vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-10-26 08:41:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

vpn: update site2site VTI example

Browse Source
This commit is contained in:
Christian Breunig 2023-12-02 20:54:17 +01:00
parent d4d3efe7fb
commit 0429c31788
1 changed files with 67 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
docs/configuration/vpn/site2site_ipsec.rst
View File

@ -308,31 +308,35 @@ Imagine the following topology
set interfaces dummy dum0 address '10.0.11.1/24'
set interfaces vti vti10 address '10.0.0.2/31'
set vpn ipsec option disable-route-autoinstall
set vpn ipsec authentication psk OFFICE-B id '172.18.201.10'
set vpn ipsec authentication psk OFFICE-B id '172.18.202.10'
set vpn ipsec authentication psk OFFICE-B secret 'secretkey'
set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.201.10'
set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.202.10'
set vpn ipsec authentication psk peer_172-18-202-10 secret 'secretkey'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0.201'
set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10'
set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer OFFICE-B local-address '172.18.201.10'
set vpn ipsec site-to-site peer OFFICE-B remote-address '172.18.202.10'
set vpn ipsec site-to-site peer OFFICE-B vti bind 'vti10'
set vpn ipsec site-to-site peer OFFICE-B vti esp-group 'ESP_DEFAULT'
set vpn ipsec site-to-site peer peer_172-18-202-10 authentication local-id '172.18.201.10'
set vpn ipsec site-to-site peer peer_172-18-202-10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_172-18-202-10 authentication remote-id '172.18.202.10'
set vpn ipsec site-to-site peer peer_172-18-202-10 connection-type 'initiate'
set vpn ipsec site-to-site peer peer_172-18-202-10 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer peer_172-18-202-10 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_172-18-202-10 local-address '172.18.201.10'
set vpn ipsec site-to-site peer peer_172-18-202-10 remote-address '172.18.202.10'
set vpn ipsec site-to-site peer peer_172-18-202-10 vti bind 'vti10'
set vpn ipsec site-to-site peer peer_172-18-202-10 vti esp-group 'ESP_DEFAULT'
set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10
@ -344,34 +348,35 @@ Imagine the following topology
set interfaces dummy dum0 address '10.0.12.1/24'
set interfaces vti vti10 address '10.0.0.3/31'
set vpn ipsec option disable-route-autoinstall
set vpn ipsec authentication psk OFFICE-A id '172.18.201.10'
set vpn ipsec authentication psk OFFICE-A id '172.18.202.10'
set vpn ipsec authentication psk OFFICE-A secret 'secretkey'
set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.202.10'
set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.201.10'
set vpn ipsec authentication psk peer_172-18-201-10 secret 'secretkey'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart'
set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0.202'
set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10'
set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '172.18.201.10'
set vpn ipsec site-to-site peer OFFICE-A connection-type 'initiate'
set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer OFFICE-A local-address '172.18.202.10'
set vpn ipsec site-to-site peer OFFICE-A remote-address '172.18.201.10'
set vpn ipsec site-to-site peer OFFICE-A vti bind 'vti10'
set vpn ipsec site-to-site peer OFFICE-A vti esp-group 'ESP_DEFAULT'
set vpn ipsec site-to-site peer peer_172-18-201-10 authentication local-id '172.18.202.10'
set vpn ipsec site-to-site peer peer_172-18-201-10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_172-18-201-10 authentication remote-id '172.18.201.10'
set vpn ipsec site-to-site peer peer_172-18-201-10 connection-type 'initiate'
set vpn ipsec site-to-site peer peer_172-18-201-10 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer peer_172-18-201-10 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_172-18-201-10 local-address '172.18.202.10'
set vpn ipsec site-to-site peer peer_172-18-201-10 remote-address '172.18.201.10'
set vpn ipsec site-to-site peer peer_172-18-201-10 vti bind 'vti10'
set vpn ipsec site-to-site peer peer_172-18-201-10 vti esp-group 'ESP_DEFAULT'
set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10