From 72a677f75e9657bb2b39a25d175afe0fcd5d7186 Mon Sep 17 00:00:00 2001 From: goodNETnick Date: Tue, 19 Oct 2021 17:36:44 +1000 Subject: IPsec key-pair new synthax --- docs/configuration/vpn/ipsec.rst | 63 +++++++++++++++++++++++++++------------- 1 file changed, 43 insertions(+), 20 deletions(-) (limited to 'docs/configuration/vpn/ipsec.rst') diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index 2888336c..ea13d82b 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -118,35 +118,57 @@ However, now you need to make IPsec work with dynamic address on one side. The tricky part is that pre-shared secret authentication doesn't work with dynamic address, so we'll have to use RSA keys. -First, on both routers run the operational command "generate vpn rsa-key bits -2048". You may choose different length than 2048 of course. +First, on both routers run the operational command "generate pki key-pair +install >". You may choose different length than 2048 of course. .. code-block:: none - vyos@left# run generate vpn rsa-key bits 2048 - Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key + vyos@left# run generate pki key-pair install ipsec-LEFT + Enter private key type: [rsa, dsa, ec] (Default: rsa) + Enter private key bits: (Default: 2048) + Note: If you plan to use the generated key on this router, do not encrypt the private key. + Do you want to encrypt the private key with a passphrase? [y/N] N + Configure mode commands to install key pair: + Do you want to install the public key? [Y/n] Y + set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...' + Do you want to install the private key? [Y/n] Y + set pki key-pair ipsec-LEFT private key 'MIIEvgIBADAN...' + [edit] + +Configuration commands will display. +Note the command with the public key +(set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). +Then do the same on the opposite router: - Your new local RSA key has been generated - The public portion of the key is: +.. code-block:: none + + vyos@left# run generate pki key-pair install ipsec-RIGHT + +Note the command with the public key +(set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...'). + +Now the noted public keys should be entered on the opposite routers. + +On the LEFT: + +.. code-block:: none - 0sAQO2335[long string here] + set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...' -Then on the opposite router, add the RSA key to your config. +On the RIGHT: .. code-block:: none - set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE + set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...' Now you are ready to setup IPsec. You'll need to use an ID instead of address -for the peer on the dynamic side. +for the peer. On the LEFT (static address): .. code-block:: none - set vpn rsa-keys rsa-key-name RIGHT rsa-key - - set vpn ipsec ipsec-interfaces interface eth0 + set vpn ipsec interface eth0 set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 @@ -155,8 +177,11 @@ On the LEFT (static address): set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 + set vpn ipsec site-to-site peer @RIGHT authentication id LEFT set vpn ipsec site-to-site peer @RIGHT authentication mode rsa - set vpn ipsec site-to-site peer @RIGHT authentication rsa-key-name RIGHT + set vpn ipsec site-to-site peer @RIGHT authentication rsa local-key ipsec-LEFT + set vpn ipsec site-to-site peer @RIGHT authentication rsa remote-key ipsec-RIGHT + set vpn ipsec site-to-site peer @RIGHT authentication remote-id RIGHT set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10 @@ -164,14 +189,11 @@ On the LEFT (static address): set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote - On the RIGHT (dynamic address): .. code-block:: none - set vpn rsa-keys rsa-key-name LEFT rsa-key - - set vpn ipsec ipsec-interfaces interface eth0 + set vpn ipsec interface eth0 set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 @@ -180,9 +202,10 @@ On the RIGHT (dynamic address): set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - set vpn ipsec site-to-site peer 192.0.2.10 authentication id @RIGHT + set vpn ipsec site-to-site peer 192.0.2.10 authentication id RIGHT set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa - set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa-key-name LEFT + set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa local-key ipsec-RIGHT + set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa remote-key ipsec-LEFT set vpn ipsec site-to-site peer 192.0.2.10 authentication remote-id LEFT set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup -- cgit v1.2.3