Vyatta NOS documentation


Configure WEST

This task defines configuration changes for a new site-to-site connection to EAST.

  • The main change is how the peer is specified. Instead of an IP address, the peer is identified by the hostname for EAST, “east.company.com”, which is the hostname that EAST registers with the dynamic DNS provider. Because this hostname resolves to EAST's current IP address, WEST can both initiate IPsec connections to EAST and receive IPsec connections from it. Note that DNS only selects which address WEST talks to; EAST is authenticated by IKE (here, the pre-shared secret), so a stale or hijacked DNS record can misdirect WEST's connection attempts but cannot complete a tunnel without the secret.
  • The other important change is to configure auto-update so that the hostname is re-resolved periodically and, if EAST's IP address has changed, the IPsec connection to EAST is restarted automatically.

To configure this connection, perform the following steps on WEST in configuration mode.

Table 1. Creating a site-to-site connection to a peer with a dynamic IP address and using dynamic DNS
Step Command

Delete the previous configuration.

vyatta@WEST# delete security vpn ipsec site-to-site peer 192.0.2.33

Create the node for EAST and set the authentication mode.

vyatta@WEST# set security vpn ipsec site-to-site peer east.company.com authentication mode pre-shared-secret

Navigate to the node for the peer for easier editing.

vyatta@WEST# edit security vpn ipsec site-to-site peer east.company.com

[edit security vpn ipsec site-to-site peer east.company.com]

Provide the pre-shared secret used to authenticate the peers. Both WEST and EAST must be configured with the same string; test_key_1 is a placeholder for this example, and a production deployment should use a long, randomly generated secret.

vyatta@WEST# set authentication pre-shared-secret test_key_1

[edit security vpn ipsec site-to-site peer east.company.com]

Specify the default ESP group for all tunnels.

vyatta@WEST# set default-esp-group ESP-1W

[edit security vpn ipsec site-to-site peer east.company.com]

Specify the IKE group.

vyatta@WEST# set ike-group IKE-1W

[edit security vpn ipsec site-to-site peer east.company.com]

Identify the IP address on this Vyatta router to be used for this connection.

vyatta@WEST# set local-address 192.0.2.1

[edit security vpn ipsec site-to-site peer east.company.com]

Create a tunnel configuration, and provide the local subnet for this tunnel.

vyatta@WEST# set tunnel 1 local prefix 192.168.40.0/24

[edit security vpn ipsec site-to-site peer east.company.com]

Provide the remote subnet for the tunnel.

vyatta@WEST# set tunnel 1 remote prefix 192.168.60.0/24

[edit security vpn ipsec site-to-site peer east.company.com]

Return to the top of the configuration tree.

vyatta@WEST# top

Commit the configuration.

vyatta@WEST# commit

View the configuration for the site-to-site connection.

vyatta@WEST# show security vpn ipsec site-to-site peer east.company.com

    authentication {
        mode pre-shared-secret
        pre-shared-secret test_key_1
    }
    default-esp-group ESP-1W
    ike-group IKE-1W
    local-address 192.0.2.1
    tunnel 1 {
        local {
            prefix 192.168.40.0/24
        }
        remote {
            prefix 192.168.60.0/24
        }
    }

View the address configuration of data plane interface dp0p1p2. The local-address configured above must be one of the addresses assigned to this interface.

vyatta@WEST# show interfaces dataplane dp0p1p2 address

 address 192.0.2.1/27

Specify that the peer's hostname should be re-resolved every 60 seconds. If EAST's IP address has changed, the new address is obtained from the dynamic DNS service provider and the IPsec connection is restarted.

vyatta@WEST# set security vpn ipsec auto-update 60

[edit]

Commit the configuration.

vyatta@WEST# commit

View the configuration.

vyatta@WEST# show security vpn ipsec auto-update

 auto-update 60
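The following is an added example and is not part of the Vyatta documentation or the Vyatta NOS implementation. It models the behaviour the procedure above relies on: a peer identified by hostname is re-resolved on a fixed interval, the tunnel is restarted only when the resolved address actually changes, and a failed lookup leaves the existing tunnel alone rather than tearing it down. It also includes the sanity check performed by the `show interfaces dataplane` step, confirming that the chosen local-address lies within an address configured on the interface. The resolver, the hostname `east.company.com`, the addresses in the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges, and the `DynamicPeer` class are all constructed for this example.

```python
"""Model of a dynamic-DNS IPsec peer refresh (example only, not Vyatta code)."""
from dataclasses import dataclass, field
import ipaddress
from typing import Callable, List, Optional, Tuple

# A resolver maps a hostname to a dotted-quad string, or None on lookup failure.
Resolver = Callable[[str], Optional[str]]


@dataclass
class DynamicPeer:
    """State for one site-to-site peer that is configured by hostname."""
    hostname: str
    resolve: Resolver
    current_address: Optional[str] = None
    restarts: List[str] = field(default_factory=list)  # addresses we restarted to

    def refresh(self) -> bool:
        """Re-resolve the peer; return True if the tunnel had to be restarted."""
        addr = self.resolve(self.hostname)
        if addr is None:
            # Lookup failed: keep the existing SA instead of dropping the tunnel.
            return False
        ipaddress.ip_address(addr)  # reject garbage before acting on it
        if addr == self.current_address:
            return False  # same address as last time, nothing to do
        self.current_address = addr
        self.restarts.append(addr)
        return True


def scripted_resolver(answers: List[Optional[str]]) -> Resolver:
    """Constructed resolver that replays a fixed sequence of DNS answers."""
    it = iter(answers)
    last: List[Optional[str]] = [None]

    def resolve(_hostname: str) -> Optional[str]:
        try:
            last[0] = next(it)
        except StopIteration:
            pass  # keep returning the final answer once the script is exhausted
        return last[0]

    return resolve


def simulate(answers: List[Optional[str]], interval: int = 60,
             hostname: str = "east.company.com") -> List[Tuple[int, bool, Optional[str]]]:
    """Run one refresh per interval; return (seconds, restarted, address) per tick."""
    peer = DynamicPeer(hostname, scripted_resolver(answers))
    return [(tick * interval, peer.refresh(), peer.current_address)
            for tick in range(len(answers))]


def check_local_address(local_address: str, interface_address: str) -> bool:
    """True if local-address falls inside the interface's configured prefix."""
    iface = ipaddress.ip_interface(interface_address)
    return ipaddress.ip_address(local_address) in iface.network


if __name__ == "__main__":
    # Constructed DNS history: stable, stable, one failed lookup, then a new address.
    for seconds, restarted, addr in simulate(
            ["198.51.100.10", "198.51.100.10", None, "203.0.113.5"]):
        print(f"t={seconds:>4}s restart={restarted!s:<5} peer={addr}")
    print("local-address ok:", check_local_address("192.0.2.1", "192.0.2.1/27"))
```

The restart-on-change rule is the important design point: restarting on every tick would drop the tunnel every 60 seconds even when nothing moved, and restarting on a failed lookup would let a transient DNS outage take down a tunnel that was working. The interval (60 seconds here, matching the `auto-update 60` setting above) bounds how long traffic is black-holed after EAST's address changes.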