Given that you have two Vyatta 5600 routers, one called TOK02 and the other SNG02 as shown in figure 1 below, I'm going to show how to establish a site-to-site IPsec VPN between 'tokvyatta' and 'sngvyatta'.
figure 1.
Note : All subnets and IP addresses are provisional, different from the ones I used. If you configure an IPsec VPN based on this article, replace them as appropriate.
0. Prerequisite
Before getting started, there are a few things you should do first.
- Both data plane interfaces used for the IPsec VPN must already be configured. In my case, both interfaces are configured as 'dp0bond1'.
Note : These IP addresses are provisional, different from the ones I used.
tokvyatta
set interfaces bonding dp0bond1 address '161.202.0.1/27'
sngvyatta
set interfaces bonding dp0bond1 address '119.81.0.1/27'
- The subnets to be configured as the local/remote 'prefix' should be associated with the Vyatta beforehand.
1. Set the IKE group for phase 1
First of all, configure the parameters used for the IKE phase 1 negotiation. I named the IKE group 'IKE-1E'.
In my case, I configure the parameters as follows.
- AES-256 : Cipher to encrypt packets during IKE phase 1
- SHA-1 : Hash algorithm to authenticate during IKE phase 1
Actually, you can configure multiple sets of these parameters as "proposals". In my case, I only configure one proposal, called "proposal 1".
You might also want to set the lifetime, which is the duration of the ISAKMP SA. When the lifetime of the ISAKMP SA expires, a new phase 1 negotiation takes place, and new encryption, hash and keying information is established in a new pair of ISAKMP SAs. In this case, the lifetime is set to '3600' (seconds).
tokvyatta
set security vpn ipsec ike-group IKE-1E lifetime '3600'
set security vpn ipsec ike-group IKE-1E proposal 1 dh-group '2'
set security vpn ipsec ike-group IKE-1E proposal 1 encryption 'aes256'
set security vpn ipsec ike-group IKE-1E proposal 1 hash 'sha1'
sngvyatta
set security vpn ipsec ike-group IKE-1E lifetime '3600'
set security vpn ipsec ike-group IKE-1E proposal 1 dh-group '2'
set security vpn ipsec ike-group IKE-1E proposal 1 encryption 'aes256'
set security vpn ipsec ike-group IKE-1E proposal 1 hash 'sha1'
2. Configure ESP group
ESP, Encapsulating Security Payload, is a protocol that provides authentication and encryption for IP packets. In my case, I configured the parameters as follows.
- AES-256 : Cipher to encrypt user data across the IPsec tunnel
- SHA-1 : Hash function to authenticate packets in the IPsec tunnel
tokvyatta
set security vpn ipsec esp-group ESP-1E compression 'disable'
set security vpn ipsec esp-group ESP-1E lifetime '1800'
set security vpn ipsec esp-group ESP-1E mode 'tunnel'
set security vpn ipsec esp-group ESP-1E pfs 'enable'
set security vpn ipsec esp-group ESP-1E proposal 1 encryption 'aes256'
set security vpn ipsec esp-group ESP-1E proposal 1 hash 'sha1'
sngvyatta
set security vpn ipsec esp-group ESP-1E compression 'disable'
set security vpn ipsec esp-group ESP-1E lifetime '1800'
set security vpn ipsec esp-group ESP-1E mode 'tunnel'
set security vpn ipsec esp-group ESP-1E pfs 'enable'
set security vpn ipsec esp-group ESP-1E proposal 1 encryption 'aes256'
set security vpn ipsec esp-group ESP-1E proposal 1 hash 'sha1'
3. Define site-to-site connection
Here, you need to set plenty of parameters, as below. But hang in there: every cloud has a silver lining.
- IP address of the remote router.
- Authentication mode that the peers use to authenticate one another. Vyatta 5600 supports 'pre-shared-secret', 'rsa' and 'x509'. You can check the available modes from the command line with tab completion, as below.
vyatta@tokvyatta1# set security vpn ipsec site-to-site peer 119.81.0.1 authentication mode
Possible Completions:
  pre-shared-secret    Use pre-shared secret key
  rsa                  Use RSA key
  x509                 Use X.509 certificate
[edit]
vyatta@tokvyatta1#
In my case, I will use a "pre-shared secret key (PSK)", which means that the secret, a character string, must be agreed upon beforehand by both parties. Note that the 'pre-shared secret' is not a "password" that someone types in: it is fed into the IKE key derivation to produce the authentication hash that proves the identity of each endpoint. Therefore, the longer and more complex the string is, the harder it is to compromise. In this example, I'll use 'secret-string', which is not a good example.
- IKE group, which you can select from what you configured in "1. Set the IKE group for phase 1".
- ESP group, which you can select from what you configured in "2. Configure ESP group".
tokvyatta
set security vpn ipsec site-to-site peer 119.81.0.1 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 119.81.0.1 authentication pre-shared-secret 'secret-string'
set security vpn ipsec site-to-site peer 119.81.0.1 connection-type 'initiate'
set security vpn ipsec site-to-site peer 119.81.0.1 default-esp-group 'ESP-1E'
set security vpn ipsec site-to-site peer 119.81.0.1 ike-group 'IKE-1E'
set security vpn ipsec site-to-site peer 119.81.0.1 local-address '161.202.0.1'
set security vpn ipsec site-to-site peer 119.81.0.1 tunnel 1 allow-nat-networks 'disable'
set security vpn ipsec site-to-site peer 119.81.0.1 tunnel 1 allow-public-networks 'disable'
set security vpn ipsec site-to-site peer 119.81.0.1 tunnel 1 local prefix '161.202.60.0/29'
set security vpn ipsec site-to-site peer 119.81.0.1 tunnel 1 remote prefix '119.81.40.0/29'
sngvyatta
set security vpn ipsec site-to-site peer 161.202.0.1 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 161.202.0.1 authentication pre-shared-secret 'secret-string'
set security vpn ipsec site-to-site peer 161.202.0.1 connection-type 'initiate'
set security vpn ipsec site-to-site peer 161.202.0.1 default-esp-group 'ESP-1E'
set security vpn ipsec site-to-site peer 161.202.0.1 ike-group 'IKE-1E'
set security vpn ipsec site-to-site peer 161.202.0.1 local-address '119.81.0.1'
set security vpn ipsec site-to-site peer 161.202.0.1 tunnel 1 allow-nat-networks 'disable'
set security vpn ipsec site-to-site peer 161.202.0.1 tunnel 1 allow-public-networks 'disable'
set security vpn ipsec site-to-site peer 161.202.0.1 tunnel 1 local prefix '119.81.40.0/29'
set security vpn ipsec site-to-site peer 161.202.0.1 tunnel 1 remote prefix '161.202.60.0/29'
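Most site-to-site failures come from the two sides not being exact mirrors of each other (peer address vs. local-address, local prefix vs. remote prefix, differing proposals or secrets). The script below is an added example, not part of the article or the Vyatta product: it parses the `set security vpn ipsec ...` lines of both routers and reports a MISMATCH where the tunnel would not come up, and a WEAK finding for parameters that work but are worth revisiting (the 1024-bit DH group 2 and SHA-1 used in the article, and the 13-character 'secret-string'). The constants and function names (TOKVYATTA, SNGVYATTA, check_pair, and so on) are assumptions of this example; the addresses are the article's provisional ones.

```python
"""Mirror-consistency and hygiene check for a pair of Vyatta 5600
site-to-site IPsec configurations (added example, not part of the
article).  Parses the `set security vpn ipsec ...` lines of both routers
and reports MISMATCH (tunnel will not establish) and WEAK (tunnel will
establish, but the parameter deserves a second look) findings."""
import re
import shlex

# Constructed sample input: the article's tokvyatta lines that matter to
# this checker (provisional addresses, as in the article).
TOKVYATTA = """
set security vpn ipsec ike-group IKE-1E lifetime '3600'
set security vpn ipsec ike-group IKE-1E proposal 1 dh-group '2'
set security vpn ipsec ike-group IKE-1E proposal 1 encryption 'aes256'
set security vpn ipsec ike-group IKE-1E proposal 1 hash 'sha1'
set security vpn ipsec esp-group ESP-1E lifetime '1800'
set security vpn ipsec esp-group ESP-1E pfs 'enable'
set security vpn ipsec esp-group ESP-1E proposal 1 encryption 'aes256'
set security vpn ipsec esp-group ESP-1E proposal 1 hash 'sha1'
set security vpn ipsec site-to-site peer 119.81.0.1 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 119.81.0.1 authentication pre-shared-secret 'secret-string'
set security vpn ipsec site-to-site peer 119.81.0.1 default-esp-group 'ESP-1E'
set security vpn ipsec site-to-site peer 119.81.0.1 ike-group 'IKE-1E'
set security vpn ipsec site-to-site peer 119.81.0.1 local-address '161.202.0.1'
set security vpn ipsec site-to-site peer 119.81.0.1 tunnel 1 local prefix '161.202.60.0/29'
set security vpn ipsec site-to-site peer 119.81.0.1 tunnel 1 remote prefix '119.81.40.0/29'
"""
# sngvyatta is the mirror image: peer/local addresses and prefixes swapped.
SNGVYATTA = (TOKVYATTA.replace("119.81.0.1", "@PEER@")
             .replace("161.202.0.1", "119.81.0.1").replace("@PEER@", "161.202.0.1")
             .replace("161.202.60.0/29", "@PFX@")
             .replace("119.81.40.0/29", "161.202.60.0/29").replace("@PFX@", "119.81.40.0/29"))

SET_PREFIX = ["set", "security", "vpn", "ipsec"]
WEAK_DH = {"1", "2", "5"}        # 768/1024/1536-bit MODP groups
WEAK_HASH = {"md5", "sha1"}


def parse_set_lines(text):
    """Flatten `set security vpn ipsec <path> '<value>'` into {path: value}."""
    cfg = {}
    for line in text.splitlines():
        tokens = shlex.split(line)          # shlex also strips the quotes
        if tokens[:4] != SET_PREFIX or len(tokens) < 6:
            continue
        cfg[" ".join(tokens[4:-1])] = tokens[-1]
    return cfg


def peer_address(cfg):
    for key in cfg:
        m = re.match(r"site-to-site peer (\S+) ", key)
        if m:
            return m.group(1)
    raise ValueError("no site-to-site peer configured")


def group_params(cfg, kind, name):
    """ike-group/esp-group parameters with the group name stripped, so the
    two routers may name their groups differently and still compare equal."""
    prefix = f"{kind} {name} "
    return {k[len(prefix):]: v for k, v in cfg.items() if k.startswith(prefix)}


def _side(name, text):
    cfg = parse_set_lines(text)
    peer = peer_address(cfg)
    return name, cfg, peer, f"site-to-site peer {peer} "


def check_pair(text_a, text_b):
    """Return a list of 'MISMATCH: ...' and 'WEAK: ...' strings."""
    findings = []
    sides = (_side("a", text_a), _side("b", text_b))
    # Directional checks, run from each side's point of view.
    for (mn, mc, mpeer, mp), (on, oc, _, op) in (sides, sides[::-1]):
        if oc.get(op + "local-address") != mpeer:
            findings.append(f"MISMATCH: {mn} peers with {mpeer}, but {on} "
                            f"local-address is {oc.get(op + 'local-address')}")
        mine = mc.get(mp + "tunnel 1 local prefix")
        theirs = oc.get(op + "tunnel 1 remote prefix")
        if mine != theirs:
            findings.append(f"MISMATCH: {mn} local prefix {mine} != {on} remote prefix {theirs}")
    (_, a, _, ap), (_, b, _, bp) = sides
    # Symmetric checks: secret and proposal groups must be identical.
    psk = a.get(ap + "authentication pre-shared-secret", "")
    if psk != b.get(bp + "authentication pre-shared-secret"):
        findings.append("MISMATCH: pre-shared secrets differ")
    elif len(psk) < 20:
        findings.append(f"WEAK: pre-shared secret is only {len(psk)} characters")
    for kind, key in (("ike-group", "ike-group"), ("esp-group", "default-esp-group")):
        ga = group_params(a, kind, a.get(ap + key, ""))
        gb = group_params(b, kind, b.get(bp + key, ""))
        if ga != gb:
            findings.append(f"MISMATCH: {kind} parameters differ: {ga} vs {gb}")
        for param, value in ga.items():
            if param.endswith("dh-group") and value in WEAK_DH:
                findings.append(f"WEAK: {kind} {param} = {value} (MODP group below 2048 bits)")
            if param.endswith("hash") and value in WEAK_HASH:
                findings.append(f"WEAK: {kind} {param} = {value}")
    return findings


if __name__ == "__main__":
    for finding in check_pair(TOKVYATTA, SNGVYATTA) or ["OK: configurations mirror each other"]:
        print(finding)
```

Run against the article's configuration, it reports no MISMATCH and four WEAK findings; change one prefix on either side and the corresponding MISMATCH line appears. The group comparison strips the group name on purpose, so the two routers may call their groups whatever they like as long as the proposals inside agree.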
4. Confirm the establishment of IPsecVPN
First, you may want to check the IKE (ISAKMP) security associations, as shown below.
show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
119.81.0.1                              161.202.0.1

    State  Encrypt       Hash      D-H Grp  A-Time  L-Time  IKEv
    -----  ------------  --------  -------  ------  ------  ----
    up     aes256        sha1      2        0       3600    1
Second, you can check the active IPsec security associations, as below.
show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
119.81.0.1                              161.202.0.1

    Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
    ------  ----------  -----  -------------  ------------  --------  --  ------  ------
    1       6           up     0.0/0.0        aes256        sha1      2   21906   1800
vyatta@sinvyatta1:~$
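Reading these two tables by eye once is fine; what a practitioner usually wants afterwards is a check that can be re-run after every commit or from a monitoring job. The following is an added example, not code from the article or from Vyatta: it parses the `show vpn ike sa` and `show vpn ipsec sa` output laid out as above and compares the negotiated SAs with what was configured, so a tunnel that is down, has unexpected endpoints, or negotiated a different cipher, hash, DH group or lifetime than intended is reported. The IKEv column in the article's output reads 1, that is, IKEv1 was negotiated. The sample output, column names and function names (parse_sa_output, verify_tunnel, EXPECTED) are assumptions of this example, built from the article's provisional values.

```python
"""Parse `show vpn ike sa` / `show vpn ipsec sa` output and compare the
negotiated SAs against the configured parameters (added example, not
part of the article)."""

# Constructed sample input, laid out like the article's output
# (provisional addresses).
IKE_SA_OUTPUT = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
119.81.0.1                              161.202.0.1

    State  Encrypt       Hash      D-H Grp  A-Time  L-Time  IKEv
    -----  ------------  --------  -------  ------  ------  ----
    up     aes256        sha1      2        0       3600    1
"""
IPSEC_SA_OUTPUT = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
119.81.0.1                              161.202.0.1

    Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
    ------  ----------  -----  -------------  ------------  --------  --  ------  ------
    1       6           up     0.0/0.0        aes256        sha1      2   21906   1800
"""

# Column names for each table.  Every cell of a data row is a single
# token (e.g. "0.0/0.0"), so a plain split() recovers the columns.
IKE_COLS = ["state", "encrypt", "hash", "dh_group", "a_time", "l_time", "ikev"]
IPSEC_COLS = ["tunnel", "id", "state", "bytes_out_in", "encrypt", "hash",
              "dh_group", "a_time", "l_time"]

# What the article's configuration is supposed to negotiate.  The "IKE"
# and "IPsec" keys hold the configured lifetimes of each SA kind.
EXPECTED = {"peer": "119.81.0.1", "local": "161.202.0.1", "encrypt": "aes256",
            "hash": "sha1", "dh_group": "2", "IKE": "3600", "IPsec": "1800"}


def parse_sa_output(text, columns):
    """One dict per data row; each row also carries the peer/local pair of
    the 'Peer ID / IP' block that precedes it."""
    lines = text.splitlines()
    entries, peer, local = [], None, None
    for i, line in enumerate(lines):
        words = line.split()
        if line.startswith("Peer ID / IP"):
            peer, local = lines[i + 2].split()        # header, dashes, data
        elif words and words[0].lower() == columns[0] and i + 2 < len(lines):
            fields = lines[i + 2].split()
            if len(fields) != len(columns):
                raise ValueError(f"unexpected row: {lines[i + 2]!r}")
            entries.append(dict(zip(columns, fields), peer=peer, local=local))
    return entries


def verify_tunnel(ike_text, ipsec_text, expected=EXPECTED):
    """Return the problems found; an empty list means the tunnel is up with
    the intended endpoints, algorithms and lifetimes."""
    problems = []
    tables = (("IKE", parse_sa_output(ike_text, IKE_COLS)),
              ("IPsec", parse_sa_output(ipsec_text, IPSEC_COLS)))
    for kind, sas in tables:
        if not sas:
            problems.append(f"no {kind} SA present")
        for sa in sas:
            if (sa["peer"], sa["local"]) != (expected["peer"], expected["local"]):
                problems.append(f"{kind} SA has unexpected endpoints "
                                f"{sa['peer']} <-> {sa['local']}")
            if sa["state"] != "up":
                problems.append(f"{kind} SA state is {sa['state']}")
            for field in ("encrypt", "hash", "dh_group"):
                if sa[field] != expected[field]:
                    problems.append(f"{kind} SA negotiated {field}={sa[field]}, "
                                    f"expected {expected[field]}")
            if sa["l_time"] != expected[kind]:
                problems.append(f"{kind} SA lifetime {sa['l_time']} != configured {expected[kind]}")
    return problems


if __name__ == "__main__":
    print(verify_tunnel(IKE_SA_OUTPUT, IPSEC_SA_OUTPUT) or ["tunnel up as configured"])
```

On a live router the two strings would be replaced by the captured command output; the EXPECTED dict is the place to keep the intended parameters, so a peer that quietly renegotiates with a weaker proposal is caught rather than assumed.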