Vyatta documentation

Learn how to install, configure, and operate the Vyatta Network Operating System (Vyatta NOS) and Orchestrator, which help drive our virtual networking and physical platforms portfolio.

IPsec site-to-site VPN configuration example (Vyatta NOS)

Where Vyatta NOS is available on your cloud, a configuration like the following sets up an IPsec site-to-site VPN on your WAN router. It uses IKEv2 with X.509 certificate authentication and an AES-GCM AEAD cipher for both IKE and ESP, so the ESP proposal carries no separate integrity hash.

# interfaces
set interfaces bonding dp0bond1 address 172.16.0.7/24
set interfaces bonding dp0bond0 address 10.200.0.1/24
# routing
set protocols static route 0.0.0.0/0 next-hop 172.16.0.254
# IKE and ESP settings
set security vpn ike make-before-break
set security vpn ipsec esp-group ESP1 lifetime 3600
set security vpn ipsec esp-group ESP1 proposal 1 encryption aes128gcm128
set security vpn ipsec esp-group ESP1 proposal 1 hash null
set security vpn ipsec ike-group IKE1 dead-peer-detection action clear
set security vpn ipsec ike-group IKE1 dead-peer-detection interval 60
set security vpn ipsec ike-group IKE1 ike-version 2
set security vpn ipsec ike-group IKE1 lifetime 14400
set security vpn ipsec ike-group IKE1 proposal 1 dh-group 19
set security vpn ipsec ike-group IKE1 proposal 1 encryption aes128gcm128
set security vpn ipsec ike-group IKE1 proposal 1 hash sha2_256
# Corporate Network VPN
set security vpn ipsec site-to-site peer corporate.vpn.am authentication id devcloud.vpn.am
set security vpn ipsec site-to-site peer corporate.vpn.am authentication mode x509
set security vpn ipsec site-to-site peer corporate.vpn.am authentication remote-id corporate.vpn.am
set security vpn ipsec site-to-site peer corporate.vpn.am authentication x509 ca-cert-file /config/auth/root-ca.crt
set security vpn ipsec site-to-site peer corporate.vpn.am authentication x509 cert-file /config/auth/devcloud1.vpn.am.crt
set security vpn ipsec site-to-site peer corporate.vpn.am authentication x509 key file /config/auth/devcloud1.vpn.am.key
set security vpn ipsec site-to-site peer corporate.vpn.am connection-type initiate
set security vpn ipsec site-to-site peer corporate.vpn.am default-esp-group ESP1
set security vpn ipsec site-to-site peer corporate.vpn.am ike-group IKE1
set security vpn ipsec site-to-site peer corporate.vpn.am local-address 10.10.2.3
set security vpn ipsec site-to-site peer corporate.vpn.am tunnel 1 local prefix 10.200.0.0/24
set security vpn ipsec site-to-site peer corporate.vpn.am tunnel 1 remote prefix 0.0.0.0/0
set security vpn x509 ca-certs /config/auth/crltest/root-ca.crt
# static mapping
set system static-host-mapping host-name corporate.vpn.am inet 10.10.2.3
set system static-host-mapping host-name crl.vpn.am inet 10.20.2.6
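As an added example (not Vyatta's own tooling or part of this documentation), the following Python linter parses a listing of `set` commands like the one above into a path-to-value map and checks the properties this configuration depends on: X.509 peer authentication, IKEv2, a non-weak DH group, and an AEAD ESP cipher paired with `hash null`. SAMPLE is the security-relevant subset of the page's own lines.

```python
# Added example (not Vyatta's tooling): lint the page's IPsec settings from a "set" listing.
SAMPLE = """\
set security vpn ipsec esp-group ESP1 proposal 1 encryption aes128gcm128
set security vpn ipsec esp-group ESP1 proposal 1 hash null
set security vpn ipsec ike-group IKE1 ike-version 2
set security vpn ipsec ike-group IKE1 proposal 1 dh-group 19
set security vpn ipsec ike-group IKE1 proposal 1 encryption aes128gcm128
set security vpn ipsec ike-group IKE1 proposal 1 hash sha2_256
set security vpn ipsec site-to-site peer corporate.vpn.am authentication mode x509
set security vpn ipsec site-to-site peer corporate.vpn.am default-esp-group ESP1
set security vpn ipsec site-to-site peer corporate.vpn.am ike-group IKE1
"""
BASE = ("security", "vpn", "ipsec")

def parse(text):
    """Map each 'set a b ... leaf value' line to {(a, b, ..., leaf): value}; '#' lines are skipped."""
    rows = [line.split() for line in text.splitlines() if line.startswith("set ")]
    return {tuple(w[1:-1]): w[-1] for w in rows if len(w) > 2}

def proposals(tree, group):
    """Collect {number: {leaf: value}} for every 'proposal N leaf value' under a group path."""
    found = {}
    for path, value in tree.items():
        if len(path) == len(group) + 3 and path[:-3] == group and path[-3] == "proposal":
            found.setdefault(path[-2], {})[path[-1]] = value
    return found

def lint(text):
    """Return a list of findings; an empty list means every peer passed every check."""
    tree, findings = parse(text), []
    peers = {p[5] for p in tree if len(p) > 5 and p[:5] == BASE + ("site-to-site", "peer")}
    for peer in sorted(peers):
        pp = BASE + ("site-to-site", "peer", peer)
        if tree.get(pp + ("authentication", "mode")) != "x509":
            findings.append(f"{peer}: authentication mode is not x509")
        ike = BASE + ("ike-group", tree.get(pp + ("ike-group",), ""))
        if tree.get(ike + ("ike-version",)) != "2":
            findings.append(f"{peer}: ike-group does not pin ike-version 2")
        for n, prop in proposals(tree, ike).items():
            if prop.get("dh-group") in {"1", "2", "5"}:  # 768/1024/1536-bit MODP groups
                findings.append(f"{peer}: IKE proposal {n} uses weak dh-group {prop['dh-group']}")
        esp = BASE + ("esp-group", tree.get(pp + ("default-esp-group",), ""))
        for n, prop in proposals(tree, esp).items():
            aead = "gcm" in prop.get("encryption", "")
            if aead != (prop.get("hash") == "null"):  # AEAD needs 'hash null'; non-AEAD needs a real hash
                findings.append(f"{peer}: ESP proposal {n} pairs {prop.get('encryption')} with hash {prop.get('hash')}")
    return findings
```

Running `lint` over a full `show configuration commands` export works the same way, since lines that do not start with `set ` are ignored.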