Vyatta documentation

Learn how to install, configure, and operate the Vyatta Network Operating System (Vyatta NOS) and Orchestrator, which help drive our virtual networking and physical platforms portfolio.

IPsec RA VPN client (Vyatta NOS)

An example configuration for the Vyatta NOS IPsec RA VPN client.

Example configuration with IKEv2

set interfaces dataplane dp0s0 address 172.16.0.8/24
set security vpn ike make-before-break
set security vpn ipsec esp-group ESP1 proposal 1 encryption aes128gcm128
set security vpn ipsec esp-group ESP1 proposal 1 hash null
set security vpn ipsec ike-group IKE1 dead-peer-detection action clear
set security vpn ipsec ike-group IKE1 dead-peer-detection interval 60
set security vpn ipsec ike-group IKE1 ike-version 2
set security vpn ipsec ike-group IKE1 proposal 1 dh-group 19
set security vpn ipsec ike-group IKE1 proposal 1 encryption aes128gcm128
set security vpn ipsec ike-group IKE1 proposal 1 hash sha2_512
set security vpn ipsec remote-access-client profile CORPORATE authentication mode x509
set security vpn ipsec remote-access-client profile CORPORATE authentication x509 cert-file /config/auth/devcloud2.vpn.am.crt
set security vpn ipsec remote-access-client profile CORPORATE authentication x509 key file /config/auth/devcloud2.vpn.am.key
set security vpn ipsec remote-access-client profile CORPORATE backoff reconnect base 1
set security vpn ipsec remote-access-client profile CORPORATE backoff reconnect delay 20
set security vpn ipsec remote-access-client profile CORPORATE backoff servers base 1
set security vpn ipsec remote-access-client profile CORPORATE backoff servers delay 20
set security vpn ipsec remote-access-client profile CORPORATE esp-group ESP1
set security vpn ipsec remote-access-client profile CORPORATE ike-group IKE1
set security vpn ipsec remote-access-client profile CORPORATE server 10.10.2.3
set security vpn ipsec remote-access-client profile CORPORATE tunnel 1 local network 10.200.0.0/24
set security vpn ipsec remote-access-client profile CORPORATE tunnel 1 remote network 10.90.9.0/24
set security vpn x509 ca-certs /config/auth/root-ca.crt

With this example configuration, the IPsec SA is installed with the following traffic selector:

(local) 10.200.0.0/24 === (remote) 10.90.9.0/24
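
The following is an added example, not part of the Vyatta documentation or tooling: a pre-commit review script that derives the expected traffic selector from a profile's tunnel lines and reports references to an esp-group or ike-group that is not defined. The function names and the problem messages are this example's own, and it assumes a selector is only reported for a tunnel that has both a local and a remote network.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a subset of the 'set' lines from the configuration above.
CONFIG = """\
set security vpn ipsec esp-group ESP1 proposal 1 encryption aes128gcm128
set security vpn ipsec ike-group IKE1 ike-version 2
set security vpn ipsec remote-access-client profile CORPORATE esp-group ESP1
set security vpn ipsec remote-access-client profile CORPORATE ike-group IKE1
set security vpn ipsec remote-access-client profile CORPORATE tunnel 1 local network 10.200.0.0/24
set security vpn ipsec remote-access-client profile CORPORATE tunnel 1 remote network 10.90.9.0/24
"""
PREFIX = ["set", "security", "vpn", "ipsec"]


def parse(config):
    """Collect defined groups and per-profile settings from 'set' commands."""
    groups = {"esp-group": set(), "ike-group": set()}
    profiles = defaultdict(lambda: {"refs": {}, "tunnels": defaultdict(dict)})
    for line in config.splitlines():
        words = line.split()
        if words[:4] != PREFIX or len(words) < 6:
            continue
        rest = words[4:]
        if rest[0] in groups:
            groups[rest[0]].add(rest[1])  # group definition
        elif rest[:2] == ["remote-access-client", "profile"] and len(rest) >= 5:
            prof, node = profiles[rest[2]], rest[3:]
            if node[0] in groups:
                prof["refs"][node[0]] = node[1]  # group reference
            elif node[0] == "tunnel" and len(node) == 5 and node[3] == "network":
                # tunnel <id> local|remote network <cidr>; rejects host bits
                prof["tunnels"][node[1]][node[2]] = ipaddress.ip_network(node[4])
    return groups, profiles


def audit(config):
    """Return (traffic-selector lines, problems) for every profile."""
    groups, profiles = parse(config)
    selectors, problems = [], []
    for name, prof in profiles.items():
        for kind, ref in prof["refs"].items():
            if ref not in groups[kind]:
                problems.append(f"{name}: {kind} {ref!r} is not defined")
        for tid, ts in sorted(prof["tunnels"].items()):
            if set(ts) == {"local", "remote"}:
                selectors.append(f"(local) {ts['local']} === (remote) {ts['remote']}")
            else:
                problems.append(f"{name}: tunnel {tid} lacks a local or remote network")
    return selectors, problems
```

Comparing the derived selector with what the device reports after the tunnel comes up shows whether the negotiated SA covers exactly the networks that were intended.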