summaryrefslogtreecommitdiff
path: root/docs/vpn
diff options
context:
space:
mode:
Diffstat (limited to 'docs/vpn')
-rw-r--r--docs/vpn/site2site_ipsec.rst73
1 files changed, 61 insertions, 12 deletions
diff --git a/docs/vpn/site2site_ipsec.rst b/docs/vpn/site2site_ipsec.rst
index a81c8d90..9279c112 100644
--- a/docs/vpn/site2site_ipsec.rst
+++ b/docs/vpn/site2site_ipsec.rst
@@ -115,11 +115,23 @@ rules. (if you used the default configuration at the top of this page)
IKEv2
^^^^^
-.. note:: This is just a preliminary config which should be extended!
+Imagine the following topology
+
+.. figure:: ../_static/images/vpn_s2s_ikev2.png
+ :scale: 50 %
+ :alt: IPSec IKEv2 site2site VPN
+
+ IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio)
+
+
+.. note:: Don't get confused about the used /31 tunnel subnet. RFC3031_ gives
+ you additional information for using /31 subnets on point-to-point links.
+
+**left**
.. code-block:: sh
- set interfaces vti vti10 address '10.0.0.1/30'
+ set interfaces vti vti10 address '10.0.0.2/31'
set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
@@ -137,13 +149,50 @@ IKEv2
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
- set vpn ipsec site-to-site peer 2.2.2.2 authentication id '1.1.1.1'
- set vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret 'secretkey'
- set vpn ipsec site-to-site peer 2.2.2.2 authentication remote-id '2.2.2.2'
- set vpn ipsec site-to-site peer 2.2.2.2 connection-type 'initiate'
- set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'IKEv2_DEFAULT'
- set vpn ipsec site-to-site peer 2.2.2.2 ikev2-reauth 'inherit'
- set vpn ipsec site-to-site peer 2.2.2.2 local-address '1.1.1.1'
- set vpn ipsec site-to-site peer 2.2.2.2 vti bind 'vti10'
- set vpn ipsec site-to-site peer 2.2.2.2 vti esp-group 'ESP_DEFAULT'
+ set vpn ipsec ipsec-interfaces interface 'eth0.201'
+ set vpn ipsec site-to-site peer 172.18.202.10 authentication id '172.18.201.10'
+ set vpn ipsec site-to-site peer 172.18.202.10 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 172.18.202.10 authentication pre-shared-secret 'secretkey'
+ set vpn ipsec site-to-site peer 172.18.202.10 authentication remote-id '172.18.202.10'
+ set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'initiate'
+ set vpn ipsec site-to-site peer 172.18.202.10 ike-group 'IKEv2_DEFAULT'
+ set vpn ipsec site-to-site peer 172.18.202.10 ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer 172.18.202.10 local-address '172.18.201.10'
+ set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti10'
+ set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'ESP_DEFAULT'
+
+**right**
+
+.. code-block:: sh
+
+ set interfaces vti vti10 address '10.0.0.3/31'
+
+ set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
+ set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
+ set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
+ set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
+ set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
+ set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
+ set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
+ set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
+ set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
+ set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
+ set vpn ipsec ipsec-interfaces interface 'eth0.202'
+ set vpn ipsec site-to-site peer 172.18.201.10 authentication id '172.18.202.10'
+ set vpn ipsec site-to-site peer 172.18.201.10 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 172.18.201.10 authentication pre-shared-secret 'secretkey'
+ set vpn ipsec site-to-site peer 172.18.201.10 authentication remote-id '172.18.201.10'
+ set vpn ipsec site-to-site peer 172.18.201.10 connection-type 'initiate'
+ set vpn ipsec site-to-site peer 172.18.201.10 ike-group 'IKEv2_DEFAULT'
+ set vpn ipsec site-to-site peer 172.18.201.10 ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer 172.18.201.10 local-address '172.18.202.10'
+ set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti10'
+ set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'ESP_DEFAULT'
+
+.. _RFC3031: https://tools.ietf.org/html/rfc3021