Vyatta Network OS Documentation

Create the connection to EAST

In defining a site-to-site connection, you specify IPsec policy information (most of which is pre-configured as an IKE and ESP group) and the routing information for the two endpoints of the IPsec tunnel.

The local endpoint is the vRouter. The remote endpoint is the peer VPN gateway—this gateway can be another vRouter, or it can be another IPsec-compliant router, an IPsec-capable firewall, or a VPN concentrator. For each end of the tunnel, you define the IP address and subnet mask of the local and remote subnets or hosts.

In all, you must specify the following:

  • IP address of the remote peer.
  • Authentication mode that the peers use to authenticate one another. The vRouter supports peer authentication by pre-shared secret (pre-shared key, or PSK), so you must also supply the character string to use to generate the hashed key. Digital signatures and X.509 certificates are also supported.
  • IKE group to use in the connection.
  • ESP group to use in the connection.
  • IP address on this vRouter to use for the tunnel. This IP address must be pre-configured on the interface that is enabled for VPN.
  • Communicating subnet or host for each end of the tunnel. You can define multiple tunnels for each VPN peer, and each tunnel can use a different security policy.

When supplying a pre-shared secret, keep the following in mind:

A pre-shared secret, or pre-shared key (PSK), is a method of authentication. The secret, or key, is a character string agreed upon beforehand by both parties as the key for authenticating the session. It generates a hash such that each VPN endpoint can authenticate the other.

Note that the pre-shared secret, although an ordinary character string, is not a “password”. It actually generates a hashed key to form a fingerprint that proves the identity of each endpoint. This means that long, complex character strings are more secure than short strings. Choose complex pre-shared secrets and avoid short ones, which can be more easily compromised by an attack.

The pre-shared secret is not passed during IKE negotiation. It is configured on both sides, and must match on both sides.

A pre-shared secret is an example of symmetric cryptography: the key is the same on both sides. Symmetric encryption algorithms are less computationally intensive than asymmetric algorithms, and are, therefore, faster. However, in symmetric cryptography, the two communicating parties must exchange keys in advance. Doing this securely can be a problem.

A pre-shared secret and a digital signature are the most common methods of IKE authentication. A pre-shared secret is an easy and effective way to quickly set up authentication with little administrative overhead. However, it has several drawbacks.

  • If a pre-shared key is captured and no one is aware of it, the attacker has access to your network as long as that key is in use.
  • A pre-shared secret is manually configured, so it should be regularly changed. However, this task often falls off the list of busy network administrators. Using pre-shared key values with remote users is equivalent to giving them a password to your network.

Note: You should restrict the use of pre-shared keys to smaller, low-risk environments.
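The guidance above says to prefer long, complex pre-shared secrets over short ones and to rotate them. The following script is an added example (not part of the Vyatta documentation) that generates a pre-shared secret from a CSPRNG and rejects weak candidates such as the page's own test_key_1. The thresholds MIN_LENGTH, MIN_ENTROPY_BITS and the WEAK_WORDS list are hypothetical policy values chosen for this example, not Vyatta defaults.

```python
import math
import secrets
import string

# Characters used for generated secrets: letters, digits, '-' and '_',
# which need no quoting on the Vyatta command line.
PSK_ALPHABET = string.ascii_letters + string.digits + "-_"

# Hypothetical policy thresholds for this example (not Vyatta defaults).
MIN_LENGTH = 20
MIN_ENTROPY_BITS = 100
WEAK_WORDS = ("test", "key", "password", "secret", "vpn", "ipsec")


def estimate_entropy_bits(psk: str) -> float:
    """Upper-bound entropy estimate: length * log2(size of the character pool
    implied by the classes present). Guessing attacks try dictionary-like
    strings first, so this only flags secrets that are weak even by this
    generous measure."""
    pool = 0
    if any(c.islower() for c in psk):
        pool += 26
    if any(c.isupper() for c in psk):
        pool += 26
    if any(c.isdigit() for c in psk):
        pool += 10
    if any(c in string.punctuation for c in psk):
        pool += len(string.punctuation)
    return len(psk) * math.log2(pool) if pool else 0.0


def check_psk(psk: str) -> tuple[bool, list[str]]:
    """Return (acceptable, problems) for a candidate pre-shared secret."""
    problems = []
    if len(psk) < MIN_LENGTH:
        problems.append(f"only {len(psk)} characters (minimum {MIN_LENGTH})")
    bits = estimate_entropy_bits(psk)
    if bits < MIN_ENTROPY_BITS:
        problems.append(
            f"about {bits:.0f} bits of entropy at most (minimum {MIN_ENTROPY_BITS})")
    lowered = psk.lower()
    for word in WEAK_WORDS:
        if word in lowered:
            problems.append(f"contains the guessable word '{word}'")
    return (not problems, problems)


def generate_psk(length: int = 32) -> str:
    """Generate a random secret from PSK_ALPHABET that passes check_psk().
    The retry loop covers the rare draw that happens to contain a weak word."""
    while True:
        candidate = "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))
        if check_psk(candidate)[0]:
            return candidate


if __name__ == "__main__":
    # The page's example secret is flagged; a generated one is accepted.
    for sample in ("test_key_1", generate_psk()):
        ok, problems = check_psk(sample)
        print(f"{sample!r}: {'acceptable' if ok else 'weak'}", *problems, sep="\n  ")
```

The generated string goes into `set authentication pre-shared-secret <value>` on both peers; because the secret never crosses the wire during IKE, the only exchange that matters is the out-of-band one between administrators, and a checker like this only guards against weak choices, not against careless handling of the string itself.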

The following example defines a site-to-site connection to EAST.

  • This connection is configured with a single tunnel:
    • Tunnel 1 communicates between on WEST and on EAST, using ESP group ESP-1W.
  • WEST uses IP address on dp0p1p2.
  • EAST uses IP address on dp0p1p1.
  • The IKE group is IKE-1W.
  • The authentication mode is pre-shared secret. The pre-shared secret is test_key_1.

To configure this connection, perform the following steps on vRouter WEST in configuration mode.

Table 1. Creating a site-to-site connection from WEST to EAST
Step Command

Create the node for EAST and set the authentication mode.

vyatta@WEST# set security vpn ipsec site-to-site peer authentication mode pre-shared-secret

Navigate to the node for the peer for easier editing.

vyatta@WEST# edit security vpn ipsec site-to-site peer

[edit security vpn ipsec site-to-site peer]

Provide the string that will be used to generate encryption keys.

vyatta@WEST# set authentication pre-shared-secret test_key_1

[edit security vpn ipsec site-to-site peer]

Specify the default ESP group for all tunnels.

vyatta@WEST# set default-esp-group ESP-1W

[edit security vpn ipsec site-to-site peer]

Specify the IKE group.

vyatta@WEST# set ike-group IKE-1W

[edit security vpn ipsec site-to-site peer]

Identify the IP address on this Vyatta router to be used for this connection.

vyatta@WEST# set local-address

[edit security vpn ipsec site-to-site peer]

Create a tunnel configuration, and provide the local subnet for this tunnel.

Note: When configuring an IPsec site-to-site tunnel, if the local IP address is not configured for the configured local prefix subnet, IPsec fails to install the kernel route. A workaround is to configure the local IP address on a loopback or a data plane interface.

vyatta@WEST# set tunnel 1 local prefix

[edit security vpn ipsec site-to-site peer]

Provide the remote subnet for the tunnel.

vyatta@WEST# set tunnel 1 remote prefix

[edit security vpn ipsec site-to-site peer]

Return to the top of the configuration tree.

vyatta@WEST# top

Now commit the configuration.

vyatta@WEST# commit

View the configuration for the site-to-site connection.

vyatta@WEST# show security vpn ipsec site-to-site peer

        mode pre-shared-secret
        pre-shared-secret test_key_1
    default-esp-group ESP-1W
    ike-group IKE-1W
    tunnel 1 {
        local {
        remote {

View data plane interface dp0p1p2 address configuration. local-address is set to this address.

vyatta@WEST# show interfaces dataplane dp0p1p2 address
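The procedure above states two address preconditions: local-address must already be configured on an interface of this router, and the local prefix of each tunnel must contain a configured local IP, otherwise IPsec does not install the kernel route. The script below is an added example (not part of the Vyatta documentation) that renders the same sequence of set commands from a small description of the peer and runs those two checks before anything is committed. The addresses are constructed RFC 5737 documentation values standing in for the WEST/EAST addresses this page omits, the PSK is a placeholder, and placing the peer address directly after `peer` in the command follows the `[edit security vpn ipsec site-to-site peer]` prompt shown above and is assumed here.

```python
import ipaddress

# Constructed example values (RFC 5737 documentation addresses), standing in
# for the addresses of the original WEST/EAST example, which this page omits.
WEST_INTERFACES = {
    "dp0p1p2": ["192.0.2.1/24"],      # WAN side; used as the tunnel's local-address
    "dp0p1p1": ["203.0.113.1/25"],    # LAN side, inside the tunnel's local prefix
}
PEER = {
    "peer_ip": "198.51.100.1",        # EAST (constructed)
    "psk": "<pre-shared-secret>",     # placeholder, generated elsewhere
    "ike_group": "IKE-1W",
    "esp_group": "ESP-1W",
    "local_address": "192.0.2.1",
    "tunnels": {1: ("203.0.113.0/25", "203.0.113.128/25")},  # (local, remote)
}


def render_peer_config(peer_ip, psk, ike_group, esp_group, local_address, tunnels):
    """Return the 'set' commands for one site-to-site peer, in the order the
    procedure above issues them (peer address after 'peer' is assumed)."""
    node = f"security vpn ipsec site-to-site peer {peer_ip}"
    cmds = [
        f"set {node} authentication mode pre-shared-secret",
        f"set {node} authentication pre-shared-secret {psk}",
        f"set {node} default-esp-group {esp_group}",
        f"set {node} ike-group {ike_group}",
        f"set {node} local-address {local_address}",
    ]
    for number, (local_prefix, remote_prefix) in sorted(tunnels.items()):
        cmds.append(f"set {node} tunnel {number} local prefix {local_prefix}")
        cmds.append(f"set {node} tunnel {number} remote prefix {remote_prefix}")
    return cmds


def precommit_checks(local_address, interfaces, tunnels):
    """Check the two address preconditions the procedure states and return a
    list of problems (empty when the peer is safe to commit)."""
    problems = []
    configured = {}  # ip address -> interface name
    for ifname, cidrs in interfaces.items():
        for cidr in cidrs:
            configured[ipaddress.ip_interface(cidr).ip] = ifname

    # local-address must already be configured on an interface of this router.
    local = ipaddress.ip_address(local_address)
    if local not in configured:
        problems.append(f"local-address {local} is not configured on any interface")

    # Each tunnel's local prefix needs a local IP inside it (loopback or data
    # plane interface), otherwise IPsec does not install the kernel route.
    for number, (local_prefix, _remote_prefix) in tunnels.items():
        net = ipaddress.ip_network(local_prefix, strict=False)
        if not any(ip in net for ip in configured):
            problems.append(
                f"tunnel {number}: no interface address inside local prefix {net}; "
                "the kernel route would not be installed")
    return problems


if __name__ == "__main__":
    for problem in precommit_checks(PEER["local_address"], WEST_INTERFACES, PEER["tunnels"]):
        print("WARNING:", problem)
    print("\n".join(render_peer_config(**PEER)))
```

Feed the output of `show interfaces dataplane <name> address` (and any loopback addresses) into the interfaces map before running the checks; if the second check reports a tunnel, the workaround from the note applies: add an address inside the local prefix on a loopback or data plane interface before committing.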