blob: 1ebab731f6b742246e401d8ff24c0192daf94322 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
########
RSA-Keys
########
RSA can be used for services such as key exchanges and for encryption purposes.
To make IPSec work with dynamic address on one/both sides, we will have to use
RSA keys for authentication. They are very fast and easy to setup.
First, on both routers run the operational command "generate pki key-pair
install <key-pair nam>>". You may choose different length than 2048 of course.
.. code-block:: none
vyos@left# run generate pki key-pair install ipsec-LEFT
Enter private key type: [rsa, dsa, ec] (Default: rsa)
Enter private key bits: (Default: 2048)
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] N
Configure mode commands to install key pair:
Do you want to install the public key? [Y/n] Y
set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'
Do you want to install the private key? [Y/n] Y
set pki key-pair ipsec-LEFT private key 'MIIEvgIBADAN...'
[edit]
Configuration commands will display.
Note the command with the public key
(set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...').
Then do the same on the opposite router:
.. code-block:: none
vyos@left# run generate pki key-pair install ipsec-RIGHT
Note the command with the public key
(set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...').
The noted public keys should be entered on the opposite routers.
On the LEFT:
.. code-block:: none
set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...'
On the RIGHT:
.. code-block:: none
set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'
Now you are ready to setup IPsec. The key points:
1. Since both routers do not know their effective public addresses, we set the local-address of the peer to "any".
2. On the initiator, we set the peer address to its public address, but on the responder we only set the id.
3. On the initiator, we need to set the remote-id option so that it can identify IKE traffic from the responder correctly.
4. On the responder, we need to set the local id so that initiator can know who's talking to it for the point #3 to work.
On the LEFT (static address):
.. code-block:: none
set vpn ipsec interface eth0
set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
set vpn ipsec site-to-site peer @RIGHT authentication id LEFT
set vpn ipsec site-to-site peer @RIGHT authentication mode rsa
set vpn ipsec site-to-site peer @RIGHT authentication rsa local-key ipsec-LEFT
set vpn ipsec site-to-site peer @RIGHT authentication rsa remote-key ipsec-RIGHT
set vpn ipsec site-to-site peer @RIGHT authentication remote-id RIGHT
set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup
set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup
set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10
set vpn ipsec site-to-site peer @RIGHT connection-type respond
set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local
set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote
On the RIGHT (dynamic address):
.. code-block:: none
set vpn ipsec interface eth0
set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
set vpn ipsec site-to-site peer 192.0.2.10 authentication id RIGHT
set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa
set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa local-key ipsec-RIGHT
set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa remote-key ipsec-LEFT
set vpn ipsec site-to-site peer 192.0.2.10 authentication remote-id LEFT
set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate
set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup
set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup
set vpn ipsec site-to-site peer 192.0.2.10 local-address any
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote
|