Vyatta documentation

IPsec RA VPN server considerations

An outline of configuration settings and operational tasks that you may need to consider for management of the IPsec RA VPN server.

Revoke RA VPN client access

An example of how to revoke an IPsec RA VPN client certificate.

Normally, a PKI/CA will revoke the client certificate. In a non-production test environment where you use self-signed certificates, you will need to manually revoke client certificates.
  1. Flush the certificate state caches on all IPsec RA VPN server instances.
    user@system:~$ clear vpn x509 status
  2. Terminate active client connections immediately, based on the client certificate subject.
    user@system:~$ reset vpn ipsec-remote-access-server profile <profile-name> peer <IP address, remote ID or certificate subject>

Create a VFP interface (to support firewall rules for client traffic)

An example of how to apply firewall rules on IPsec policy-based VPN traffic with Vyatta NOS.

To apply firewall rules on IPsec policy-based VPN traffic with Vyatta NOS, you must first bind a 'virtual feature point' (VFP) interface to the IPsec RA VPN server profile tunnel.
Create and bind a VFP to an IPsec server profile tunnel.
user@system# set interfaces virtual-feature-point vfp1
user@system# set security vpn ipsec remote-access-server profile TENANT1 tunnel 1 local network 10.100.0.0/24
user@system# set security vpn ipsec remote-access-server profile TENANT1 tunnel 1 uses vfp1
You can now assign firewall rules to the VFP interface in the same way that you would for any other interface type.

Reduce the output of logs, for better performance

An example that shows how to set the IPsec logging to the 'minimal' mode.

By default, the IPsec daemon is verbose. This can be useful while you troubleshoot the initial installation or triage problems, but it is not optimal for performance.

For day-to-day production use, we recommend the minimal log mode. This reduces the output of log messages, but still provides relevant information.

Set the IPsec logging behavior to the minimal mode.
user@system# set security vpn ipsec logging log-modes minimal
Overall performance will be better with logging in minimal mode than in the default mode.

Make the CRL cache persistent

An example that shows how to set the system to cache CRL files persistently. This helps to avoid operational issues that arise when the system reboots.

If a public CA is in use, the CRL must be downloaded in its entirety whenever the CRL expires or the IKE control plane has been restarted.

By default, the cached CRL is lost if the IKE control plane restarts or the system reboots, so we recommend that you make the CRL cache persistent.

Set the CRL cache to be persistent.
user@system# set security vpn x509 status crl cache
Note: CRL results are always cached in memory by the IKE control plane until clear vpn x509 status is called.
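Both the manual-revocation scenario above (self-signed certificates in a non-production test environment) and the CRL expiry behaviour described in this section can be exercised offline with a throwaway OpenSSL test CA. This is an added example, not Vyatta NOS tooling; it assumes openssl is in PATH, uses constructed names (TestCA, client1) and a working directory it creates itself, and shows the CRL reporting the client certificate as revoked together with the nextUpdate time after which the IKE control plane would have to fetch a fresh CRL.

```shell
set -e  # Throwaway test CA built with openssl (example tooling, not Vyatta NOS commands); assumes openssl in PATH.
# Create the CA, issue a client certificate and publish an initial, empty CRL.
setup_test_ca() {
  WORK=$(mktemp -d); cd "$WORK"
  mkdir newcerts; : > index.txt; echo 1000 > serial
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
private_key = ca.key
certificate = ca.crt
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ client_ext ]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -subj /CN=TestCA -days 30 2>/dev/null
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout client.key -out client.csr -subj /CN=client1 2>/dev/null
  openssl ca -batch -config ca.cnf -extensions client_ext -notext -in client.csr -out client.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}
# Revoke the client certificate and reissue the CRL (the step a real PKI/CA performs for you).
revoke_client() {
  openssl ca -config ca.cnf -revoke client.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}
# Prints OK, REVOKED, or the verify error for the client certificate against the current CRL.
check_client() {
  out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl client.crt 2>&1) && { echo OK; return 0; }
  case "$out" in *"certificate revoked"*) echo REVOKED ;; *) echo "ERROR: $out" ;; esac
}
# nextUpdate of the CRL: past this time the IKE control plane must fetch a fresh copy.
crl_next_update() { openssl crl -in ca.crl -noout -nextupdate | sed 's/^nextUpdate=//'; }

setup_test_ca; BEFORE=$(check_client); revoke_client; AFTER=$(check_client)
echo "client1 before revocation: $BEFORE, after: $AFTER; CRL nextUpdate: $(crl_next_update)"
```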

Disable OCSP/CRL revocation checks

When you don't use a PKI or CA, you don't need OCSP/CRL revocation checks. Use this setting to help set up the Vyatta NOS RA VPN solution in a simple non-production manner, for local testing purposes.

Set the server to disable OCSP/CRL revocation checks.
user@system# set security vpn x509 status crl disable
user@system# set security vpn x509 status ocsp disable
With these checks disabled, Vyatta NOS does not require external components for the RA VPN solution.

Set 'make before break' mode

Renegotiation of tunnel parameters or capabilities that are in use can disrupt and break the connection. 'Make before break' mode exists as a means to prevent such disruption.

This mode changes the way that IKE authentication occurs. The system sets up the new IKE and CHILD SAs while the existing ones stay in place during renegotiation. Once renegotiation is complete, the system deletes the old SAs.

The advantage of this mode is that it avoids tunnel interruption during renegotiation. However, both sides of the tunnel connection must be configured to support it. By default, the system will clear all IKE and CHILD SAs before renegotiation. For RA VPN solutions, we recommend that you use make-before-break mode.

Set make before break mode.
user@system# set security vpn ike make-before-break