Chapter 2: IPsec Site‐to‐Site VPN IPsec Site‐to‐Site VPN Configuration 31

Example 2‐7 Configuring an ESP group on EAST

Set the hash algorithm for vyatta@EAST# set vpn ipsec esp‐group ESP‐1E proposal 1 hash
proposal 1. sha1

Set the encryption cipher for vyatta@EAST# set vpn ipsec esp‐group ESP‐1E proposal 2
proposal 2. This also creates the encryption 3des
configuration node for
proposal 2 of ESP group ESP‐1E.

Set the hash algorithm for vyatta@EAST# set vpn ipsec esp‐group ESP‐1E proposal 2 hash
proposal 2. md5

Set the lifetime for the whole vyatta@EAST# set vpn ipsec esp‐group ESP‐1E lifetime 1800
ESP group.

View the configuration for the vyatta@EAST# show vpn ipsec esp‐group ESP‐1E
ESP group. Don’t commit yet. > proposal 1 {
> encryption aes256
> hash sha1
> }
> proposal 2 {
> encryption 3des
> hash md5
> }
> lifetime 1800

CREATING THE CONNECTION TO WEST

Example 2-8 defines a site-to-site connection to WEST. In this example:
• This connection is configured with a single tunnel:
— Tunnel 1 communicates between 192.168.60.0/24 on EAST and
192.168.40.0/24 on WEST, using ESP group ESP-1E.
• EAST uses IP address 192.0.2.33 on eth0.
• WEST uses IP address 192.0.2.1 on eth1.
• The IKE group is IKE-1E.
• The authentication mode is pre-shared secret. The pre-shared secret is
“test_key_1”.
To configure this connection, perform the following steps on EAST in configuration
mode.
Example 2‐8 Creating a site‐to‐site connection from EAST to WEST

Step Command

Create the node for WEST and vyatta@EAST# set vpn ipsec site‐to‐site peer
set the authentication mode 192.0.2.1 authentication mode pre‐shared‐secret

VPN 6.5R1 v01 Vyatta

Chapter 2: IPsec Site‐to‐Site VPN IPsec Site‐to‐Site VPN Configuration 32

Example 2‐8 Creating a site‐to‐site connection from EAST to WEST

Navigate to the node for the vyatta@EAST# edit vpn ipsec site‐to‐site peer 192.0.2.1
peer for easier editing [edit vpn ipsec site‐to‐site peer 192.0.2.1]

Provide the string that will be vyatta@EAST# set authentication pre‐shared‐secret test_key_1
used to generate encryption [edit vpn ipsec site‐to‐site peer 192.0.2.1]
keys.

Specify the default ESP group for vyatta@EAST# set default‐esp‐group ESP‐1E
all tunnels. [edit vpn ipsec site‐to‐site peer 192.0.2.1]

Specify the IKE group. vyatta@EAST# set ike‐group IKE‐1E

[edit vpn ipsec site‐to‐site peer 192.0.2.1]

Identify the IP address on this vyatta@EAST# set local‐address 192.0.2.33

Vyatta system to be used for this [edit vpn ipsec site‐to‐site peer 192.0.2.1]
connection.

Create a tunnel configuration, vyatta@EAST# set tunnel 1 local prefix 192.168.60.0/24

and provide the local subnet for [edit vpn ipsec site‐to‐site peer 192.0.2.1]
this tunnel.

Provide the remote subnet for vyatta@EAST# set tunnel 1 remote prefix 192.168.40.0/24
the tunnel. [edit vpn ipsec site‐to‐site peer 192.0.2.1]

Return to the top of the vyatta@EAST# top

configuration tree.

Now commit the configuration. vyatta@EAST# commit

View the configuration for the vyatta@EAST# show vpn ipsec site‐to‐site peer 192.0.2.1
site‐to‐site connection. authentication
mode pre‐shared‐secret
pre‐shared‐secret test_key_1
}
default‐esp‐group ESP‐1E
ike‐group IKE‐1E
local‐address 192.0.2.33
tunnel 1 {
local {
prefix 192.168.60.0/24
}
remote {
prefix 192.168.40.0/24
}
}

View IPsec interface vyatta@EAST# show vpn ipsec ipsec‐interfaces

configuration. interface eth0

VPN 6.5R1 v01 Vyatta

Chapter 2: IPsec Site‐to‐Site VPN IPsec Site‐to‐Site VPN Configuration 33

Example 2‐8 Creating a site‐to‐site connection from EAST to WEST

View Ethernet interface vyatta@EAST# show interfaces ethernet eth0

eth0 address configuration. address address 192.0.2.33/27
local‐address is set to this
address.

Authenticating with RSA Digital Signatures

This section presents the following topics:
• Generate a Digital Signature on WEST
• Generate a Digital Signature on EAST
• Record EAST’s Public Key on WEST
• Modify WEST’s Connection to EAST
• Record WEST’s Public Key on EAST
• Modify EAST’s Connection to WEST
In this set of examples, you modify the VPN connection configured in the previous set of
examples between WEST and EAST (“Configuring a Basic Site-to-Site Connection” on
page 20). The site-to-site connection created in that set of examples used pre-shared keys
for authentication. This set of examples modifies the connection to use RSA digital
signatures for authentication.

Generate a Digital Signature on WEST

In this example, you generate WEST’s digital signature. This signature will have two
parts: a public part (the public key) and a private part (the private key). The public key
will be shared with EAST; the private key will remain secret.
To generate an RSA digital signature for system WEST, perform the following steps in
operational mode.
Example 2‐9 Generating a digital signature on WEST

Step Command

Generate the key. vyatta@WEST> generate vpn rsa‐key

The system warns you that the A local RSA key file already exists and will be overwritten
existing RSA key file will be <CTRL>C to exit: 8
overwritten. You have the
opportunity to exit the key
generation process by pressing
<Ctrl>+c.

VPN 6.5R1 v01 Vyatta

Chapter 2: IPsec Site‐to‐Site VPN IPsec Site‐to‐Site VPN Configuration 34

Example 2‐9 Generating a digital signature on WEST

The system indicates the Generating rsa‐key to /config/ipsec.d/rsa‐keys/localhost.key

location of the file where the
key will be written.

The system displays the public Your new local RSA key has been generated
portion of the generated key. The public portion of the key is:
By default, this key (including
the private portion of the key) is 0sAQPEOQvukvkv1ofuO8gEKp7IFFZz4lQqMZyVMInoQKUU/T0iKSK/0NSH9
stored in Ldrr8yQUFayzKag6wM7ASXWXKyt0LS1Gn8tJVsjKGaOkFgLREtVJD3pRzoc
/config/ipsec.d/rsa‐keys/ 7DSUOBViCD6f/TloTkPepRUtW1bmYev2H7tajSO0K0
localhost.key rqu+7nlocZI0ppMAyF6CS+Wd5W1JBpVGL+EkKfyEl9RagKxRW82XJbgY4LG
77K2YDN90Wd2GgMY3kf+YJLIzFEt/xRbh2/380FMpdaUYcbY31o/5PedUut
JCK5RMwl+IJGaxrKf1OmCQfzXlkM09ijZx8kzPIlBk
5hulZrbUWjzBJdFcwFAyPM3yCuv3+ndFX00t3ZLfKu+/wX595J

vyatta@WEST>

Generate a Digital Signature on EAST

In this example, you generate EAST’s digital signature. This signature will have two
parts: a public part (the public key) and a private part (the private key). The public key
will be shared with WEST; the private key will remain secret.
To generate an RSA digital signature for system EAST, perform the following steps in
operational mode.
Example 2‐10 Generating a digital signature on EAST

Step Command

Generate the key. vyatta@EAST> generate vpn rsa‐key

The system warns you that the A local RSA key file already exists and will be overwritten
existing RSA key file will be <CTRL>C to exit: 5
overwritten. You have the
opportunity to exit the key
generation process by pressing
<Ctrl>+c.

The system indicates the Generating rsa‐key to /config/ipsec.d/rsa‐keys/localhost.key

location of the file where the
key will be written.

VPN 6.5R1 v01 Vyatta

Chapter 2: IPsec Site‐to‐Site VPN IPsec Site‐to‐Site VPN Configuration 35

Example 2‐10 Generating a digital signature on EAST

The system displays the public Your new local RSA key has been generated
portion of the generated key. The public portion of the key is:
By default, this key (including
the private portion of the key) is 0sAQOVBIJL+rIkpTuwh8FPeceAF0bhgLr++W51bOAIjFbRDbR8gX3Vlz6wi
stored in UbMgGwQxWlYQiqsCeacicsfZx/amlEn9PkSE4e7tqK/JQo40L5C7gcNM24m
/config/ipsec.d/rsa‐keys/ up1d+0WmN3zLb9Qhmq5q3pNJxEwnVbPPQeIdZMJxnb1+lA8DPC3SIxJM/3a
localhost.key t1/KrwqCAhX3QNFY/zNmOtFogELCeyl4+d54wQljA+3dwFAQ4bboJ7YIDs+
rqORxWd3l3I7IajT/pLrwr5eZ8OA9NtAedbMiCwxyuyUbznxXZ8Z/MAi3xj
L1pjYyWjNNiOij82QJfMOrjoXVCfcPn96ZN+Jqk+KknoVeNDwzpoahFOseJ
REeXzkw3/lkMN9N1

vyatta@EAST>

Record EAST’s Public Key on WEST

In this example, you record the public key you have obtained from EAST. The key is
then saved under a name that you can refer to in site-to-site configuration.
A digital signature can be typed in manually, but digital signatures are lengthy and
difficult to type. It is generally easier to copy the digital signature into the clipboard of
your system and then paste it into the configuration. You do this in a number of ways;
for example:
• Receive the public key from the operator of the VPN peer in an e-mail—perhaps an
e-mail protected by a PGP signature. Copy the key text into your clipboard.
• From an X.509 certificate, provided by a Certificate Agency.
• Connect to the VPN peer directly through a Telnet or SSH control session. View
view the public portion of the key using a show command, select the text, and copy
the key text into your clipboard.
Example 2-11 pastes EAST’s public key into RSA configuration. The name
“EAST-key” is used as the identifier of the key.
Before you begin, copy EAST’s public key into your clipboard.

VPN 6.5R1 v01 Vyatta

Chapter 2: IPsec Site‐to‐Site VPN IPsec Site‐to‐Site VPN Configuration 36

If you are in operational mode on WEST, enter configuration mode now and perform the
following steps:
Example 2‐11 Record EAST’s public key on WEST

Step Command
Specify a name for EAST’s public vyatta@WEST# set vpn rsa‐keys rsa‐key‐name EAST‐key rsa‐key
key and paste EAST’s public key 0sAQOVBIJL+rIkpTuwh8FPeceAF0bhgLr++W51bOAIjFb
into the configuration. RDbR8gX3Vlz6wiUbMgGwQxWlYQiqsCeacicsfZx/amlEn9PkSE4e7tqK/JQ
o40L5C7gcNM24mup1d+0WmN3zLb9Qhmq5q3pNJxEwnVbPPQeIdZMJxnb1+l
A8DPC3SIxJM/3at1/KrwqCAhX3QNFY/zNmOtFogELCeyl4+d54wQljA+3dw
FAQ4bboJ7YIDs+rqORxWd3l3I7IajT/pLrwr5eZ8OA9NtAedbMiCwxyuyUb
znxXZ8Z/MAi3xjL1pjYyWjNNiOij82QJfMOrjoXVCfcPn96ZN+Jqk+KknoV
eNDwzpoahFOseJREeXzkw3/lkMN9N1

Commit the configuration. vyatta@WEST# commit

View the configuration for RSA vyatta@WEST# show vpn rsa‐keys

keys.
Since you have not changed the rsa‐key‐name EAST‐key {
configuration for the local host’s rsa‐key 0sAQOVBIJL+rIkpTuwh8FPeceAF0bhgLr++
key, it does not display. W51bOAIjFbRDbR8gX3Vlz6wiUbMgGwQxWlYQiqsCeacicsfZx/amlEn9PkS
E4e7tqK/JQo40L5C7gcNM24mup1d+0WmN3zLb9Qhmq5q3pNJxEwnVbPPQeI
dZMJxnb1+lA8DPC3SIxJM/3at1/KrwqCAhX3QNFY/zNmOtFogELCeyl4+d5
4wQljA+3dwFAQ4bboJ7YIDs+rqORxWd3l3I7IajT/pLrwr5eZ8OA9NtAedb
MiCwxyuyUbznxXZ8Z/MAi3xjL1pjYyWjNNiOij82QJfMOrjoXVCfcPn96ZN
+Jqk+KknoVeNDwzpoahFOseJREeXzkw3/lkMN9N1
}

vyatta@WEST#

Modify WEST’s Connection to EAST

Example 2-12 modifies the connection from WEST to EAST to use RSA digital
signatures for authentication. In this example:
• The authentication mode is changed from pre-shared secret to RSA digital
signatures.
• EAST’s public key is specified as the remote key, under the identifier configured in
the previous step (see “Record EAST’s Public Key on WEST” on page 35).
To modify the site-to-site connection to use RSA configuration, perform the
following steps:
Example 2‐12 Configure WEST for RSA authentication

Step Command

Remove the pre‐shared key. vyatta@WEST# delete vpn ipsec site‐to‐site peer
192.0.2.33 authentication pre‐shared‐secret

VPN 6.5R1 v01 Vyatta

Chapter 2: IPsec Site‐to‐Site VPN IPsec Site‐to‐Site VPN Configuration 37

Example 2‐12 Configure WEST for RSA authentication

Change the authentication vyatta@WEST# set vpn ipsec site‐to‐site peer 192.0.2.33
mode authentication mode rsa

Provide the identifier for EAST’s vyatta@WEST# set vpn ipsec site‐to‐site peer 192.0.2.33
digital signature. authentication rsa‐key‐name EAST‐key

Commit the configuration. vyatta@WEST# commit

View the modified configuration vyatta@WEST# show vpn ipsec site‐to‐site peer 192.0.2.33
for the site‐to‐site connection. authentication {
mode rsa
rsa‐key‐name EAST‐key
}
default‐esp‐group ESP‐1W
ike‐group IKE‐1W
local‐address 192.0.2.1
tunnel 1 {
local {
prefix 192.168.40.0/24
}
remote {
prefix 192.168.60.0/24
}
}

View IPsec interface vyatta@WEST# show vpn ipsec ipsec‐interfaces

configuration. interface eth1

View Ethernet interface eth1 vyatta@WEST# show interfaces ethernet eth1 address
address configuration. address 192.0.2.1/27
local‐address is set to this
address.

Record WEST’s Public Key on EAST

Example 2-13 pastes WEST’s public key into RSA configuration. The name
“WEST-key” is used as the identifier of the key.
Before you begin, copy WEST’s public key into your clipboard.

VPN 6.5R1 v01 Vyatta

Chapter 2: IPsec Site‐to‐Site VPN IPsec Site‐to‐Site VPN Configuration 38

If you are in operational mode on EAST, enter configuration mode now and perform the
following steps:
Example 2‐13 Record WEST’s public key on EAST

Step Command
Specify a name for WEST’s vyatta@EAST# set vpn rsa‐keys rsa‐key‐name WEST‐key rsa‐key
public key and paste WEST’s 0sAQPEOQvukvkv1ofuO8gEKp7IFFZz4lQqMZyVMIno
public key into the QKUU/T0iKSK/0NSH9Ldrr8yQUFayzKag6wM7ASXWXKyt0LS1Gn8tJVsjKGa
configuration. OkFgLREtVJD3pRzoc7DSUOBViCD6f/TloTkPepRUtW1bmYev2H7tajSO0K0
rqu+7nlocZI0ppMAyF6CS+Wd5W1JBpVGL+EkKfyEl9RagKxRW82XJbgY4LG
77K2YDN90Wd2GgMY3kf+YJLIzFEt/xRbh2/380FMpdaUYcbY31o/5PedUut
JCK5RMwl+IJGaxrKf1OmCQfzXlkM09ijZx8kzPIlBk
5hulZrbUWjzBJdFcwFAyPM3yCuv3+ndFX00t3ZLfKu+/wX595J

Commit the configuration. vyatta@EAST# commit

View the configuration for RSA vyatta@EAST# show vpn rsa‐keys

keys.
Since you have not changed the rsa‐key‐name WEST‐key {
configuration for the local host’s rsa‐key 0sAQPEOQvukvkv1ofuO8gEKp7IFFZz4lQqMZy
key, it does not display. VMInoQKUU/T0iKSK/0NSH9Ldrr8yQUFayzKag6wM7ASXWXKyt0LS1Gn8tJV
sjKGaOkFgLREtVJD3pRzoc7DSUOBViCD6f/TloTkPepRUtW1bmYev2H7taj
SO0K0
rqu+7nlocZI0ppMAyF6CS+Wd5W1JBpVGL+EkKfyEl9RagKxRW82XJbgY4LG
77K2YDN90Wd2GgMY3kf+YJLIzFEt/xRbh2/380FMpdaUYcbY31o/5PedUut
JCK5RMwl+IJGaxrKf1OmCQfzXlkM09ijZx8kzPIlBk
5hulZrbUWjzBJdFcwFAyPM3yCuv3+ndFX00t3ZLfKu+/wX595J
}

vyatta@EAST#

Modify EAST’s Connection to WEST

Example 2-14 modifies the connection from EAST to WEST to use RSA digital
signatures for authentication.
In this example:
• The authentication mode is changed from pre-shared secret to RSA digital
signatures.
• WEST’s public key is specified as the remote key, under the identifier configured in
the previous step (see “Record WEST’s Public Key on EAST” on page 37).

VPN 6.5R1 v01 Vyatta

Chapter 2: IPsec Site‐to‐Site VPN IPsec Site‐to‐Site VPN Configuration 39

To modify the site-to-site connection to use RSA configuration, perform the

following steps:
Example 2‐14 Configure EAST for RSA authentication

Step Command
Remove the pre‐shared key. vyatta@EAST# delete vpn ipsec site‐to‐site peer 192.0.2.1
authentication pre‐shared‐secret

Change the authentication vyatta@EAST# set vpn ipsec site‐to‐site peer 192.0.2.1
mode authentication mode rsa

Provide the identifier for WEST’s vyatta@EAST# set vpn ipsec site‐to‐site peer 192.0.2.1
digital signature. authentication rsa‐key‐name WEST‐key

Commit the configuration. vyatta@EAST# commit

View the modified configuration vyatta@EAST# show vpn ipsec site‐to‐site peer 192.0.2.1
for the site‐to‐site connection. authentication {
mode rsa
rsa‐key WEST‐key
}
default‐esp‐group ESP‐1E
ike‐group IKE‐1E
local‐address 192.0.2.33
tunnel 1 {
local {
prefix 192.168.60.0/24
}
remote {
prefix 192.168.40.0/24
}
}

View IPsec interface vyatta@EAST# show vpn ipsec ipsec‐interfaces

configuration. interface eth0

View Ethernet interface eth0 vyatta@EAST# show interfaces ethernet eth0 address
address configuration. address 192.0.2.33/27
local‐address is set to this
address.

Authenticating with X.509 Certificates

This section presents the following topics:
• Modify WEST’s Connection to EAST
• Modify EAST’s Connection to WEST

VPN 6.5R1 v01 Vyatta

Chapter 2: IPsec Site‐to‐Site VPN IPsec Site‐to‐Site VPN Configuration 40

In this set of examples, you modify the VPN connection configured in the basic set of
examples between WEST and EAST (“Configuring a Basic Site-to-Site Connection” on
page 20). The site-to-site connection created in that set of examples used pre-shared keys
for authentication. This set of examples modifies the configuration to use X.509
certificates for authentication.
In general, the procedure for obtaining the files required to authenticate using X.509
certificates is as follows:
1 Generate the private key and a certificate signing request (CSR) (based on the public
key). This can be accomplished using generate vpn x509 key-pair <name> (for
example, generate vpn x509 key-pair west, where west.key is the private key and
west.csr is the certificate signing request file—both created in /config/auth).
2 Send the CSR file (for example, west.csr) to the certificate authority (CA) and
receive back a server certificate (for example, west.crt), the CA certificate (for
example, ca.crt), and potentially, a certificate revocation list (CRL) file. This
procedure varies according to the CA being used.
At this point the configuration can be modified to use these files.

Modify WEST’s Connection to EAST

Example 2-15 modifies the connection from WEST to EAST to use X.509 certificates
for authentication. In this example:
• The authentication mode is changed from pre-shared secret to X.509 certificates.
• The certificate for the peer is identified using its Distinguished Name information.
This is the information prompted for when creating the certificate signing request
(CSR) file on the peer.
• The locations of the CA certificate, the server certificate, and the private key file for
the server are specified.
To modify the site-to-site connection to use X.509 certificate authentication, perform the
following steps:
Example 2‐15 Configure WEST for X.509 certificate authentication

Step Command
Remove the pre‐shared key. vyatta@WEST# delete vpn ipsec site‐to‐site peer 192.0.2.33
authentication pre‐shared‐secret

Change the authentication vyatta@WEST# set vpn ipsec site‐to‐site peer 192.0.2.33
mode. authentication mode x509

Specify the ‘distinguished name’ vyatta@WEST# set vpn ipsec site‐to‐site peer 192.0.2.33
of the certificate for the peer. authentication remote‐id “C=US, ST=CA, O=ABC Company,
CN=east, [email protected]”
VPN 6.5R1 v01
Vyatta