Step by Step Configure Router Vyatta 6.5.3

The document discusses configuring an IPsec site-to-site VPN connection between devices named WEST and EAST where EAST has a dynamic IP address and is located behind a NAT device. It provides configuration examples for enabling NAT traversal on WEST and defining a connection to EAST using a dynamic IP address of 0.0.0.0. It also shows the NAT configuration on the NAT Gateway device in front of EAST.

Uploaded by

gepenks831
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
10 views

Step by Step Configure Router Vyata 6.5.3

The document discusses configuring an IPsec site-to-site VPN connection between devices named WEST and EAST where EAST has a dynamic IP address and is located behind a NAT device. It provides configuration examples for enabling NAT traversal on WEST and defining a connection to EAST using a dynamic IP address of 0.0.0.0. It also shows the NAT configuration on the NAT Gateway device in front of EAST.

Uploaded by

gepenks831
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 26

Chapter 2: IPsec Site-to-Site VPN, IPsec Site-to-Site VPN Configuration, page 51

Example 2-20 Specify that the local IP is dynamic.

Step: Commit the configuration.
    vyatta@EAST# commit

Step: View the configuration for the site-to-site connection.
    vyatta@EAST# show vpn ipsec site-to-site peer 192.0.2.1
    authentication {
        mode pre-shared-secret
        pre-shared-secret test_key_1
    }
    default-esp-group ESP-1E
    dhcp-interface eth0
    ike-group IKE-1E
    tunnel 1 {
        local {
            prefix 192.168.60.0/24
        }
        remote {
            prefix 192.168.40.0/24
        }
    }

Step: View IPsec interface configuration.
    vyatta@EAST# show vpn ipsec ipsec-interfaces
    interface eth0

Step: View Ethernet interface eth0 address configuration. It is set to dhcp, which configures it as a DHCP client. This is the setting required by dhcp-interface.
    vyatta@EAST# show interfaces ethernet eth0
    address dhcp

Display the dynamic DNS configuration on EAST:

Example 2-21 Display the dynamic DNS configuration.

Step: View the dynamic DNS configuration.
    vyatta@EAST# show service dns dynamic
    interface eth0 {
        service dyndns {
            host-name east.company.com
            login test
            password testpassword
        }
    }

VPN 6.5R1 v01 Vyatta

Defining a VPN Connection with NAT

This section presents the following topics:
• Configure WEST
• Configure EAST
Native IPsec packets are encapsulated using Encapsulated Security Payload (ESP). In
these packets, the IP addresses are embedded within the encapsulated packet. This causes
problems when IPsec packets must traverse a NAT gateway.
When performing Network Address Translation (NAT), the NAT gateway substitutes its
own source IP address (and sometimes a port number), for the original source IP and port
on outgoing packets. The NAT device listens for a reply, and when a response packet is
received, the NAT device reverses the translation so that the incoming packet can arrive
at the correct destination. This allows IP addresses within a private network to be
“hidden” from external networks.
NAT does not work well with IPsec, because the IP addresses are embedded within the
payload of the encapsulated packet. For a number of reasons, this means that the IPsec
peer cannot be located behind the NAT device.
The IPsec NAT Traversal protocol (NAT-T, RFCs 3947 and 3948) allows each IPsec
packet to be re-encapsulated within a UDP packet, which can be handled correctly by the
NAT device. NAT-T runs on top of IPsec. To support NAT-T, the firewall must be set to
allow all of the following:
• IKE through UDP port 500
• IPsec NAT-T through UDP port 4500
• ESP
Some gateway devices pre-allow all of these in a feature called “IPsec Passthrough.”
However, IPsec Passthrough is incompatible with NAT traversal. IPsec Passthrough
devices recognize the IPsec-in-UDP packets and incorrectly attempt passthrough-type
operations on the packets. This corrupts the packets in such a way that NAT-T no longer
works.
NOTE If you enable NAT traversal support, make sure you DISABLE IPsec Passthrough on the NAT device.
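The demultiplexing that NAT-T forces on a firewall or IDS, as an added example (my own code, not from the Vyatta guide): once NAT traversal is enabled, IKE and ESP both arrive on UDP/4500 and are told apart only by the first bytes of the UDP payload, which is why the three allowances listed above (UDP 500, UDP 4500, ESP) are each needed and why a device that rewrites those payloads breaks the connection. The RFC 3948 marker values are real; every sample datagram below is constructed.

```python
"""Demultiplex IPsec traffic the way a NAT-T aware firewall or IDS must.

Added example (not from the Vyatta guide). With NAT traversal enabled, IKE and
ESP both arrive on UDP/4500 and are told apart by the first bytes of the UDP
payload (RFC 3948): four zero bytes (the "non-ESP marker") precede an IKE
message, a single 0xFF byte is a NAT keepalive, and anything else is an ESP
packet starting with its SPI. SPIs 0-255 are reserved (RFC 4303), so the
marker can never collide with real ESP. All sample datagrams are constructed.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 section 2.2
NAT_KEEPALIVE = b"\xff"                # RFC 3948 section 2.3
ISAKMP_HEADER_LEN = 28                 # fixed IKE header (IKEv1 and IKEv2)
IP_PROTO_UDP, IP_PROTO_ESP = 17, 50
IKE_PORT, NATT_PORT = 500, 4500


def parse_ike_header(ike: bytes) -> dict:
    """Decode the fixed 28-byte ISAKMP/IKE header and sanity-check its length field."""
    if len(ike) < ISAKMP_HEADER_LEN:
        return {"kind": "malformed", "reason": "truncated IKE header"}
    (_i_spi, _r_spi, _next, version, exch_type, _flags, msg_id, length) = struct.unpack(
        "!8s8sBBBBII", ike[:ISAKMP_HEADER_LEN])
    return {
        "kind": "ike",
        "major_version": version >> 4,    # 1 for IKEv1, 2 for IKEv2
        "exchange_type": exch_type,       # e.g. 2 = IKEv1 main mode, 34 = IKEv2 IKE_SA_INIT
        "message_id": msg_id,
        "length_ok": length == len(ike),  # header length must cover the whole message
    }


def classify_natt_payload(payload: bytes) -> dict:
    """Classify a UDP/4500 payload as keepalive, IKE, ESP or malformed."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        return parse_ike_header(payload[4:])
    if len(payload) < 8:                  # ESP header is SPI (4) + sequence number (4)
        return {"kind": "malformed", "reason": "shorter than an ESP header"}
    spi, seq = struct.unpack("!II", payload[:8])
    if spi < 256:                         # reserved range; never valid on the wire
        return {"kind": "malformed", "reason": "reserved SPI %d" % spi}
    return {"kind": "esp", "spi": spi, "sequence": seq}


def classify_ipsec_datagram(ip_proto: int, udp_dst_port: int, payload: bytes) -> dict:
    """Map a datagram to the firewall allowance from the guide's list that it depends on."""
    if ip_proto == IP_PROTO_ESP:
        return {"kind": "esp-native", "allowance": "ESP"}
    if ip_proto == IP_PROTO_UDP and udp_dst_port == IKE_PORT:
        result = parse_ike_header(payload)           # no marker on port 500
        result["allowance"] = "UDP 500"
        return result
    if ip_proto == IP_PROTO_UDP and udp_dst_port == NATT_PORT:
        result = classify_natt_payload(payload)
        result["allowance"] = "UDP 4500"
        return result
    return {"kind": "unrelated", "allowance": None}


def build_ike_message(exch_type: int, version_byte: int, body: bytes) -> bytes:
    """Construct a minimal IKE message (fixed header plus an opaque body) for testing."""
    length = ISAKMP_HEADER_LEN + len(body)
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 1, version_byte,
                       exch_type, 0, 0, length) + body


# Constructed samples: an IKEv1 main-mode message behind the marker, an ESP packet, a keepalive.
SAMPLE_IKE_NATT = NON_ESP_MARKER + build_ike_message(2, 0x10, b"\x00" * 12)
SAMPLE_ESP_NATT = struct.pack("!II", 0xC0FFEE01, 7) + b"\xab" * 40
SAMPLE_KEEPALIVE = NAT_KEEPALIVE

if __name__ == "__main__":
    for name, pkt in (("ike", SAMPLE_IKE_NATT), ("esp", SAMPLE_ESP_NATT),
                      ("keepalive", SAMPLE_KEEPALIVE)):
        print(name, classify_ipsec_datagram(IP_PROTO_UDP, NATT_PORT, pkt))
```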
This section presents a sample configuration for a NATted connection between WEST
and EAST. It is similar to the previous example except that in this case EAST resides
behind a NAT device. In this example:
• EAST resides behind a NAT device, and has a dynamic IP address from WEST’s
point of view.
• WEST retains its fixed IP address.
This configuration is similar to something you might see for an IPsec endpoint that is
behind a DSL connection, where the DSL peer’s public IP address is dynamic and the
DSL peer is performing NAT.
When you have finished, these systems will be configured as shown in Figure 2-4.

Figure 2-4 IPsec VPN connection with dynamic IP address and NAT
[Figure: WEST (local subnet 192.168.40.0/24 on eth0, 192.0.2.1 on eth1 in 192.0.2.0/27) connects through the VPN tunnel to a NAT Gateway on the 192.0.2.32/27 network; EAST (192.168.0.1 on eth0 in 192.168.0.0/24, which is dynamic from WEST's point of view, and local subnet 192.168.60.0/24 on eth1) sits behind it.]

Before you begin:
• This example assumes that you have already configured a basic site-to-site connection using a preshared key between WEST and EAST, as explained in the section “Configuring a Basic Site-to-Site Connection” on page 20. Only the relevant changes to that configuration are presented here.
• This example also assumes that a Masquerade NAT rule is configured on a Vyatta device called “NAT Gateway” in front of EAST as follows:

Example 2-22 NAT configuration on the NAT Gateway

Step: Show the configuration.
    vyatta@NATGwy# show service nat rule 10
    outbound-interface eth0
    source {
        address 192.168.0.0/24
    }
    type masquerade

Configure WEST
To allow for EAST’s dynamic IP address via NAT, WEST must specify that the VPN
will be traversing NAT, that addresses from certain private networks are allowed, that
addresses from the same subnet as the local private subnet are not allowed, and that a
new site-to-site connection is required to a peer that has a dynamic IP address.
Example 2-23 defines configuration changes for a new site-to-site connection to
EAST via NAT.

• One important change is to add the NAT traversal related commands.
• Another important change is the IP address of the peer. This is set to 0.0.0.0 to represent “any” IP address. Because the IP address of the peer is unknown, WEST will not initiate connections to the peer. It will only receive connections from the peer.
• All other information is set to be the same as the connection created for the basic site-to-site tunnel.
To configure this connection, perform the following steps on WEST in configuration
mode.
Example 2-23 Creating a site-to-site connection to a peer with a dynamic IP address via NAT

Step: Enable NAT traversal.
    vyatta@WEST# set vpn ipsec nat-traversal enable
    [edit]

Step: Allow private network 10.0.0.0/8.
    vyatta@WEST# set vpn ipsec nat-networks allowed-network 10.0.0.0/8
    [edit]

Step: Allow private network 172.16.0.0/12.
    vyatta@WEST# set vpn ipsec nat-networks allowed-network 172.16.0.0/12
    [edit]

Step: Allow private network 192.168.0.0/16, but exclude the local subnet (192.168.40.0/24).
    vyatta@WEST# set vpn ipsec nat-networks allowed-network 192.168.0.0/16 exclude 192.168.40.0/24
    [edit]

Step: Commit the configuration.
    vyatta@WEST# commit

Step: View the newly added configuration (only the relevant parts of the configuration are shown).
    vyatta@WEST# show vpn ipsec
    (...)
    nat-networks {
        allowed-network 10.0.0.0/8 {
        }
        allowed-network 172.16.0.0/12 {
        }
        allowed-network 192.168.0.0/16 {
            exclude 192.168.40.0/24
        }
    }
    nat-traversal enable
    (...)

Step: Delete the previous configuration.
    vyatta@WEST# delete vpn ipsec site-to-site peer 192.0.2.33

Step: Create the node for EAST, setting the IP address to 0.0.0.0 (“any”), and set the authentication mode.
    vyatta@WEST# set vpn ipsec site-to-site peer 0.0.0.0 authentication mode pre-shared-secret

Step: Navigate to the node for the peer for easier editing.
    vyatta@WEST# edit vpn ipsec site-to-site peer 0.0.0.0
    [edit vpn ipsec site-to-site peer 0.0.0.0]

Step: Provide the string that will be used to generate encryption keys.
    vyatta@WEST# set authentication pre-shared-secret test_key_1
    [edit vpn ipsec site-to-site peer 0.0.0.0]

Step: Specify the default ESP group for all tunnels.
    vyatta@WEST# set default-esp-group ESP-1W
    [edit vpn ipsec site-to-site peer 0.0.0.0]

Step: Specify the IKE group.
    vyatta@WEST# set ike-group IKE-1W
    [edit vpn ipsec site-to-site peer 0.0.0.0]

Step: Identify the IP address on this Vyatta system to be used for this connection.
    vyatta@WEST# set local-address 192.0.2.1
    [edit vpn ipsec site-to-site peer 0.0.0.0]

Step: Create a tunnel configuration, and provide the local subnet for this tunnel.
    vyatta@WEST# set tunnel 1 local prefix 192.168.40.0/24
    [edit vpn ipsec site-to-site peer 0.0.0.0]

Step: Provide the remote subnet for the tunnel.
    vyatta@WEST# set tunnel 1 remote prefix 192.168.60.0/24
    [edit vpn ipsec site-to-site peer 0.0.0.0]

Step: Return to the top of the configuration tree.
    vyatta@WEST# top

Step: Commit the configuration.
    vyatta@WEST# commit

Step: View the configuration for the site-to-site connection.
    vyatta@WEST# show vpn ipsec site-to-site peer 0.0.0.0
    authentication {
        mode pre-shared-secret
        pre-shared-secret test_key_1
    }
    default-esp-group ESP-1W
    ike-group IKE-1W
    local-address 192.0.2.1
    tunnel 1 {
        local {
            prefix 192.168.40.0/24
        }
        remote {
            prefix 192.168.60.0/24
        }
    }

Step: View IPsec interface configuration.
    vyatta@WEST# show vpn ipsec ipsec-interfaces
    interface eth1

Step: View Ethernet interface eth1 address configuration. local-address is set to this address.
    vyatta@WEST# show interfaces ethernet eth1 address
    address 192.0.2.1/27

Configure EAST
Similar to the WEST configuration, EAST must be configured for NAT traversal, but the
connection from EAST to WEST requires only a minor change (local-address) from that
configured in the section “Configuring a Basic Site-to-Site Connection” on page 20.

• The NAT device keeps track of EAST’s fixed IP and correctly routes incoming packets to EAST, making any necessary changes to outgoing packets.
• WEST retains its fixed IP, so no modification is required to the remote peer IP address.
To configure this connection, perform the following steps on EAST in configuration
mode.
Example 2-24 Specify a new local-address and that NAT must be traversed

Step: Enable NAT traversal.
    vyatta@EAST# set vpn ipsec nat-traversal enable
    [edit]

Step: Allow private network 10.0.0.0/8.
    vyatta@EAST# set vpn ipsec nat-networks allowed-network 10.0.0.0/8
    [edit]

Step: Allow private network 172.16.0.0/12.
    vyatta@EAST# set vpn ipsec nat-networks allowed-network 172.16.0.0/12
    [edit]

Step: Allow private network 192.168.0.0/16, but exclude the local subnet (192.168.60.0/24).
    vyatta@EAST# set vpn ipsec nat-networks allowed-network 192.168.0.0/16 exclude 192.168.60.0/24
    [edit]

Step: Commit the configuration.
    vyatta@EAST# commit

Step: View the newly added configuration (only the relevant parts of the configuration are shown).
    vyatta@EAST# show vpn ipsec
    (...)
    nat-networks {
        allowed-network 10.0.0.0/8 {
        }
        allowed-network 172.16.0.0/12 {
        }
        allowed-network 192.168.0.0/16 {
            exclude 192.168.60.0/24
        }
    }
    nat-traversal enable
    (...)

Step: Identify the IP address on this Vyatta system to be used for this connection.
    vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 local-address 192.168.0.1
    [edit]

Step: Commit the configuration.
    vyatta@EAST# commit

Step: View the modified configuration for the site-to-site connection.
    vyatta@EAST# show vpn ipsec site-to-site peer 192.0.2.1
    authentication {
        mode pre-shared-secret
        pre-shared-secret test_key_1
    }
    default-esp-group ESP-1E
    ike-group IKE-1E
    local-address 192.168.0.1
    tunnel 1 {
        local {
            prefix 192.168.60.0/24
        }
        remote {
            prefix 192.168.40.0/24
        }
    }

Step: View IPsec interface configuration.
    vyatta@EAST# show vpn ipsec ipsec-interfaces
    interface eth0

Step: View Ethernet interface eth0 address configuration. local-address is set to this address.
    vyatta@EAST# show interfaces ethernet eth0 address
    address 192.168.0.1/24

Configuring IPsec Tunnels between Three Gateways

This section presents the following topics:
• Configure WEST
• Configure EAST
• Configure SOUTH
This section presents a sample configuration for multiple site-to-site tunnels between three gateways: WEST, EAST, and SOUTH. When you have finished, these peers will be configured as shown in Figure 2-5.

Figure 2-5 Multiple site-to-site tunnels between three gateways
[Figure: WEST (local subnets 192.168.40.0/24 and 192.168.41.0/24 on eth0, 192.0.2.1 on eth1 in 192.0.2.0/27) and EAST (192.0.2.33 in 192.0.2.32/27, local subnets 192.168.60.0/24 and 192.168.61.0/24) are connected by a VPN tunnel, and each also has a VPN tunnel to SOUTH (192.0.2.65 on eth0 in 192.0.2.64/27, local subnets 192.168.80.0/24 and 192.168.81.0/24 on eth1).]

Configure WEST
This section presents the following topics:
• Configuring the Second ESP Group on WEST
• Adding Tunnels to the Connection to EAST
• Creating the Connection to SOUTH
This example assumes that WEST has already been configured for a basic connection to
EAST, as described in “Configuring a Basic Site-to-Site Connection” on page 157. The
additional configuration for WEST for this scenario consists of the following:
• An additional ESP group
• Three new tunnel configurations for the site-to-site connection to EAST
• A new site-to-site connection to SOUTH
This section presents the following examples:
• Example 2-25 Configuring a second ESP group on WEST
• Example 2-26 Adding tunnels to the connection to EAST
• Example 2-27 Creating a site-to-site connection from WEST to SOUTH


CONFIGURING THE SECOND ESP GROUP ON WEST

Example 2-25 creates a second ESP group ESP-2W on WEST. This ESP group contains just one proposal:
• Proposal 1 uses AES-256 as the encryption cipher and SHA-1 as the hash algorithm.
• The lifetime of a proposal from this ESP group is set to 600 seconds.
To create this ESP group, perform the following steps on WEST in configuration mode.

Example 2-25 Configuring a second ESP group on WEST

Step: Create the configuration node for proposal 1 of ESP group ESP-2W.
    vyatta@WEST# set vpn ipsec esp-group ESP-2W proposal 1

Step: Set the encryption cipher for proposal 1.
    vyatta@WEST# set vpn ipsec esp-group ESP-2W proposal 1 encryption aes256

Step: Set the hash algorithm for proposal 1 of ESP-2W.
    vyatta@WEST# set vpn ipsec esp-group ESP-2W proposal 1 hash sha1

Step: Set the lifetime for ESP-2W.
    vyatta@WEST# set vpn ipsec esp-group ESP-2W lifetime 600

Step: View the configuration for the ESP group. Don’t commit yet.
    vyatta@WEST# show vpn ipsec esp-group ESP-2W
    > proposal 1 {
    >     encryption aes256
    >     hash sha1
    > }
    > lifetime 600

ADDING TUNNELS TO THE CONNECTION TO EAST

Example 2-26 adds three tunnels to the site-to-site connection from WEST to EAST.
• Tunnel 2 communicates between 192.168.40.0/24 on WEST and 192.168.61.0/24 on EAST, and uses the default ESP group ESP-1W.
• Tunnel 3 communicates between 192.168.41.0/24 on WEST and 192.168.60.0/24 on EAST, and uses ESP group ESP-2W.
• Tunnel 4 communicates between 192.168.41.0/24 on WEST and 192.168.61.0/24 on EAST, and uses ESP group ESP-2W.
To configure this connection, perform the following steps on WEST in configuration mode.
Example 2-26 Adding tunnels to the connection to EAST

Step: Navigate to the configuration node for EAST for easier editing.
    vyatta@WEST# edit vpn ipsec site-to-site peer 192.0.2.33
    [edit vpn ipsec site-to-site peer 192.0.2.33]

Step: Create the configuration node for tunnel 2, and provide the local subnet for this tunnel.
    vyatta@WEST# set tunnel 2 local prefix 192.168.40.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.33]

Step: Provide the remote subnet for tunnel 2.
    vyatta@WEST# set tunnel 2 remote prefix 192.168.61.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.33]

Step: Create the configuration node for tunnel 3, and provide the local subnet for this tunnel.
    vyatta@WEST# set tunnel 3 local prefix 192.168.41.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.33]

Step: Provide the remote subnet for tunnel 3.
    vyatta@WEST# set tunnel 3 remote prefix 192.168.60.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.33]

Step: Specify the ESP group for tunnel 3.
    vyatta@WEST# set tunnel 3 esp-group ESP-2W
    [edit vpn ipsec site-to-site peer 192.0.2.33]

Step: Create the configuration node for tunnel 4, and provide the local subnet for this tunnel.
    vyatta@WEST# set tunnel 4 local prefix 192.168.41.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.33]

Step: Provide the remote subnet for tunnel 4.
    vyatta@WEST# set tunnel 4 remote prefix 192.168.61.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.33]

Step: Specify the ESP group for tunnel 4.
    vyatta@WEST# set tunnel 4 esp-group ESP-2W
    [edit vpn ipsec site-to-site peer 192.0.2.33]

Step: Return to the top of the configuration tree.
    vyatta@WEST# top

Step: Commit the configuration.
    vyatta@WEST# commit

Step: View the configuration for the site-to-site connection.
    vyatta@WEST# show vpn ipsec site-to-site peer 192.0.2.33
    authentication {
        mode pre-shared-secret
        pre-shared-secret test_key_1
    }
    default-esp-group ESP-1W
    ike-group IKE-1W
    local-address 192.0.2.1
    tunnel 1 {
        local {
            prefix 192.168.40.0/24
        }
        remote {
            prefix 192.168.60.0/24
        }
    }
    tunnel 2 {
        local {
            prefix 192.168.40.0/24
        }
        remote {
            prefix 192.168.61.0/24
        }
    }
    tunnel 3 {
        esp-group ESP-2W
        local {
            prefix 192.168.41.0/24
        }
        remote {
            prefix 192.168.60.0/24
        }
    }
    tunnel 4 {
        esp-group ESP-2W
        local {
            prefix 192.168.41.0/24
        }
        remote {
            prefix 192.168.61.0/24
        }
    }

Step: View IPsec interface configuration.
    vyatta@WEST# show vpn ipsec ipsec-interfaces
    interface eth1

Step: View Ethernet interface eth1 address configuration. local-address is set to this address.
    vyatta@WEST# show interfaces ethernet eth1 address
    address 192.0.2.1/27

CREATING THE CONNECTION TO SOUTH

Example 2-27 defines a site-to-site connection from WEST to SOUTH.
• The connection has four tunnels:
— Tunnel 1 communicates between 192.168.40.0/24 on WEST and
192.168.80.0/24 on SOUTH, and uses the default ESP group ESP-1W.
— Tunnel 2 communicates between 192.168.40.0/24 on WEST and
192.168.81.0/24 on SOUTH, and uses the default ESP group ESP-1W.
— Tunnel 3 communicates between 192.168.41.0/24 on WEST and
192.168.80.0/24 on SOUTH, and uses the default ESP group ESP-1W.
— Tunnel 4 communicates between 192.168.41.0/24 on WEST and
192.168.81.0/24 on SOUTH, and uses the default ESP group ESP-1W.
• WEST uses IP address 192.0.2.1 on eth1.
• SOUTH uses IP address 192.0.2.65 on eth0.
• The IKE group is IKE-1W.
• The preshared secret is “test_key_2”.
To configure this connection, perform the following steps on WEST in configuration
mode.
Example 2-27 Creating a site-to-site connection from WEST to SOUTH

Step: Create the node for SOUTH and set the authentication mode.
    vyatta@WEST# set vpn ipsec site-to-site peer 192.0.2.65 authentication mode pre-shared-secret

Step: Navigate to the node for the peer for easier editing.
    vyatta@WEST# edit vpn ipsec site-to-site peer 192.0.2.65
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Step: Provide the string that will be used to generate encryption keys.
    vyatta@WEST# set authentication pre-shared-secret test_key_2
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Step: Specify the default ESP group for all tunnels.
    vyatta@WEST# set default-esp-group ESP-1W
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Step: Specify the IKE group.
    vyatta@WEST# set ike-group IKE-1W
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Step: Identify the IP address on this Vyatta system to be used for this connection.
    vyatta@WEST# set local-address 192.0.2.1
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Step: Create the configuration node for tunnel 1, and provide the local subnet for this tunnel.
    vyatta@WEST# set tunnel 1 local prefix 192.168.40.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Step: Provide the remote subnet for tunnel 1.
    vyatta@WEST# set tunnel 1 remote prefix 192.168.80.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Step: Create the configuration node for tunnel 2, and provide the local subnet for this tunnel.
    vyatta@WEST# set tunnel 2 local prefix 192.168.40.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Step: Provide the remote subnet for tunnel 2.
    vyatta@WEST# set tunnel 2 remote prefix 192.168.81.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Step: Create the configuration node for tunnel 3, and provide the local subnet for this tunnel.
    vyatta@WEST# set tunnel 3 local prefix 192.168.41.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Step: Provide the remote subnet for tunnel 3.
    vyatta@WEST# set tunnel 3 remote prefix 192.168.80.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Step: Create the configuration node for tunnel 4, and provide the local subnet for this tunnel.
    vyatta@WEST# set tunnel 4 local prefix 192.168.41.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Step: Provide the remote subnet for tunnel 4.
    vyatta@WEST# set tunnel 4 remote prefix 192.168.81.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Step: Return to the top of the configuration tree.
    vyatta@WEST# top

Step: Commit the configuration.
    vyatta@WEST# commit

Step: View the configuration for the site-to-site connection.
    vyatta@WEST# show vpn ipsec site-to-site peer 192.0.2.65
    authentication {
        mode pre-shared-secret
        pre-shared-secret test_key_2
    }
    default-esp-group ESP-1W
    ike-group IKE-1W
    local-address 192.0.2.1
    tunnel 1 {
        local {
            prefix 192.168.40.0/24
        }
        remote {
            prefix 192.168.80.0/24
        }
    }
    tunnel 2 {
        local {
            prefix 192.168.40.0/24
        }
        remote {
            prefix 192.168.81.0/24
        }
    }
    tunnel 3 {
        local {
            prefix 192.168.41.0/24
        }
        remote {
            prefix 192.168.80.0/24
        }
    }
    tunnel 4 {
        local {
            prefix 192.168.41.0/24
        }
        remote {
            prefix 192.168.81.0/24
        }
    }

Configure EAST
This section presents the following topics:
• Configuring the Second ESP Group on EAST
• Adding Tunnels to the Connection to WEST
• Creating the Connection to SOUTH
This example assumes that EAST has already been configured for a basic connection to WEST, as described in “Configuring a Basic Site-to-Site Connection” on page 20. The additional configuration for EAST for this scenario consists of the following:
• An additional ESP group
• Three new tunnel configurations for the site-to-site connection to WEST
• A new site-to-site connection to SOUTH
This section presents the following examples:
• Example 2-28 Configuring a second ESP group on EAST
• Example 2-29 Adding tunnels to the connection to WEST
• Example 2-30 Creating a site-to-site connection from EAST to SOUTH

CONFIGURING THE SECOND ESP GROUP ON EAST

Example 2-28 creates a second ESP group ESP-2E on EAST. This ESP group contains just one proposal:
• Proposal 1 uses AES-256 as the encryption cipher and SHA-1 as the hash algorithm.
• The lifetime of a proposal from this ESP group is set to 600 seconds.
To create this ESP group, perform the following steps on EAST in configuration mode.

Example 2-28 Configuring a second ESP group on EAST

Step: Create the configuration node for proposal 1 of ESP group ESP-2E.
    vyatta@EAST# set vpn ipsec esp-group ESP-2E proposal 1

Step: Set the encryption cipher for proposal 1.
    vyatta@EAST# set vpn ipsec esp-group ESP-2E proposal 1 encryption aes256

Step: Set the hash algorithm for proposal 1 of ESP-2E.
    vyatta@EAST# set vpn ipsec esp-group ESP-2E proposal 1 hash sha1

Step: Set the lifetime for ESP-2E.
    vyatta@EAST# set vpn ipsec esp-group ESP-2E lifetime 600

Step: View the configuration for the ESP group. Don’t commit yet.
    vyatta@EAST# show vpn ipsec esp-group ESP-2E
    > proposal 1 {
    >     encryption aes256
    >     hash sha1
    > }
    > lifetime 600

ADDING TUNNELS TO THE CONNECTION TO WEST


Example 2-29 adds three tunnels to the site-to-site connection from EAST to WEST.
• Tunnel 2 communicates between 192.168.60.0/24 on EAST and
192.168.41.0/24 on WEST, and uses the default ESP group ESP-1E.
• Tunnel 3 communicates between 192.168.61.0/24 on EAST and
192.168.40.0/24 on WEST, and uses ESP group ESP-2E.
• Tunnel 4 communicates between 192.168.61.0/24 on EAST and
192.168.41.0/24 on WEST, and uses ESP group ESP-2E.
To configure this connection, perform the following steps on EAST in configuration
mode.
Example 2-29 Adding tunnels to the connection to WEST

Step: Navigate to the configuration node for WEST for easier editing.
    vyatta@EAST# edit vpn ipsec site-to-site peer 192.0.2.1
    [edit vpn ipsec site-to-site peer 192.0.2.1]

Step: Create the configuration node for tunnel 2, and provide the local subnet for this tunnel.
    vyatta@EAST# set tunnel 2 local prefix 192.168.60.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.1]

Step: Provide the remote subnet for tunnel 2.
    vyatta@EAST# set tunnel 2 remote prefix 192.168.41.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.1]

Step: Create the configuration node for tunnel 3, and provide the local subnet for this tunnel.
    vyatta@EAST# set tunnel 3 local prefix 192.168.61.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.1]

Step: Provide the remote subnet for tunnel 3.
    vyatta@EAST# set tunnel 3 remote prefix 192.168.40.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.1]

Step: Specify the ESP group for tunnel 3.
    vyatta@EAST# set tunnel 3 esp-group ESP-2E
    [edit vpn ipsec site-to-site peer 192.0.2.1]

Step: Create the configuration node for tunnel 4, and provide the local subnet for this tunnel.
    vyatta@EAST# set tunnel 4 local prefix 192.168.61.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.1]

Step: Provide the remote subnet for tunnel 4.
    vyatta@EAST# set tunnel 4 remote prefix 192.168.41.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.1]

Step: Specify the ESP group for tunnel 4.
    vyatta@EAST# set tunnel 4 esp-group ESP-2E
    [edit vpn ipsec site-to-site peer 192.0.2.1]

Step: Return to the top of the configuration tree.
    vyatta@EAST# top

Step: Commit the configuration.
    vyatta@EAST# commit

Step: View the configuration for the site-to-site connection.
    vyatta@EAST# show vpn ipsec site-to-site peer 192.0.2.1
    authentication {
        mode pre-shared-secret
        pre-shared-secret test_key_1
    }
    default-esp-group ESP-1E
    ike-group IKE-1E
    local-address 192.0.2.33
    tunnel 1 {
        local {
            prefix 192.168.60.0/24
        }
        remote {
            prefix 192.168.40.0/24
        }
    }
    tunnel 2 {
        local {
            prefix 192.168.60.0/24
        }
        remote {
            prefix 192.168.41.0/24
        }
    }
    tunnel 3 {
        esp-group ESP-2E
        local {
            prefix 192.168.61.0/24
        }
        remote {
            prefix 192.168.40.0/24
        }
    }
    tunnel 4 {
        esp-group ESP-2E
        local {
            prefix 192.168.61.0/24
        }
        remote {
            prefix 192.168.41.0/24
        }
    }

Step: View IPsec interface configuration.
    vyatta@EAST# show vpn ipsec ipsec-interfaces
    interface eth0

Step: View Ethernet interface eth0 address configuration. local-address is set to this address.
    vyatta@EAST# show interfaces ethernet eth0 address
    address 192.0.2.33/27
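A cross-check of the two ends of the WEST/EAST connection, as an added example (my own code, not from the guide or from Vyatta): it parses the brace-style `show vpn ipsec site-to-site` output of Examples 2-26 and 2-29 and pairs each WEST tunnel with the EAST tunnel that mirrors its prefixes, reporting which named ESP group each side applies after resolving default-esp-group. The pairing is by prefix pair rather than by tunnel number, because the numbering differs between the gateways (WEST's tunnel 3 carries 192.168.41.0/24 to 192.168.60.0/24, which on EAST is tunnel 2); whether two differently named groups such as ESP-2W and ESP-1E negotiate a compatible proposal depends on their definitions, which this section does not show for the ESP-1 groups.

```python
"""Cross-check the two ends of a Vyatta site-to-site connection.

Added example, not part of the Vyatta guide. It parses the brace-style output
of 'show vpn ipsec site-to-site' from each gateway and reports, for every
local/remote prefix pair, which ESP group each side applies (resolving
default-esp-group), plus tunnels that exist on one side only and whether the
pre-shared secrets and peer/local addresses line up. The embedded configs are
the WEST and EAST peer blocks from Examples 2-26 and 2-29, written compactly.
"""


def parse_vyatta(text: str) -> dict:
    """Parse Vyatta brace config into nested dicts (assumes no quoted values with spaces/braces)."""
    tokens = text.replace("{", " { ").replace("}", " } ").split()
    root: dict = {}
    stack = [root]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            stack.pop()
            i += 1
        elif i + 1 < len(tokens) and tokens[i + 1] == "{":      # plain node, e.g. "local {"
            node: dict = {}
            stack[-1][tok] = node
            stack.append(node)
            i += 2
        elif i + 2 < len(tokens) and tokens[i + 2] == "{":      # tagged node, e.g. "tunnel 1 {"
            node = {}
            stack[-1][tok + " " + tokens[i + 1]] = node
            stack.append(node)
            i += 3
        else:                                                   # leaf, e.g. "ike-group IKE-1W"
            if i + 1 >= len(tokens):
                raise ValueError("leaf %r has no value" % tok)
            stack[-1][tok] = tokens[i + 1]
            i += 2
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def peer_entry(root: dict) -> tuple:
    """Return (peer address, peer node) for the single 'peer X { ... }' block in root."""
    key = next(k for k in root if k.startswith("peer "))
    return key.split()[1], root[key]


def tunnels(peer: dict) -> dict:
    """Map (local prefix, remote prefix) -> ESP group name, falling back to default-esp-group."""
    default = peer["default-esp-group"]
    out = {}
    for key, node in peer.items():
        if key.startswith("tunnel "):
            out[(node["local"]["prefix"], node["remote"]["prefix"])] = node.get("esp-group", default)
    return out


def compare_peers(west_root: dict, east_root: dict) -> dict:
    """Pair each WEST tunnel with the EAST tunnel whose prefixes are the mirror image."""
    w_addr, west = peer_entry(west_root)   # w_addr: EAST's address as configured on WEST
    e_addr, east = peer_entry(east_root)   # e_addr: WEST's address as configured on EAST
    w, e = tunnels(west), tunnels(east)
    return {
        "mirrored": {pair: (w[pair], e[pair[::-1]]) for pair in w if pair[::-1] in e},
        "only_west": [pair for pair in w if pair[::-1] not in e],
        "only_east": [pair for pair in e if pair[::-1] not in w],
        "psk_match": west["authentication"]["pre-shared-secret"]
        == east["authentication"]["pre-shared-secret"],
        "addresses_match": west["local-address"] == e_addr and east["local-address"] == w_addr,
    }


# Peer blocks from Examples 2-26 (WEST) and 2-29 (EAST), one tunnel per line.
WEST_PEER = """
peer 192.0.2.33 {
    authentication { mode pre-shared-secret pre-shared-secret test_key_1 }
    default-esp-group ESP-1W
    ike-group IKE-1W
    local-address 192.0.2.1
    tunnel 1 { local { prefix 192.168.40.0/24 } remote { prefix 192.168.60.0/24 } }
    tunnel 2 { local { prefix 192.168.40.0/24 } remote { prefix 192.168.61.0/24 } }
    tunnel 3 { esp-group ESP-2W local { prefix 192.168.41.0/24 } remote { prefix 192.168.60.0/24 } }
    tunnel 4 { esp-group ESP-2W local { prefix 192.168.41.0/24 } remote { prefix 192.168.61.0/24 } }
}
"""

EAST_PEER = """
peer 192.0.2.1 {
    authentication { mode pre-shared-secret pre-shared-secret test_key_1 }
    default-esp-group ESP-1E
    ike-group IKE-1E
    local-address 192.0.2.33
    tunnel 1 { local { prefix 192.168.60.0/24 } remote { prefix 192.168.40.0/24 } }
    tunnel 2 { local { prefix 192.168.60.0/24 } remote { prefix 192.168.41.0/24 } }
    tunnel 3 { esp-group ESP-2E local { prefix 192.168.61.0/24 } remote { prefix 192.168.40.0/24 } }
    tunnel 4 { esp-group ESP-2E local { prefix 192.168.61.0/24 } remote { prefix 192.168.41.0/24 } }
}
"""

if __name__ == "__main__":
    report = compare_peers(parse_vyatta(WEST_PEER), parse_vyatta(EAST_PEER))
    for pair, groups in report["mirrored"].items():
        print("WEST %s <-> %s: WEST uses %s, EAST uses %s" % (pair[0], pair[1], *groups))
    print("orphans:", report["only_west"], report["only_east"])
    print("psk_match:", report["psk_match"], "addresses_match:", report["addresses_match"])
```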

CREATING THE CONNECTION TO SOUTH

Example 2-30 defines a site-to-site connection from EAST to SOUTH.
• The connection has four tunnels:
— Tunnel 1 communicates between 192.168.60.0/24 on EAST and
192.168.80.0/24 on SOUTH, and uses the default ESP group ESP-1E.
— Tunnel 2 communicates between 192.168.60.0/24 on EAST and
192.168.81.0/24 on SOUTH, and uses the default ESP group ESP-1E.
— Tunnel 3 communicates between 192.168.61.0/24 on EAST and
192.168.80.0/24 on SOUTH, and uses the default ESP group ESP-1E.
— Tunnel 4 communicates between 192.168.61.0/24 on EAST and
192.168.81.0/24 on SOUTH, and uses the default ESP group ESP-1E.
• EAST uses IP address 192.0.2.33 on eth1.
• SOUTH uses IP address 192.0.2.65 on eth0.
• The IKE group is IKE-1E.
• The preshared secret is “test_key_2”.
To configure this connection, perform the following steps on EAST in configuration
mode.
Example 2‐30 Creating a site‐to‐site connection from EAST to SOUTH

Step Command
Create the node for SOUTH and vyatta@EAST# set vpn ipsec site‐to‐site peer 192.0.2.65
set the authentication mode authentication mode pre‐shared‐secret

Navigate to the node for the vyatta@EAST# edit vpn ipsec site‐to‐site peer 192.0.2.65
peer for easier editing [edit vpn ipsec site‐to‐site peer 192.0.2.65]

Provide the string that will be vyatta@EAST# set authentication pre‐shared‐secret test_key_2
used to generate encryption [edit vpn ipsec site‐to‐site peer 192.0.2.65]
keys.

Specify the default ESP group. vyatta@EAST# set default‐esp‐group ESP‐1E


[edit vpn ipsec site‐to‐site peer 192.0.2.65]

Specify the IKE group. vyatta@EAST# set ike‐group IKE‐1E


[edit vpn ipsec site‐to‐site peer 192.0.2.65]

VPN 6.5R1 v01 Vyatta


Chapter 2: IPsec Site‐to‐Site VPN IPsec Site‐to‐Site VPN Configuration 71

Example 2‐30 Creating a site‐to‐site connection from EAST to SOUTH

Identify the IP address on this Vyatta system to be used for this connection.
    vyatta@EAST# set local-address 192.0.2.33
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Create the configuration node for tunnel 1, and provide the local subnet for this tunnel.
    vyatta@EAST# set tunnel 1 local prefix 192.168.60.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Provide the remote subnet for tunnel 1.
    vyatta@EAST# set tunnel 1 remote prefix 192.168.80.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Create the configuration node for tunnel 2, and provide the local subnet for this tunnel.
    vyatta@EAST# set tunnel 2 local prefix 192.168.60.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Provide the remote subnet for tunnel 2.
    vyatta@EAST# set tunnel 2 remote prefix 192.168.81.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Create the configuration node for tunnel 3, and provide the local subnet for this tunnel.
    vyatta@EAST# set tunnel 3 local prefix 192.168.61.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Provide the remote subnet for tunnel 3.
    vyatta@EAST# set tunnel 3 remote prefix 192.168.80.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Create the configuration node for tunnel 4, and provide the local subnet for this tunnel.
    vyatta@EAST# set tunnel 4 local prefix 192.168.61.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Provide the remote subnet for tunnel 4.
    vyatta@EAST# set tunnel 4 remote prefix 192.168.81.0/24
    [edit vpn ipsec site-to-site peer 192.0.2.65]

Return to the top of the configuration tree.
    vyatta@EAST# top

Commit the configuration.
    vyatta@EAST# commit


View the configuration for the site-to-site connection.
    vyatta@EAST# show vpn ipsec site-to-site peer 192.0.2.65
    authentication {
        mode pre-shared-secret
        pre-shared-secret test_key_2
    }
    default-esp-group ESP-1E
    ike-group IKE-1E
    local-address 192.0.2.33
    tunnel 1 {
        local {
            prefix 192.168.60.0/24
        }
        remote {
            prefix 192.168.80.0/24
        }
    }
    tunnel 2 {
        local {
            prefix 192.168.60.0/24
        }
        remote {
            prefix 192.168.81.0/24
        }
    }
    tunnel 3 {
        local {
            prefix 192.168.61.0/24
        }
        remote {
            prefix 192.168.80.0/24
        }
    }
    tunnel 4 {
        local {
            prefix 192.168.61.0/24
        }
        remote {
            prefix 192.168.81.0/24
        }
    }

Configure SOUTH
This section presents the following topics:


• Enabling VPN on SOUTH
• Configuring an IKE Group on SOUTH
• Configuring an ESP Group on SOUTH
• Creating the Connection to WEST
• Creating the Connection to EAST
This section presents the following examples:
• Example 2-31 Enabling IPsec VPN on SOUTH
• Example 2-32 Configuring an IKE group on SOUTH
• Example 2-33 Configuring an ESP group on SOUTH
• Example 2-34 Creating a site-to-site connection from SOUTH to WEST
• Example 2-35 Creating a site-to-site connection from SOUTH to EAST

ENABLING VPN ON SOUTH


In this section, you enable IPsec VPN on the interfaces that will be used in VPN
connections on SOUTH. The VPN tunnels in the example configuration extend through
the wide-area network to eth0 on SOUTH. This means that eth0 on SOUTH must have
VPN enabled. The other interfaces on SOUTH need not.
Example 2-31 enables IPsec VPN on eth0 on SOUTH. To do this, perform the
following steps on SOUTH in configuration mode.
Example 2-31 Enabling IPsec VPN on SOUTH

Step Command

Enable VPN on eth0 on SOUTH.
    vyatta@SOUTH# set vpn ipsec ipsec-interfaces interface eth0

View IPsec interface configuration. Don’t commit yet.
    vyatta@SOUTH# show vpn ipsec ipsec-interfaces
    > interface eth0

CONFIGURING AN IKE GROUP ON SOUTH


Example 2-32 creates IKE group IKE-1S on SOUTH. This IKE group contains two
proposals:
• Proposal 1 uses AES-256 as the encryption cipher and SHA-1 as the hash
algorithm
• Proposal 2 uses AES-128 as the encryption cipher and SHA-1 as the hash
algorithm
The lifetime of a proposal from this IKE group is set to 3600 seconds.
Note that these parameters correspond to those set in IKE-1W on WEST and IKE-1E on
EAST. You must ensure, in defining proposals, that the encryption ciphers and hash
algorithms are such that the two peers will be able to agree on a combination.


To create this IKE group, perform the following steps on SOUTH in configuration
mode.
Example 2-32 Configuring an IKE group on SOUTH

Step Command

Create the configuration node for proposal 1 of IKE group IKE-1S.
    vyatta@SOUTH# set vpn ipsec ike-group IKE-1S proposal 1

Set the encryption cipher for proposal 1.
    vyatta@SOUTH# set vpn ipsec ike-group IKE-1S proposal 1 encryption aes256

Set the hash algorithm for proposal 1.
    vyatta@SOUTH# set vpn ipsec ike-group IKE-1S proposal 1 hash sha1

Set the encryption cipher for proposal 2. This also creates the configuration node for proposal 2 of IKE group IKE-1S.
    vyatta@SOUTH# set vpn ipsec ike-group IKE-1S proposal 2 encryption aes128

Set the hash algorithm for proposal 2.
    vyatta@SOUTH# set vpn ipsec ike-group IKE-1S proposal 2 hash sha1

Set the lifetime for the whole IKE group.
    vyatta@SOUTH# set vpn ipsec ike-group IKE-1S lifetime 3600

View the configuration for the IKE group. Don’t commit yet.
    vyatta@SOUTH# show vpn ipsec ike-group IKE-1S
    > proposal 1 {
    >     encryption aes256
    >     hash sha1
    > }
    > proposal 2 {
    >     encryption aes128
    >     hash sha1
    > }
    > lifetime 3600


CONFIGURING AN ESP GROUP ON SOUTH


Example 2-33 creates ESP group ESP-1S on SOUTH. This ESP group contains two
proposals:
• Proposal 1 uses AES-256 as the encryption cipher and SHA-1 as the hash
algorithm
• Proposal 2 uses Triple-DES as the encryption cipher and MD5 as the hash
algorithm
The lifetime of a proposal from this ESP group is set to 1800 seconds.
To create this ESP group, perform the following steps on SOUTH in configuration
mode.
Example 2-33 Configuring an ESP group on SOUTH

Step Command

Create the configuration node for proposal 1 of ESP group ESP-1S.
    vyatta@SOUTH# set vpn ipsec esp-group ESP-1S proposal 1

Set the encryption cipher for proposal 1.
    vyatta@SOUTH# set vpn ipsec esp-group ESP-1S proposal 1 encryption aes256

Set the hash algorithm for proposal 1.
    vyatta@SOUTH# set vpn ipsec esp-group ESP-1S proposal 1 hash sha1

Set the encryption cipher for proposal 2. This also creates the configuration node for proposal 2 of ESP group ESP-1S.
    vyatta@SOUTH# set vpn ipsec esp-group ESP-1S proposal 2 encryption 3des

Set the hash algorithm for proposal 2.
    vyatta@SOUTH# set vpn ipsec esp-group ESP-1S proposal 2 hash md5

Set the lifetime for the whole ESP group.
    vyatta@SOUTH# set vpn ipsec esp-group ESP-1S lifetime 1800

View the configuration for the ESP group. Don’t commit yet.
    vyatta@SOUTH# show vpn ipsec esp-group ESP-1S
    > proposal 1 {
    >     encryption aes256
    >     hash sha1
    > }
    > proposal 2 {
    >     encryption 3des
    >     hash md5
    > }
    > lifetime 1800
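As an added example that is not part of the Vyatta guide, the script below parses `show vpn ipsec ike-group` and `show vpn ipsec esp-group` output of the form shown for IKE-1S and ESP-1S, lists the proposals two peers can actually agree on (the check the IKE-group section asks you to make against IKE-1W and IKE-1E), and flags proposals built on legacy algorithms such as the 3DES/MD5 proposal in ESP-1S. The IKE-1W dump is a constructed assumption for the peer side and is not taken from the guide.

```python
import re

# Constructed sample: `show vpn ipsec ike-group IKE-1S` output as the guide prints it
IKE_1S = """> proposal 1 {
>     encryption aes256
>     hash sha1
> }
> proposal 2 {
>     encryption aes128
>     hash sha1
> }
> lifetime 3600
"""
# Constructed, assumed peer side (WEST) that only offers the AES-128 proposal
IKE_1W = """proposal 1 {
    encryption aes128
    hash sha1
}
lifetime 3600
"""
# Constructed sample: `show vpn ipsec esp-group ESP-1S`, including the 3DES/MD5 proposal
ESP_1S = """proposal 1 {
    encryption aes256
    hash sha1
}
proposal 2 {
    encryption 3des
    hash md5
}
lifetime 1800
"""
WEAK = {"3des", "md5"}  # legacy algorithms worth flagging during a configuration review

def parse_group(text):
    """Return ([(number, encryption, hash), ...], lifetime) from a show-style dump."""
    text = re.sub(r"^[ \t]*> ?", "", text, flags=re.M)  # drop the CLI's '> ' continuation prefix
    # Relies on the encryption/hash order the CLI uses when printing a proposal.
    props = [(int(n), enc, h) for n, enc, h in
             re.findall(r"proposal (\d+) \{\s*encryption (\S+)\s*hash (\S+)\s*\}", text)]
    life = re.search(r"^\s*lifetime (\d+)", text, flags=re.M)
    return props, (int(life.group(1)) if life else None)

def common_proposals(local, remote):
    """(local_no, remote_no, cipher, hash) pairs on which both peers share cipher and hash."""
    lp, rp = parse_group(local)[0], parse_group(remote)[0]
    return [(l[0], r[0], l[1], l[2]) for l in lp for r in rp if l[1:] == r[1:]]

def weak_proposals(text):
    """Numbers of the proposals that use an algorithm from WEAK."""
    return [p[0] for p in parse_group(text)[0] if p[1] in WEAK or p[2] in WEAK]
```

An empty result from `common_proposals` means the two IKE (or ESP) groups cannot negotiate a security association, which is exactly the mismatch the guide warns about.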