Vyatta NOS documentation

Create the connection to EAST

In defining a site-to-site connection, you specify IPsec policy information (most of which is pre-configured as an IKE and ESP group) and the routing information for the two endpoints of the IPsec tunnel.

The local endpoint is the vRouter. The remote endpoint is the peer VPN gateway—this gateway can be another vRouter, or it can be another IPsec-compliant router, an IPsec-capable firewall, or a VPN concentrator. For each end of the tunnel, you define the IP address and subnet mask of the local and remote subnets or hosts.

In all, you must specify the following:

  • IP address of the remote peer.
  • Authentication mode that the peers use to authenticate one another. The vRouter supports peer authentication by pre-shared secret (pre-shared key, or PSK), in which case you must also supply the secret string that both peers feed into the IKE authentication computation; the string itself is never transmitted. Authentication by digital signature and by X.509 certificate is also supported.
  • IKE group to use in the connection.
  • ESP group to use in the connection.
  • IP address on this vRouter to use for the tunnel. This IP address must be pre-configured on the interface that is enabled for VPN.
  • Communicating subnet or host for each end of the tunnel. You can define multiple tunnels for each VPN peer, and each tunnel can use a different security policy.

When supplying a pre-shared secret, keep the following in mind:

A pre-shared secret, or pre-shared key (PSK), is a method of authentication. The secret is a character string agreed upon beforehand by both parties. During IKE, each endpoint feeds the secret into a keyed hash over the exchange; the other endpoint, holding the same secret, recomputes that hash and compares it, and a match proves the peer knows the secret.

Note that the pre-shared secret, although an ordinary character string, is not a "password" that is typed and checked once by a server. It keys the hash that proves each endpoint's identity, and an attacker who records a negotiation (or, in IKE modes where the hash is encrypted, actively poses as the peer) can test guesses against that hash offline, with no lockout and nothing logged on either gateway. Length and randomness therefore matter more than for an interactive password: choose a long, randomly generated secret and avoid short or dictionary-based ones, which such an attack recovers quickly.

The pre-shared secret itself is never sent during IKE negotiation; only hashes derived from it are. It is configured independently on both gateways and must match exactly on both sides.

A pre-shared secret is an example of symmetric cryptography: the key is the same on both sides. Symmetric encryption algorithms are less computationally intensive than asymmetric algorithms, and are, therefore, faster. However, in symmetric cryptography, the two communicating parties must exchange keys in advance. Doing this securely can be a problem.

A pre-shared secret and a digital signature are the most common methods of IKE authentication. A pre-shared secret is an easy and effective way to quickly set up authentication with little administrative overhead. However, it has several drawbacks.

  • If a pre-shared key is captured and no one is aware of it, the attacker can impersonate either gateway and reach your network for as long as that key remains in use.
  • A pre-shared secret is manually configured, so it should be changed regularly. In practice this task often falls off the list of busy network administrators. Giving pre-shared key values to remote users is equivalent to giving them a password to your network.
Note: You should restrict the use of pre-shared keys to smaller, low-risk environments.
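
The following is an added example, not Vyatta code and not part of the original page. It models pre-shared-secret authentication with HMAC-SHA256 standing in for the IKE pseudo-random function (real IKEv1 and IKEv2 key derivation differ in detail) and then runs the offline guessing attack the text warns about against the documentation's own secret, test_key_1. In IKEv1 aggressive mode the responder's hash crosses the wire in clear, so a passive capture is enough; in main mode and IKEv2 the attacker must pose as the peer to obtain the hash, but the offline search that follows is the same. The nonces, identities and word list are constructed test data.

```python
"""Added example (not Vyatta code): a model of pre-shared-secret peer
authentication and of the offline guessing attack that makes short PSKs weak.

HMAC-SHA256 stands in for the IKE pseudo-random function; real IKEv1/IKEv2 key
derivation differs in detail, but the security argument is identical: the PSK
itself is never sent, each side proves knowledge of it with a keyed hash over
the exchange, and anyone holding a copy of that hash can test guesses offline.
Nonces, identities and the word list below are constructed test data."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple


def auth_hash(psk: str, nonce_i: bytes, nonce_r: bytes, identity: bytes) -> bytes:
    """Keyed hash a peer sends to prove it knows the PSK (simplified IKE AUTH)."""
    skey = hmac.new(psk.encode(), nonce_i + nonce_r, hashlib.sha256).digest()
    return hmac.new(skey, identity, hashlib.sha256).digest()


def handshake(psk_west: str, psk_east: str) -> Tuple[bool, bool, Dict[str, bytes]]:
    """Each peer hashes with its own copy of the secret and checks the other's.

    Returns (west_accepts_east, east_accepts_west, transcript), where transcript
    is what an eavesdropper on the link between WEST and EAST sees: the nonces,
    WEST's identity and WEST's hash, but never the PSK itself."""
    nonce_w, nonce_e = secrets.token_bytes(16), secrets.token_bytes(16)
    id_w, id_e = b"192.0.2.1", b"192.0.2.33"
    hash_w = auth_hash(psk_west, nonce_w, nonce_e, id_w)   # sent WEST -> EAST
    hash_e = auth_hash(psk_east, nonce_w, nonce_e, id_e)   # sent EAST -> WEST
    east_accepts = hmac.compare_digest(hash_w, auth_hash(psk_east, nonce_w, nonce_e, id_w))
    west_accepts = hmac.compare_digest(hash_e, auth_hash(psk_west, nonce_w, nonce_e, id_e))
    transcript = {"nonce_w": nonce_w, "nonce_e": nonce_e, "id_w": id_w, "hash_w": hash_w}
    return west_accepts, east_accepts, transcript


def offline_guess(transcript: Dict[str, bytes], candidates: Iterable[str]) -> Optional[str]:
    """Recover the PSK from a captured transcript by trying candidates offline.

    No packets are sent to either gateway, so nothing is logged and there is no
    lockout; the only defence is a secret the attacker cannot enumerate."""
    for guess in candidates:
        h = auth_hash(guess, transcript["nonce_w"], transcript["nonce_e"], transcript["id_w"])
        if hmac.compare_digest(h, transcript["hash_w"]):
            return guess
    return None


def mangled_dictionary(words: Iterable[str]) -> Iterable[str]:
    """Constructed mini word list: base words plus the suffixes people append
    when told a secret must be 'complex'. Real tools use millions of entries."""
    for w in words:
        for suffix in ("", "1", "_1", "123", "!", "2024"):
            yield w + suffix
            yield w.capitalize() + suffix


def strong_psk(nbytes: int = 32) -> str:
    """PSK with nbytes of CSPRNG entropy. The encoding uses only letters,
    digits, '-' and '_', so it pastes into 'set authentication pre-shared-secret'."""
    return secrets.token_urlsafe(nbytes)


# Constructed word list; "test_key" + "_1" reproduces the page's example secret.
WORDS = ["test", "key", "test_key", "vpn", "ipsec", "secret", "password", "vyatta"]

if __name__ == "__main__":
    ok_w, ok_e, transcript = handshake("test_key_1", "test_key_1")
    print("matching PSK: WEST accepts", ok_w, "EAST accepts", ok_e)
    print("recovered from capture:", offline_guess(transcript, mangled_dictionary(WORDS)))
    bad_w, bad_e, _ = handshake("test_key_1", "test_key_2")
    print("mismatched PSK: WEST accepts", bad_w, "EAST accepts", bad_e)
    psk = strong_psk()
    _, _, transcript = handshake(psk, psk)
    print("strong PSK recovered:", offline_guess(transcript, mangled_dictionary(WORDS)))
```

Running it shows both peers accepting with a matching secret, both rejecting with a mismatch, test_key_1 recovered from the captured transcript after a few dozen guesses, and a 32-byte random secret surviving the same list (and any list: 256 bits of entropy is beyond enumeration). A gateway cannot tell a passive offline search is happening, so the strength of the string is the whole defence.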

The following example defines a site-to-site connection to EAST.

  • This connection is configured with a single tunnel:
    • Tunnel 1 communicates between 192.168.40.0/24 on WEST and 192.168.60.0/24 on EAST, using ESP group ESP-1W.
  • WEST uses IP address 192.0.2.1 on dp0p1p2.
  • EAST uses IP address 192.0.2.33 on dp0p1p1.
  • The IKE group is IKE-1W.
  • The authentication mode is pre-shared secret. The pre-shared secret is test_key_1.

To configure this connection, perform the following steps on vRouter WEST in configuration mode.

Table 1. Creating a site-to-site connection from WEST to EAST (each step is followed by the command that performs it)

Create the node for EAST and set the authentication mode.

vyatta@WEST# set security vpn ipsec site-to-site peer 192.0.2.33 authentication mode pre-shared-secret

Navigate to the node for the peer for easier editing.

vyatta@WEST# edit security vpn ipsec site-to-site peer 192.0.2.33

[edit security vpn ipsec site-to-site peer 192.0.2.33]

Provide the pre-shared secret that the two peers use to authenticate each other. EAST must be configured with exactly the same string.

vyatta@WEST# set authentication pre-shared-secret test_key_1

[edit security vpn ipsec site-to-site peer 192.0.2.33]

Specify the default ESP group for all tunnels.

vyatta@WEST# set default-esp-group ESP-1W

[edit security vpn ipsec site-to-site peer 192.0.2.33]

Specify the IKE group.

vyatta@WEST# set ike-group IKE-1W

[edit security vpn ipsec site-to-site peer 192.0.2.33]

Identify the IP address on this Vyatta router to be used for this connection.

vyatta@WEST# set local-address 192.0.2.1

[edit security vpn ipsec site-to-site peer 192.0.2.33]

Create a tunnel configuration, and provide the local subnet for this tunnel.

Note: When configuring an IPsec site-to-site tunnel, if no address within the configured local prefix is present on this router, IPsec fails to install the kernel route for the tunnel. The workaround is to configure an address from that subnet on a loopback or data plane interface.
vyatta@WEST# set tunnel 1 local prefix 192.168.40.0/24

[edit security vpn ipsec site-to-site peer 192.0.2.33]

Provide the remote subnet for the tunnel.

vyatta@WEST# set tunnel 1 remote prefix 192.168.60.0/24

[edit security vpn ipsec site-to-site peer 192.0.2.33]

Return to the top of the configuration tree.

vyatta@WEST# top

Now commit the configuration.

vyatta@WEST# commit

View the configuration for the site-to-site connection.

vyatta@WEST# show security vpn ipsec site-to-site peer 192.0.2.33

    authentication {
        mode pre-shared-secret
        pre-shared-secret test_key_1
    }
    default-esp-group ESP-1W
    ike-group IKE-1W
    local-address 192.0.2.1
    tunnel 1 {
        local {
            prefix 192.168.40.0/24
        }
        remote {
            prefix 192.168.60.0/24
        }
    }

View the address configuration of data plane interface dp0p1p2; local-address must be one of the addresses configured here.

vyatta@WEST# show interfaces dataplane dp0p1p2 address

 address 192.0.2.1/27
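
The following is an added example, not Vyatta code and not part of the original page. It encodes the requirements this procedure states as checks that can be run before committing both ends of the tunnel: the local-address must already be configured on an interface; each tunnel's local prefix must contain an address present on the router, or the kernel route is not installed; the pre-shared secret must be identical on both peers; and the peer address, local-address and prefixes on EAST must mirror WEST's. It also renders the mirrored set commands for EAST. WEST's values are taken from this page; EAST's group names (IKE-1E, ESP-1E) and the LAN-side interface addresses on both routers (dp0p1p3 on WEST, dp0p1p2 on EAST) are assumptions made up for the example.

```python
"""Added example (not Vyatta code): pre-commit consistency checks for a pair of
site-to-site peer definitions, and rendering of the mirrored 'set' commands.

WEST's values are the page's. EAST's group names (IKE-1E, ESP-1E) and the
LAN-side interface addresses (dp0p1p3 on WEST, dp0p1p2 on EAST) are assumed."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass
class Peer:
    name: str
    peer: str                               # remote gateway address
    local_address: str                      # this router's tunnel endpoint
    psk: str
    ike_group: str
    esp_group: str
    tunnels: Dict[int, Tuple[str, str]]     # tunnel id -> (local prefix, remote prefix)
    interfaces: Dict[str, List[str]]        # interface -> CIDR addresses configured on it


def _router_addresses(p: Peer) -> List[ipaddress.IPv4Address]:
    return [ipaddress.ip_interface(a).ip for addrs in p.interfaces.values() for a in addrs]


def check_peer(p: Peer) -> List[str]:
    """Checks that depend only on one router's own configuration."""
    problems = []
    addrs = _router_addresses(p)
    # local-address must be pre-configured on an interface enabled for VPN.
    if ipaddress.ip_address(p.local_address) not in addrs:
        problems.append(f"{p.name}: local-address {p.local_address} is not configured on any interface")
    # Each local prefix needs a router address inside it, or the kernel route is not installed.
    for tid, (local, _remote) in p.tunnels.items():
        if not any(a in ipaddress.ip_network(local) for a in addrs):
            problems.append(f"{p.name}: tunnel {tid} local prefix {local} contains no router address; "
                            "kernel route will not be installed")
    return problems


def check_pair(a: Peer, b: Peer) -> List[str]:
    """Checks across both ends of the tunnel."""
    problems = check_peer(a) + check_peer(b)
    if a.psk != b.psk:
        problems.append("pre-shared-secret differs between peers")
    if a.peer != b.local_address or b.peer != a.local_address:
        problems.append("peer address on one side is not the local-address of the other")
    for tid, (local, remote) in a.tunnels.items():
        if b.tunnels.get(tid) != (remote, local):
            problems.append(f"tunnel {tid}: prefixes on {b.name} are not the mirror of {a.name}")
    return problems


def render(p: Peer) -> List[str]:
    """Emit the 'set' commands for one router in the order this page uses."""
    base = f"set security vpn ipsec site-to-site peer {p.peer}"
    cmds = [f"{base} authentication mode pre-shared-secret",
            f"{base} authentication pre-shared-secret {p.psk}",
            f"{base} default-esp-group {p.esp_group}",
            f"{base} ike-group {p.ike_group}",
            f"{base} local-address {p.local_address}"]
    for tid, (local, remote) in sorted(p.tunnels.items()):
        cmds.append(f"{base} tunnel {tid} local prefix {local}")
        cmds.append(f"{base} tunnel {tid} remote prefix {remote}")
    return cmds


WEST = Peer("WEST", peer="192.0.2.33", local_address="192.0.2.1", psk="test_key_1",
            ike_group="IKE-1W", esp_group="ESP-1W",
            tunnels={1: ("192.168.40.0/24", "192.168.60.0/24")},
            interfaces={"dp0p1p2": ["192.0.2.1/27"], "dp0p1p3": ["192.168.40.1/24"]})  # dp0p1p3 assumed
EAST = Peer("EAST", peer="192.0.2.1", local_address="192.0.2.33", psk="test_key_1",
            ike_group="IKE-1E", esp_group="ESP-1E",          # group names assumed
            tunnels={1: ("192.168.60.0/24", "192.168.40.0/24")},
            interfaces={"dp0p1p1": ["192.0.2.33/27"], "dp0p1p2": ["192.168.60.1/24"]})  # LAN address assumed

if __name__ == "__main__":
    print("\n".join(render(EAST)))
    print("problems:", check_pair(WEST, EAST) or "none")
    # The failure in this page's note: no router address inside the local prefix.
    no_lan = replace(WEST, interfaces={"dp0p1p2": ["192.0.2.1/27"]})
    print("problems:", check_pair(no_lan, EAST))
```

With the constructed addresses the pair passes cleanly and the EAST commands come out as the exact mirror of the WEST steps above. Removing WEST's 192.168.40.1/24 address reproduces the condition described in the note about the kernel route, and changing one secret by a single character is caught before either side commits, which is worth having because a PSK mismatch otherwise only shows up as an IKE authentication failure at negotiation time.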