Create the connection to EAST
In defining a site-to-site connection, you specify IPsec policy information (most of which is pre-configured as an IKE and ESP group) and the routing information for the two endpoints of the IPsec tunnel.
The local endpoint is the vRouter. The remote endpoint is the peer VPN gateway—this gateway can be another vRouter, or it can be another IPsec-compliant router, an IPsec-capable firewall, or a VPN concentrator. For each end of the tunnel, you define the IP address and subnet mask of the local and remote subnets or hosts.
In all, you must specify the following:
- IP address of the remote peer.
- Authentication mode that the peers use to authenticate one another. The vRouter supports peer authentication by pre-shared secret (pre-shared key, or PSK), by digital signature, and by X.509 certificate. If you choose pre-shared secret, you must also supply the secret string itself; it is never sent on the wire, but each peer uses it to compute the IKE authentication hash that proves it holds the secret.
- IKE group to use in the connection.
- ESP group to use in the connection.
- IP address on this vRouter to use for the tunnel. This IP address must be pre-configured on the interface that is enabled for VPN.
- Communicating subnet or host for each end of the tunnel. You can define multiple tunnels for each VPN peer, and each tunnel can use a different security policy.
When supplying a pre-shared secret, keep the following in mind:
A pre-shared secret, or pre-shared key (PSK), is a method of authentication. The secret is a character string that both parties agree on beforehand. During IKE, each endpoint feeds the secret, together with the nonces exchanged in the negotiation, into the IKE pseudorandom function; an endpoint that produces the correct authentication hash thereby proves that it knows the secret.
Note that the pre-shared secret, although an ordinary character string, is not a login password: it is keying material from which the authentication hash is derived. An attacker who records an IKE exchange can test candidate secrets offline against that hash (with IKEv1 aggressive mode the hash is even sent in the clear), so short or guessable strings can be recovered by a dictionary attack. Choose long, random pre-shared secrets and avoid short ones.
The pre-shared secret itself is never transmitted during IKE negotiation. It is configured on both peers and must match exactly on both sides.
A pre-shared secret is an example of symmetric cryptography: the key is the same on both sides. Symmetric algorithms are less computationally intensive than asymmetric algorithms and are therefore faster. However, the two communicating parties must share the key in advance, and distributing it securely, out of band, is itself a problem.
A pre-shared secret and a digital signature are the most common methods of IKE authentication. A pre-shared secret is an easy and effective way to quickly set up authentication with little administrative overhead. However, it has several drawbacks.
- If a pre-shared key is captured and no one is aware of it, the attacker can authenticate as a peer and reach your network for as long as that key remains in use.
- A pre-shared secret is configured manually, so it must also be rotated manually, and this task often falls off the list of busy network administrators. Giving a pre-shared key to remote users is equivalent to giving them a password to your network.
The following example defines a site-to-site connection to EAST.
- This connection is configured with a single tunnel:
- Tunnel 1 communicates between 192.168.40.0/24 on WEST and 192.168.60.0/24 on EAST, using ESP group ESP-1W.
- WEST uses IP address 192.0.2.1 on dp0p1p2.
- EAST uses IP address 192.0.2.33 on dp0p1p1.
- The IKE group is IKE-1W.
- The authentication mode is pre-shared secret. The pre-shared secret is test_key_1 (an illustrative value; in production use a long, random secret as described above).
To configure this connection, perform the following steps on vRouter WEST in configuration mode.
Create the node for EAST and set the authentication mode.
Navigate to the node for the peer for easier editing.
Provide the pre-shared secret that the two peers use to authenticate each other.
Specify the default ESP group for all tunnels.
Specify the IKE group.
Identify the IP address on this vRouter to be used for this connection (local-address).
Create a tunnel configuration, and provide the local subnet for this tunnel.
Note: When configuring an IPsec site-to-site tunnel, if no local IP address is configured within the tunnel's local prefix subnet, IPsec fails to install the kernel route. The workaround is to configure an address from that subnet on a loopback or data plane interface.
Provide the remote subnet for the tunnel.
Return to the top of the configuration tree.
Now commit the configuration.
View the configuration for the site-to-site connection.
View the address configuration of data plane interface dp0p1p2; local-address is set to this address.
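The whole procedure above, as an added example that is not part of the original page and not the vRouter's own code: a small Python model of the peer definition that renders the configuration-mode command sequence for WEST in the order of the steps, derives EAST's matching definition (addresses and prefixes swap, the secret does not), and runs the pre-commit checks this page calls for: the pre-shared secret is long and complex, local-address is really configured on an interface, and an address inside each tunnel's local prefix exists so that the kernel route can be installed. The `set` keyword paths, the prefix lengths on WEST's interfaces, the name of WEST's LAN interface, and the 20-character minimum are assumptions, not taken from the page; confirm the paths with `?` completion on your release.

```python
"""Model a vRouter IPsec site-to-site peer and check it before committing.
Added example; the ``set`` paths follow the step descriptions on the page
and the author's reading of the vRouter CLI (an assumption)."""
from dataclasses import dataclass, field
import ipaddress
import secrets
import string
from typing import Dict, List, Optional

MIN_PSK_LEN = 20  # assumed local policy threshold, not a product limit


@dataclass
class Tunnel:
    number: int
    local_prefix: str
    remote_prefix: str
    esp_group: Optional[str] = None  # per-tunnel override of default-esp-group


@dataclass
class Peer:
    address: str            # remote peer (EAST's 192.0.2.33 when configuring WEST)
    local_address: str      # this router's tunnel endpoint address
    pre_shared_secret: str
    ike_group: str
    default_esp_group: str
    tunnels: List[Tunnel] = field(default_factory=list)


def psk_weaknesses(psk: str) -> List[str]:
    """Why a pre-shared secret is weak: the page asks for long, complex strings."""
    problems = []
    if len(psk) < MIN_PSK_LEN:
        problems.append(f"only {len(psk)} characters; use at least {MIN_PSK_LEN}")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    if sum(any(c in cls for c in psk) for cls in classes) < 3:
        problems.append("fewer than three character classes (lower/upper/digit/punctuation)")
    return problems


def generate_psk() -> str:
    """A random secret that passes psk_weaknesses(); distribute it out of band."""
    while True:
        psk = secrets.token_urlsafe(32)
        if not psk_weaknesses(psk):
            return psk


def check_peer(peer: Peer, interface_addresses: Dict[str, List[str]]) -> List[str]:
    """Pre-commit checks; interface_addresses maps interface name -> configured CIDRs."""
    configured = {ipaddress.ip_interface(a).ip
                  for addrs in interface_addresses.values() for a in addrs}
    problems = []
    if ipaddress.ip_address(peer.local_address) not in configured:
        problems.append(f"local-address {peer.local_address} is not configured on any interface")
    for t in peer.tunnels:
        local = ipaddress.ip_network(t.local_prefix, strict=False)
        # The page's note: with no local address inside the local prefix,
        # IPsec does not install the kernel route for the tunnel.
        if not any(ip in local for ip in configured):
            problems.append(f"tunnel {t.number}: no local address inside {t.local_prefix}; "
                            "kernel route will not be installed (add one on a loopback or data plane interface)")
    return problems


def render_commands(peer: Peer) -> List[str]:
    """Configuration-mode commands in the order of the steps on the page (paths assumed)."""
    node = f"security vpn ipsec site-to-site peer {peer.address}"
    cmds = [f"set {node} authentication mode pre-shared-secret",
            f"edit {node}",
            f"set authentication pre-shared-secret {peer.pre_shared_secret}",
            f"set default-esp-group {peer.default_esp_group}",
            f"set ike-group {peer.ike_group}",
            f"set local-address {peer.local_address}"]
    for t in peer.tunnels:
        cmds.append(f"set tunnel {t.number} local prefix {t.local_prefix}")
        cmds.append(f"set tunnel {t.number} remote prefix {t.remote_prefix}")
        if t.esp_group:  # a tunnel may use a different security policy than the peer default
            cmds.append(f"set tunnel {t.number} esp-group {t.esp_group}")
    return cmds + ["top", "commit"]


def mirror_peer(peer: Peer, ike_group: str, default_esp_group: str) -> Peer:
    """The matching definition for the other end: addresses and prefixes swap, the secret must not."""
    return Peer(address=peer.local_address, local_address=peer.address,
                pre_shared_secret=peer.pre_shared_secret,
                ike_group=ike_group, default_esp_group=default_esp_group,
                tunnels=[Tunnel(t.number, t.remote_prefix, t.local_prefix, t.esp_group)
                         for t in peer.tunnels])


# WEST's side of the page's example.
WEST_TO_EAST = Peer(address="192.0.2.33", local_address="192.0.2.1",
                    pre_shared_secret="test_key_1", ike_group="IKE-1W",
                    default_esp_group="ESP-1W",
                    tunnels=[Tunnel(1, "192.168.40.0/24", "192.168.60.0/24")])
# Constructed view of WEST's interfaces: the LAN interface name and both
# prefix lengths are assumptions, the page gives only the addresses.
WEST_INTERFACES = {"dp0p1p1": ["192.168.40.1/24"], "dp0p1p2": ["192.0.2.1/27"]}

if __name__ == "__main__":
    for p in check_peer(WEST_TO_EAST, WEST_INTERFACES) + psk_weaknesses(WEST_TO_EAST.pre_shared_secret):
        print("warning:", p)
    print("\n".join(render_commands(WEST_TO_EAST)))
```

Run as-is, the script flags the page's test_key_1 as too short before printing WEST's command sequence; `mirror_peer(WEST_TO_EAST, "IKE-1E", "ESP-1E")` gives the definition to enter on EAST with whatever IKE and ESP group names exist there, and `check_peer` with an interface table that lacks an address in 192.168.40.0/24 reproduces the kernel-route failure described in the note.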