKey'
+ set vpn ipsec site-to-site peer 1.1.1.1 ike-group 'office-srv-ike'
+ set vpn ipsec site-to-site peer 1.1.1.1 local-address '2.2.2.2'
+ set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 allow-nat-networks 'disable'
+ set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 allow-public-networks 'disable'
+ set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 esp-group 'office-srv-esp'
+ set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 local prefix '10.0.0.0/21'
+ set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 remote prefix '192.168.0.0/24'
+
+Show status of new setup:
+
+.. code-block:: sh
+
+ vyos@srv-gw0:~$ show vpn ike sa
+ Peer ID / IP Local ID / IP
+ ------------ -------------
+ 2.2.2.2 1.1.1.1
+ State Encrypt Hash D-H Grp NAT-T A-Time L-Time
+ ----- ------- ---- ------- ----- ------ ------
+ up aes256 sha1 5 no 734 3600
+
+ vyos@srv-gw0:~$ show vpn ipsec sa
+ Peer ID / IP Local ID / IP
+ ------------ -------------
+ 2.2.2.2 1.1.1.1
+ Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
+ ------ ----- ------------- ------- ---- ----- ------ ------ -----
+ 0 up 7.5M/230.6K aes256 sha1 no 567 1800 all
+
+If there is SNAT rules on eth1, need to add exclude rule
+
+.. code-block:: sh
+
+ # server side
+ set nat source rule 10 destination address '10.0.0.0/24'
+ set nat source rule 10 'exclude'
+ set nat source rule 10 outbound-interface 'eth1'
+ set nat source rule 10 source address '192.168.0.0/24'
+
+ # remote office side
+ set nat source rule 10 destination address '192.168.0.0/24'
+ set nat source rule 10 'exclude'
+ set nat source rule 10 outbound-interface 'eth1'
+ set nat source rule 10 source address '10.0.0.0/24'
+
+To allow traffic to pass through to clients, you need to add the following
+rules. (if you used the default configuration at the top of this page)
+
+.. code-block:: sh
+
+ # server side
+ set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
+ set firewall name OUTSIDE-LOCAL rule 32 source address '10.0.0.0/24'
+
+ # remote office side
+ set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
+ set firewall name OUTSIDE-LOCAL rule 32 source address '192.168.0.0/24'