Site-to-site mode with preshared secret
The following figure shows site-to-site VPN configured with preshared secret.
In this example:
- The physical IP addresses for V1 and V2 are 12.34.56.78 and 87.65.43.21, respectively.
- The tunnel IP addresses for V1 and V2 are 192.168.200.1 and 192.168.200.2, respectively.
- The subnet to be accessed from V1 (through V2 over the VPN) is 192.168.100.0/24.
- The subnet to be accessed from V2 (through V1 over the VPN) is 192.168.101.0/24.
To configure an OpenVPN tunnel, you create an interface of the openvpn type. The interface name has the form vtun*num*, where *num* is an integer; for example, vtun0, vtun1, and so on.
In addition, you must add a static interface route to direct traffic for the remote subnet through the vtun0 tunnel interface. For information on setting up static routes, see .
To configure the V1 endpoint, perform the following steps in configuration mode.
| Step | Command |
|---|---|
| Create the vtun0 configuration node. | |
| Set the tunnel IP address for the local endpoint. | |
| Set the OpenVPN mode to site-to-site. | |
| Set the tunnel IP address of the remote endpoint. | |
| Specify the physical IP address of the remote host. | |
| Specify the location of the file containing the preshared secret. | |
| Commit the change. | |
| Show the OpenVPN configuration. | |
To configure a static route to access the remote subnet through the OpenVPN tunnel, perform the following steps in configuration mode.
| Step | Command |
|---|---|
| Create the static route to access the remote subnet through the OpenVPN tunnel. | |
| Commit the change. | |
| Show the static routing configuration. | |
The V2 VPN endpoint is identical to the V1 endpoint, except that local and remote tunnel IP addresses are reversed. To configure the V2 endpoint, perform the following steps in configuration mode.
| Step | Command |
|---|---|
| Create the vtun0 configuration node. | |
| Set the tunnel IP address for the local endpoint. | |
| Set the OpenVPN mode to site-to-site. | |
| Set the tunnel IP address of the remote endpoint. | |
| Specify the physical IP address of the remote host. | |
| Specify the location of the file containing the preshared secret. | |
| Commit the change. | |
| Show the OpenVPN configuration. | |
Again, the shared secret file (created by generating the key with the generate openvpn key command on one system and then copying the key to the other system) must be the same on both endpoints: the path need not be the same, but the content must be. Note also that the remote-host option is required on only one of the endpoints; the site-to-site tunnel can be established as long as at least one endpoint has enough information to contact the other.
To configure a static route to access the remote subnet through the OpenVPN tunnel, perform the following steps in configuration mode.
| Step | Command |
|---|---|
| Create the static route to access the remote subnet through the OpenVPN tunnel. | |
| Commit the change. | |
| Show the static routing configuration. | |
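The two endpoint procedures above, written out as one complete configuration session for each router. This is an added example using the addresses given at the start of this section; it is not copied from the page's own command tables. It assumes the Vyatta-style `set interfaces openvpn` / `set protocols static interface-route` command hierarchy and an assumed secret file path of /config/auth/secret on both systems (the path on V2 may differ, as noted above).

```vyatta
# ===== V1: physical 12.34.56.78, tunnel 192.168.200.1 =====
# Operational mode: generate the preshared secret once, on V1 only.
# Copy the resulting file to V2 out of band (for example with scp) and do
# not generate a second key on V2, or the two secrets will not match.
generate openvpn key /config/auth/secret

# Configuration mode.
configure
set interfaces openvpn vtun0
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 local-address 192.168.200.1
set interfaces openvpn vtun0 remote-address 192.168.200.2
set interfaces openvpn vtun0 remote-host 87.65.43.21
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
# Static interface route: the subnet reached from V1 goes through the tunnel.
set protocols static interface-route 192.168.100.0/24 next-hop-interface vtun0
commit
show interfaces openvpn vtun0
show protocols static
exit

# ===== V2: physical 87.65.43.21, tunnel 192.168.200.2 =====
# Identical to V1 except that local and remote tunnel addresses are swapped,
# the remote-host points back at V1, and the routed subnet is V2's.
configure
set interfaces openvpn vtun0
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 local-address 192.168.200.2
set interfaces openvpn vtun0 remote-address 192.168.200.1
# remote-host is needed on only one side; V1 already has it, so this line
# is optional on V2 and is shown for symmetry.
set interfaces openvpn vtun0 remote-host 12.34.56.78
# Same key content as on V1; the path is an assumption and may differ.
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
set protocols static interface-route 192.168.101.0/24 next-hop-interface vtun0
commit
show interfaces openvpn vtun0
show protocols static
exit
```

Before committing on V2, compare a checksum of the secret file on both routers: a static key is the only authentication the tunnel has, so a mismatched copy fails silently at the handshake, and any host holding the file can establish the tunnel. Keep the file readable only by the administrative account and rotate it by regenerating on one side and redistributing, never by generating independently on each router.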