VPN: IKEv2: add example for left/right routers
This commit is contained in:
parent
7a4d11b302
commit
d593351b35
BIN
docs/_static/images/vpn_s2s_ikev2.png
vendored
Normal file
BIN
docs/_static/images/vpn_s2s_ikev2.png
vendored
Normal file
Binary file not shown.
1
docs/draw.io/vpn_s2s_ikev2.drawio
Normal file
1
docs/draw.io/vpn_s2s_ikev2.drawio
Normal file
@ -0,0 +1 @@
|
||||
<mxfile modified="2019-07-18T20:12:29.116Z" host="www.draw.io" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36" etag="se-JT0q6YZwCfwyGJaAA" version="10.9.8" type="device"><diagram name="Page-1" id="c37626ed-c26b-45fb-9056-f9ebc6bb27b6">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</diagram></mxfile>
|
||||
@ -115,11 +115,23 @@ rules. (if you used the default configuration at the top of this page)
|
||||
IKEv2
|
||||
^^^^^
|
||||
|
||||
.. note:: This is just a preliminary config which should be extended!
|
||||
Imagine the following topology
|
||||
|
||||
.. figure:: ../_static/images/vpn_s2s_ikev2.png
|
||||
:scale: 50 %
|
||||
:alt: IPSec IKEv2 site2site VPN
|
||||
|
||||
IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio)
|
||||
|
||||
|
||||
.. note:: Don't get confused about the used /31 tunnel subnet. RFC3031_ gives
|
||||
you additional information for using /31 subnets on point-to-point links.
|
||||
|
||||
**left**
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
set interfaces vti vti10 address '10.0.0.1/30'
|
||||
set interfaces vti vti10 address '10.0.0.2/31'
|
||||
|
||||
set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
|
||||
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
|
||||
@ -137,13 +149,50 @@ IKEv2
|
||||
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
|
||||
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
|
||||
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
|
||||
set vpn ipsec site-to-site peer 2.2.2.2 authentication id '1.1.1.1'
|
||||
set vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret 'secretkey'
|
||||
set vpn ipsec site-to-site peer 2.2.2.2 authentication remote-id '2.2.2.2'
|
||||
set vpn ipsec site-to-site peer 2.2.2.2 connection-type 'initiate'
|
||||
set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'IKEv2_DEFAULT'
|
||||
set vpn ipsec site-to-site peer 2.2.2.2 ikev2-reauth 'inherit'
|
||||
set vpn ipsec site-to-site peer 2.2.2.2 local-address '1.1.1.1'
|
||||
set vpn ipsec site-to-site peer 2.2.2.2 vti bind 'vti10'
|
||||
set vpn ipsec site-to-site peer 2.2.2.2 vti esp-group 'ESP_DEFAULT'
|
||||
set vpn ipsec ipsec-interfaces interface 'eth0.201'
|
||||
set vpn ipsec site-to-site peer 172.18.202.10 authentication id '172.18.201.10'
|
||||
set vpn ipsec site-to-site peer 172.18.202.10 authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer 172.18.202.10 authentication pre-shared-secret 'secretkey'
|
||||
set vpn ipsec site-to-site peer 172.18.202.10 authentication remote-id '172.18.202.10'
|
||||
set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'initiate'
|
||||
set vpn ipsec site-to-site peer 172.18.202.10 ike-group 'IKEv2_DEFAULT'
|
||||
set vpn ipsec site-to-site peer 172.18.202.10 ikev2-reauth 'inherit'
|
||||
set vpn ipsec site-to-site peer 172.18.202.10 local-address '172.18.201.10'
|
||||
set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti10'
|
||||
set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'ESP_DEFAULT'
|
||||
|
||||
**right**
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
set interfaces vti vti10 address '10.0.0.3/31'
|
||||
|
||||
set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
|
||||
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
|
||||
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
|
||||
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
|
||||
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
|
||||
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
|
||||
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
|
||||
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
|
||||
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
|
||||
set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
|
||||
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
|
||||
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
|
||||
set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
|
||||
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
|
||||
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
|
||||
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
|
||||
set vpn ipsec ipsec-interfaces interface 'eth0.202'
|
||||
set vpn ipsec site-to-site peer 172.18.201.10 authentication id '172.18.202.10'
|
||||
set vpn ipsec site-to-site peer 172.18.201.10 authentication mode 'pre-shared-secret'
|
||||
set vpn ipsec site-to-site peer 172.18.201.10 authentication pre-shared-secret 'secretkey'
|
||||
set vpn ipsec site-to-site peer 172.18.201.10 authentication remote-id '172.18.201.10'
|
||||
set vpn ipsec site-to-site peer 172.18.201.10 connection-type 'initiate'
|
||||
set vpn ipsec site-to-site peer 172.18.201.10 ike-group 'IKEv2_DEFAULT'
|
||||
set vpn ipsec site-to-site peer 172.18.201.10 ikev2-reauth 'inherit'
|
||||
set vpn ipsec site-to-site peer 172.18.201.10 local-address '172.18.202.10'
|
||||
set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti10'
|
||||
set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'ESP_DEFAULT'
|
||||
|
||||
.. _RFC3031: https://tools.ietf.org/html/rfc3021
|
||||
|
||||