From 8a3147fca5aa6e1623a09d3ce120886463006418 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 15 Nov 2020 20:10:57 +0100 Subject: vpn: dmvpn: move example from blueprints to the dmvpn chapter --- docs/appendix/examples/dmvpn.rst | 173 ----------- docs/appendix/examples/index.rst | 2 - docs/vpn/dmvpn.rst | 654 +++++++++++++++++---------------------- docs/vpn/gre-ipsec.rst | 190 ------------ docs/vpn/index.rst | 4 +- docs/vpn/ipsec.rst | 191 ++++++++++++ 6 files changed, 480 insertions(+), 734 deletions(-) delete mode 100644 docs/appendix/examples/dmvpn.rst delete mode 100644 docs/vpn/gre-ipsec.rst create mode 100644 docs/vpn/ipsec.rst diff --git a/docs/appendix/examples/dmvpn.rst b/docs/appendix/examples/dmvpn.rst deleted file mode 100644 index 05e7c73a..00000000 --- a/docs/appendix/examples/dmvpn.rst +++ /dev/null @@ -1,173 +0,0 @@ -.. _examples-dmvpn: - -######### -DMVPN Hub -######### - -******** -Overview -******** - -General information can be found in the :ref:`vpn-dmvpn` chapter. - -This blueprint uses VyOS as the DMVPN Hub and Cisco (7206VXR) as multiple -spokes. The lab was build using :abbr:`EVE-NG (Emulated Virtual Environment NG)`. - -.. figure:: /_static/images/blueprint-dmvpn.png - :alt: DMVPN network - -Each node (Hub and Spoke) uses an IP address from the network 172.16.253.128/29. - -The below referenced IP address `192.0.2.1` is used as example address -representing a global unicast address under which the HUB can be contacted by -each and every individual spoke. - -************* -Configuration -************* - -Hub -=== - -.. code-block:: none - - set interfaces ethernet eth0 address 192.0.2.1/24 - - set interfaces tunnel tun100 address '172.16.253.134/29' - set interfaces tunnel tun100 encapsulation 'gre' - set interfaces tunnel tun100 local-ip '192.0.2.1' - set interfaces tunnel tun100 multicast 'enable' - set interfaces tunnel tun100 parameters ip key '1' - - set protocols nhrp tunnel tun100 cisco-authentication 'secret' - set protocols nhrp tunnel tun100 holding-time '300' - set protocols nhrp tunnel tun100 multicast 'dynamic' - set protocols nhrp tunnel tun100 redirect - set protocols nhrp tunnel tun100 shortcut - - set vpn ipsec esp-group ESP-HUB compression 'disable' - set vpn ipsec esp-group ESP-HUB lifetime '1800' - set vpn ipsec esp-group ESP-HUB mode 'tunnel' - set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' - set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' - set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' - set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des' - set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' - set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no' - set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' - set vpn ipsec ike-group IKE-HUB lifetime '3600' - set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' - set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' - set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' - set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' - - set vpn ipsec ipsec-interfaces interface 'eth0' - - set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' - set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' - set vpn ipsec profile NHRPVPN bind tunnel 'tun100' - set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' - set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' - -Spoke -===== - -The individual spoke configurations only differ in the local IP address on the -``tun10`` interface. See the above diagram for the individual IP addresses. - -spoke01 -------- - -.. code-block:: none - - crypto keyring DMVPN - pre-shared-key address 192.0.2.1 key secret - ! - crypto isakmp policy 10 - encr aes 256 - authentication pre-share - group 2 - crypto isakmp invalid-spi-recovery - crypto isakmp keepalive 30 30 periodic - crypto isakmp profile DMVPN - keyring DMVPN - match identity address 192.0.2.1 255.255.255.255 - ! - crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac - mode transport - ! - crypto ipsec profile DMVPN - set security-association idle-time 720 - set transform-set DMVPN-AES256 - set isakmp-profile DMVPN - ! - interface Tunnel10 - description Tunnel to DMVPN HUB - ip address 172.16.253.129 255.255.255.248 - no ip redirects - ip nhrp authentication secret - ip nhrp map 172.16.253.134 192.0.2.1 - ip nhrp map multicast 192.0.2.1 - ip nhrp network-id 1 - ip nhrp holdtime 600 - ip nhrp nhs 172.16.253.134 - ip nhrp registration timeout 75 - tunnel source FastEthernet0/0 - tunnel mode gre multipoint - tunnel key 1 - ! - interface FastEthernet0/0 - ip address dhcp - duplex half - - -spoke05 -------- - -VyOS can also run in DMVPN spoke mode. - -.. code-block:: none - - set interfaces ethernet eth0 address 'dhcp' - - set interfaces tunnel tun100 address '172.16.253.133/29' - set interfaces tunnel tun100 dhcp-interface 'eth0' - set interfaces tunnel tun100 encapsulation 'gre' - set interfaces tunnel tun100 multicast 'enable' - set interfaces tunnel tun100 parameters ip key '1' - - set protocols nhrp tunnel tun100 cisco-authentication 'secret' - set protocols nhrp tunnel tun100 holding-time '300' - set protocols nhrp tunnel tun100 map 172.16.253.134/29 nbma-address '92.0.2.1' - set protocols nhrp tunnel tun100 map 172.16.253.134/29 register - set protocols nhrp tunnel tun100 multicast 'dynamic' - - set vpn ipsec esp-group ESP-HUB compression 'disable' - set vpn ipsec esp-group ESP-HUB lifetime '1800' - set vpn ipsec esp-group ESP-HUB mode 'tunnel' - set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' - set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' - set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' - set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des' - set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' - set vpn ipsec ike-group IKE-HUB close-action 'none' - set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no' - set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' - set vpn ipsec ike-group IKE-HUB lifetime '3600' - set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' - set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' - set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' - set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' - - set vpn ipsec ipsec-interfaces interface 'eth0' - - set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' - set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' - set vpn ipsec profile NHRPVPN bind tunnel 'tun100' - set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' - set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' - diff --git a/docs/appendix/examples/index.rst b/docs/appendix/examples/index.rst index 58251378..b2f7bfde 100644 --- a/docs/appendix/examples/index.rst +++ b/docs/appendix/examples/index.rst @@ -5,11 +5,9 @@ Configuration Blueprints This chapter contains various configuration examples: - .. toctree:: :maxdepth: 2 - dmvpn dhcp-relay-through-gre-bridge zone-policy bgp-ipv6-unnumbered diff --git a/docs/vpn/dmvpn.rst b/docs/vpn/dmvpn.rst index 9ca28b3c..1a6bdd64 100644 --- a/docs/vpn/dmvpn.rst +++ b/docs/vpn/dmvpn.rst @@ -6,8 +6,8 @@ DMVPN :abbr:`DMVPN (Dynamic Multipoint Virtual Private Network)` is a dynamic :abbr:`VPN (Virtual Private Network)` technology originally developed by Cisco. -While their implementation was somewhat proprietary, the underlying technologies -are actually standards based. The three technologies are: +While their implementation was somewhat proprietary, the underlying +technologies are actually standards based. The three technologies are: * :abbr:`NHRP (Next Hop Resolution Protocol)` :rfc:`2332` * :abbr:`mGRE (Multipoint Generic Routing Encapsulation)` :rfc:`1702` @@ -26,390 +26,310 @@ peers. complete solution also incorporates the use of a routing protocol. BGP is particularly well suited for use with DMVPN. -Baseline Configuration: - -**STEPS:** - -#. Create tunnel config (`interfaces tunnel`) -#. Create nhrp (`protocols nhrp`) -#. Create ipsec vpn (optional, but recommended for security) (`vpn ipsec`) - -The tunnel will be set to mGRE if for encapsulation `gre` is set, and no -`remote-ip` is set. If the public ip is provided by DHCP the tunnel `local-ip` -can be set to "0.0.0.0". If you do set the `remote-ip` directive at any point, the interface will need to be `delete`'d from the config and recreated without the `remote-ip` config ever being set. - .. figure:: ../_static/images/vpn_dmvpn_topology01.png :scale: 40 % :alt: Baseline DMVPN topology Baseline DMVPN topology -HUB Configuration -^^^^^^^^^^^^^^^^^ +************* +Configuration +************* -.. code-block:: none +* Please refer to the :ref:`tunnel-interface` documentation for the individual + tunnel related options. - interfaces - tunnel { - address - encapsulation gre - local-ip - multicast enable - description - parameters { - ip { - - } - } - } - } - protocols { - nhrp { - tunnel { - cisco-authentication - holding-time - multicast dynamic - redirect - } - } - } - vpn { - ipsec { - esp-group { - lifetime <30-86400> - mode tunnel - pfs enable - proposal <1-65535> { - encryption aes256 - hash sha1 - } - proposal <1-65535> { - encryption 3des - hash md5 - } - } - ike-group { - key-exchange ikev1 - lifetime <30-86400> - proposal <1-65535> { - encryption aes256 - hash sha1 - } - proposal <1-65535> { - encryption aes128 - hash sha1 - } - } - ipsec-interfaces { - interface - } - profile { - authentication { - mode pre-shared-secret - pre-shared-secret - } - bind { - tunnel - } - esp-group - ike-group - } - } - } - -HUB Example Configuration: +* Please refer to the :ref:`ipsec` documentation for the individual IPSec + related options. -.. code-block:: none +.. cfgcmd:: set protocols nhrp tunnel cisco-authentication - set interfaces ethernet eth0 address '198.51.100.41/30' - set interfaces ethernet eth1 address '192.168.1.1/24' - set system host-name 'HUB' - - set interfaces tunnel tun0 address 10.0.0.1/24 - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 local-ip 198.51.100.41 - set interfaces tunnel tun0 multicast enable - set interfaces tunnel tun0 parameters ip key 1 - - set protocols nhrp tunnel tun0 cisco-authentication SECRET - set protocols nhrp tunnel tun0 holding-time 300 - set protocols nhrp tunnel tun0 multicast dynamic - set protocols nhrp tunnel tun0 redirect - - set vpn ipsec ipsec-interfaces interface eth0 - set vpn ipsec ike-group IKE-HUB proposal 1 - set vpn ipsec ike-group IKE-HUB proposal 1 encryption aes256 - set vpn ipsec ike-group IKE-HUB proposal 1 hash sha1 - set vpn ipsec ike-group IKE-HUB proposal 2 encryption aes128 - set vpn ipsec ike-group IKE-HUB proposal 2 hash sha1 - set vpn ipsec ike-group IKE-HUB lifetime 3600 - set vpn ipsec esp-group ESP-HUB proposal 1 encryption aes256 - set vpn ipsec esp-group ESP-HUB proposal 1 hash sha1 - set vpn ipsec esp-group ESP-HUB proposal 2 encryption 3des - set vpn ipsec esp-group ESP-HUB proposal 2 hash md5 - set vpn ipsec esp-group ESP-HUB lifetime 1800 - set vpn ipsec esp-group ESP-HUB pfs dh-group2 - - set vpn ipsec profile NHRPVPN - set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret - set vpn ipsec profile NHRPVPN authentication pre-shared-secret SECRET - set vpn ipsec profile NHRPVPN bind tunnel tun0 - set vpn ipsec profile NHRPVPN esp-group ESP-HUB - set vpn ipsec profile NHRPVPN ike-group IKE-HUB - - set protocols static route 0.0.0.0/0 next-hop 1.1.1.2 - set protocols static route 192.168.2.0/24 next-hop 10.0.0.2 - set protocols static route 192.168.3.0/24 next-hop 10.0.0.3 - -HUB on AWS Configuration Specifics -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Setting this up on AWS will require a "Custom Protocol Rule" for protocol number "47" (GRE) Allow Rule in TWO places. Firstly on the VPC Network ACL, and secondly on the security group network ACL attached to the EC2 instance. This has been tested as working for the official AMI image on the AWS Marketplace. (Locate the correct VPC and security group by navigating through the details pane below your EC2 instance in the AWS console) - -SPOKE Configuration -^^^^^^^^^^^^^^^^^^^ - -SPOKE1 Configuration: + Enables Cisco style authentication on NHRP packets. This embeds the secret + plaintext password to the outgoing NHRP packets. Incoming NHRP packets on + this interface are discarded unless the secret password is present. Maximum + length of the secret is 8 characters. -.. code-block:: none +.. cfgcmd:: set protocols nhrp tunnel dynamic-map
+ nbma-domain-name + + Specifies that the :abbr:`NBMA (Non-broadcast multiple-access network)` + addresses of the next hop servers are defined in the domain name + nbma-domain-name. For each A record opennhrp creates a dynamic NHS entry. + + Each dynamic NHS will get a peer entry with the configured network address + and the discovered NBMA address. + + The first registration request is sent to the protocol broadcast address, and + the server's real protocol address is dynamically detected from the first + registration reply. + +.. cfgcmd:: set protocols nhrp tunnel holding-time + + Specifies the holding time for NHRP Registration Requests and Resolution + Replies sent from this interface or shortcut-target. The holdtime is specified + in seconds and defaults to two hours. + +.. cfgcmd:: set protocols nhrp tunnel map cisco + + If the statically mapped peer is running Cisco IOS, specify the cisco keyword. + It is used to fix statically the Registration Request ID so that a matching + Purge Request can be sent if NBMA address has changed. This is to work around + broken IOS which requires Purge Request ID to match the original Registration + Request ID. + +.. cfgcmd:: set protocols nhrp tunnel map nbma-address
+ + Creates static peer mapping of protocol-address to :abbr:`NBMA (Non-broadcast + multiple-access network)` address. + + If the IP prefix mask is present, it directs opennhrp to use this peer as a + next hop server when sending Resolution Requests matching this subnet. + + This is also known as the HUBs IP address or FQDN. + +.. cfgcmd:: set protocols nhrp tunnel map register + + The optional parameter register specifies that Registration Request should be + sent to this peer on startup. + + This option is required when running a DMVPN spoke. + +.. cfgcmd:: set protocols nhrp tunnel multicast + + Determines how opennhrp daemon should soft switch the multicast traffic. + Currently, multicast traffic is captured by opennhrp daemon using a packet + socket, and resent back to proper destinations. This means that multicast + packet sending is CPU intensive. + + Specfying nhs makes all multicast packets to be repeated to each statically + configured next hop. + + Synamic instructs to forward to all peers which we have a direct connection + with. Alternatively, you can specify the directive multiple times for each + protocol-address the multicast traffic should be sent to. + + .. warning:: It is very easy to misconfigure multicast repeating if you have + multiple NHSes. + +.. cfgcmd:: set protocols nhrp tunnel non-caching - interfaces - tunnel { - address - encapsulation gre - local-ip - multicast enable - description - parameters { - ip { - - } - } - } - } - protocols { - nhrp { - tunnel { - cisco-authentication - map { - nbma-address - register - } - holding-time - multicast nhs - redirect - shortcut - } - } - } - vpn { - ipsec { - esp-group { - lifetime <30-86400> - mode tunnel - pfs enable - proposal <1-65535> { - encryption aes256 - hash sha1 - } - proposal <1-65535> { - encryption 3des - hash md5 - } - } - ike-group { - key-exchange ikev1 - lifetime <30-86400> - proposal <1-65535> { - encryption aes256 - hash sha1 - } - proposal <1-65535> { - encryption aes128 - hash sha1 - } - } - ipsec-interfaces { - interface - } - profile { - authentication { - mode pre-shared-secret - pre-shared-secret - } - bind { - tunnel - } - esp-group - ike-group - } - } - } - -SPOKE1 Example Configuration + Disables caching of peer information from forwarded NHRP Resolution Reply + packets. This can be used to reduce memory consumption on big NBMA subnets. + + .. note:: Currently does not do much as caching is not implemented. + +.. cfgcmd:: set protocols nhrp tunnel redirect + + Enable sending of Cisco style NHRP Traffic Indication packets. If this is + enabled and opennhrp detects a forwarded packet, it will send a message to + the original sender of the packet instructing it to create a direct connection + with the destination. This is basically a protocol independent equivalent of + ICMP redirect. + +.. cfgcmd:: set protocols nhrp tunnel shortcut + + Enable creation of shortcut routes. + + A received NHRP Traffic Indication will trigger the resolution and + establishment of a shortcut route. + +.. cfgcmd:: set protocols nhrp tunnel shortcut-destination + + This instructs opennhrp to reply with authorative answers on NHRP Resolution + Requests destinied to addresses in this interface (instead of forwarding the + packets). This effectively allows the creation of shortcut routes to subnets + located on the interface. + + When specified, this should be the only keyword for the interface. + +.. cfgcmd:: set protocols nhrp tunnel shortcut-target
+ + Defines an off-NBMA network prefix for which the GRE interface will act as a + gateway. This an alternative to defining local interfaces with + shortcut-destination flag. + +.. cfgcmd:: set protocols nhrp tunnel shortcut-target
+ holding-time + + Specifies the holding time for NHRP Registration Requests and Resolution + Replies sent from this interface or shortcut-target. The holdtime is specified + in seconds and defaults to two hours. + +******* +Example +******* + + +This blueprint uses VyOS as the DMVPN Hub and Cisco (7206VXR) and VyOS as +multiple spoke sites. The lab was build using :abbr:`EVE-NG (Emulated Virtual +Environment NG)`. + +.. figure:: /_static/images/blueprint-dmvpn.png + :alt: DMVPN network + + DMVPN example network + +Each node (Hub and Spoke) uses an IP address from the network 172.16.253.128/29. + +The below referenced IP address `192.0.2.1` is used as example address +representing a global unicast address under which the HUB can be contacted by +each and every individual spoke. + +Configuration +============= + +Hub +--- .. code-block:: none - set interfaces ethernet eth0 address 'dhcp' - set interfaces ethernet eth1 address '192.168.2.1/24' - set system host-name 'SPOKE1' - - set interfaces tunnel tun0 address 10.0.0.2/24 - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 local-ip 0.0.0.0 - set interfaces tunnel tun0 multicast enable - set interfaces tunnel tun0 parameters ip key 1 - - set protocols nhrp tunnel tun0 cisco-authentication 'SECRET' - set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 198.51.100.41 - set protocols nhrp tunnel tun0 map 10.0.0.1/24 'register' - set protocols nhrp tunnel tun0 multicast 'nhs' - set protocols nhrp tunnel tun0 'redirect' - set protocols nhrp tunnel tun0 'shortcut' - - set vpn ipsec ipsec-interfaces interface eth0 - set vpn ipsec ike-group IKE-SPOKE proposal 1 - set vpn ipsec ike-group IKE-SPOKE proposal 1 encryption aes256 - set vpn ipsec ike-group IKE-SPOKE proposal 1 hash sha1 - set vpn ipsec ike-group IKE-SPOKE proposal 2 encryption aes128 - set vpn ipsec ike-group IKE-SPOKE proposal 2 hash sha1 - set vpn ipsec ike-group IKE-SPOKE lifetime 3600 - set vpn ipsec esp-group ESP-SPOKE proposal 1 encryption aes256 - set vpn ipsec esp-group ESP-SPOKE proposal 1 hash sha1 - set vpn ipsec esp-group ESP-SPOKE proposal 2 encryption 3des - set vpn ipsec esp-group ESP-SPOKE proposal 2 hash md5 - set vpn ipsec esp-group ESP-SPOKE lifetime 1800 - set vpn ipsec esp-group ESP-SPOKE pfs dh-group2 - - set vpn ipsec profile NHRPVPN - set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret - set vpn ipsec profile NHRPVPN authentication pre-shared-secret SECRET - set vpn ipsec profile NHRPVPN bind tunnel tun0 - set vpn ipsec profile NHRPVPN esp-group ESP-SPOKE - set vpn ipsec profile NHRPVPN ike-group IKE-SPOKE - - set protocols static route 192.168.1.0/24 next-hop 10.0.0.1 - set protocols static route 192.168.3.0/24 next-hop 10.0.0.3 - - -SPOKE2 Configuration + set interfaces ethernet eth0 address 192.0.2.1/24 + + set interfaces tunnel tun100 address '172.16.253.134/29' + set interfaces tunnel tun100 encapsulation 'gre' + set interfaces tunnel tun100 local-ip '192.0.2.1' + set interfaces tunnel tun100 multicast 'enable' + set interfaces tunnel tun100 parameters ip key '1' + + set protocols nhrp tunnel tun100 cisco-authentication 'secret' + set protocols nhrp tunnel tun100 holding-time '300' + set protocols nhrp tunnel tun100 multicast 'dynamic' + set protocols nhrp tunnel tun100 redirect + set protocols nhrp tunnel tun100 shortcut + + set vpn ipsec esp-group ESP-HUB compression 'disable' + set vpn ipsec esp-group ESP-HUB lifetime '1800' + set vpn ipsec esp-group ESP-HUB mode 'tunnel' + set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' + set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' + set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' + set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des' + set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' + set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no' + set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' + set vpn ipsec ike-group IKE-HUB lifetime '3600' + set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' + set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' + set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' + set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2' + set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' + set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' + + set vpn ipsec ipsec-interfaces interface 'eth0' + + set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' + set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' + set vpn ipsec profile NHRPVPN bind tunnel 'tun100' + set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' + set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' + +.. note:: Setting this up on AWS will require a "Custom Protocol Rule" for + protocol number "47" (GRE) Allow Rule in TWO places. Firstly on the VPC + Network ACL, and secondly on the security group network ACL attached to the + EC2 instance. This has been tested as working for the official AMI image on + the AWS Marketplace. (Locate the correct VPC and security group by navigating + through the details pane below your EC2 instance in the AWS console). + +Spoke +----- + +The individual spoke configurations only differ in the local IP address on the +``tun10`` interface. See the above diagram for the individual IP addresses. + +spoke01-spoke04 +^^^^^^^^^^^^^^^ .. code-block:: none - interfaces - tunnel { - address - encapsulation gre - local-ip - multicast enable - description - parameters { - ip { - - } - } - } - } - protocols { - nhrp { - tunnel { - cisco-authentication - map { - nbma-address - register - } - holding-time - multicast nhs - redirect - shortcut - } - } - } - vpn { - ipsec { - esp-group { - lifetime <30-86400> - mode tunnel - pfs enable - proposal <1-65535> { - encryption aes256 - hash sha1 - } - proposal <1-65535> { - encryption 3des - hash md5 - } - } - ike-group { - key-exchange ikev1 - lifetime <30-86400> - proposal <1-65535> { - encryption aes256 - hash sha1 - } - proposal <1-65535> { - encryption aes128 - hash sha1 - } - } - ipsec-interfaces { - interface - } - profile { - authentication { - mode pre-shared-secret - pre-shared-secret - } - bind { - tunnel - } - esp-group - ike-group - } - } - } - -SPOKE2 Example Configuration + crypto keyring DMVPN + pre-shared-key address 192.0.2.1 key secret + ! + crypto isakmp policy 10 + encr aes 256 + authentication pre-share + group 2 + crypto isakmp invalid-spi-recovery + crypto isakmp keepalive 30 30 periodic + crypto isakmp profile DMVPN + keyring DMVPN + match identity address 192.0.2.1 255.255.255.255 + ! + crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac + mode transport + ! + crypto ipsec profile DMVPN + set security-association idle-time 720 + set transform-set DMVPN-AES256 + set isakmp-profile DMVPN + ! + interface Tunnel10 + ! individual spoke tunnel IP must change + ip address 172.16.253.129 255.255.255.248 + no ip redirects + ip nhrp authentication secret + ip nhrp map 172.16.253.134 192.0.2.1 + ip nhrp map multicast 192.0.2.1 + ip nhrp network-id 1 + ip nhrp holdtime 600 + ip nhrp nhs 172.16.253.134 + ip nhrp registration timeout 75 + tunnel source FastEthernet0/0 + tunnel mode gre multipoint + tunnel key 1 + ! + interface FastEthernet0/0 + ip address dhcp + duplex half + + +spoke05 +^^^^^^^ + +VyOS can also run in DMVPN spoke mode. .. code-block:: none set interfaces ethernet eth0 address 'dhcp' - set interfaces ethernet eth1 address '192.168.3.1/24' - set system host-name 'SPOKE2' - - set interfaces tunnel tun0 address 10.0.0.3/24 - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 local-ip 0.0.0.0 - set interfaces tunnel tun0 multicast enable - set interfaces tunnel tun0 parameters ip key 1 - - set protocols nhrp tunnel tun0 cisco-authentication SECRET - set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 198.51.100.41 - set protocols nhrp tunnel tun0 map 10.0.0.1/24 register - set protocols nhrp tunnel tun0 multicast nhs - set protocols nhrp tunnel tun0 redirect - set protocols nhrp tunnel tun0 shortcut - - set vpn ipsec ipsec-interfaces interface eth0 - set vpn ipsec ike-group IKE-SPOKE proposal 1 - set vpn ipsec ike-group IKE-SPOKE proposal 1 encryption aes256 - set vpn ipsec ike-group IKE-SPOKE proposal 1 hash sha1 - set vpn ipsec ike-group IKE-SPOKE proposal 2 encryption aes128 - set vpn ipsec ike-group IKE-SPOKE proposal 2 hash sha1 - set vpn ipsec ike-group IKE-SPOKE lifetime 3600 - set vpn ipsec esp-group ESP-SPOKE proposal 1 encryption aes256 - set vpn ipsec esp-group ESP-SPOKE proposal 1 hash sha1 - set vpn ipsec esp-group ESP-SPOKE proposal 2 encryption 3des - set vpn ipsec esp-group ESP-SPOKE proposal 2 hash md5 - set vpn ipsec esp-group ESP-SPOKE lifetime 1800 - set vpn ipsec esp-group ESP-SPOKE pfs dh-group2 - - set vpn ipsec profile NHRPVPN - set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret - set vpn ipsec profile NHRPVPN authentication pre-shared-secret SECRET - set vpn ipsec profile NHRPVPN bind tunnel tun0 - set vpn ipsec profile NHRPVPN esp-group ESP-SPOKE - set vpn ipsec profile NHRPVPN ike-group IKE-SPOKE - - set protocols static route 192.168.1.0/24 next-hop 10.0.0.1 - set protocols static route 192.168.2.0/24 next-hop 10.0.0.2 + + set interfaces tunnel tun100 address '172.16.253.133/29' + set interfaces tunnel tun100 local-ip 0.0.0.0 + set interfaces tunnel tun100 encapsulation 'gre' + set interfaces tunnel tun100 multicast 'enable' + set interfaces tunnel tun100 parameters ip key '1' + + set protocols nhrp tunnel tun100 cisco-authentication 'secret' + set protocols nhrp tunnel tun100 holding-time '300' + set protocols nhrp tunnel tun100 map 172.16.253.134/29 nbma-address '92.0.2.1' + set protocols nhrp tunnel tun100 map 172.16.253.134/29 register + set protocols nhrp tunnel tun100 multicast 'nhs' + set protocols nhrp tunnel tun100 redirect + set protocols nhrp tunnel tun100 shortcut + + set vpn ipsec esp-group ESP-HUB compression 'disable' + set vpn ipsec esp-group ESP-HUB lifetime '1800' + set vpn ipsec esp-group ESP-HUB mode 'tunnel' + set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' + set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' + set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' + set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des' + set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' + set vpn ipsec ike-group IKE-HUB close-action 'none' + set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no' + set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' + set vpn ipsec ike-group IKE-HUB lifetime '3600' + set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' + set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' + set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' + set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2' + set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' + set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' + + set vpn ipsec ipsec-interfaces interface 'eth0' + + set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' + set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' + set vpn ipsec profile NHRPVPN bind tunnel 'tun100' + set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' + set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' + + diff --git a/docs/vpn/gre-ipsec.rst b/docs/vpn/gre-ipsec.rst deleted file mode 100644 index 6d4bf1d0..00000000 --- a/docs/vpn/gre-ipsec.rst +++ /dev/null @@ -1,190 +0,0 @@ -.. _gre-ipsec: - -GRE/IPsec ---------- - -Generic Routing Encapsulation (GRE), GRE/IPsec (or IPIP/IPsec, SIT/IPsec, or any -other stateless tunnel protocol over IPsec) is the usual way to protect the -traffic inside a tunnel. - -An advantage of this scheme is that you get a real interface with its own -address, which makes it easier to setup static routes or use dynamic routing -protocols without having to modify IPsec policies. The other advantage is that -it greatly simplifies router to router communication, which can be tricky with -plain IPsec because the external outgoing address of the router usually doesn't -match the IPsec policy of typical site-to-site setup and you need to add special -configuration for it, or adjust the source address for outgoing traffic of your -applications. GRE/IPsec has no such problem and is completely transparent for -the applications. - -GRE/IPIP/SIT and IPsec are widely accepted standards, which make this scheme -easy to implement between VyOS and virtually any other router. - -For simplicity we'll assume that the protocol is GRE, it's not hard to guess -what needs to be changed to make it work with a different protocol. We assume -that IPsec will use pre-shared secret authentication and will use AES128/SHA1 -for the cipher and hash. Adjust this as necessary. - -.. NOTE:: VMware users should ensure that VMXNET3 adapters used, e1000 adapters - have known issue with GRE processing - -IPsec policy matching GRE -^^^^^^^^^^^^^^^^^^^^^^^^^ - -The first and arguably cleaner option is to make your IPsec policy match GRE -packets between external addresses of your routers. This is the best option if -both routers have static external addresses. - -Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface, -and the RIGHT router is 203.0.113.45 - -On the LEFT: - -.. code-block:: none - - # GRE tunnel - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 local-ip 192.0.2.10 - set interfaces tunnel tun0 remote-ip 203.0.113.45 - set interfaces tunnel tun0 address 10.10.10.1/30 - - ## IPsec - set vpn ipsec ipsec-interfaces interface eth0 - - # IKE group - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2' - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128' - set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1' - - # ESP group - set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128' - set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1' - - # IPsec tunnel - set vpn ipsec site-to-site peer 203.0.113.45 authentication mode pre-shared-secret - set vpn ipsec site-to-site peer 203.0.113.45 authentication pre-shared-secret MYSECRETKEY - - set vpn ipsec site-to-site peer 203.0.113.45 ike-group MyIKEGroup - set vpn ipsec site-to-site peer 203.0.113.45 default-esp-group MyESPGroup - - set vpn ipsec site-to-site peer 203.0.113.45 local-address 192.0.2.10 - - # This will match all GRE traffic to the peer - set vpn ipsec site-to-site peer 203.0.113.45 tunnel 1 protocol gre - -On the RIGHT, setup by analogy and swap local and remote addresses. - - -Source tunnel from loopbacks -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -The scheme above doesn't work when one of the routers has a dynamic external -address though. The classic workaround for this is to setup an address on a -loopback interface and use it as a source address for the GRE tunnel, then setup -an IPsec policy to match those loopback addresses. - -We assume that the LEFT router has static 192.0.2.10 address on eth0, and the -RIGHT router has a dynamic address on eth0. - -**Setting up the GRE tunnel** - -On the LEFT: - -.. code-block:: none - - set interfaces loopback lo address 192.168.99.1/32 - - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 address 10.10.10.1/30 - set interfaces tunnel tun0 local-ip 192.168.99.1 - set interfaces tunnel tun0 remote-ip 192.168.99.2 - -On the RIGHT: - -.. code-block:: none - - set interfaces loopback lo address 192.168.99.2/32 - - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 address 10.10.10.2/30 - set interfaces tunnel tun0 local-ip 192.168.99.2 - set interfaces tunnel tun0 remote-ip 192.168.99.1 - -**Setting up IPSec** - -However, now you need to make IPsec work with dynamic address on one side. The -tricky part is that pre-shared secret authentication doesn't work with dynamic -address, so we'll have to use RSA keys. - -First, on both routers run the operational command "generate vpn rsa-key bits -2048". You may choose different length than 2048 of course. - -.. code-block:: none - - vyos@left# run generate vpn rsa-key bits 2048 - Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key - - Your new local RSA key has been generated - The public portion of the key is: - - 0sAQO2335[long string here] - -Then on the opposite router, add the RSA key to your config. - -.. code-block:: none - - set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE - -Now you are ready to setup IPsec. You'll need to use an ID instead of address -for the peer on the dynamic side. - -On the LEFT (static address): - -.. code-block:: none - - set vpn rsa-keys rsa-key-name RIGHT rsa-key - - set vpn ipsec ipsec-interfaces interface eth0 - - set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 - set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 - set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - - set vpn ipsec site-to-site peer @RIGHT authentication mode rsa - set vpn ipsec site-to-site peer @RIGHT authentication rsa-key-name RIGHT - set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup - set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup - set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10 - set vpn ipsec site-to-site peer @RIGHT connection-type respond - set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote - - -On the RIGHT (dynamic address): - -.. code-block:: none - - set vpn rsa-keys rsa-key-name LEFT rsa-key - - set vpn ipsec ipsec-interfaces interface eth0 - - set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 - set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 - set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - - set vpn ipsec site-to-site peer 192.0.2.10 authentication id @RIGHT - set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa - set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa-key-name LEFT - set vpn ipsec site-to-site peer 192.0.2.10 remote-id @LEFT - set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate - set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup - set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup - set vpn ipsec site-to-site peer 192.0.2.10 local-address any - set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote diff --git a/docs/vpn/index.rst b/docs/vpn/index.rst index 9ba31ae6..c208b3c0 100644 --- a/docs/vpn/index.rst +++ b/docs/vpn/index.rst @@ -8,11 +8,11 @@ VPN :maxdepth: 2 dmvpn - gre-ipsec + ipsec l2tp + openconnect openvpn pptp site2site_ipsec sstp wireguard - openconnect diff --git a/docs/vpn/ipsec.rst b/docs/vpn/ipsec.rst new file mode 100644 index 00000000..8b0ad3b3 --- /dev/null +++ b/docs/vpn/ipsec.rst @@ -0,0 +1,191 @@ +.. _ipsec: + +##### +IPsec +##### + +Generic Routing Encapsulation (GRE), GRE/IPsec (or IPIP/IPsec, SIT/IPsec, or any +other stateless tunnel protocol over IPsec) is the usual way to protect the +traffic inside a tunnel. + +An advantage of this scheme is that you get a real interface with its own +address, which makes it easier to setup static routes or use dynamic routing +protocols without having to modify IPsec policies. The other advantage is that +it greatly simplifies router to router communication, which can be tricky with +plain IPsec because the external outgoing address of the router usually doesn't +match the IPsec policy of typical site-to-site setup and you need to add special +configuration for it, or adjust the source address for outgoing traffic of your +applications. GRE/IPsec has no such problem and is completely transparent for +the applications. + +GRE/IPIP/SIT and IPsec are widely accepted standards, which make this scheme +easy to implement between VyOS and virtually any other router. + +For simplicity we'll assume that the protocol is GRE, it's not hard to guess +what needs to be changed to make it work with a different protocol. We assume +that IPsec will use pre-shared secret authentication and will use AES128/SHA1 +for the cipher and hash. Adjust this as necessary. + +.. NOTE:: VMware users should ensure that VMXNET3 adapters used, e1000 adapters + have known issue with GRE processing + +IPsec policy matching GRE +^^^^^^^^^^^^^^^^^^^^^^^^^ + +The first and arguably cleaner option is to make your IPsec policy match GRE +packets between external addresses of your routers. This is the best option if +both routers have static external addresses. + +Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface, +and the RIGHT router is 203.0.113.45 + +On the LEFT: + +.. code-block:: none + + # GRE tunnel + set interfaces tunnel tun0 encapsulation gre + set interfaces tunnel tun0 local-ip 192.0.2.10 + set interfaces tunnel tun0 remote-ip 203.0.113.45 + set interfaces tunnel tun0 address 10.10.10.1/30 + + ## IPsec + set vpn ipsec ipsec-interfaces interface eth0 + + # IKE group + set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2' + set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128' + set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1' + + # ESP group + set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128' + set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1' + + # IPsec tunnel + set vpn ipsec site-to-site peer 203.0.113.45 authentication mode pre-shared-secret + set vpn ipsec site-to-site peer 203.0.113.45 authentication pre-shared-secret MYSECRETKEY + + set vpn ipsec site-to-site peer 203.0.113.45 ike-group MyIKEGroup + set vpn ipsec site-to-site peer 203.0.113.45 default-esp-group MyESPGroup + + set vpn ipsec site-to-site peer 203.0.113.45 local-address 192.0.2.10 + + # This will match all GRE traffic to the peer + set vpn ipsec site-to-site peer 203.0.113.45 tunnel 1 protocol gre + +On the RIGHT, setup by analogy and swap local and remote addresses. + + +Source tunnel from loopbacks +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The scheme above doesn't work when one of the routers has a dynamic external +address though. The classic workaround for this is to setup an address on a +loopback interface and use it as a source address for the GRE tunnel, then setup +an IPsec policy to match those loopback addresses. + +We assume that the LEFT router has static 192.0.2.10 address on eth0, and the +RIGHT router has a dynamic address on eth0. + +**Setting up the GRE tunnel** + +On the LEFT: + +.. code-block:: none + + set interfaces loopback lo address 192.168.99.1/32 + + set interfaces tunnel tun0 encapsulation gre + set interfaces tunnel tun0 address 10.10.10.1/30 + set interfaces tunnel tun0 local-ip 192.168.99.1 + set interfaces tunnel tun0 remote-ip 192.168.99.2 + +On the RIGHT: + +.. code-block:: none + + set interfaces loopback lo address 192.168.99.2/32 + + set interfaces tunnel tun0 encapsulation gre + set interfaces tunnel tun0 address 10.10.10.2/30 + set interfaces tunnel tun0 local-ip 192.168.99.2 + set interfaces tunnel tun0 remote-ip 192.168.99.1 + +**Setting up IPSec** + +However, now you need to make IPsec work with dynamic address on one side. The +tricky part is that pre-shared secret authentication doesn't work with dynamic +address, so we'll have to use RSA keys. + +First, on both routers run the operational command "generate vpn rsa-key bits +2048". You may choose different length than 2048 of course. + +.. code-block:: none + + vyos@left# run generate vpn rsa-key bits 2048 + Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key + + Your new local RSA key has been generated + The public portion of the key is: + + 0sAQO2335[long string here] + +Then on the opposite router, add the RSA key to your config. + +.. code-block:: none + + set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE + +Now you are ready to setup IPsec. You'll need to use an ID instead of address +for the peer on the dynamic side. + +On the LEFT (static address): + +.. code-block:: none + + set vpn rsa-keys rsa-key-name RIGHT rsa-key + + set vpn ipsec ipsec-interfaces interface eth0 + + set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 + set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 + + set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 + set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 + set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 + + set vpn ipsec site-to-site peer @RIGHT authentication mode rsa + set vpn ipsec site-to-site peer @RIGHT authentication rsa-key-name RIGHT + set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup + set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup + set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10 + set vpn ipsec site-to-site peer @RIGHT connection-type respond + set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local + set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote + + +On the RIGHT (dynamic address): + +.. code-block:: none + + set vpn rsa-keys rsa-key-name LEFT rsa-key + + set vpn ipsec ipsec-interfaces interface eth0 + + set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 + set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 + + set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 + set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 + set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 + + set vpn ipsec site-to-site peer 192.0.2.10 authentication id @RIGHT + set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa + set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa-key-name LEFT + set vpn ipsec site-to-site peer 192.0.2.10 remote-id @LEFT + set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate + set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup + set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup + set vpn ipsec site-to-site peer 192.0.2.10 local-address any + set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local + set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote -- cgit v1.2.3