
IPsec site-to-site corporate VPN router network example

An example IPsec site-to-site VPN topology that we use as the basis for all examples in this section.

Figure 1. IPsec site-to-site corporate VPN network topology example diagram

IPsec site-to-site corporate VPN router example configuration

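# Interfaces. dp0bond1 (10.10.2.3/29) is the IKE-facing/upstream interface: the default
# route next-hop and the per-peer local-address below are both in its subnet.
# dp0bond0 leads toward the 10.90.9.0/24 workstation network (static route below);
# dp0bond2 hosts the corporate application (DNS) server 172.16.1.1 used in tunnel 3.
set interfaces bonding dp0bond0 address 10.100.1.1/24
set interfaces bonding dp0bond1 address 10.10.2.3/29
set interfaces bonding dp0bond2 address 172.16.1.10/24
# We add VFP interfaces and firewalling in this scenario
# Each peer (former openvpn client) is using dedicated vfp interface, so decrypted
# traffic from each peer can be policed independently by the firewall bound to its VFP.
set interfaces loopback lo1 address 169.255.1.1/32
set interfaces virtual-feature-point vfp1 firewall in outof_vfp1
set interfaces virtual-feature-point vfp1 firewall out into_vfp1
set interfaces virtual-feature-point vfp1 ip unnumbered donor-interface lo1
set interfaces virtual-feature-point vfp4 firewall in outof_vfp4
set interfaces virtual-feature-point vfp4 firewall out into_vfp4
set interfaces virtual-feature-point vfp4 ip unnumbered donor-interface lo1
# routing
set protocols static route 0.0.0.0/0 next-hop 10.10.2.1
# next-hop takes a host address, not a prefix (the original "/24" suffix is rejected at commit).
set protocols static route 10.90.9.0/24 next-hop 10.100.1.2
# A generic accept rule to demonstrate usage of firewall.
# WARNING: these rule sets permit all traffic in both directions on the VFPs. Unmatched
# traffic is dropped by the firewall, so in production replace rule 10 with an explicit
# allow-list of the flows each peer is entitled to (e.g. only DNS to 172.16.1.1).
set security firewall name into_vfp1 rule 10 action accept
set security firewall name into_vfp4 rule 10 action accept
set security firewall name outof_vfp1 rule 10 action accept
set security firewall name outof_vfp4 rule 10 action accept
# IKE and ESP settings
set security vpn ike make-before-break
# ESP: AES-128-GCM is an AEAD cipher and provides integrity itself, which is why
# "hash null" is correct here. Do NOT combine "hash null" with a non-AEAD cipher
# (e.g. plain aes128) - that would yield unauthenticated ESP.
# Lifetimes are in seconds (ESP 1h, IKE 4h).
set security vpn ipsec esp-group ESP1 lifetime 3600
set security vpn ipsec esp-group ESP1 proposal 1 encryption aes128gcm128
set security vpn ipsec esp-group ESP1 proposal 1 hash null
# DPD "clear" tears the SA down when the peer stops answering and does not re-initiate;
# that matches connection-type "respond" below - the (former openvpn client) peers
# are expected to re-establish the tunnel themselves.
set security vpn ipsec ike-group IKE1 dead-peer-detection action clear
set security vpn ipsec ike-group IKE1 dead-peer-detection interval 60
set security vpn ipsec ike-group IKE1 ike-version 2
set security vpn ipsec ike-group IKE1 lifetime 14400
# IKEv2 with AES-128-GCM and ECP-256 (dh-group 19); "hash sha2_256" selects the IKE PRF
# since the AEAD cipher needs no separate integrity algorithm.
set security vpn ipsec ike-group IKE1 proposal 1 dh-group 19
set security vpn ipsec ike-group IKE1 proposal 1 encryption aes128gcm128
set security vpn ipsec ike-group IKE1 proposal 1 hash sha2_256
# Developer Cloud 1
# Identity match is based on FQDN identities carried in the certificates; the peer
# certificate must chain to root-ca.crt (per-peer ca-cert-file and the global
# "security vpn x509 ca-certs" list below). Keep the private key file readable
# only by the system - it authenticates this router to every peer.
set security vpn ipsec site-to-site peer devcloud1.vpn.am authentication id corporate.vpn.am
set security vpn ipsec site-to-site peer devcloud1.vpn.am authentication mode x509
set security vpn ipsec site-to-site peer devcloud1.vpn.am authentication remote-id devcloud1.vpn.am
set security vpn ipsec site-to-site peer devcloud1.vpn.am authentication x509 ca-cert-file /config/auth/root-ca.crt
set security vpn ipsec site-to-site peer devcloud1.vpn.am authentication x509 cert-file /config/auth/server.vpn.am.crt
set security vpn ipsec site-to-site peer devcloud1.vpn.am authentication x509 key file /config/auth/server.vpn.am.key
# "respond": this router never initiates; only the authenticated peer can bring the tunnel up.
set security vpn ipsec site-to-site peer devcloud1.vpn.am connection-type respond
set security vpn ipsec site-to-site peer devcloud1.vpn.am default-esp-group ESP1
set security vpn ipsec site-to-site peer devcloud1.vpn.am ike-group IKE1
set security vpn ipsec site-to-site peer devcloud1.vpn.am local-address 10.10.2.3

# Traffic selectors deliberately are selected to be different for clients to demonstrate various options
# client 1 traffic selector allows everything from remote client (local 0.0.0.0/0),
# so the only thing restricting what 10.200.0.0/24 can reach is the firewall on vfp1.

set security vpn ipsec site-to-site peer devcloud1.vpn.am tunnel 1 local prefix 0.0.0.0/0
set security vpn ipsec site-to-site peer devcloud1.vpn.am tunnel 1 remote prefix 10.200.0.0/24
set security vpn ipsec site-to-site peer devcloud1.vpn.am tunnel 1 uses vfp1
# Developer Cloud 2
# Identity match is based on certificate subject DNs (C=UK,CN=...) rather than FQDNs
set security vpn ipsec site-to-site peer devcloud2.vpn.am authentication id C=UK,CN=server.vpn.am
set security vpn ipsec site-to-site peer devcloud2.vpn.am authentication mode x509
set security vpn ipsec site-to-site peer devcloud2.vpn.am authentication remote-id C=UK,CN=devcloud2.vpn.am
set security vpn ipsec site-to-site peer devcloud2.vpn.am authentication x509 ca-cert-file /config/auth/root-ca.crt
set security vpn ipsec site-to-site peer devcloud2.vpn.am authentication x509 cert-file /config/auth/server.vpn.am.crt
set security vpn ipsec site-to-site peer devcloud2.vpn.am authentication x509 key file /config/auth/server.vpn.am.key
set security vpn ipsec site-to-site peer devcloud2.vpn.am connection-type respond
set security vpn ipsec site-to-site peer devcloud2.vpn.am default-esp-group ESP1
set security vpn ipsec site-to-site peer devcloud2.vpn.am ike-group IKE1
set security vpn ipsec site-to-site peer devcloud2.vpn.am local-address 10.10.2.3

# client2 - traffic selectors allow everything and pushes more specific route for workstations
# and a route to a single corporate application (DNS) server.
# NOTE: tunnels 2 and 3 are strict subsets of tunnel 1 (0.0.0.0/0 already covers
# 10.90.9.0/24 and 172.16.1.1/32); they are kept only to demonstrate narrower selectors.
# In a least-privilege deployment drop tunnel 1 and keep just the specific ones.
set security vpn ipsec site-to-site peer devcloud2.vpn.am tunnel 1 local prefix 0.0.0.0/0
set security vpn ipsec site-to-site peer devcloud2.vpn.am tunnel 1 remote prefix 10.210.0.0/24
set security vpn ipsec site-to-site peer devcloud2.vpn.am tunnel 1 uses vfp4
set security vpn ipsec site-to-site peer devcloud2.vpn.am tunnel 2 local prefix 10.90.9.0/24
set security vpn ipsec site-to-site peer devcloud2.vpn.am tunnel 2 remote prefix 10.210.0.0/24
set security vpn ipsec site-to-site peer devcloud2.vpn.am tunnel 2 uses vfp4
set security vpn ipsec site-to-site peer devcloud2.vpn.am tunnel 3 local prefix 172.16.1.1/32
set security vpn ipsec site-to-site peer devcloud2.vpn.am tunnel 3 remote prefix 10.210.0.0/24
set security vpn ipsec site-to-site peer devcloud2.vpn.am tunnel 3 uses vfp4
# Trust anchor for all x509 peers. No CRL is configured in this example, so a revoked
# peer certificate is still accepted until it expires - add CRL checking in production.
set security vpn x509 ca-certs /config/auth/root-ca.crt
# static mapping
# NOTE: both peer names resolve to the same address (10.20.2.2). Since both peer
# entries are responders with the same IKE group, selecting the right peer entry
# for an incoming IKE_SA relies on the distinct remote-id values above - keep them unique.
set system static-host-mapping host-name devcloud1.vpn.am inet 10.20.2.2
set system static-host-mapping host-name devcloud2.vpn.am inet 10.20.2.2
set system static-host-mapping host-name crl.vpn.am inet 10.20.2.6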