Vyatta Network OS Documentation

Learn how to install, configure and operate the Vyatta NOS, which helps drive our virtual networking & physical platforms portfolio.

Creating a site-to-site IPsec VPN connection

This section details how to create a site-to-site IPsec VPN connection between the NAT devices in separate VPCs.

In this example, a site-to-site IPsec VPN connection is created between the NAT devices in separate VPCs. In the example, it is assumed that Vyatta NAT instances and instances within private subnets have been created within the VPCs according to the steps in Creating a NAT device. The following diagram shows the configuration.

Figure 1. VPC configuration

To allow inbound Internet Key Exchange (IKE), Encapsulating Security Payload (ESP), and IPsec NAT-T, add three rules to the default VPC security group in each VPC. The first inbound rule (for IKE) allows UDP traffic on port 500 from any source (0.0.0.0/0). The second inbound rule (for ESP) is a Custom protocol rule and allows IP protocol 50 traffic from any source (0.0.0.0/0). The third inbound rule (for IPsec NAT-T) allows UDP traffic on port 4500 from any source (0.0.0.0/0). Refer to Modify the default security group as a reference.

To provide an IPsec VPN endpoint on the R1 NAT device, configure the device as follows:

vyatta@vyatta:~$ show security vpn

vpn {
        ipsec {
                esp-group ESP-1W {
                        lifetime 1800
                        proposal 1 {
                                encryption aes256
                        }
                        proposal 2 {
                                encryption 3des
                                hash md5
                        }
                }
                ike-group IKE-1W {
                        lifetime 3600
                        proposal 1 {
                                encryption aes256
                        }
                        proposal 2
                }
                nat-networks {
                        allowed-network 0.0.0.0/0 {
                                exclude 10.0.0.0/16
                        }
                }
                nat-traversal enable
                site-to-site {
                        peer 52.64.93.132 {
                                authentication {
                                        id @router1
                                        pre-shared-secret test123
                                        remote-id @router2
                                }
                                default-esp-group ESP-1W
                                ike-group IKE-1W
                                local-address 10.0.0.183
                                tunnel 1 {
                                        local {
                                                prefix 10.0.0.0/16
                                        }
                                        remote {
                                                prefix 172.16.0.0/16
                                        }
                                }
                        }
                }
        }
 }

To provide an IPsec VPN endpoint on the R2 NAT device, configure the device as follows:

vyatta@vyatta# show security vpn

vpn {
        ipsec {
                esp-group ESP-1E {
                        lifetime 1800
                        proposal 1 {
                                encryption aes256
                        }
                        proposal 2 {
                                encryption 3des
                                hash md5
                        }
                }
                ike-group IKE-1E {
                        lifetime 3600
                        proposal 1 {
                                encryption aes256
                        }
                        proposal 2
                }
                nat-networks {
                        allowed-network 0.0.0.0/0 {
                                exclude 172.16.0.0/16
                        }
                }
                nat-traversal enable
                site-to-site {
                        peer 52.68.44.119 {
                                authentication {
                                        id @router2
                                        pre-shared-secret test123
                                        remote-id @router1
                                }
                                default-esp-group ESP-1E
                                ike-group IKE-1E
                                local-address 172.16.0.10
                                tunnel 1 {
                                        local {
                                                prefix 172.16.0.0/16
                                        }
                                        remote {
                                                prefix 10.0.0.0/16
                                        }
                                }
                        }
                }
        }
 }
[edit]

Test the configuration by pinging a device in one private subnet (10.0.1.20) from a device in the other private subnet (172.16.1.20).

vyatta@vyatta:~$ ping 10.0.1.20

PING 10.0.1.20 (10.0.1.20) 56(84) bytes of data.
64 bytes from 10.0.1.20: icmp_req=1 ttl=64 time=0.439 ms
64 bytes from 10.0.1.20: icmp_req=2 ttl=64 time=0.572 ms
64 bytes from 10.0.1.20: icmp_req=3 ttl=64 time=0.430 ms
64 bytes from 10.0.1.20: icmp_req=4 ttl=64 time=0.448 ms
^C
--- 10.0.1.20 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.430/0.472/0.572/0.059 ms
vyatta@vyatta:~$

While this example shows a site-to-site IPsec VPN connection between sites in two different VPCs, the sites can also be located in non-VPC locations (for example, a branch office or a data center).

For further information on IPsec VPN configuration, refer to Ciena Vyatta Network OS IPsec Site-to-Site VPN Configuration Guide.