mirror of
https://github.com/vyos/vyos-documentation.git
synced 2025-10-26 08:41:46 +01:00
Change IPsec authentication PSK and examples
This commit is contained in:
Viacheslav Hletenko
parent
d39ce49e2f
commit
8f61920f01
@ -100,15 +100,18 @@ Vyos configuration
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3'
|
||||
set vpn ipsec authentication psk azure id '198.51.100.3'
|
||||
set vpn ipsec authentication psk azure id '203.0.113.2'
|
||||
set vpn ipsec authentication psk azure secret 'ch00s3-4-s3cur3-psk'
|
||||
set vpn ipsec site-to-site peer azure authentication local-id '198.51.100.3'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5'
|
||||
set vpn ipsec site-to-site peer azure remote-address '203.0.113.2'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE'
|
||||
|
||||
|
||||
@ -103,29 +103,34 @@ Vyos configuration
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1'
|
||||
set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE'
|
||||
set vpn ipsec authentication psk azure id '198.51.100.3'
|
||||
set vpn ipsec authentication psk azure id '203.0.113.2'
|
||||
set vpn ipsec authentication psk azure id '203.0.113.3'
|
||||
set vpn ipsec authentication psk azure secret 'ch00s3-4-s3cur3-psk'
|
||||
|
||||
set vpn ipsec site-to-site peer 203.0.113.3 authentication id '198.51.100.3'
|
||||
set vpn ipsec site-to-site peer 203.0.113.3 authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer 203.0.113.3 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk'
|
||||
set vpn ipsec site-to-site peer 203.0.113.3 authentication remote-id '203.0.113.3'
|
||||
set vpn ipsec site-to-site peer 203.0.113.3 connection-type 'respond'
|
||||
set vpn ipsec site-to-site peer 203.0.113.3 description 'AZURE SECONDARY TUNNEL'
|
||||
set vpn ipsec site-to-site peer 203.0.113.3 ike-group 'AZURE'
|
||||
set vpn ipsec site-to-site peer 203.0.113.3 ikev2-reauth 'inherit'
|
||||
set vpn ipsec site-to-site peer 203.0.113.3 local-address '10.10.0.5'
|
||||
set vpn ipsec site-to-site peer 203.0.113.3 vti bind 'vti2'
|
||||
set vpn ipsec site-to-site peer 203.0.113.3 vti esp-group 'AZURE'
|
||||
set vpn ipsec site-to-site peer azure-primary authentication local-id '198.51.100.3'
|
||||
set vpn ipsec site-to-site peer azure-primary authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer azure-primary authentication remote-id '203.0.113.2'
|
||||
set vpn ipsec site-to-site peer azure-primary connection-type 'respond'
|
||||
set vpn ipsec site-to-site peer azure-primary description 'AZURE PRIMARY TUNNEL'
|
||||
set vpn ipsec site-to-site peer azure-primary ike-group 'AZURE'
|
||||
set vpn ipsec site-to-site peer azure-primary ikev2-reauth 'inherit'
|
||||
set vpn ipsec site-to-site peer azure-primary local-address '10.10.0.5'
|
||||
set vpn ipsec site-to-site peer azure-primary remote-address '203.0.113.2'
|
||||
set vpn ipsec site-to-site peer azure-primary vti bind 'vti1'
|
||||
set vpn ipsec site-to-site peer azure-primary vti esp-group 'AZURE'
|
||||
|
||||
set vpn ipsec site-to-site peer azure-secondary authentication local-id '198.51.100.3'
|
||||
set vpn ipsec site-to-site peer azure-secondary authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer azure-secondary authentication remote-id '203.0.113.3'
|
||||
set vpn ipsec site-to-site peer azure-secondary connection-type 'respond'
|
||||
set vpn ipsec site-to-site peer azure-secondary description 'AZURE secondary TUNNEL'
|
||||
set vpn ipsec site-to-site peer azure-secondary ike-group 'AZURE'
|
||||
set vpn ipsec site-to-site peer azure-secondary ikev2-reauth 'inherit'
|
||||
set vpn ipsec site-to-site peer azure-secondary local-address '10.10.0.5'
|
||||
set vpn ipsec site-to-site peer azure-secondary remote-address '203.0.113.3'
|
||||
set vpn ipsec site-to-site peer azure-secondary vti bind 'vti2'
|
||||
set vpn ipsec site-to-site peer azure-secondary vti esp-group 'AZURE'
|
||||
|
||||
- **Important**: Add an interface route to reach both Azure's BGP listeners
|
||||
|
||||
|
||||
@ -141,29 +141,26 @@ IPSec:
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
set vpn ipsec authentication psk <pre-shared-name> id '%any'
|
||||
set vpn ipsec authentication psk <pre-shared-name> secret <pre-shared-key>
|
||||
set vpn ipsec interface <VPN-interface>
|
||||
set vpn ipsec esp-group test-ESP-1 compression 'disable'
|
||||
set vpn ipsec esp-group test-ESP-1 lifetime '3600'
|
||||
set vpn ipsec esp-group test-ESP-1 mode 'transport'
|
||||
set vpn ipsec esp-group test-ESP-1 pfs 'enable'
|
||||
set vpn ipsec esp-group test-ESP-1 proposal 1 encryption 'aes128'
|
||||
set vpn ipsec esp-group test-ESP-1 proposal 1 hash 'sha1'
|
||||
set vpn ipsec ike-group test-IKE-1 ikev2-reauth 'no'
|
||||
set vpn ipsec ike-group test-IKE-1 key-exchange 'ikev1'
|
||||
set vpn ipsec ike-group test-IKE-1 lifetime '3600'
|
||||
set vpn ipsec ike-group test-IKE-1 proposal 1 dh-group '5'
|
||||
set vpn ipsec ike-group test-IKE-1 proposal 1 encryption 'aes128'
|
||||
set vpn ipsec ike-group test-IKE-1 proposal 1 hash 'sha1'
|
||||
set vpn ipsec site-to-site peer <peer-ip> authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer <peer-ip> authentication pre-shared-secret <pre-shared-key>
|
||||
set vpn ipsec site-to-site peer <peer-ip> connection-type 'initiate'
|
||||
set vpn ipsec site-to-site peer <peer-ip> ike-group 'test-IKE-1'
|
||||
set vpn ipsec site-to-site peer <peer-ip> ikev2-reauth 'inherit'
|
||||
set vpn ipsec site-to-site peer <peer-ip> local-address <local-ip>
|
||||
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-nat-networks 'disable'
|
||||
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-public-networks 'disable'
|
||||
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 esp-group 'test-ESP-1'
|
||||
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 protocol 'l2tp'
|
||||
set vpn ipsec site-to-site peer <connection-name> authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer <connection-name> connection-type 'initiate'
|
||||
set vpn ipsec site-to-site peer <connection-name> ike-group 'test-IKE-1'
|
||||
set vpn ipsec site-to-site peer <connection-name> ikev2-reauth 'inherit'
|
||||
set vpn ipsec site-to-site peer <connection-name> local-address <local-ip>
|
||||
set vpn ipsec site-to-site peer <connection-name> tunnel 1 esp-group 'test-ESP-1'
|
||||
set vpn ipsec site-to-site peer <connection-name> tunnel 1 protocol 'l2tp'
|
||||
|
||||
Bridge:
|
||||
|
||||
|
||||
@ -697,17 +697,22 @@ too.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
set vpn ipsec site-to-site peer 198.51.100.243 authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer 198.51.100.243 authentication pre-shared-secret 'PASSWORD IS HERE'
|
||||
set vpn ipsec site-to-site peer 198.51.100.243 connection-type 'initiate'
|
||||
set vpn ipsec site-to-site peer 198.51.100.243 default-esp-group 'my-esp'
|
||||
set vpn ipsec site-to-site peer 198.51.100.243 ike-group 'my-ike'
|
||||
set vpn ipsec site-to-site peer 198.51.100.243 ikev2-reauth 'inherit'
|
||||
set vpn ipsec site-to-site peer 198.51.100.243 local-address '203.0.113.46'
|
||||
set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 local prefix '172.29.41.89/32'
|
||||
set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 remote prefix '172.27.1.0/24'
|
||||
set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 local prefix '172.29.41.89/32'
|
||||
set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 remote prefix '10.125.0.0/16'
|
||||
set vpn ipsec authentication psk vyos id '203.0.113.46'
|
||||
set vpn ipsec authentication psk vyos id '198.51.100.243'
|
||||
set vpn ipsec authentication psk vyos secret 'MYSECRETPASSWORD'
|
||||
set vpn ipsec site-to-site peer branch authentication local-id '203.0.113.46'
|
||||
set vpn ipsec site-to-site peer branch authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer branch authentication remote-id '198.51.100.243'
|
||||
set vpn ipsec site-to-site peer branch connection-type 'initiate'
|
||||
set vpn ipsec site-to-site peer branch default-esp-group 'my-esp'
|
||||
set vpn ipsec site-to-site peer branch ike-group 'my-ike'
|
||||
set vpn ipsec site-to-site peer branch ikev2-reauth 'inherit'
|
||||
set vpn ipsec site-to-site peer branch local-address '203.0.113.46'
|
||||
set vpn ipsec site-to-site peer branch remote-address '198.51.100.243'
|
||||
set vpn ipsec site-to-site peer branch tunnel 0 local prefix '172.29.41.89/32'
|
||||
set vpn ipsec site-to-site peer branch tunnel 0 remote prefix '172.27.1.0/24'
|
||||
set vpn ipsec site-to-site peer branch tunnel 1 local prefix '172.29.41.89/32'
|
||||
set vpn ipsec site-to-site peer branch tunnel 1 remote prefix '10.125.0.0/16'
|
||||
|
||||
Testing and Validation
|
||||
""""""""""""""""""""""
|
||||
|
||||
@ -63,39 +63,50 @@ Side A:
|
||||
|
||||
.. code-block::
|
||||
|
||||
|
||||
set interfaces vti vti1 address '192.168.1.2/24'
|
||||
set vpn ipsec authentication psk right id '10.10.10.2'
|
||||
set vpn ipsec authentication psk right id '10.10.10.1'
|
||||
set vpn ipsec authentication psk right secret 'Qwerty123'
|
||||
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
|
||||
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
|
||||
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
|
||||
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
|
||||
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
|
||||
set vpn ipsec interface 'eth0'
|
||||
set vpn ipsec site-to-site peer 10.10.10.1 authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer 10.10.10.1 authentication pre-shared-secret 'Qwerty123'
|
||||
set vpn ipsec site-to-site peer 10.10.10.1 connection-type 'initiate'
|
||||
set vpn ipsec site-to-site peer 10.10.10.1 default-esp-group 'MyESPGroup'
|
||||
set vpn ipsec site-to-site peer 10.10.10.1 ike-group 'MyIKEGroup'
|
||||
set vpn ipsec site-to-site peer 10.10.10.1 local-address '10.10.10.2'
|
||||
set vpn ipsec site-to-site peer 10.10.10.1 vti bind 'vti1'
|
||||
set vpn ipsec site-to-site peer right authentication local-id '10.10.10.2'
|
||||
set vpn ipsec site-to-site peer right authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer right authentication remote-id '10.10.10.1'
|
||||
set vpn ipsec site-to-site peer right connection-type 'initiate'
|
||||
set vpn ipsec site-to-site peer right default-esp-group 'MyESPGroup'
|
||||
set vpn ipsec site-to-site peer right ike-group 'MyIKEGroup'
|
||||
set vpn ipsec site-to-site peer right local-address '10.10.10.2'
|
||||
set vpn ipsec site-to-site peer right remote-address '10.10.10.1'
|
||||
set vpn ipsec site-to-site peer right vti bind 'vti1'
|
||||
|
||||
Side B:
|
||||
|
||||
.. code-block::
|
||||
|
||||
set interfaces vti vti1 address '192.168.1.1/24'
|
||||
set vpn ipsec authentication psk left id '10.10.10.2'
|
||||
set vpn ipsec authentication psk left id '10.10.10.1'
|
||||
set vpn ipsec authentication psk left secret 'Qwerty123'
|
||||
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
|
||||
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
|
||||
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
|
||||
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
|
||||
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
|
||||
set vpn ipsec interface 'eth0'
|
||||
set vpn ipsec site-to-site peer 10.10.10.2 authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer 10.10.10.2 authentication pre-shared-secret 'Qwerty123'
|
||||
set vpn ipsec site-to-site peer 10.10.10.2 connection-type 'initiate'
|
||||
set vpn ipsec site-to-site peer 10.10.10.2 default-esp-group 'MyESPGroup'
|
||||
set vpn ipsec site-to-site peer 10.10.10.2 ike-group 'MyIKEGroup'
|
||||
set vpn ipsec site-to-site peer 10.10.10.2 local-address '10.10.10.1'
|
||||
set vpn ipsec site-to-site peer 10.10.10.2 vti bind 'vti1'
|
||||
set vpn ipsec site-to-site peer left authentication local-id '10.10.10.1'
|
||||
set vpn ipsec site-to-site peer left authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer left authentication remote-id '10.10.10.2'
|
||||
set vpn ipsec site-to-site peer left connection-type 'initiate'
|
||||
set vpn ipsec site-to-site peer left default-esp-group 'MyESPGroup'
|
||||
set vpn ipsec site-to-site peer left ike-group 'MyIKEGroup'
|
||||
set vpn ipsec site-to-site peer left local-address '10.10.10.1'
|
||||
set vpn ipsec site-to-site peer left remote-address '10.10.10.2'
|
||||
set vpn ipsec site-to-site peer left vti bind 'vti1'
|
||||
|
||||
a bandwidth test over the VPN got these results:
|
||||
|
||||
|
||||
@ -202,6 +202,11 @@ On the LEFT:
|
||||
## IPsec
|
||||
set vpn ipsec interface eth0
|
||||
|
||||
# Pre-shared-secret
|
||||
set vpn ipsec authentication psk vyos id 192.0.2.10
|
||||
set vpn ipsec authentication psk vyos id 203.0.113.45
|
||||
set vpn ipsec authentication psk vyos secret MYSECRETKEY
|
||||
|
||||
# IKE group
|
||||
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
|
||||
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128'
|
||||
@ -213,7 +218,6 @@ On the LEFT:
|
||||
|
||||
# IPsec tunnel
|
||||
set vpn ipsec site-to-site peer right authentication mode pre-shared-secret
|
||||
set vpn ipsec site-to-site peer right authentication pre-shared-secret MYSECRETKEY
|
||||
set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45
|
||||
|
||||
set vpn ipsec site-to-site peer right ike-group MyIKEGroup
|
||||
|
||||
@ -18,23 +18,29 @@ Each site-to-site peer has the next options:
|
||||
* ``authentication`` - configure authentication between VyOS and a remote peer.
|
||||
Suboptions:
|
||||
|
||||
* ``psk`` - Preshared secret key name:
|
||||
|
||||
* ``dhcp-interface`` - ID for authentication generated from DHCP address
|
||||
dynamically;
|
||||
* ``id`` - static ID's for authentication. In general local and remote
|
||||
address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``;
|
||||
* ``secret`` - predefined shared secret. Used if configured mode
|
||||
``pre-shared-secret``;
|
||||
|
||||
|
||||
* ``local-id`` - ID for the local VyOS router. If defined, during the
|
||||
authentication
|
||||
it will be send to remote peer;
|
||||
|
||||
* ``mode`` - mode for authentication between VyOS and remote peer:
|
||||
|
||||
* ``pre-shared-secret`` - use predefined shared secret phrase, must be the
|
||||
same for local and remote side;
|
||||
* ``pre-shared-secret`` - use predefined shared secret phrase;
|
||||
|
||||
* ``rsa`` - use simple shared RSA key. The key must be defined in the
|
||||
``set vpn rsa-keys`` section;
|
||||
|
||||
* ``x509`` - use certificates infrastructure for authentication.
|
||||
|
||||
* ``pre-shared-secret`` - predefined shared secret. Used if configured
|
||||
``mode pre-shared-secret``;
|
||||
|
||||
* ``remote-id`` - define an ID for remote peer, instead of using peer name or
|
||||
address. Useful in case if the remote peer is behind NAT or if ``mode x509``
|
||||
is used;
|
||||
@ -161,6 +167,9 @@ Example:
|
||||
.. code-block:: none
|
||||
|
||||
# server config
|
||||
set vpn ipsec authentication psk OFFICE-B id '198.51.100.3'
|
||||
set vpn ipsec authentication psk OFFICE-B id '203.0.113.2'
|
||||
set vpn ipsec authentication psk OFFICE-B secret 'SomePreSharedKey'
|
||||
set vpn ipsec esp-group office-srv-esp lifetime '1800'
|
||||
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
|
||||
set vpn ipsec esp-group office-srv-esp pfs 'enable'
|
||||
@ -171,8 +180,8 @@ Example:
|
||||
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
|
||||
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
|
||||
set vpn ipsec interface 'eth1'
|
||||
set vpn ipsec site-to-site peer OFFICE-B authentication local-id '198.51.100.3'
|
||||
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'SomePreSharedKey'
|
||||
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '203.0.113.2'
|
||||
set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike'
|
||||
set vpn ipsec site-to-site peer OFFICE-B local-address '198.51.100.3'
|
||||
@ -182,6 +191,9 @@ Example:
|
||||
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21'
|
||||
|
||||
# remote office config
|
||||
set vpn ipsec authentication psk OFFICE-A id '198.51.100.3'
|
||||
set vpn ipsec authentication psk OFFICE-A id '203.0.113.2'
|
||||
set vpn ipsec authentication psk OFFICE-A secret 'SomePreSharedKey'
|
||||
set vpn ipsec esp-group office-srv-esp lifetime '1800'
|
||||
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
|
||||
set vpn ipsec esp-group office-srv-esp pfs 'enable'
|
||||
@ -192,8 +204,8 @@ Example:
|
||||
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
|
||||
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
|
||||
set vpn ipsec interface 'eth1'
|
||||
set vpn ipsec site-to-site peer OFFICE-A authentication local-id '203.0.113.2'
|
||||
set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'SomePreSharedKey'
|
||||
set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '198.51.100.3'
|
||||
set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike'
|
||||
set vpn ipsec site-to-site peer OFFICE-A local-address '203.0.113.2'
|
||||
@ -279,6 +291,9 @@ Imagine the following topology
|
||||
|
||||
set interfaces vti vti10 address '10.0.0.2/31'
|
||||
|
||||
set vpn ipsec authentication psk OFFICE-B id '172.18.201.10'
|
||||
set vpn ipsec authentication psk OFFICE-B id '172.18.202.10'
|
||||
set vpn ipsec authentication psk OFFICE-B secret 'secretkey'
|
||||
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
|
||||
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
|
||||
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
|
||||
@ -293,7 +308,6 @@ Imagine the following topology
|
||||
set vpn ipsec interface 'eth0.201'
|
||||
set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10'
|
||||
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'secretkey'
|
||||
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10'
|
||||
set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond'
|
||||
set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT'
|
||||
@ -308,6 +322,9 @@ Imagine the following topology
|
||||
|
||||
set interfaces vti vti10 address '10.0.0.3/31'
|
||||
|
||||
set vpn ipsec authentication psk OFFICE-A id '172.18.201.10'
|
||||
set vpn ipsec authentication psk OFFICE-A id '172.18.202.10'
|
||||
set vpn ipsec authentication psk OFFICE-A secret 'secretkey'
|
||||
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
|
||||
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
|
||||
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
|
||||
@ -325,7 +342,6 @@ Imagine the following topology
|
||||
set vpn ipsec interface 'eth0.202'
|
||||
set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10'
|
||||
set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'secretkey'
|
||||
set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '172.18.201.10'
|
||||
set vpn ipsec site-to-site peer OFFICE-A connection-type 'initiate'
|
||||
set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKEv2_DEFAULT'
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user