Vyatta Network OS Documentation

Modify EAST's connection to WEST

This task modifies the connection from EAST to WEST to use X.509 certificates for authentication.

In this example:

  • The authentication mode is changed from pre-shared secret to X.509 certificates.
  • The certificate for the peer is identified by its 'distinguished name' (subject DN). This is the information you were prompted for when creating the certificate signing request (CSR); the string configured here must match the subject in the peer's certificate.
  • The locations of the CA certificate, the server certificate, and the private key file for the server are specified.

To modify the site-to-site connection to use X.509 certificate authentication, perform the following steps:

Table 1. Configure EAST for X.509 certificate authentication (each step is followed by the command that performs it)

Remove the pre-shared key.

vyatta@EAST# delete security vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret

Change the authentication mode.

vyatta@EAST# set security vpn ipsec site-to-site peer 192.0.2.1 authentication mode x509

Specify the 'distinguished name' of the certificate for the peer.

vyatta@EAST# set security vpn ipsec site-to-site peer 192.0.2.1 authentication remote-id "C=US, ST=CA, O=ABC Company, CN=west, emailAddress=root@abc.com"

Specify the location of the CA certificate.

vyatta@EAST# set security vpn ipsec site-to-site peer 192.0.2.1 authentication x509 ca-cert-file /config/auth/ca.crt

Specify the location of the server certificate.

vyatta@EAST# set security vpn ipsec site-to-site peer 192.0.2.1 authentication x509 cert-file /config/auth/east.crt

Specify the location of the server key file.

vyatta@EAST# set security vpn ipsec site-to-site peer 192.0.2.1 authentication x509 key file /config/auth/east.key

Specify the password for the server key file.

vyatta@EAST# set security vpn ipsec site-to-site peer 192.0.2.1 authentication x509 key password testpwd-east

Commit the configuration.

vyatta@EAST# commit

View the modified configuration for the site-to-site connection.

vyatta@EAST# show security vpn ipsec site-to-site peer 192.0.2.1

    authentication {
        mode x509
        remote-id "C=US, ST=CA, O=ABC Company, CN=west, emailAddress=root@abc.com"
        x509 {
            ca-cert-file /config/auth/ca.crt
            cert-file /config/auth/east.crt
            key {
                file /config/auth/east.key
                password testpwd-east
            }
        }
    }

View the address configuration of data plane interface dp0p1p1; local-address is set to this address.

vyatta@EAST# show interfaces dataplane dp0p1p1 address
 address 192.0.2.33/27
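The remote-id string configured above has to name exactly the subject carried in WEST's certificate, and a mismatch only shows up as an IKE authentication failure after commit. The following Python script is an added example, not part of the Vyatta documentation or the Vyatta NOS: it takes the subject line that `openssl x509 -in west.crt -noout -subject` prints (assumed to be either the "C = US, ST = CA, ..." layout of OpenSSL 1.1 and later or the "/C=US/ST=CA/..." layout of OpenSSL 1.0), renders it in the form the remote-id option uses, and compares it with the configured value before you commit. The sample subject lines and the configured remote-id are constructed to match the certificate described in this task; treating an exact, ordered attribute match as the pass criterion is an assumption made here, with an unordered comparison available as a relaxed check.

```python
"""Check a Vyatta x509 remote-id against a peer certificate subject.

Added example, not Vyatta code. Subject lines are assumed to come from
`openssl x509 -noout -subject`; both the OpenSSL 1.0 and 1.1+ layouts
are accepted.
"""
import re

# Constructed sample inputs for the certificate described in the task.
OPENSSL_11_SUBJECT = (
    "subject=C = US, ST = CA, O = ABC Company, CN = west, "
    "emailAddress = root@abc.com"
)
OPENSSL_10_SUBJECT = (
    "subject= /C=US/ST=CA/O=ABC Company/CN=west/emailAddress=root@abc.com"
)
CONFIGURED_REMOTE_ID = (
    '"C=US, ST=CA, O=ABC Company, CN=west, emailAddress=root@abc.com"'
)


def parse_dn(text):
    """Return the DN as an ordered list of (attribute, value) pairs.

    Accepts an optional "subject=" prefix, the slash-separated legacy
    layout, the comma-separated layout, and surrounding quotes.
    Commas inside a value must be escaped as "\\," (RFC 4514 style);
    slashes inside values are not supported in the legacy layout.
    """
    text = re.sub(r"^subject=\s*", "", text.strip()).strip().strip('"')
    if text.startswith("/"):
        parts = text[1:].split("/")
    else:
        parts = re.split(r"(?<!\\),", text)  # split on unescaped commas
    pairs = []
    for part in parts:
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr.strip(), value.strip().replace("\\,", ",")))
    return pairs


def to_remote_id(pairs):
    """Render pairs the way the Vyatta remote-id option is written."""
    return ", ".join(f"{attr}={value}" for attr, value in pairs)


def remote_id_matches(configured, cert_subject, ordered=True):
    """True if the configured remote-id names the certificate's subject.

    Assumption: an exact, ordered attribute match is the safe criterion
    and is the default; ordered=False relaxes it to a set comparison.
    """
    configured_pairs = parse_dn(configured)
    subject_pairs = parse_dn(cert_subject)
    if ordered:
        return configured_pairs == subject_pairs
    return sorted(configured_pairs) == sorted(subject_pairs)


if __name__ == "__main__":
    for subject in (OPENSSL_11_SUBJECT, OPENSSL_10_SUBJECT):
        print("certificate subject as remote-id:", to_remote_id(parse_dn(subject)))
        print("matches configured remote-id:", remote_id_matches(CONFIGURED_REMOTE_ID, subject))
```

Run it with the real subject line of west.crt pasted in place of the constructed samples; if `remote_id_matches` returns False with `ordered=True` but True with `ordered=False`, the attributes are present but in a different order, which is worth fixing in the remote-id string rather than relying on the peer's matching rules.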