authorChristian Poessinger <christian@poessinger.com>2019-07-18 22:22:52 +0200
committerChristian Poessinger <christian@poessinger.com>2019-07-18 22:22:52 +0200
commitd593351b356b124b0410008acd51bf7017eed05c (patch)
tree6a24108c71311c25b3255db4ea3524ad05c8e852 /docs/vpn
parent7a4d11b302de3330e1075594d6b511358cb30d94 (diff)
VPN: IKEv2: add example for left/right routers
Diffstat (limited to 'docs/vpn')
-rw-r--r--docs/vpn/site2site_ipsec.rst73
1 files changed, 61 insertions, 12 deletions
diff --git a/docs/vpn/site2site_ipsec.rst b/docs/vpn/site2site_ipsec.rst
index a81c8d90..9279c112 100644
--- a/docs/vpn/site2site_ipsec.rst
+++ b/docs/vpn/site2site_ipsec.rst
@@ -115,11 +115,23 @@ rules. (if you used the default configuration at the top of this page)
IKEv2
^^^^^
-.. note:: This is just a preliminary config which should be extended!
+Imagine the following topology
+
+.. figure:: ../_static/images/vpn_s2s_ikev2.png
+ :scale: 50 %
+ :alt: IPSec IKEv2 site2site VPN
+
+ IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio)
+
+
+.. note:: Don't get confused about the used /31 tunnel subnet. RFC3031_ gives
+ you additional information for using /31 subnets on point-to-point links.
+
+**left**
.. code-block:: sh
- set interfaces vti vti10 address '10.0.0.1/30'
+ set interfaces vti vti10 address '10.0.0.2/31'
set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
@@ -137,13 +149,50 @@ IKEv2
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
- set vpn ipsec site-to-site peer 2.2.2.2 authentication id '1.1.1.1'
- set vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret 'secretkey'
- set vpn ipsec site-to-site peer 2.2.2.2 authentication remote-id '2.2.2.2'
- set vpn ipsec site-to-site peer 2.2.2.2 connection-type 'initiate'
- set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'IKEv2_DEFAULT'
- set vpn ipsec site-to-site peer 2.2.2.2 ikev2-reauth 'inherit'
- set vpn ipsec site-to-site peer 2.2.2.2 local-address '1.1.1.1'
- set vpn ipsec site-to-site peer 2.2.2.2 vti bind 'vti10'
- set vpn ipsec site-to-site peer 2.2.2.2 vti esp-group 'ESP_DEFAULT'
+ set vpn ipsec ipsec-interfaces interface 'eth0.201'
+ set vpn ipsec site-to-site peer 172.18.202.10 authentication id '172.18.201.10'
+ set vpn ipsec site-to-site peer 172.18.202.10 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 172.18.202.10 authentication pre-shared-secret 'secretkey'
+ set vpn ipsec site-to-site peer 172.18.202.10 authentication remote-id '172.18.202.10'
+ set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'initiate'
+ set vpn ipsec site-to-site peer 172.18.202.10 ike-group 'IKEv2_DEFAULT'
+ set vpn ipsec site-to-site peer 172.18.202.10 ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer 172.18.202.10 local-address '172.18.201.10'
+ set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti10'
+ set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'ESP_DEFAULT'
+
+**right**
+
+.. code-block:: sh
+
+ set interfaces vti vti10 address '10.0.0.3/31'
+
+ set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
+ set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
+ set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
+ set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
+ set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
+ set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
+ set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
+ set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
+ set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
+ set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
+ set vpn ipsec ipsec-interfaces interface 'eth0.202'
+ set vpn ipsec site-to-site peer 172.18.201.10 authentication id '172.18.202.10'
+ set vpn ipsec site-to-site peer 172.18.201.10 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 172.18.201.10 authentication pre-shared-secret 'secretkey'
+ set vpn ipsec site-to-site peer 172.18.201.10 authentication remote-id '172.18.201.10'
+ set vpn ipsec site-to-site peer 172.18.201.10 connection-type 'initiate'
+ set vpn ipsec site-to-site peer 172.18.201.10 ike-group 'IKEv2_DEFAULT'
+ set vpn ipsec site-to-site peer 172.18.201.10 ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer 172.18.201.10 local-address '172.18.202.10'
+ set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti10'
+ set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'ESP_DEFAULT'
+
+.. _RFC3031: https://tools.ietf.org/html/rfc3021