Vyatta NOS documentation


Modify WEST's connection to EAST

This task modifies the connection from WEST to EAST to use X.509 certificates for authentication. In this example:

  • The authentication mode is changed from pre-shared secret to X.509 certificates.
  • The certificate for the peer is identified using its Distinguished Name information. This is the information prompted for when creating the certificate signing request (CSR) file on the peer.
  • The locations of the CA certificate, the server certificate, and the private key file for the server are specified.

To modify the site-to-site connection to use X.509 certificate authentication, perform the following steps:

Table 1. Configure WEST for X.509 certificate authentication
Step Command

Remove the pre-shared key.

vyatta@WEST# delete security vpn ipsec site-to-site peer 192.0.2.33 authentication pre-shared-secret

Change the authentication mode.

vyatta@WEST# set security vpn ipsec site-to-site peer 192.0.2.33 authentication mode x509

Specify the distinguished name (DN) of the peer's certificate.

vyatta@WEST# set security vpn ipsec site-to-site peer 192.0.2.33 authentication remote-id "C=US, ST=CA, O=ABC Company, CN=east, emailAddress=root@abc.com"

Specify the location of the CA certificate.

vyatta@WEST# set security vpn ipsec site-to-site peer 192.0.2.33 authentication x509 ca-cert-file /config/auth/ca.crt

Specify the location of the server certificate.

vyatta@WEST# set security vpn ipsec site-to-site peer 192.0.2.33 authentication x509 cert-file /config/auth/west.crt

Specify the location of the server key file.

vyatta@WEST# set security vpn ipsec site-to-site peer 192.0.2.33 authentication x509 key file /config/auth/west.key

Specify the password for the server key file.

vyatta@WEST# set security vpn ipsec site-to-site peer 192.0.2.33 authentication x509 key password testpwd-west

Commit the configuration.

vyatta@WEST# commit

View the modified configuration for the site-to-site connection.

vyatta@WEST# show security vpn ipsec site-to-site peer 192.0.2.33

    authentication {
        mode x509
        remote-id "C=US, ST=CA, O=ABC Company, CN=east, emailAddress=root@abc.com"
        x509 {
            ca-cert-file /config/auth/ca.crt
            cert-file /config/auth/west.crt
            key {
                file /config/auth/west.key
                password testpwd-west
            }
        }
    }
    default-esp-group ESP-1W
    ike-group IKE-1W
    local-address 192.0.2.1
    tunnel 1 {
        local {
            prefix 192.168.40.0/24
        }
        remote {
            prefix 192.168.60.0/24
        }
    }

View the address configuration of data plane interface dp0p1p2. The local-address of the peer is set to this address.

vyatta@WEST# show interfaces dataplane dp0p1p2 address

    address 192.0.2.1/27
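After committing, it is worth checking the resulting peer configuration mechanically rather than by eye: the remote-id must match the subject DN the peer put in its CSR, the old pre-shared secret must be gone, and all three certificate and key paths must be present. The following script is an added example and is not part of the Vyatta documentation or the Vyatta NOS software. It parses the text that `show security vpn ipsec site-to-site peer` prints (a constructed copy of the output above is embedded in the script) and compares the configured remote-id with an expected DN. The DN comparison treats attribute types as case-insensitive and the order of RDNs as significant; that ordering rule is an assumption of the example, not something the page states about the IKE daemon.

```python
"""Audit a Vyatta NOS site-to-site peer for X.509 authentication settings.

Added example (not the documentation's or the project's own code). It checks
the text printed by `show security vpn ipsec site-to-site peer <addr>`.
"""
import re

# Constructed sample: the show output from the documentation, with the
# remote-id wrapped over two lines the way the CLI prints it.
SAMPLE_SHOW_OUTPUT = """\
    authentication {
        mode x509
        remote-id "C=US, ST=CA, O=ABC Company, CN=east,
                    emailAddress=root@abc.com"
        x509 {
            ca-cert-file /config/auth/ca.crt
            cert-file /config/auth/west.crt
            key {
                file /config/auth/west.key
                password testpwd-west
            }
        }
    }
    default-esp-group ESP-1W
    ike-group IKE-1W
    local-address 192.0.2.1
"""

# Settings the audit extracts from the show output.
AUDITED_KEYS = ("mode", "remote-id", "ca-cert-file", "cert-file",
                "file", "password", "pre-shared-secret")


def parse_dn(dn):
    """Split an RFC 4514-style DN into ordered (type, value) pairs.

    Commas escaped as '\\,' stay inside the value. Attribute types are
    lower-cased and surrounding whitespace is dropped, so 'CN=east' and
    ' cn = east' compare equal; values themselves stay case-sensitive.
    """
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        if '=' not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        typ, val = rdn.split('=', 1)
        pairs.append((typ.strip().lower(), val.strip().replace('\\,', ',')))
    return pairs


def parse_peer_config(text):
    """Flatten the show output into a dict of the audited settings."""
    # Re-join a quoted value that the CLI wrapped across several lines.
    flat = re.sub(r'"([^"]*)"',
                  lambda m: '"' + ' '.join(m.group(1).split()) + '"',
                  text, flags=re.S)
    cfg = {}
    for key in AUDITED_KEYS:
        # A line of the form:  <indent><key> <value>   (value may be quoted)
        m = re.search(rf'^\s*{re.escape(key)}\s+"?([^"\n]+?)"?\s*$',
                      flat, flags=re.M)
        if m:
            cfg[key] = m.group(1)
    return cfg


def audit_x509_peer(text, expected_peer_dn):
    """Return a list of findings; an empty list means the peer passes."""
    cfg = parse_peer_config(text)
    findings = []
    if cfg.get("mode") != "x509":
        findings.append("authentication mode is not x509")
    if "pre-shared-secret" in cfg:
        findings.append("a pre-shared-secret is still configured")
    for key in ("ca-cert-file", "cert-file", "file"):
        if key not in cfg:
            findings.append(f"missing x509 {key}")
    try:
        if parse_dn(cfg.get("remote-id", "")) != parse_dn(expected_peer_dn):
            findings.append("remote-id does not match the peer certificate subject")
    except ValueError as exc:
        findings.append(f"remote-id is not a valid DN: {exc}")
    return findings


if __name__ == "__main__":
    expected = "C=US, ST=CA, O=ABC Company, CN=east, emailAddress=root@abc.com"
    problems = audit_x509_peer(SAMPLE_SHOW_OUTPUT, expected)
    print("OK" if not problems else "\n".join(problems))
```

To use it against a live system, paste the output of `show security vpn ipsec site-to-site peer 192.0.2.33` in place of the sample and pass the subject DN from the peer's CSR as `expected_peer_dn`; a non-empty result lists exactly what still differs from the configuration the table above produces.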