Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

IPsec site-to-site VPN configuration example (Vyatta NOS)

Where Vyatta NOS is available on your cloud, you can use a configuration like this for IPsec site-to-site VPN on your WAN router.

set interfaces bonding dp0bond1 address 172.16.0.7/24
set interfaces bonding dp0bond0 address 10.200.0.1/24
# routing
set protocols static route 0.0.0.0/0 next-hop 172.16.0.254
# IKE and ESP settings
set security vpn ike make-before-break
set security vpn ipsec esp-group ESP1 lifetime 3600
set security vpn ipsec esp-group ESP1 proposal 1 encryption aes128gcm128
set security vpn ipsec esp-group ESP1 proposal 1 hash null
set security vpn ipsec ike-group IKE1 dead-peer-detection action clear
set security vpn ipsec ike-group IKE1 dead-peer-detection interval 60
set security vpn ipsec ike-group IKE1 ike-version 2
set security vpn ipsec ike-group IKE1 lifetime 14400
set security vpn ipsec ike-group IKE1 proposal 1 dh-group 19
set security vpn ipsec ike-group IKE1 proposal 1 encryption aes128gcm128
set security vpn ipsec ike-group IKE1 proposal 1 hash sha2_256
# Corporate Network VPN
set security vpn ipsec site-to-site peer corporate.vpn.am authentication id devcloud.vpn.am
set security vpn ipsec site-to-site peer corporate.vpn.am authentication mode x509
set security vpn ipsec site-to-site peer corporate.vpn.am authentication remote-id corporate.vpn.am
set security vpn ipsec site-to-site peer corporate.vpn.am authentication x509 ca-cert-file /config/auth/root-ca.crt
set security vpn ipsec site-to-site peer corporate.vpn.am authentication x509 cert-file /config/auth/devcloud1.vpn.am.crt
set security vpn ipsec site-to-site peer corporate.vpn.am authentication x509 key file /config/auth/devcloud1.vpn.am.key
set security vpn ipsec site-to-site peer corporate.vpn.am connection-type initiate
set security vpn ipsec site-to-site peer corporate.vpn.am default-esp-group ESP1
set security vpn ipsec site-to-site peer corporate.vpn.am ike-group IKE1
set security vpn ipsec site-to-site peer corporate.vpn.am local-address 10.10.2.3
set security vpn ipsec site-to-site peer corporate.vpn.am tunnel 1 local prefix 10.200.0.0/24
set security vpn ipsec site-to-site peer corporate.vpn.am tunnel 1 remote prefix 0.0.0.0/0
set security vpn x509 ca-certs /config/auth/crltest/root-ca.crt
# static mapping
set system static-host-mapping host-name corporate.vpn.am inet 10.10.2.3
set system static-host-mapping host-name crl.vpn.am inet 10.20.2.6