Vyatta Network OS Documentation


Site-to-site mode with TLS

When TLS is used in site-to-site mode, the vRouter configuration is the same as described in the previous section, except that you must configure TLS-related options instead of the shared-secret-key-file option. As previously discussed, one endpoint takes the passive role and the other takes the active role.

Each endpoint must also have the following files, which are required for the TLS protocol.

  • Certificate Authority (CA) certificate file: This file contains the certificate of the CA, which is used to validate the certificate of the other endpoint.
  • Host certificate file: This file contains the certificate of the endpoint, which is presented to the other endpoint during the TLS negotiation.
  • Host key file: This file contains the private key of the endpoint, which is kept secret from anybody else.
  • Certificate revocation list (CRL) file: (Optional) This file contains a list of certificates that have been revoked, which prevents endpoints with these certificates from establishing a VPN tunnel.
  • DH parameters file: (Only needed by the passive endpoint) This file contains Diffie-Hellman parameters that are required only by the endpoint taking the passive role in the TLS negotiation.

More information about these files is available in the OpenVPN documentation.

The configuration that follows corresponds to the configuration for the example in the previous section. Assume that the necessary files have been generated and distributed to each endpoint and that V1 and V2 are passive and active, respectively.

To configure V1 for a site-to-site VPN with TLS, perform the following steps in configuration mode.

Table 1. V1 OpenVPN configuration: site-to-site with TLS
Step Command

Create the vtun0 configuration node.

vyatta@V1# set interfaces openvpn vtun0

Set the local IP address of the VPN tunnel.

vyatta@V1# set interfaces openvpn vtun0 local-address 192.168.200.1

Set the OpenVPN mode.

vyatta@V1# set interfaces openvpn vtun0 mode site-to-site

Set the remote IP address of the VPN tunnel.

vyatta@V1# set interfaces openvpn vtun0 remote-address 192.168.200.2

Specify the physical IP address of the remote host.

vyatta@V1# set interfaces openvpn vtun0 remote-host 87.65.43.21

Set the role of this endpoint.

vyatta@V1# set interfaces openvpn vtun0 tls role passive

Specify the location of the CA certificate file.

vyatta@V1# set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt

Specify the location of the host certificate file.

vyatta@V1# set interfaces openvpn vtun0 tls cert-file /config/auth/V1.crt

Specify the location of the CRL file.

vyatta@V1# set interfaces openvpn vtun0 tls crl-file /config/auth/crl.pem

Specify the location of the DH file.

vyatta@V1# set interfaces openvpn vtun0 tls dh-file /config/auth/dh1024.pem

Specify the location of the host key file.

vyatta@V1# set interfaces openvpn vtun0 tls key-file /config/auth/V1.key

Commit the change.

vyatta@V1# commit

Show the OpenVPN configuration.

vyatta@V1# show interfaces openvpn vtun0
 local-address 192.168.200.1
 mode site-to-site
 remote-address 192.168.200.2
 remote-host 87.65.43.21
 tls {
    role passive
    ca-cert-file /config/auth/ca.crt
    cert-file /config/auth/V1.crt
    crl-file /config/auth/crl.pem
    dh-file /config/auth/dh1024.pem
    key-file /config/auth/V1.key
 }

Note that the configuration is the same as in the previous section except that the shared-secret-key-file option has been replaced by tls options. The V1 endpoint takes the passive role, so the dh-file option is required. The crl-file option is also specified in this example.

To configure V2 for a site-to-site VPN with TLS, perform the following steps in configuration mode.

Table 2. V2 OpenVPN configuration: site-to-site with TLS
Step Command

Create the vtun0 configuration node.

vyatta@V2# set interfaces openvpn vtun0

Set the local IP address of the VPN tunnel.

vyatta@V2# set interfaces openvpn vtun0 local-address 192.168.200.2

Set the OpenVPN mode.

vyatta@V2# set interfaces openvpn vtun0 mode site-to-site

Set the remote IP address of the VPN tunnel.

vyatta@V2# set interfaces openvpn vtun0 remote-address 192.168.200.1

Specify the physical IP address of the remote host.

vyatta@V2# set interfaces openvpn vtun0 remote-host 12.34.56.78

Set the role of this endpoint.

vyatta@V2# set interfaces openvpn vtun0 tls role active

Specify the location of the CA certificate file.

vyatta@V2# set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt

Specify the location of the host certificate file.

vyatta@V2# set interfaces openvpn vtun0 tls cert-file /config/auth/V2.crt

Specify the location of the host key file.

vyatta@V2# set interfaces openvpn vtun0 tls key-file /config/auth/V2.key

Commit the change.

vyatta@V2# commit

Show the OpenVPN configuration.

vyatta@V2# show interfaces openvpn vtun0
 local-address 192.168.200.2
 mode site-to-site
 remote-address 192.168.200.1
 remote-host 12.34.56.78
 tls {
    role active
    ca-cert-file /config/auth/ca.crt
    cert-file /config/auth/V2.crt
    key-file /config/auth/V2.key
 }

The configuration is the same as for V2 in the previous section, except that tls options are specified instead of the shared-secret-key-file option. Compared with V1, the crl-file option is not specified and, because the V2 endpoint takes the active role, the dh-file option is not needed.
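A small consistency check for the two configurations above, added here as an example and not part of the Vyatta NOS or its documentation: it parses the show interfaces openvpn vtun0 output of V1 and V2 (transcribed from the procedures above as sample input) and reports a missing CA certificate, host certificate or host key, a passive endpoint without a dh-file, and tunnel addresses or roles that do not match between the two endpoints.

```python
# Output of "show interfaces openvpn vtun0" on V1 and V2, as shown above.
V1_SHOW = """local-address 192.168.200.1
mode site-to-site
remote-address 192.168.200.2
remote-host 87.65.43.21
tls {
    role passive
    ca-cert-file /config/auth/ca.crt
    cert-file /config/auth/V1.crt
    crl-file /config/auth/crl.pem
    dh-file /config/auth/dh1024.pem
    key-file /config/auth/V1.key
}"""
V2_SHOW = """local-address 192.168.200.2
mode site-to-site
remote-address 192.168.200.1
remote-host 12.34.56.78
tls {
    role active
    ca-cert-file /config/auth/ca.crt
    cert-file /config/auth/V2.crt
    key-file /config/auth/V2.key
}"""
def parse_show(text):
    # Flatten the brace-style output into {"tls role": "passive", ...}.
    cfg, prefix = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("{"):
            prefix.append(line[:-1].strip())
        elif line == "}":
            prefix.pop()
        else:
            key, _, value = line.partition(" ")
            cfg[" ".join(prefix + [key])] = value
    return cfg

def lint_endpoint(cfg):
    # Every endpoint needs CA cert, host cert and key; only passive needs dh-file.
    need = ["role", "ca-cert-file", "cert-file", "key-file"]
    need += ["dh-file"] if cfg.get("tls role") == "passive" else []
    return [f"missing tls {k}" for k in need if f"tls {k}" not in cfg]

def lint_pair(a, b):
    problems = lint_endpoint(a) + lint_endpoint(b)
    if (a.get("local-address"), b.get("local-address")) != (
            b.get("remote-address"), a.get("remote-address")):
        problems.append("tunnel addresses do not mirror each other")
    if {a.get("tls role"), b.get("tls role")} != {"active", "passive"}:
        problems.append("one endpoint must be passive and the other active")
    return problems
```

Calling lint_pair(parse_show(V1_SHOW), parse_show(V2_SHOW)) returns an empty list for the configurations above; removing the dh-file line from V1 or setting both roles to active produces a problem entry.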