Vyatta Network OS Documentation

Create the connection to WEST

This task defines a site-to-site connection to WEST. In this example:

  • This connection is configured with a single tunnel:
    • Tunnel 1 communicates between 192.168.60.0/24 on EAST and 192.168.40.0/24 on WEST, using ESP group ESP-1E.
  • EAST uses IP address 192.0.2.33 on dp0p1p1.
  • WEST uses IP address 192.0.2.1 on dp0p1p2.
  • The IKE group is IKE-1E.
  • The authentication mode is pre-shared secret. The pre-shared secret is test_key_1.

To configure this connection, perform the following steps on EAST in configuration mode.

Table 1. Creating a site-to-site connection from EAST to WEST
Step Command

Create the node for WEST and set the authentication mode.

vyatta@EAST# set security vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret

Navigate to the node for the peer for easier editing.

vyatta@EAST# edit security vpn ipsec site-to-site peer 192.0.2.1

[edit security vpn ipsec site-to-site peer 192.0.2.1]

Provide the string that will be used to generate encryption keys.

vyatta@EAST# set authentication pre-shared-secret test_key_1

[edit security vpn ipsec site-to-site peer 192.0.2.1]

Specify the default ESP group for all tunnels.

vyatta@EAST# set default-esp-group ESP-1E

[edit security vpn ipsec site-to-site peer 192.0.2.1]

Specify the IKE group.

vyatta@EAST# set ike-group IKE-1E

[edit security vpn ipsec site-to-site peer 192.0.2.1]

Identify the IP address on this Vyatta router to be used for this connection.

vyatta@EAST# set local-address 192.0.2.33

[edit security vpn ipsec site-to-site peer 192.0.2.1]

Create a tunnel configuration, and provide the local subnet for this tunnel.

vyatta@EAST# set tunnel 1 local prefix 192.168.60.0/24

[edit security vpn ipsec site-to-site peer 192.0.2.1]

Provide the remote subnet for the tunnel.

vyatta@EAST# set tunnel 1 remote prefix 192.168.40.0/24

[edit security vpn ipsec site-to-site peer 192.0.2.1]

Return to the top of the configuration tree.

vyatta@EAST# top

Now commit the configuration.

vyatta@EAST# commit

View the configuration for the site-to-site connection.

vyatta@EAST# show security vpn ipsec site-to-site peer 192.0.2.1

    authentication {
        mode pre-shared-secret
        pre-shared-secret test_key_1
    }
    default-esp-group ESP-1E
    ike-group IKE-1E
    local-address 192.0.2.33
    tunnel 1 {
        local {
            prefix 192.168.60.0/24
        }
        remote {
            prefix 192.168.40.0/24
        }
    }

View the address configuration of data plane interface dp0p1p1. The local-address of the peer is set to this address.

vyatta@EAST# show interfaces dataplane dp0p1p1 address

 address 192.0.2.33/27
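
The two show outputs above can be checked offline before the connection goes into service. The following is an added example, not part of the Vyatta documentation or software: it parses the peer block and reports a placeholder pre-shared secret, a local-address that does not match the interface address, and overlapping tunnel prefixes. The function names, the 20-character minimum, and the placeholder word list are assumptions.

```python
from ipaddress import ip_address, ip_interface, ip_network
# Constructed sample: the peer block and interface address shown on this page.
SAMPLE_PEER = """authentication {
    mode pre-shared-secret
    pre-shared-secret test_key_1
}
default-esp-group ESP-1E
ike-group IKE-1E
local-address 192.0.2.33
tunnel 1 {
    local {
        prefix 192.168.60.0/24
    }
    remote {
        prefix 192.168.40.0/24
    }
}"""
SAMPLE_IFACE = "address 192.0.2.33/27"

def parse_block(text):
    """Parse brace-delimited configuration output into nested dicts."""
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("closing brace without an opening brace")
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return stack[0]

def audit_peer(peer_text, iface_text, min_len=20):  # min_len: assumed policy value
    """Return findings: placeholder PSK, local-address mismatch, prefix overlap."""
    cfg, findings = parse_block(peer_text), []
    secret = cfg.get("authentication", {}).get("pre-shared-secret", "")
    if len(secret) < min_len or any(w in secret.lower() for w in ("test", "example")):
        findings.append("weak-psk")
    if ip_address(cfg["local-address"]) != ip_interface(iface_text.split()[1]).ip:
        findings.append("local-address-mismatch")
    for name in (k for k in cfg if k.startswith("tunnel ")):
        loc, rem = (ip_network(cfg[name][s]["prefix"]) for s in ("local", "remote"))
        if loc.overlaps(rem):  # both ends of the tunnel claim the same addresses
            findings.append(name + ": overlapping prefixes")
    return findings
```

Run against the configuration on this page, the only finding is the documentation secret test_key_1, which should be replaced with a long random value that is configured identically on WEST.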