From 8adf48d9b102cf9bd49b6d4516debaab1320d38a Mon Sep 17 00:00:00 2001 From: srividya0208 Date: Fri, 25 Dec 2020 07:00:53 -0500 Subject: RSA Keys: Added information related to RSA keys RSA-Keys page was blank, so added the steps to generate and add the keys to the VPN IPSec config. Also corrected the IPSec/GRE page where authentication parameter was missing before remote-id. --- docs/configuration/vpn/rsa-keys.rst | 86 ++++++++++++++++++++++++++++++++++++- 1 file changed, 85 insertions(+), 1 deletion(-) (limited to 'docs/configuration/vpn/rsa-keys.rst') diff --git a/docs/configuration/vpn/rsa-keys.rst b/docs/configuration/vpn/rsa-keys.rst index 9f289d0d..7912cffe 100644 --- a/docs/configuration/vpn/rsa-keys.rst +++ b/docs/configuration/vpn/rsa-keys.rst @@ -1,4 +1,88 @@ ######## RSA-Keys -######## \ No newline at end of file +######## +RSA can be used for services such as key exchanges and for encryption purposes. +To make IPSec work with dynamic address on one/both sides, we will have to use +RSA keys for authentication. They are very fast and easy to setup. + +First, on both routers run the operational command “generate vpn rsa-key +bits 2048”. You may choose different length than 2048 of course. + +.. code-block:: none + + vyos@left# run generate vpn rsa-key bits 2048 + Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key + + Your new local RSA key has been generated + The public portion of the key is: + + 0sAQO2335[long string here] + +Please note down this public key, as you have to add this RSA key in the opposite router. + +.. code-block:: none + + set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE + +Now you are ready to setup IPsec. The key points: + +1. Since both routers do not know their effective public addresses, we set the local-address of the peer to "any". +2. On the initiator, we set the peer address to its public address, but on the responder we only set the id. +3. On the initiator, we need to set the remote-id option so that it can identify IKE traffic from the responder correctly. +4. On the responder, we need to set the local id so that initiator can know who's talking to it for the point #3 to work. +5. Don't forget to enable NAT traversal on both sides, "set vpn ipsec nat-traversal enable". + +LEFT SIDE: + +.. code-block:: none + + set vpn rsa-keys rsa-key-name RIGHT rsa-key + + set vpn ipsec ipsec-interfaces interface eth0 + set vpn ipsec nat-traversal 'enable' + + set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 + set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 + + set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 + set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 + set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 + + set vpn ipsec site-to-site peer 192.0.2.60 authentication mode rsa + set vpn ipsec site-to-site peer 192.0.2.60 authentication id @LEFT + set vpn ipsec site-to-site peer 192.0.2.60 authentication rsa-key-name RIGHT + set vpn ipsec site-to-site peer 192.0.2.60 authentication remote-id RIGHT + set vpn ipsec site-to-site peer 192.0.2.60 default-esp-group MyESPGroup + set vpn ipsec site-to-site peer 192.0.2.60 ike-group MyIKEGroup + set vpn ipsec site-to-site peer 192.0.2.60 local-address any + set vpn ipsec site-to-site peer 192.0.2.60 connection-type initiate + set vpn ipsec site-to-site peer 192.0.2.60 tunnel 1 local prefix 192.168.99.1/32 + set vpn ipsec site-to-site peer 192.0.2.60 tunnel 1 remote prefix 192.168.99.2/32 + +RIGHT SIDE: + +.. code-block:: none + + set vpn rsa-keys rsa-key-name LEFT rsa-key + + set vpn ipsec ipsec-interfaces interface eth0 + set vpn ipsec nat-traversal 'enable' + + set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 + set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 + + set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 + set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 + set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 + + set vpn ipsec site-to-site peer @LEFT authentication id @RIGHT + set vpn ipsec site-to-site peer @LEFT authentication mode rsa + set vpn ipsec site-to-site peer @LEFT authentication rsa-key-name LEFT + set vpn ipsec site-to-site peer @LEFT connection-type respond + set vpn ipsec site-to-site peer @LEFT default-esp-group MyESPGroup + set vpn ipsec site-to-site peer @LEFT ike-group MyIKEGroup + set vpn ipsec site-to-site peer @LEFT local-address any + set vpn ipsec site-to-site peer @LEFT tunnel 1 local prefix 192.168.99.2/32 + set vpn ipsec site-to-site peer @LEFT tunnel 1 remote prefix 192.168.99.1/32 + -- cgit v1.2.3