Step by Step Configure Router Vyatta 6.5.33

This document discusses configuring IPsec site-to-site VPN connections between devices called WEST and EAST. It covers using certificates for authentication instead of preshared keys. It also covers a configuration where EAST has a dynamic IP address.


Chapter 2: IPsec Site‐to‐Site VPN IPsec Site‐to‐Site VPN Configuration 41

Example 2‐15 Configure WEST for X.509 certificate authentication


Specify the location of the CA certificate.
  vyatta@WEST# set vpn ipsec site-to-site peer 192.0.2.33 authentication x509 ca-cert-file /config/auth/ca.crt

Specify the location of the server certificate.
  vyatta@WEST# set vpn ipsec site-to-site peer 192.0.2.33 authentication x509 cert-file /config/auth/west.crt

Specify the location of the server key file.
  vyatta@WEST# set vpn ipsec site-to-site peer 192.0.2.33 authentication x509 key file /config/auth/west.key

Specify the password for the server key file.
  vyatta@WEST# set vpn ipsec site-to-site peer 192.0.2.33 authentication x509 key password testpwd-west

Commit the configuration.
  vyatta@WEST# commit

View the modified configuration for the site-to-site connection.
  vyatta@WEST# show vpn ipsec site-to-site peer 192.0.2.33
  authentication {
      mode x509
      remote-id "C=US, ST=CA, O=ABC Company, CN=east, [email protected]"
      x509 {
          ca-cert-file /config/auth/ca.crt
          cert-file /config/auth/west.crt
          key {
              file /config/auth/west.key
              password testpwd-west
          }
      }
  }
  default-esp-group ESP-1W
  ike-group IKE-1W
  local-address 192.0.2.1
  tunnel 1 {
      local {
          prefix 192.168.40.0/24
      }
      remote {
          prefix 192.168.60.0/24
      }
  }

View IPsec interface configuration.
  vyatta@WEST# show vpn ipsec ipsec-interfaces
  interface eth1

View Ethernet interface eth1 address configuration. local-address is set to this address.
  vyatta@WEST# show interfaces ethernet eth1 address
  address 192.0.2.1/27

VPN 6.5R1 v01 Vyatta



Modify EAST’s Connection to WEST


Example 2-16 modifies the connection from EAST to WEST to use X.509 certificates
for authentication.
In this example:
• The authentication mode is changed from pre-shared secret to X.509 certificates.
• The certificate for the peer is identified using its 'distinguished name' (DN). This is the information prompted for when creating the certificate signing request (CSR) file; the remote-id configured here must match the subject DN of the peer's certificate, and that certificate must chain to the CA given in ca-cert-file.
• The locations of the CA certificate, the server certificate, and the private key file for the server are specified. The key password is stored in the configuration in clear text (it is visible in the show output below), so protect the configuration as you would the key itself.
To modify the site-to-site connection to use X.509 certificate authentication, perform the
following steps:
Example 2‐16 Configure EAST for X.509 certificate authentication

Remove the pre-shared key.
  vyatta@EAST# delete vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret

Change the authentication mode.
  vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 authentication mode x509

Specify the 'distinguished name' of the certificate for the peer.
  vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 authentication remote-id "C=US, ST=CA, O=ABC Company, CN=west, [email protected]"

Specify the location of the CA certificate.
  vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 authentication x509 ca-cert-file /config/auth/ca.crt

Specify the location of the server certificate.
  vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 authentication x509 cert-file /config/auth/east.crt

Specify the location of the server key file.
  vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 authentication x509 key file /config/auth/east.key

Specify the password for the server key file.
  vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 authentication x509 key password testpwd-east

Commit the configuration.
  vyatta@EAST# commit

View the modified configuration for the site-to-site connection.
  vyatta@EAST# show vpn ipsec site-to-site peer 192.0.2.1
  authentication {
      mode x509
      remote-id "C=US, ST=CA, O=ABC Company, CN=west, [email protected]"
      x509 {
          ca-cert-file /config/auth/ca.crt
          cert-file /config/auth/east.crt
          key {
              file /config/auth/east.key
              password testpwd-east
          }
      }
  }
  default-esp-group ESP-1E
  ike-group IKE-1E
  local-address 192.0.2.33
  tunnel 1 {
      local {
          prefix 192.168.60.0/24
      }
      remote {
          prefix 192.168.40.0/24
      }
  }

View IPsec interface configuration.
  vyatta@EAST# show vpn ipsec ipsec-interfaces
  interface eth0

View Ethernet interface eth0 address configuration. local-address is set to this address.
  vyatta@EAST# show interfaces ethernet eth0 address
  address 192.0.2.33/27

Defining a VPN Connection to a Peer with a Dynamic IP Address
This section presents the following topics:
• Configure WEST
• Configure EAST
This section presents a sample configuration for a connection between WEST and
EAST, where EAST has a dynamic IP address (it is configured as a DHCP client). In this
example:

• EAST has a dynamic IP address from WEST's point of view.
• WEST retains its fixed IP address.
When you have finished, these systems will be configured as shown in Figure 2-2.

Figure 2-2 IPsec VPN connection with dynamic IP address

[Figure: WEST and EAST joined by a VPN tunnel. WEST: eth0 .5 on 192.168.40.0/24, eth1 .1 on 192.0.2.0/27 (far end labelled .30). EAST: eth0 with a dynamic address on 192.0.2.32/27 (far end labelled .62), eth1 .8 on 192.168.60.0/24.]

Before you begin:
• This example assumes that you have already configured a basic site-to-site connection using a preshared key between WEST and EAST, as explained in the section "Configuring a Basic Site-to-Site Connection" on page 20. Only the relevant changes to that configuration are presented here.

Configure WEST
Example 2-17 defines configuration changes for a new site-to-site connection to
EAST.
• The main change is the IP address specification of the peer. This is set to 0.0.0.0 to represent "any" IP address. Because the IP address of the peer is unknown, WEST will not initiate connections to the peer. It will only receive connections from the peer.
• With a wildcard peer, the pre-shared secret is the only thing that authenticates the remote side: any host, at any address, that knows it can bring up this tunnel. The value test_key_1 used below is a placeholder; use a long, random secret that is unique to this peer.
To configure this connection, perform the following steps on WEST in configuration
mode.
Example 2‐17 Creating a site‐to‐site connection to a peer with a dynamic IP address

Delete the previous configuration.
  vyatta@WEST# delete vpn ipsec site-to-site peer 192.0.2.33

Create the node for EAST and set the authentication mode.
  vyatta@WEST# set vpn ipsec site-to-site peer 0.0.0.0 authentication mode pre-shared-secret

Navigate to the node for the peer for easier editing.
  vyatta@WEST# edit vpn ipsec site-to-site peer 0.0.0.0
  [edit vpn ipsec site-to-site peer 0.0.0.0]

Provide the pre-shared secret that authenticates the peer and seeds IKE key derivation.
  vyatta@WEST# set authentication pre-shared-secret test_key_1
  [edit vpn ipsec site-to-site peer 0.0.0.0]

Specify the default ESP group for all tunnels.
  vyatta@WEST# set default-esp-group ESP-1W
  [edit vpn ipsec site-to-site peer 0.0.0.0]

Specify the IKE group.
  vyatta@WEST# set ike-group IKE-1W
  [edit vpn ipsec site-to-site peer 0.0.0.0]

Identify the IP address on this Vyatta system to be used for this connection.
  vyatta@WEST# set local-address 192.0.2.1
  [edit vpn ipsec site-to-site peer 0.0.0.0]

Create a tunnel configuration, and provide the local subnet for this tunnel.
  vyatta@WEST# set tunnel 1 local prefix 192.168.40.0/24
  [edit vpn ipsec site-to-site peer 0.0.0.0]

Provide the remote subnet for the tunnel.
  vyatta@WEST# set tunnel 1 remote prefix 192.168.60.0/24
  [edit vpn ipsec site-to-site peer 0.0.0.0]

Return to the top of the configuration tree.
  vyatta@WEST# top

Commit the configuration.
  vyatta@WEST# commit

View the configuration for the site-to-site connection.
  vyatta@WEST# show vpn ipsec site-to-site peer 0.0.0.0
  authentication {
      mode pre-shared-secret
      pre-shared-secret test_key_1
  }
  default-esp-group ESP-1W
  ike-group IKE-1W
  local-address 192.0.2.1
  tunnel 1 {
      local {
          prefix 192.168.40.0/24
      }
      remote {
          prefix 192.168.60.0/24
      }
  }

View IPsec interface configuration.
  vyatta@WEST# show vpn ipsec ipsec-interfaces
  interface eth1

View Ethernet interface eth1 address configuration. local-address is set to this address.
  vyatta@WEST# show interfaces ethernet eth1 address
  address 192.0.2.1/27
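The peer configurations shown in Examples 2-15 through 2-17 are small enough to review by eye, but the same review is worth automating when there are many peers. The following Python script is an added example and is not code from the Vyatta guide: it parses the brace-structured output of show vpn ipsec site-to-site peer into nested dicts and flags a wildcard 0.0.0.0 peer authenticated only by a pre-shared secret, a short or placeholder-looking secret, an X.509 peer with no remote-id, and a private-key password kept in the configuration. The sample configuration texts are constructed from the guide's examples (the obfuscated e-mail attribute of the remote-id is left out); the hardened east.company.com variant, its random secret and the 20-character minimum are assumptions standing in for local policy.

```python
"""Audit Vyatta 'show vpn ipsec site-to-site peer <peer>' output.

Added example (not from the Vyatta guide). Parses the indented brace
format into nested dicts and reports the settings a reviewer would
question. Sample texts below are constructed from Examples 2-15 to 2-17.
"""
import re

MIN_PSK_LEN = 20  # assumption: local policy minimum for a pre-shared secret
PLACEHOLDER_RE = re.compile(r"test|pass|secret|changeme|example", re.I)


def parse_config(text):
    """Turn 'key value' and 'key {' ... '}' lines into nested dicts."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            node = stack.pop()
        elif line.endswith("{"):
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child
        else:
            key, _, value = line.partition(" ")
            node[key] = value.strip().strip('"')
    if stack:
        raise ValueError("unbalanced braces in configuration")
    return root


def audit_peer(peer, config):
    """Return the list of findings for one peer; an empty list means clean."""
    findings = []
    auth = config.get("authentication", {})
    mode = auth.get("mode")
    if mode == "pre-shared-secret":
        psk = auth.get("pre-shared-secret", "")
        if peer == "0.0.0.0":
            findings.append("wildcard peer: the pre-shared secret alone "
                            "authenticates whoever connects, from any address")
        if len(psk) < MIN_PSK_LEN or PLACEHOLDER_RE.search(psk):
            findings.append("pre-shared secret is short or placeholder-like")
    elif mode == "x509":
        if "remote-id" not in auth:
            findings.append("x509 without remote-id: peer identity not pinned")
        x509 = auth.get("x509", {})
        for name in ("ca-cert-file", "cert-file"):
            if name not in x509:
                findings.append(f"x509 missing {name}")
        if "password" in x509.get("key", {}):
            findings.append("private-key password stored in clear text; "
                            "protect the configuration like the key")
    else:
        findings.append(f"unknown authentication mode {mode!r}")
    if "local-address" not in config and "dhcp-interface" not in config:
        findings.append("neither local-address nor dhcp-interface is set")
    return findings


# Constructed from Example 2-15 (WEST, X.509); e-mail attribute omitted.
WEST_X509 = """
authentication {
    mode x509
    remote-id "C=US, ST=CA, O=ABC Company, CN=east"
    x509 {
        ca-cert-file /config/auth/ca.crt
        cert-file /config/auth/west.crt
        key {
            file /config/auth/west.key
            password testpwd-west
        }
    }
}
local-address 192.0.2.1
"""

# Constructed from Example 2-17 (WEST, wildcard peer, placeholder secret).
WEST_WILDCARD = """
authentication {
    mode pre-shared-secret
    pre-shared-secret test_key_1
}
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.0.2.1
"""

# Assumed hardened variant: hostname peer (Example 2-19) with a random secret.
WEST_HARDENED = WEST_WILDCARD.replace("test_key_1", "7Qm2vXz9LpR4sNw8KfTbY3HdJc6GuE1a")


def run_examples():
    """Audit the three samples; returns {peer: findings}."""
    return {
        "192.0.2.33": audit_peer("192.0.2.33", parse_config(WEST_X509)),
        "0.0.0.0": audit_peer("0.0.0.0", parse_config(WEST_WILDCARD)),
        "east.company.com": audit_peer("east.company.com", parse_config(WEST_HARDENED)),
    }


if __name__ == "__main__":
    for peer, findings in run_examples().items():
        print(peer, "->", findings or "clean")
```

Running the script reports one finding for the X.509 peer (the clear-text key password), two for the wildcard peer (wildcard plus placeholder secret) and none for the hardened hostname peer; the wildcard finding is inherent to peer 0.0.0.0 and is meant to be read as "make sure the secret carries the whole burden".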

Configure EAST
The connection from EAST to WEST only requires a minor change from that configured
in the section “Configuring a Basic Site-to-Site Connection” on page 20.
• WEST retains its fixed IP, so no modification is required to the remote peer IP
address.
• EAST has a dynamic local IP, so that must change. The dhcp-interface option
specifies the DHCP client interface.
To configure this connection, perform the following steps on EAST in configuration
mode.
Example 2‐18 Specify that the local IP is dynamic.

Remove the existing local-address configuration so that it doesn't conflict with the dhcp-interface configuration that will be set.
  vyatta@EAST# delete vpn ipsec site-to-site peer 192.0.2.1 local-address
  [edit]

Specify the DHCP client interface to use for the connection.
  vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 dhcp-interface eth0
  [edit]

Commit the configuration.
  vyatta@EAST# commit

View the configuration for the site-to-site connection.
  vyatta@EAST# show vpn ipsec site-to-site peer 192.0.2.1
  authentication {
      mode pre-shared-secret
      pre-shared-secret test_key_1
  }
  default-esp-group ESP-1E
  dhcp-interface eth0
  ike-group IKE-1E
  tunnel 1 {
      local {
          prefix 192.168.60.0/24
      }
      remote {
          prefix 192.168.40.0/24
      }
  }

View IPsec interface configuration.
  vyatta@EAST# show vpn ipsec ipsec-interfaces
  interface eth0

View Ethernet interface eth0 address configuration. It is set to dhcp, which configures it as a DHCP client. This is the setting required by dhcp-interface.
  vyatta@EAST# show interfaces ethernet eth0 address
  address dhcp

Defining a VPN Connection to a Peer Using Dynamic DNS


This section presents the following topics:
• Configure WEST
• Configure EAST
This section presents a sample configuration for a connection between WEST and
EAST, where EAST has a dynamic IP address (it is configured as a DHCP client) and is
configured for dynamic DNS. In this example:
• EAST has a dynamic IP address from WEST’s point of view but WEST can initiate
connections to EAST because EAST’s hostname remains constant even though its
IP address may change.
• WEST retains its fixed IP address.
When you have finished, these systems will be configured as shown in Figure 2-3.

Figure 2-3 IPsec VPN connection with dynamic IP address and dynamic DNS

[Figure: WEST and EAST joined by a VPN tunnel; EAST has hostname east.company.com. WEST: eth0 .5 on 192.168.40.0/24, eth1 .1 on 192.0.2.0/27 (far end labelled .30). EAST: eth0 with a dynamic address on 192.0.2.32/27 (far end labelled .62), eth1 .8 on 192.168.60.0/24.]

Before you begin:
• This example assumes that you have already configured a basic site-to-site connection using a preshared key between WEST and EAST, as explained in the section "Configuring a Basic Site-to-Site Connection" on page 20. Only the relevant changes to that configuration are presented here.

Configure WEST
Example 2-19 defines configuration changes for a new site-to-site connection to
EAST.
• The main change is the IP address specification of the peer. This is set to the hostname for EAST: "east.company.com". This is the hostname that is configured on EAST with the dynamic DNS provider. Because the IP address for EAST can be resolved, WEST can either initiate IPsec connections to, or receive IPsec connections from, EAST.
• The other important change is to configure auto-update so that if EAST's IP address changes, the IPsec connection to EAST will be restarted automatically.
• DNS only tells WEST where to send IKE traffic; the peer is still authenticated by the pre-shared secret. A wrong or spoofed DNS answer can therefore keep the tunnel from coming up, but it cannot let an unauthenticated host impersonate EAST.
To configure this connection, perform the following steps on WEST in configuration
mode.
Example 2‐19 Creating a site‐to‐site connection to a peer with a dynamic IP address and using dynamic
DNS

Delete the previous configuration.
  vyatta@WEST# delete vpn ipsec site-to-site peer 192.0.2.33

Create the node for EAST and set the authentication mode.
  vyatta@WEST# set vpn ipsec site-to-site peer east.company.com authentication mode pre-shared-secret

Navigate to the node for the peer for easier editing.
  vyatta@WEST# edit vpn ipsec site-to-site peer east.company.com
  [edit vpn ipsec site-to-site peer east.company.com]

Provide the pre-shared secret that authenticates the peer and seeds IKE key derivation.
  vyatta@WEST# set authentication pre-shared-secret test_key_1
  [edit vpn ipsec site-to-site peer east.company.com]

Specify the default ESP group for all tunnels.
  vyatta@WEST# set default-esp-group ESP-1W
  [edit vpn ipsec site-to-site peer east.company.com]

Specify the IKE group.
  vyatta@WEST# set ike-group IKE-1W
  [edit vpn ipsec site-to-site peer east.company.com]

Identify the IP address on this Vyatta system to be used for this connection.
  vyatta@WEST# set local-address 192.0.2.1
  [edit vpn ipsec site-to-site peer east.company.com]

Create a tunnel configuration, and provide the local subnet for this tunnel.
  vyatta@WEST# set tunnel 1 local prefix 192.168.40.0/24
  [edit vpn ipsec site-to-site peer east.company.com]

Provide the remote subnet for the tunnel.
  vyatta@WEST# set tunnel 1 remote prefix 192.168.60.0/24
  [edit vpn ipsec site-to-site peer east.company.com]

Return to the top of the configuration tree.
  vyatta@WEST# top

Commit the configuration.
  vyatta@WEST# commit

View the configuration for the site-to-site connection.
  vyatta@WEST# show vpn ipsec site-to-site peer east.company.com
  authentication {
      mode pre-shared-secret
      pre-shared-secret test_key_1
  }
  default-esp-group ESP-1W
  ike-group IKE-1W
  local-address 192.0.2.1
  tunnel 1 {
      local {
          prefix 192.168.40.0/24
      }
      remote {
          prefix 192.168.60.0/24
      }
  }

View IPsec interface configuration.
  vyatta@WEST# show vpn ipsec ipsec-interfaces
  interface eth1

View Ethernet interface eth1 address configuration. local-address is set to this address.
  vyatta@WEST# show interfaces ethernet eth1 address
  address 192.0.2.1/27

Specify that the IPsec connection should be refreshed every 60 seconds, in case the peer's IP address changes. If this happens the new IP address will be resolved via the dynamic DNS service provider.
  vyatta@WEST# set vpn ipsec auto-update 60
  [edit]

Commit the configuration.
  vyatta@WEST# commit

View the configuration.
  vyatta@WEST# show vpn ipsec auto-update
  auto-update 60
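The auto-update setting above amounts to a periodic "re-resolve the peer's hostname and restart the connection if the address moved" loop. The following Python module is an added example, not Vyatta code, that models that loop for a hostname-keyed peer so the behaviour can be reasoned about offline: it re-resolves each peer on every pass, restarts only the tunnels whose address actually changed, picks one address deterministically when the name has several A records, and treats a failed lookup as a reason to leave the existing tunnel alone rather than tear it down. The resolver is injectable; the DNS answers in demo() are constructed, and PeerState, poll_peers and scripted_resolver are names chosen for this example.

```python
"""Model of 'vpn ipsec auto-update <seconds>' for a hostname-keyed peer.

Added example (not from the Vyatta guide). Each pass re-resolves every
peer hostname and reports which tunnels need restarting. The resolver is
injectable so the logic runs offline; the DNS answers used in demo() are
constructed. PeerState, poll_peers and scripted_resolver are names chosen
here, not Vyatta commands.
"""
import socket
from dataclasses import dataclass
from typing import Optional


@dataclass
class PeerState:
    hostname: str
    address: Optional[str] = None  # address the tunnel was last brought up to
    failures: int = 0              # consecutive resolution failures


def system_resolver(hostname):
    """Default resolver: every IPv4 answer for the name, sorted for stability."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def poll_peers(peers, resolver=system_resolver):
    """One auto-update pass. Returns {hostname: action}; action is 'up' on the
    first successful resolution, 'restart' when the address changed, 'keep'
    when it is unchanged, 'unresolved' when DNS gave no answer."""
    actions = {}
    for peer in peers:
        try:
            answers = resolver(peer.hostname)
        except OSError:  # socket.gaierror is a subclass of OSError
            answers = []
        if not answers:
            # A transient DNS failure must not tear down a tunnel that may
            # still be working on the previously resolved address.
            peer.failures += 1
            actions[peer.hostname] = "unresolved"
            continue
        peer.failures = 0
        new = answers[0]  # deterministic pick when several A records exist
        if peer.address is None:
            action = "up"
        elif new != peer.address:
            action = "restart"
        else:
            action = "keep"
        peer.address = new
        actions[peer.hostname] = action
    return actions


def scripted_resolver(script):
    """Replay constructed answers per hostname in order; the last one repeats."""
    def resolve(hostname):
        answers = script[hostname]
        return answers.pop(0) if len(answers) > 1 else answers[0]
    return resolve


def demo():
    """Constructed history for east.company.com: DHCP hands out 192.0.2.40,
    renews to 192.0.2.41, one lookup fails, then the name resolves to .41 again."""
    script = {"east.company.com": [["192.0.2.40"], ["192.0.2.41"], [], ["192.0.2.41"]]}
    peers = [PeerState("east.company.com")]
    resolve = scripted_resolver(script)
    return [poll_peers(peers, resolve)["east.company.com"] for _ in range(4)]


if __name__ == "__main__":
    print(demo())  # ['up', 'restart', 'unresolved', 'keep']
```

The third pass is the case worth noticing: a lookup failure leaves the peer's recorded address at 192.0.2.41 and the tunnel untouched, and the next successful pass reports "keep" instead of forcing a restart. With system_resolver in place of the scripted one the same loop, run every 60 seconds, is the behaviour the auto-update setting asks for.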

Configure EAST
The connection from EAST to WEST only requires a minor change from that configured
in the section “Configuring a Basic Site-to-Site Connection” on page 20.
• WEST retains its fixed IP, so no modification is required to the remote peer IP
address.
• EAST has a dynamic local IP, so that must change. The dhcp-interface option
specifies the DHCP client interface.
• EAST is also configured for dynamic DNS, in this case with service provider
DynDNS. See the “Configuring Dynamic DNS” section in the Vyatta Services
Reference Guide for details on configuring a system for dynamic DNS.
To configure this connection, perform the following steps on EAST in configuration
mode.
Example 2‐20 Specify that the local IP is dynamic.

Remove the existing local-address configuration so that it doesn't conflict with the dhcp-interface configuration that will be set.
  vyatta@EAST# delete vpn ipsec site-to-site peer 192.0.2.1 local-address
  [edit]

Specify the DHCP client interface to use for the connection.
  vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 dhcp-interface eth0
  [edit]