
Vyatta - How to configure an IPSEC site to site VPN

Within this article we will show the steps required to build a site-to-site IPsec VPN on Vyatta.

The example uses the following encryption domain:

              Local             Remote
  Peer        2.2.2.2           1.1.1.1
  Endpoint    192.168.3.0/24    172.16.0.0/16

NAT

First of all, two NAT rules are configured to ensure that traffic between the two endpoints is not NAT'd: the exclude action exempts matching traffic from source NAT.

set nat source rule 10 destination address '172.16.0.0/16'
set nat source rule 10 source address '192.168.3.0/24'
set nat source rule 10 outbound-interface 'eth3'
set nat source rule 10 'exclude'

set nat source rule 20 source address '172.16.0.0/16'
set nat source rule 20 destination address '192.168.3.0/24'
set nat source rule 20 outbound-interface 'eth3'
set nat source rule 20 'exclude'

Phase1/2 Policies

Next, the Phase 1 (IKE) and Phase 2 (ESP) policies are defined. It is worth noting that even if you do not specify PFS within your Phase 2 policy, PFS is still enabled by default.

set vpn ipsec ike-group IKE-POLICY lifetime '86400'
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-POLICY proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group '2'

set vpn ipsec esp-group ESP-POLICY lifetime '3600'
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-POLICY proposal 1 hash 'sha1'

Configure VPN

Next, the VPN itself is configured, i.e. the previous policies are assigned to the peer, the pre-shared secret is defined and the Proxy IDs (the local and remote prefixes of the tunnel) are set.

Note: if the remote peer has a dynamic IP address, change the peer IP to 0.0.0.0.

set vpn ipsec ipsec-interfaces interface 'eth3'

set vpn ipsec site-to-site peer 1.1.1.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret 'abc123'
set vpn ipsec site-to-site peer 1.1.1.1 default-esp-group 'ESP-POLICY'
set vpn ipsec site-to-site peer 1.1.1.1 ike-group 'IKE-POLICY'
set vpn ipsec site-to-site peer 1.1.1.1 local-address '2.2.2.2'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 local prefix '192.168.3.0/24'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 remote prefix '172.16.0.0/16'

Firewall Rules

Finally, the firewall rules are configured to ensure that only traffic between the two endpoints is permitted: the INSIDE ruleset accepts only traffic from the local prefix to the remote prefix, and the OUTSIDE ruleset accepts only traffic that matched an IPsec policy (match-ipsec).

set firewall name INSIDE rule 10 action 'accept'
set firewall name INSIDE rule 10 destination address '172.16.0.0/16'
set firewall name INSIDE rule 10 source address '192.168.3.0/24'
set firewall name INSIDE rule 20 action 'drop'

set firewall name OUTSIDE rule 10 action 'accept'
set firewall name OUTSIDE rule 10 ipsec 'match-ipsec'
set firewall name OUTSIDE rule 20 action 'drop'

set interfaces ethernet eth1 firewall in name 'INSIDE'
set interfaces ethernet eth3 firewall in name 'OUTSIDE'
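As an added example that is not part of the original article and not a Vyatta tool, the following Python script parses the set lines above and cross-checks them: each tunnel's local/remote prefixes must be mirrored by a NAT exclusion rule and an INSIDE accept rule, the peer's local-address must be the configured local peer IP, and the OUTSIDE ruleset must accept only traffic that matched an IPsec policy. It also flags dh-group 2 and SHA-1 as legacy proposal values worth reviewing. The ruleset names INSIDE and OUTSIDE come from the article; the function names and finding texts are assumptions of this example.

```python
"""Consistency checks for a Vyatta site-to-site IPsec configuration.

Added example, not from the fir3net article or from Vyatta. It parses `set`
lines and confirms that each tunnel's proxy IDs are mirrored by a NAT exclusion
and an INSIDE accept rule, that local-address is the expected local peer, that
OUTSIDE accepts only IPsec-matched traffic, and flags legacy proposal values.
"""
import shlex
from collections import defaultdict

# Sample input: the article's configuration (lifetimes and interface binds omitted).
CONFIG = """
set nat source rule 10 destination address '172.16.0.0/16'
set nat source rule 10 source address '192.168.3.0/24'
set nat source rule 10 outbound-interface 'eth3'
set nat source rule 10 'exclude'
set nat source rule 20 source address '172.16.0.0/16'
set nat source rule 20 destination address '192.168.3.0/24'
set nat source rule 20 outbound-interface 'eth3'
set nat source rule 20 'exclude'
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-POLICY proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group '2'
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-POLICY proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 1.1.1.1 default-esp-group 'ESP-POLICY'
set vpn ipsec site-to-site peer 1.1.1.1 ike-group 'IKE-POLICY'
set vpn ipsec site-to-site peer 1.1.1.1 local-address '2.2.2.2'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 local prefix '192.168.3.0/24'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 remote prefix '172.16.0.0/16'
set firewall name INSIDE rule 10 action 'accept'
set firewall name INSIDE rule 10 destination address '172.16.0.0/16'
set firewall name INSIDE rule 10 source address '192.168.3.0/24'
set firewall name INSIDE rule 20 action 'drop'
set firewall name OUTSIDE rule 10 action 'accept'
set firewall name OUTSIDE rule 10 ipsec 'match-ipsec'
set firewall name OUTSIDE rule 20 action 'drop'
"""

def parse_set_lines(text):
    """Map the path of each `set` line to its quoted last token (the value)."""
    cfg = {}
    for line in text.splitlines():
        if line.startswith("set "):
            tokens = shlex.split(line)[1:]  # shlex also strips the quotes
            cfg[tuple(tokens[:-1])] = tokens[-1]
    return cfg

def rules(cfg, *prefix):
    """Group the leaves below `prefix` by the node name that follows it (e.g. rule number)."""
    grouped, n = defaultdict(dict), len(prefix)
    for path, value in cfg.items():
        if path[:n] == prefix and len(path) > n:
            grouped[path[n]][path[n + 1:]] = value
    return grouped

def nat_exclusions(cfg):
    """(source, destination) prefix pairs exempted from source NAT."""
    return {(r.get(("source", "address")), r.get(("destination", "address")))
            for r in rules(cfg, "nat", "source", "rule").values() if r.get(()) == "exclude"}

def tunnels(cfg):
    """(peer, local prefix, remote prefix) for every configured tunnel."""
    out = []
    for peer, leaves in rules(cfg, "vpn", "ipsec", "site-to-site", "peer").items():
        for path, local in leaves.items():
            if len(path) == 4 and path[0] == "tunnel" and path[2:] == ("local", "prefix"):
                out.append((peer, local, leaves.get(("tunnel", path[1], "remote", "prefix"))))
    return out

def firewall_accepts(cfg, name):
    """(source, destination, ipsec match) of every accept rule; None means any."""
    return {(r.get(("source", "address")), r.get(("destination", "address")), r.get(("ipsec",)))
            for r in rules(cfg, "firewall", "name", name, "rule").values()
            if r.get(("action",)) == "accept"}

def check(cfg, local_peer):
    """Return a list of findings; an empty list means the configuration is consistent."""
    findings, excl, inside = [], nat_exclusions(cfg), firewall_accepts(cfg, "INSIDE")
    for peer, local, remote in tunnels(cfg):
        if (local, remote) not in excl:
            findings.append(f"peer {peer}: no NAT exclusion for {local} -> {remote}")
        if (local, remote, None) not in inside:
            findings.append(f"peer {peer}: INSIDE has no accept rule for {local} -> {remote}")
        addr = cfg.get(("vpn", "ipsec", "site-to-site", "peer", peer, "local-address"))
        if addr != local_peer:
            findings.append(f"peer {peer}: local-address {addr} is not {local_peer}")
    for src, dst, ipsec in firewall_accepts(cfg, "OUTSIDE"):
        if ipsec != "match-ipsec":
            findings.append(f"OUTSIDE accepts non-IPsec traffic {src} -> {dst}")
    for path, value in cfg.items():  # legacy proposal values worth reviewing
        if path[-1:] == ("dh-group",) and value in {"1", "2"}:
            findings.append(f"{'/'.join(path)}: MODP group {value} is 1024-bit or weaker")
        if path[-1:] == ("hash",) and value == "sha1":
            findings.append(f"{'/'.join(path)}: SHA-1 is a legacy choice")
    return findings

if __name__ == "__main__":
    for finding in check(parse_set_lines(CONFIG), "2.2.2.2"):
        print(finding)
```

Run against the article's configuration the structural checks all pass and only the three proposal findings (dh-group 2 and the two sha1 hashes) are reported; comment out the NAT rule 10 lines and the script reports the missing exclusion for 192.168.3.0/24 -> 172.16.0.0/16.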

Reference

For further reference please go to http://www.vyatta.com/downloads/documentation/VC6.5/Vyatta-VPN_6.5R1_v01.pdf

Tags: Vyatta, VPN

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001