Vyatta documentation

Learn how to install, configure, and operate the Vyatta Network Operating System (Vyatta NOS) and Orchestrator, which help drive our virtual networking and physical platforms portfolio.

Initiate the IPsec site-to-site VPN tunnel (Fedora/RHEL/CentOS)

An example of how to initiate a tunnel connection that you've already configured.

  1. Load the tunnel connection configuration into the IKE daemon (`-c` is the short form of `swanctl --load-conns`).
    $ swanctl -c
  2. Initiate the tunnel connection. In initiate mode `-c` names the CHILD_SA (tunnel-1) and `-i` names the IKE_SA (devcloud1).
    $ swanctl -i -c tunnel-1 -i devcloud1
    [IKE] initiating IKE_SA devcloud1[1] to 169.61.111.164
    [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    [NET] sending packet: from 172.16.0.4[500] to 10.10.2.3[500] (264 bytes)
    [NET] received packet: from 10.10.2.3[500] to 172.16.0.4[500] (341 bytes)
    [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
    [CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
    [IKE] local host is behind NAT, sending keep alives
    [IKE] received cert request for "C=UK, O=RAVPNWhitePaper, OU=RAVPNWhitePaper Test CA, CN=RAVPNWhitePaper Test Root CA"
    [IKE] received cert request for "C=UK, O=RAVPNWhitePaper, OU=RAVPNWhitePaper Test CA, CN=RAVPNWhitePaper Test Root CA"
    [IKE] received 2 cert requests for an unknown ca
    [IKE] sending cert request for "C=UK, O=RAVPNWhitePaper, OU=RAVPNWhitePaper Test CA, CN=RAVPNWhitePaper Test Root CA"
    [IKE] authentication of 'devcloud1.vpn.am' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
    [IKE] sending end entity cert "C=UK, O=RAVPNWhitePaper, CN=devcloud1.vpn.am"
    [IKE] establishing CHILD_SA tunnel-1{1}
    [ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    [NET] sending packet: from 172.16.0.4[4500] to 10.10.2.3[4500] (1607 bytes)
    [NET] received packet: from 10.10.2.3[4500] to 172.16.0.4[4500] (1500 bytes)
    [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
    [IKE] received end entity cert "C=UK, O=RAVPNWhitePaper, CN=server.vpn.am"
    [CFG] using certificate "C=UK, O=RAVPNWhitePaper, CN=server.vpn.am"
    [CFG] using trusted ca certificate "C=UK, O=RAVPNWhitePaper, OU=RAVPNWhitePaper Test CA, CN=RAVPNWhitePaper Test Root CA"
    [CFG] checking certificate status of "C=UK, O=RAVPNWhitePaper, CN=server.vpn.am"
    [CFG] fetching crl from 'http://crl.vpn.am/ca/root-ca.crl' ...
    [CFG] using trusted certificate "C=UK, O=RAVPNWhitePaper, OU=RAVPNWhitePaper Test CA, CN=RAVPNWhitePaper Test Root CA"
    [CFG] crl correctly signed by "C=UK, O=RAVPNWhitePaper, OU=RAVPNWhitePaper Test CA, CN=RAVPNWhitePaper Test Root CA"
    [CFG] crl is valid: until Jan 28 03:04:53 2020
    [CFG] certificate status is good
    [CFG] reached self-signed root ca with a path length of 0
    [IKE] authentication of 'hub.vpn.am' with RSA_EMSA_PKCS1_SHA2_256 successful
    [IKE] IKE_SA spoke3[1] established between 172.16.0.4[devcloud1.vpn.am]...10.10.2.3[server.vpn.am]
    [IKE] scheduling rekeying in 13313s
    [IKE] maximum IKE_SA lifetime 14753s
    [CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
    [IKE] CHILD_SA spoke3-vti{1} established with SPIs c75e729c_i c2f7bd8a_o and TS 10.200.0.0/24 === 0.0.0.0/0
    [IKE] received AUTH_LIFETIME of 13581s, scheduling reauthentication in 12141s
    initiate completed successfully
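The output above carries more evidence than the closing "initiate completed successfully" line: it records which IKE and ESP suites were agreed, that the peer authenticated with a certificate, and that the peer certificate's revocation status was fetched and found good. The script below is an added example, not part of the Vyatta documentation or of strongSwan; it audits a captured `swanctl --initiate` log for those properties so an operator or a monitoring job can distinguish a fully validated tunnel from one that merely came up. The two sample logs are constructed to follow the output shape shown above; the hostnames, addresses, SPIs and the degraded-case lines (CRL fetch failure, non-AEAD ESP suite) are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Vyatta docs or strongSwan): audit the charon log that
# "swanctl --initiate" prints and confirm the tunnel came up with the properties a
# site-to-site deployment should have, rather than trusting the final
# "initiate completed successfully" line alone. Sample logs are constructed.

# Print the IKE / ESP proposal the peers agreed on (first match only), e.g.
#   esp_proposal "$log"  ->  AES_GCM_16_128/NO_EXT_SEQ
ike_proposal() { printf '%s\n' "$1" | sed -n 's/.*selected proposal: IKE:\([^ ]*\).*/\1/p' | head -n 1; }
esp_proposal() { printf '%s\n' "$1" | sed -n 's/.*selected proposal: ESP:\([^ ]*\).*/\1/p' | head -n 1; }

# Succeed only if the peer (not "(myself)") authenticated with a signature method
# and its certificate status was actually checked and reported good.
peer_cert_validated() {
  printf '%s\n' "$1" | grep -q 'checking certificate status of ' &&
  printf '%s\n' "$1" | grep -q 'certificate status is good' &&
  printf '%s\n' "$1" | grep -Eq "authentication of '[^']+' with (RSA|ECDSA)_[A-Z0-9_]+ successful"
}

# Succeed only if AEAD (AES-GCM) suites were negotiated for both IKE and ESP.
aead_only() {
  case "$(ike_proposal "$1")" in *AES_GCM*) ;; *) return 1 ;; esac
  case "$(esp_proposal "$1")" in *AES_GCM*) ;; *) return 1 ;; esac
}

# Succeed only if a CHILD_SA was installed and swanctl reported completion.
child_sa_established() {
  printf '%s\n' "$1" | grep -Eq 'CHILD_SA [^ ]+ established with SPIs' &&
  printf '%s\n' "$1" | grep -q 'initiate completed successfully'
}

# Run every check, print PASS/FAIL per check, return 0 only if all passed.
audit_tunnel_log() {
  rc=0
  for check in peer_cert_validated aead_only child_sa_established; do
    if "$check" "$1"; then echo "PASS $check"; else echo "FAIL $check"; rc=1; fi
  done
  return $rc
}

# Constructed log: certificate auth, CRL checked, AEAD suites, CHILD_SA installed.
SAMPLE_OK="[IKE] initiating IKE_SA site-a[1] to 198.51.100.10
[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
[IKE] authentication of 'spoke.example.net' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] received end entity cert \"C=UK, O=Example, CN=hub.example.net\"
[CFG] checking certificate status of \"C=UK, O=Example, CN=hub.example.net\"
[CFG] fetching crl from 'http://crl.example.net/root-ca.crl' ...
[CFG] crl correctly signed by \"C=UK, O=Example, CN=Example Root CA\"
[CFG] certificate status is good
[IKE] authentication of 'hub.example.net' with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] IKE_SA site-a[1] established between 172.16.0.4[spoke.example.net]...198.51.100.10[hub.example.net]
[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
[IKE] CHILD_SA site-a-vti{1} established with SPIs c0000001_i c0000002_o and TS 10.200.0.0/24 === 0.0.0.0/0
initiate completed successfully"

# Constructed degraded log: the tunnel still comes up, but the CRL could not be
# fetched (status unknown) and a non-AEAD ESP suite was accepted.
SAMPLE_BAD="[IKE] initiating IKE_SA site-a[1] to 198.51.100.10
[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
[IKE] authentication of 'spoke.example.net' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
[CFG] checking certificate status of \"C=UK, O=Example, CN=hub.example.net\"
[CFG] fetching crl from 'http://crl.example.net/root-ca.crl' ...
[CFG] crl fetching failed
[CFG] certificate status is not available
[IKE] authentication of 'hub.example.net' with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] IKE_SA site-a[1] established between 172.16.0.4[spoke.example.net]...198.51.100.10[hub.example.net]
[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
[IKE] CHILD_SA site-a-vti{1} established with SPIs c0000003_i c0000004_o and TS 10.200.0.0/24 === 0.0.0.0/0
initiate completed successfully"

# Usage: run both samples; the second is expected to fail two of the three checks.
echo "--- fully validated tunnel"; audit_tunnel_log "$SAMPLE_OK"
echo "--- degraded tunnel"; audit_tunnel_log "$SAMPLE_BAD" || echo "audit flagged the degraded tunnel"
```

In production the log argument would come from `swanctl --initiate ... 2>&1` captured into a variable, and a non-zero exit from `audit_tunnel_log` is the signal to alert on: a CHILD_SA that was installed while revocation checking was skipped looks identical to a healthy one in `swanctl --list-sas`.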