Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Initiate the IPsec site-to-site VPN tunnel (Fedora/RHEL/Centos)

An example of how to initiate a tunnel connection that you've already configured.

  1. Create the tunnel connection.
    $ swanctl -c
  2. Initiate the tunnel connection.
    $ swanctl -i -c tunnel-1 -i devcloud1
    [IKE] initiating IKE_SA devcloud1[1] to 169.61.111.164
    [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N
    (REDIR_SUP) ]
    [NET] sending packet: from 172.16.0.4[500] to 10.10.2.3[500] (264 bytes)
    [NET] received packet: from 10.10.2.3[500] to 172.16.0.4[500] (341 bytes)
    [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
    [CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
    [IKE] local host is behind NAT, sending keep alives
    [IKE] received cert request for "C=UK, O=RAVPNWhitePaper, OU=RAVPNWhitePaper Test CA, CN=RAVPNWhitePaper Test
    Root CA"
    [IKE] received cert request for "C=UK, O=RAVPNWhitePaper, OU=RAVPNWhitePaper Test CA, CN=RAVPNWhitePaper Test
    Root CA"
    [IKE] received 2 cert requests for an unknown ca
    [IKE] sending cert request for "C=UK, O=RAVPNWhitePaper, OU=RAVPNWhitePaper Test CA, CN=RAVPNWhitePaper Test
    Root CA"
    [IKE] authentication of 'devcloud1.vpn.am' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
    [IKE] sending end entity cert "C=UK, O=RAVPNWhitePaper, CN=devcloud1.vpn.am"
    [IKE] establishing CHILD_SA tunnel-1{1}
    [ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N
    (ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(M
    SG_ID_SYN_SUP) ]
    [NET] sending packet: from 172.16.0.4[4500] to 10.10.2.3[4500] (1607 bytes)
    [NET] received packet: from 10.10.2.3[4500] to 172.16.0.4[4500] (1500 bytes)
    [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
    [IKE] received end entity cert "C=UK, O=RAVPNWhitePaper, CN=server.vpn.am"
    [CFG] using certificate "C=UK, O=RAVPNWhitePaper, CN=server.vpn.am"
    [CFG] using trusted ca certificate "C=UK, O=RAVPNWhitePaper, OU=RAVPNWhitePaper Test CA, CN=RAVPNWhitePaper
    Test Root CA"
    [CFG] checking certificate status of "C=UK, O=RAVPNWhitePaper, CN=server.vpn.am"
    [CFG] fetching crl from 'http://crl.vpn.am/ca/root-ca.crl' ...
    [CFG] using trusted certificate "C=UK, O=RAVPNWhitePaper, OU=RAVPNWhitePaper Test CA, CN=RAVPNWhitePaper Test
    Root CA"
    [CFG] crl correctly signed by "C=UK, O=RAVPNWhitePaper, OU=RAVPNWhitePaper Test CA, CN=RAVPNWhitePaper Test
    Root CA"
    [CFG] crl is valid: until Jan 28 03:04:53 2020
    [CFG] certificate status is good
    [CFG] reached self-signed root ca with a path length of 0
    [IKE] authentication of 'hub.vpn.am' with RSA_EMSA_PKCS1_SHA2_256 successful
    [IKE] IKE_SA spoke3[1] established between 172.16.0.4[devcloud1.vpn.am]...10.10.2.3[server.vpn.am]
    [IKE] scheduling rekeying in 13313s
    [IKE] maximum IKE_SA lifetime 14753s
    [CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
    [IKE] CHILD_SA spoke3-vti{1} established with SPIs c75e729c_i c2f7bd8a_o and TS 10.200.0.0/24 === 0.0.0.0/0
    [IKE] received AUTH_LIFETIME of 13581s, scheduling reauthentication in 12141s
    initiate completed successfully