IPsec RA VPN server considerations
An outline of configuration settings and operational tasks that you may need to consider for management of the IPsec RA VPN server.
Revoke RA VPN client access
An example of how to revoke an IPsec RA VPN client certificate.
Create a VFP interface (to support firewall rules for client traffic)
An example of how to apply firewall rules on IPsec policy-based VPN traffic with Vyatta NOS.
user@system# set interfaces virtual-feature-point vfp1
user@system# set security vpn ipsec remote-access-server profile TENANT1 tunnel 1 local network 10.100.0.0/24
user@system# set security vpn ipsec remote-access-server profile TENANT1 tunnel 1 uses vfp1
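The commands above create the VFP and bind it to the tunnel but do not show the firewall ruleset itself; the following completes that step. This is an added example and not part of the original page: the ruleset name CLIENT_IN, the rule numbers, the permitted ports and the host 10.100.0.10 are assumptions, and the `firewall in` binding on a virtual-feature-point interface is assumed to follow the same Vyatta NOS syntax as other dataplane interfaces.

```text
# Added example (assumed names and values): filter decrypted RA VPN client
# traffic for TENANT1 before it reaches the local network 10.100.0.0/24.
user@system# set security firewall name CLIENT_IN default-action drop
user@system# set security firewall name CLIENT_IN default-log
user@system# set security firewall name CLIENT_IN rule 10 action accept
user@system# set security firewall name CLIENT_IN rule 10 protocol tcp
user@system# set security firewall name CLIENT_IN rule 10 destination address 10.100.0.10
user@system# set security firewall name CLIENT_IN rule 10 destination port 443
user@system# set security firewall name CLIENT_IN rule 20 action accept
user@system# set security firewall name CLIENT_IN rule 20 protocol icmp
# Bind the ruleset to the VFP; 'in' is assumed to be the direction of traffic
# arriving from the clients through the tunnel.
user@system# set interfaces virtual-feature-point vfp1 firewall in CLIENT_IN
user@system# commit
```

Everything not matched by rules 10 or 20 is dropped and logged by the default action, so unexpected client traffic shows up in the firewall log rather than reaching 10.100.0.0/24 silently.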
Reduce the output of logs, for better performance
An example that shows how to set the IPsec logging to the 'minimal' mode.
By default, the IPsec daemon is verbose. This can be useful while you troubleshoot the initial installation or triage problems, but it is not optimal for performance.
For day-to-day production use, we recommend the minimal log mode. This reduces the output of log messages, but still provides relevant information.
user@system# set security vpn ipsec logging log-modes minimal
Make the CRL cache persistent
An example that shows how to set the system to cache CRL files on a persistent basis. This helps to avoid operational issues that arise when the system reboots.
If a public CA is in use, the CRL must be downloaded again in its entirety whenever it expires or the IKE control plane is restarted.
By default, the downloaded CRL is lost when the IKE control plane restarts or the system reboots, so we recommend that you make the CRL cache persistent.
user@system# set security vpn x509 status crl cache
The cached CRL is cleared when the operational command clear vpn x509 status is called.
Disable OCSP/CRL revocation checks
When you don't use a PKI or CA, you don't need OCSP/CRL revocation checks. Use these settings to set up the Vyatta NOS RA VPN solution in a simple, non-production manner for local testing purposes.
user@system# set security vpn x509 status crl disable
user@system# set security vpn x509 status ocsp disable
Set 'make before break' mode
Renegotiation of tunnel parameters or capabilities that are in use can disrupt and break the connection. 'Make before break' mode exists as a means to prevent such disruption.
This mode changes how IKE re-authentication is handled during renegotiation. The system creates the new IKE and CHILD SAs alongside the existing ones before renegotiation, and deletes the old SAs once renegotiation is complete.
The advantage of this mode is that it avoids tunnel interruption during renegotiation. However, both sides of the tunnel connection must be configured to support it. By default, the system clears all IKE and CHILD SAs before renegotiation. For RA VPN solutions, we recommend that you use make-before-break mode.
user@system# set security vpn ike make-before-break