Chapter 2: IPsec Site‐to‐Site VPN IPsec Site‐to‐Site VPN Configuration 61
To configure this connection, perform the following steps on WEST in configuration
mode.
Example 2-26 Adding tunnels to the connection to EAST

Step: Navigate to the configuration node for EAST for easier editing.
    vyatta@WEST# edit vpn ipsec site-to-site peer [Link]
    [edit vpn ipsec site-to-site peer [Link]]

Step: Create the configuration node for tunnel 2, and provide the local subnet for this tunnel.
    vyatta@WEST# set tunnel 2 local prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]

Step: Provide the remote subnet for tunnel 2.
    vyatta@WEST# set tunnel 2 remote prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]

Step: Create the configuration node for tunnel 3, and provide the local subnet for this tunnel.
    vyatta@WEST# set tunnel 3 local prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]

Step: Provide the remote subnet for tunnel 3.
    vyatta@WEST# set tunnel 3 remote prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]

Step: Specify the ESP group for tunnel 3.
    vyatta@WEST# set tunnel 3 esp-group ESP-2W
    [edit vpn ipsec site-to-site peer [Link]]

Step: Create the configuration node for tunnel 4, and provide the local subnet for this tunnel.
    vyatta@WEST# set tunnel 4 local prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]

Step: Provide the remote subnet for tunnel 4.
    vyatta@WEST# set tunnel 4 remote prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]

Step: Specify the ESP group for tunnel 4.
    vyatta@WEST# set tunnel 4 esp-group ESP-2W
    [edit vpn ipsec site-to-site peer [Link]]

Step: Return to the top of the configuration tree.
    vyatta@WEST# top

Step: Commit the configuration.
    vyatta@WEST# commit
VPN 6.5R1 v01 Vyatta
Step: View the configuration for the site-to-site connection.
    vyatta@WEST# show vpn ipsec site-to-site peer [Link]
    authentication {
        mode pre-shared-secret
        pre-shared-secret test_key_1
    }
    default-esp-group ESP-1W
    ike-group IKE-1W
    local-address [Link]
    tunnel 1 {
        local {
            prefix [Link]/24
        }
        remote {
            prefix [Link]/24
        }
    }
    tunnel 2 {
        local {
            prefix [Link]/24
        }
        remote {
            prefix [Link]/24
        }
    }
    tunnel 3 {
        esp-group ESP-2W
        local {
            prefix [Link]/24
        }
        remote {
            prefix [Link]/24
        }
    }
    tunnel 4 {
        esp-group ESP-2W
        local {
            prefix [Link]/24
        }
        remote {
            prefix [Link]/24
        }
    }

Step: View the IPsec interface configuration.
    vyatta@WEST# show vpn ipsec ipsec-interfaces
    interface eth1
Step: View the Ethernet interface eth1 address configuration. local-address is set to this address.
    vyatta@WEST# show interfaces ethernet eth1
    address [Link]/27
CREATING THE CONNECTION TO SOUTH
Example 2-27 defines a site-to-site connection from WEST to SOUTH.
• The connection has four tunnels:
— Tunnel 1 communicates between [Link]/24 on WEST and
[Link]/24 on SOUTH, and uses the default ESP group ESP-1W.
— Tunnel 2 communicates between [Link]/24 on WEST and
[Link]/24 on SOUTH, and uses the default ESP group ESP-1W.
— Tunnel 3 communicates between [Link]/24 on WEST and
[Link]/24 on SOUTH, and uses the default ESP group ESP-1W.
— Tunnel 4 communicates between [Link]/24 on WEST and
[Link]/24 on SOUTH, and uses the default ESP group ESP-1W.
• WEST uses IP address [Link] on eth1.
• SOUTH uses IP address [Link] on eth0.
• The IKE group is IKE-1W.
• The preshared secret is “test_key_2”.
To configure this connection, perform the following steps on WEST in configuration
mode.
Example 2-27 Creating a site-to-site connection from WEST to SOUTH

Step: Create the node for SOUTH and set the authentication mode.
    vyatta@WEST# set vpn ipsec site-to-site peer [Link] authentication mode pre-shared-secret

Step: Navigate to the node for the peer for easier editing.
    vyatta@WEST# edit vpn ipsec site-to-site peer [Link]
    [edit vpn ipsec site-to-site peer [Link]]

Step: Provide the pre-shared secret that authenticates this peer during IKE. The same string must be configured on SOUTH.
    vyatta@WEST# set authentication pre-shared-secret test_key_2
    [edit vpn ipsec site-to-site peer [Link]]

Step: Specify the default ESP group for all tunnels.
    vyatta@WEST# set default-esp-group ESP-1W
    [edit vpn ipsec site-to-site peer [Link]]

Step: Specify the IKE group.
    vyatta@WEST# set ike-group IKE-1W
    [edit vpn ipsec site-to-site peer [Link]]
Step: Identify the IP address on this Vyatta system to be used for this connection.
    vyatta@WEST# set local-address [Link]
    [edit vpn ipsec site-to-site peer [Link]]

Step: Create the configuration node for tunnel 1, and provide the local subnet for this tunnel.
    vyatta@WEST# set tunnel 1 local prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]

Step: Provide the remote subnet for tunnel 1.
    vyatta@WEST# set tunnel 1 remote prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]

Step: Create the configuration node for tunnel 2, and provide the local subnet for this tunnel.
    vyatta@WEST# set tunnel 2 local prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]

Step: Provide the remote subnet for tunnel 2.
    vyatta@WEST# set tunnel 2 remote prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]

Step: Create the configuration node for tunnel 3, and provide the local subnet for this tunnel.
    vyatta@WEST# set tunnel 3 local prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]

Step: Provide the remote subnet for tunnel 3.
    vyatta@WEST# set tunnel 3 remote prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]

Step: Create the configuration node for tunnel 4, and provide the local subnet for this tunnel.
    vyatta@WEST# set tunnel 4 local prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]

Step: Provide the remote subnet for tunnel 4.
    vyatta@WEST# set tunnel 4 remote prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]

Step: Return to the top of the configuration tree.
    vyatta@WEST# top

Step: Commit the configuration.
    vyatta@WEST# commit
Step: View the configuration for the site-to-site connection.
    vyatta@WEST# show vpn ipsec site-to-site peer [Link]
    authentication {
        mode pre-shared-secret
        pre-shared-secret test_key_2
    }
    default-esp-group ESP-1W
    ike-group IKE-1W
    local-address [Link]
    tunnel 1 {
        local {
            prefix [Link]/24
        }
        remote {
            prefix [Link]/24
        }
    }
    tunnel 2 {
        local {
            prefix [Link]/24
        }
        remote {
            prefix [Link]/24
        }
    }
    tunnel 3 {
        local {
            prefix [Link]/24
        }
        remote {
            prefix [Link]/24
        }
    }
    tunnel 4 {
        local {
            prefix [Link]/24
        }
        remote {
            prefix [Link]/24
        }
    }
Configure EAST
This section presents the following topics:
• Configuring the Second ESP Group on EAST
• Adding Tunnels to the Connection to WEST
• Creating the Connection to SOUTH
This example assumes that EAST has already been configured for a basic connection to
WEST, as described in "Configuring a Basic Site-to-Site Connection" on page 20. The
additional configuration for EAST for this scenario consists of the following:
• An additional ESP group
• Three new tunnel configurations for the site-to-site connection to WEST
• A new site-to-site connection to SOUTH
This section presents the following examples:
• Example 2-28 Configuring a second ESP group on EAST
• Example 2-29 Adding tunnels to the connection to WEST
• Example 2-30 Creating a site-to-site connection from EAST to SOUTH
CONFIGURING THE SECOND ESP GROUP ON EAST
Example 2-28 creates a second ESP group ESP-2E on EAST (the counterpart of ESP-2W on
WEST). This ESP group contains just one proposal:
• Proposal 1 uses AES-256 as the encryption cipher and SHA-1 as the hash
algorithm
The lifetime of a proposal from this ESP group is set to 600 seconds.
To create this ESP group, perform the following steps on EAST in configuration
mode.
Example 2-28 Configuring a second ESP group on EAST

Step: Create the configuration node for proposal 1 of ESP group ESP-2E.
    vyatta@EAST# set vpn ipsec esp-group ESP-2E proposal 1

Step: Set the encryption cipher for proposal 1.
    vyatta@EAST# set vpn ipsec esp-group ESP-2E proposal 1 encryption aes256

Step: Set the hash algorithm for proposal 1 of ESP-2E.
    vyatta@EAST# set vpn ipsec esp-group ESP-2E proposal 1 hash sha1

Step: Set the lifetime for ESP-2E.
    vyatta@EAST# set vpn ipsec esp-group ESP-2E lifetime 600
Step: View the configuration for the ESP group. Don't commit yet.
    vyatta@EAST# show vpn ipsec esp-group ESP-2E
    > proposal 1 {
    >     encryption aes256
    >     hash sha1
    > }
    > lifetime 600
ADDING TUNNELS TO THE CONNECTION TO WEST
Example 2-29 adds three tunnels to the site-to-site connection from EAST to WEST.
• Tunnel 2 communicates between [Link]/24 on EAST and
[Link]/24 on WEST, and uses the default ESP group ESP-1E.
• Tunnel 3 communicates between [Link]/24 on EAST and
[Link]/24 on WEST, and uses ESP group ESP-2E.
• Tunnel 4 communicates between [Link]/24 on EAST and
[Link]/24 on WEST, and uses ESP group ESP-2E.
To configure this connection, perform the following steps on EAST in configuration
mode.
Example 2-29 Adding tunnels to the connection to WEST

Step: Navigate to the configuration node for WEST for easier editing.
    vyatta@EAST# edit vpn ipsec site-to-site peer [Link]
    [edit vpn ipsec site-to-site peer [Link]]

Step: Create the configuration node for tunnel 2, and provide the local subnet for this tunnel.
    vyatta@EAST# set tunnel 2 local prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]

Step: Provide the remote subnet for tunnel 2.
    vyatta@EAST# set tunnel 2 remote prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]

Step: Create the configuration node for tunnel 3, and provide the local subnet for this tunnel.
    vyatta@EAST# set tunnel 3 local prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]

Step: Provide the remote subnet for tunnel 3.
    vyatta@EAST# set tunnel 3 remote prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]

Step: Specify the ESP group for tunnel 3.
    vyatta@EAST# set tunnel 3 esp-group ESP-2E
    [edit vpn ipsec site-to-site peer [Link]]

Step: Create the configuration node for tunnel 4, and provide the local subnet for this tunnel.
    vyatta@EAST# set tunnel 4 local prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]
Step: Provide the remote subnet for tunnel 4.
    vyatta@EAST# set tunnel 4 remote prefix [Link]/24
    [edit vpn ipsec site-to-site peer [Link]]

Step: Specify the ESP group for tunnel 4.
    vyatta@EAST# set tunnel 4 esp-group ESP-2E
    [edit vpn ipsec site-to-site peer [Link]]

Step: Return to the top of the configuration tree.
    vyatta@EAST# top

Step: Commit the configuration.
    vyatta@EAST# commit
Step: View the configuration for the site-to-site connection.
    vyatta@EAST# show vpn ipsec site-to-site peer [Link]
    authentication {
        mode pre-shared-secret
        pre-shared-secret test_key_1
    }
    default-esp-group ESP-1E
    ike-group IKE-1E
    local-address [Link]
    tunnel 1 {
        local {
            prefix [Link]/24
        }
        remote {
            prefix [Link]/24
        }
    }
    tunnel 2 {
        local {
            prefix [Link]/24
        }
        remote {
            prefix [Link]/24
        }
    }
    tunnel 3 {
        esp-group ESP-2E
        local {
            prefix [Link]/24
        }
        remote {
            prefix [Link]/24
        }
    }
    tunnel 4 {
        esp-group ESP-2E
        local {
            prefix [Link]/24
        }
        remote {
            prefix [Link]/24
        }
    }

Step: View the IPsec interface configuration.
    vyatta@EAST# show vpn ipsec ipsec-interfaces
    interface eth0
Step: View the Ethernet interface eth0 address configuration. local-address is set to this address.
    vyatta@EAST# show interfaces ethernet eth0
    address [Link]/27
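Examples 2-26, 2-28 and 2-29 configure the two ends of the WEST-EAST connection separately, and a tunnel only comes up when both ends agree: tunnel N's local prefix on WEST must be tunnel N's remote prefix on EAST and vice versa, the pre-shared secret must be identical, and the ESP group each side applies to that tunnel must carry the same proposals and lifetime even though the names differ (ESP-2W on WEST, ESP-2E on EAST). The script below is an added example, not code from the Vyatta guide: it parses the brace-delimited text that `show vpn ipsec site-to-site peer` and `show vpn ipsec esp-group` print and reports every mismatch. The addresses, the contents of ESP-1W/ESP-1E (only ESP-2E is shown on this page) and the three-tunnel layout are constructed sample data standing in for the guide's values.

```python
"""Cross-check the two ends of a Vyatta site-to-site IPsec connection.

Added example, not code from the Vyatta guide. Parses `show`-style output
from both routers and verifies that tunnel N on one side mirrors tunnel N on
the other. All addresses and ESP group contents here are constructed.
"""
from typing import Any, Dict, List, Optional, Sequence, Tuple


def parse_vyatta(text: str) -> Dict[str, Any]:
    """Parse brace-delimited Vyatta `show` output into nested dicts.

    `tunnel 1 {` opens node["tunnel"]["1"]; `prefix 10.0.0.0/24` stores a
    leaf value. A leading `>` (uncommitted-change marker) is ignored.
    """
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = stack[-1]
            for word in line[:-1].split():
                node = node.setdefault(word, {})
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return root


def effective_esp_group(peer: Dict[str, Any], tunnel: Dict[str, Any]) -> Optional[str]:
    """A per-tunnel esp-group overrides the peer's default-esp-group."""
    return tunnel.get("esp-group", peer.get("default-esp-group"))


def prefix(tunnel: Dict[str, Any], side: str) -> Optional[str]:
    return tunnel.get(side, {}).get("prefix")


def check_connection(a_text: str, b_text: str,
                     a_groups: Dict[str, Dict[str, Any]],
                     b_groups: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return the list of mismatches between the two ends (empty = consistent).

    IKE phase 2 only succeeds when both sides offer matching traffic selectors
    and ESP proposals, so each finding is a tunnel that will not establish.
    """
    a, b = parse_vyatta(a_text), parse_vyatta(b_text)
    problems: List[str] = []
    if (a.get("authentication", {}).get("pre-shared-secret")
            != b.get("authentication", {}).get("pre-shared-secret")):
        problems.append("pre-shared-secret differs between the two peers")
    a_t, b_t = a.get("tunnel", {}), b.get("tunnel", {})
    for n in sorted(set(a_t) | set(b_t), key=int):
        if n not in a_t or n not in b_t:
            problems.append(f"tunnel {n}: configured on only one side")
            continue
        ta, tb = a_t[n], b_t[n]
        if prefix(ta, "local") != prefix(tb, "remote") or prefix(ta, "remote") != prefix(tb, "local"):
            problems.append(f"tunnel {n}: local/remote prefixes are not mirror images")
        ga = a_groups.get(effective_esp_group(a, ta))
        gb = b_groups.get(effective_esp_group(b, tb))
        if ga is None or gb is None:
            problems.append(f"tunnel {n}: ESP group referenced but not defined")
        elif ga != gb:  # names may differ (ESP-2W vs ESP-2E); parameters may not
            problems.append(f"tunnel {n}: ESP group parameters differ ({ga} vs {gb})")
    return problems


def tunnel_block(n: int, local: str, remote: str, esp: Optional[str] = None) -> str:
    """Render one `tunnel N { ... }` block in the syntax `show` prints."""
    esp_line = f"    esp-group {esp}\n" if esp else ""
    return (f"tunnel {n} {{\n{esp_line}    local {{\n        prefix {local}\n    }}\n"
            f"    remote {{\n        prefix {remote}\n    }}\n}}\n")


def peer_text(secret: str, default_esp: str, ike: str, local_addr: str,
              tunnels: Sequence[Tuple]) -> str:
    """Render a whole peer node as `show vpn ipsec site-to-site peer` would."""
    head = (f"authentication {{\n    mode pre-shared-secret\n    pre-shared-secret {secret}\n}}\n"
            f"default-esp-group {default_esp}\nike-group {ike}\nlocal-address {local_addr}\n")
    return head + "".join(tunnel_block(*t) for t in tunnels)


# Constructed sample data (RFC 5737 / RFC 1918 ranges), not the guide's values.
WEST_PEER_EAST = peer_text("test_key_1", "ESP-1W", "IKE-1W", "192.0.2.1", [
    (1, "192.168.40.0/24", "192.168.60.0/24"),
    (2, "192.168.41.0/24", "192.168.61.0/24"),
    (3, "192.168.42.0/24", "192.168.62.0/24", "ESP-2W"),
])
EAST_PEER_WEST = peer_text("test_key_1", "ESP-1E", "IKE-1E", "192.0.2.33", [
    (1, "192.168.60.0/24", "192.168.40.0/24"),
    (2, "192.168.61.0/24", "192.168.41.0/24"),
    (3, "192.168.62.0/24", "192.168.42.0/24", "ESP-2E"),
])
# ESP group bodies as `show vpn ipsec esp-group` prints them; ESP-1* contents are assumed.
ESP_STD = "proposal 1 {\n    encryption aes256\n    hash sha1\n}\nlifetime 1800\n"
ESP_FAST = "proposal 1 {\n    encryption aes256\n    hash sha1\n}\nlifetime 600\n"
WEST_ESP = {"ESP-1W": parse_vyatta(ESP_STD), "ESP-2W": parse_vyatta(ESP_FAST)}
EAST_ESP = {"ESP-1E": parse_vyatta(ESP_STD), "ESP-2E": parse_vyatta(ESP_FAST)}

if __name__ == "__main__":
    # As configured: no findings. Then EAST mistakenly leaves tunnel 3 on its default group.
    print(check_connection(WEST_PEER_EAST, EAST_PEER_WEST, WEST_ESP, EAST_ESP))
    print(check_connection(WEST_PEER_EAST, EAST_PEER_WEST.replace("ESP-2E", "ESP-1E"),
                           WEST_ESP, EAST_ESP))
```

Paste the real `show` output from each router into `WEST_PEER_EAST` and `EAST_PEER_WEST` (and each `show vpn ipsec esp-group` body into the group dicts) to run the same check against a live pair; the parser tolerates the `>` markers that uncommitted changes carry, so it can be used before `commit`.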
CREATING THE CONNECTION TO SOUTH
Example 2-30 defines a site-to-site connection from EAST to SOUTH.
• The connection has four tunnels:
— Tunnel 1 communicates between [Link]/24 on EAST and
[Link]/24 on SOUTH, and uses the default ESP group ESP-1E.
— Tunnel 2 communicates between [Link]/24 on EAST and
[Link]/24 on SOUTH, and uses the default ESP group ESP-1E.
— Tunnel 3 communicates between [Link]/24 on EAST and
[Link]/24 on SOUTH, and uses the default ESP group ESP-1E.
— Tunnel 4 communicates between [Link]/24 on EAST and
[Link]/24 on SOUTH, and uses the default ESP group ESP-1E.
• EAST uses IP address [Link] on eth1.
• SOUTH uses IP address [Link] on eth0.
• The IKE group is IKE-1E.
• The preshared secret is “test_key_2”.
To configure this connection, perform the following steps on EAST in configuration
mode.
Example 2-30 Creating a site-to-site connection from EAST to SOUTH

Step: Create the node for SOUTH and set the authentication mode.
    vyatta@EAST# set vpn ipsec site-to-site peer [Link] authentication mode pre-shared-secret

Step: Navigate to the node for the peer for easier editing.
    vyatta@EAST# edit vpn ipsec site-to-site peer [Link]
    [edit vpn ipsec site-to-site peer [Link]]

Step: Provide the pre-shared secret that authenticates this peer during IKE. The same string must be configured on SOUTH.
    vyatta@EAST# set authentication pre-shared-secret test_key_2
    [edit vpn ipsec site-to-site peer [Link]]

Step: Specify the default ESP group.
    vyatta@EAST# set default-esp-group ESP-1E
    [edit vpn ipsec site-to-site peer [Link]]

Step: Specify the IKE group.
    vyatta@EAST# set ike-group IKE-1E
    [edit vpn ipsec site-to-site peer [Link]]