Vyatta NOS documentation


Create the connection to WEST

This task defines a site-to-site connection to WEST. In this example:

  • This connection is configured with a single tunnel:
    • Tunnel 1 communicates between 192.168.60.0/24 on EAST and 192.168.40.0/24 on WEST, using ESP group ESP-1E.
  • EAST uses IP address 192.0.2.33 on dp0p1p1.
  • WEST uses IP address 192.0.2.1 on dp0p1p2.
  • The IKE group is IKE-1E.
  • The authentication mode is pre-shared secret. The pre-shared secret is test_key_1.

To configure this connection, perform the following steps on EAST in configuration mode.

Table 1. Creating a site-to-site connection from EAST to WEST
Step Command

Create the node for WEST and set the authentication mode.

vyatta@EAST# set security vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret

Navigate to the node for the peer for easier editing.

vyatta@EAST# edit security vpn ipsec site-to-site peer 192.0.2.1

[edit security vpn ipsec site-to-site peer 192.0.2.1]

Provide the string that will be used to generate encryption keys.

vyatta@EAST# set authentication pre-shared-secret test_key_1

[edit security vpn ipsec site-to-site peer 192.0.2.1]

Specify the default ESP group for all tunnels.

vyatta@EAST# set default-esp-group ESP-1E

[edit security vpn ipsec site-to-site peer 192.0.2.1]

Specify the IKE group.

vyatta@EAST# set ike-group IKE-1E

[edit security vpn ipsec site-to-site peer 192.0.2.1]

Identify the IP address on this Vyatta router to be used for this connection.

vyatta@EAST# set local-address 192.0.2.33

[edit security vpn ipsec site-to-site peer 192.0.2.1]

Create a tunnel configuration, and provide the local subnet for this tunnel.

vyatta@EAST# set tunnel 1 local prefix 192.168.60.0/24

[edit security vpn ipsec site-to-site peer 192.0.2.1]

Provide the remote subnet for the tunnel.

vyatta@EAST# set tunnel 1 remote prefix 192.168.40.0/24

[edit security vpn ipsec site-to-site peer 192.0.2.1]

Return to the top of the configuration tree.

vyatta@EAST# top

Now commit the configuration.

vyatta@EAST# commit

View the configuration for the site-to-site connection.

vyatta@EAST# show security vpn ipsec site-to-site peer 192.0.2.1

    authentication {
        mode pre-shared-secret
        pre-shared-secret test_key_1
    }
    default-esp-group ESP-1E
    ike-group IKE-1E
    local-address 192.0.2.33
    tunnel 1 {
        local {
            prefix 192.168.60.0/24
        }
        remote {
            prefix 192.168.40.0/24
        }
    }

View the address configured on data plane interface dp0p1p1. The local-address of the peer is set to this address.

vyatta@EAST# show interfaces dataplane dp0p1p1 address

 address 192.0.2.33/27
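
One way to check the committed peer node before configuring the other end, as an added example (not Vyatta code): it parses the show output from this page and verifies that local-address matches the interface address, that the tunnel prefixes do not overlap, and that the pre-shared secret meets a length policy. The function names parse and audit and the 20-character minimum are assumptions made for this sketch.

```python
import ipaddress
# Constructed input: the peer node and interface address as shown on this page.
PEER_CFG = """\
authentication {
    mode pre-shared-secret
    pre-shared-secret test_key_1
}
default-esp-group ESP-1E
ike-group IKE-1E
local-address 192.0.2.33
tunnel 1 {
    local {
        prefix 192.168.60.0/24
    }
    remote {
        prefix 192.168.40.0/24
    }
}
"""
IFACE_ADDR = "192.0.2.33/27"

def parse(text):
    """Turn brace-delimited show output into nested dicts."""
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return stack[0]

def audit(cfg, iface_addr, min_psk_len=20):  # min_psk_len: assumed local policy
    """Return findings; an empty list means every check passed."""
    findings = []
    if cfg.get("local-address") != str(ipaddress.ip_interface(iface_addr).ip):
        findings.append("local-address does not match the interface address")
    psk = cfg.get("authentication", {}).get("pre-shared-secret")
    if psk is not None and len(psk) < min_psk_len:
        findings.append("pre-shared-secret shorter than policy minimum")
    for name, node in cfg.items():
        if name.startswith("tunnel "):
            local = ipaddress.ip_network(node["local"]["prefix"])
            remote = ipaddress.ip_network(node["remote"]["prefix"])
            if local.overlaps(remote):
                findings.append(f"{name}: local and remote prefixes overlap")
    return findings
```

Run against the values on this page, audit(parse(PEER_CFG), IFACE_ADDR) reports only the documentation secret test_key_1 as too short.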