Vyatta NOS documentation

Configure an ESP group on WEST

Encapsulating Security Payload (ESP) is an IPsec protocol that encrypts IP packets and also authenticates them.

The ESP protocol negotiates a unique number for the session connection, called the Security Parameter Index (SPI). It also starts a numbering sequence for the packets and negotiates the hashing algorithm that authenticates them.

The vRouter allows you to pre-define multiple ESP configurations. Each configuration is known as an ESP group. An ESP group includes the Phase 2 proposals, which contain the parameters that are needed to negotiate an IPsec security association:

  • Cipher to encrypt user data across the IPsec tunnel
  • Hashing function to authenticate packets in the IPsec tunnel
  • Lifetime of the IPsec security association

This task creates ESP group ESP-1W on vRouter WEST. This ESP group contains two proposals:

  • Proposal 1 uses AES-256 as the encryption cipher and SHA-1 as the hash algorithm
  • Proposal 2 uses Triple-DES as the encryption cipher and MD5 as the hash algorithm

The lifetime of the whole ESP group, and therefore of both proposals, is set to 1800 seconds.

To create this ESP group, perform the following steps on WEST in configuration mode.

Table 1. Configuring an ESP group on vRouter WEST

Step 1. Create the configuration node for proposal 1 of ESP group ESP-1W.

    vyatta@WEST# set security vpn ipsec esp-group ESP-1W proposal 1

Step 2. Set the encryption cipher for proposal 1.

    vyatta@WEST# set security vpn ipsec esp-group ESP-1W proposal 1 encryption aes256

Step 3. Set the hash algorithm for proposal 1.

    vyatta@WEST# set security vpn ipsec esp-group ESP-1W proposal 1 hash sha1

Step 4. Set the encryption cipher for proposal 2. This also creates the configuration node for proposal 2 of ESP group ESP-1W.

    vyatta@WEST# set security vpn ipsec esp-group ESP-1W proposal 2 encryption 3des

Step 5. Set the hash algorithm for proposal 2.

    vyatta@WEST# set security vpn ipsec esp-group ESP-1W proposal 2 hash md5

Step 6. Set the lifetime for the whole ESP group.

    vyatta@WEST# set security vpn ipsec esp-group ESP-1W lifetime 1800

Step 7. View the configuration for the ESP group. Do not commit yet.

    vyatta@WEST# show security vpn ipsec esp-group ESP-1W

    proposal 1 {
        encryption aes256
        hash sha1
    }
    proposal 2 {
        encryption 3des
        hash md5
    }
    lifetime 1800
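Before committing, it is worth checking what the proposals in the group actually offer to the peer. The following script is an added example and is not Vyatta code: it runs on an administrator's workstation (not in the vRouter configuration shell) against the captured output of the `show` command above, and reports which proposals rely on algorithms that current IPsec guidance treats as deprecated or legacy. The classification is an assumption taken from RFC 8221 (3DES: SHOULD NOT; HMAC-MD5: MUST NOT; HMAC-SHA1: still permitted but expected to be downgraded); the sample input below is constructed from the page's `show` output.

```shell
#!/bin/sh
# Added example (not Vyatta code): audit the proposals of an ESP group for
# deprecated algorithms before the configuration is committed.
# Algorithm classification is an assumption based on RFC 8221 guidance:
#   3DES / DES / NULL encryption and HMAC-MD5 -> "deprecated"
#   HMAC-SHA1                                   -> "legacy"
#   everything else                             -> "ok"

# Constructed sample input: the "show security vpn ipsec esp-group ESP-1W"
# output from the page, captured before commit.
ESP_1W_SHOW='proposal 1 {
    encryption aes256
    hash sha1
}
proposal 2 {
    encryption 3des
    hash md5
}
lifetime 1800'

# Assumed classification lists (see comment above).
DEPRECATED_ALGS="3des des null md5"
LEGACY_ALGS="sha1"

# classify_alg NAME -> prints "deprecated", "legacy" or "ok"
classify_alg() {
    case " $DEPRECATED_ALGS " in *" $1 "*) echo deprecated; return 0;; esac
    case " $LEGACY_ALGS " in *" $1 "*) echo legacy; return 0;; esac
    echo ok
}

# audit_esp_group SHOW_OUTPUT
# Parses the esp-group "show" output line by line and prints, per proposal:
#   proposal <n> encryption=<alg>:<class> hash=<alg>:<class> verdict=<worst>
# followed by "lifetime=<seconds>" for the group.
audit_esp_group() {
    printf '%s\n' "$1" | while read -r key value rest; do
        case "$key" in
            proposal)   prop=$value; enc_alg=; hash_alg= ;;
            encryption) enc_alg=$value ;;
            hash)       hash_alg=$value ;;
            lifetime)   echo "lifetime=$value" ;;
            '}')
                # End of a proposal block: classify both algorithms and
                # take the worse of the two as the proposal's verdict.
                ec=$(classify_alg "$enc_alg")
                hc=$(classify_alg "$hash_alg")
                case "$ec $hc" in
                    *deprecated*) verdict=deprecated ;;
                    *legacy*)     verdict=legacy ;;
                    *)            verdict=ok ;;
                esac
                printf 'proposal %s encryption=%s:%s hash=%s:%s verdict=%s\n' \
                    "$prop" "$enc_alg" "$ec" "$hash_alg" "$hc" "$verdict"
                ;;
        esac
    done
}

# esp_group_worst SHOW_OUTPUT -> prints the worst verdict across all proposals.
# Because IKE may pick any proposal the peer also accepts, the group is only
# as strong as its weakest proposal.
esp_group_worst() {
    audit_esp_group "$1" | awk '
        /verdict=deprecated/ { d = 1 }
        /verdict=legacy/     { l = 1 }
        END { print d ? "deprecated" : (l ? "legacy" : "ok") }'
}

# Stand-alone run against the constructed sample.
audit_esp_group "$ESP_1W_SHOW"
echo "group verdict: $(esp_group_worst "$ESP_1W_SHOW")"
```

For the page's ESP-1W group the script flags proposal 2 (3DES with MD5) as deprecated and proposal 1 as legacy because of SHA-1, so the group as a whole is reported as deprecated: a peer that prefers proposal 2 will negotiate the weaker SA. Paste the real `show` output into `ESP_1W_SHOW` (or pass it as the argument) to audit a group on another vRouter.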