IPsec Site-To-Site

About

This is a configuration example of an IPsec tunnel in a Site-To-Site scenario. In this setup, two separate networks are securely connected over the Internet using dedicated VPN gateways. The configuration demonstrates how to establish a reliable and encrypted communication channel between the sites.

Introduction

A common use case for IPsec VPNs is to connect two networks via a secure tunnel over the Internet. We refer to this scenario as Site-To-Site VPN. It is accomplished by having two VPN gateways, one at each site, negotiate and establish a secure tunnel and then forward all traffic between the two networks through it. By creating VPN tunnels you establish a secure overlay network on top of your regular Internet connections.

                            .--.-.
                           ( (    )__
                          (_,  \ ) ,_)  Internet/Public Network
                            '-'--`--'
                             |    |
          .------------------'    '--------------------.
          |                                            |
          |Public IP:                                  |Public IP:
          |192.168.0.1                                 |192.168.0.2
      .---+----.                                   .---+----.
      |  Alice |           IPsec Tunnel            |  Bob   |
      |  GW-1  |===================================|  GW-2  |
      |        |Responder                 Initiator|        |
      '---+----'                                   '---+----'
          |.1     (Site A)           (Site B)          |.1
          |     10.1.0.0/16         10.2.0.0/16        |
---+------+---+-------------        ---+----------+----+----
   |          |                        |          |
   |.11       |.5                      |.11       |.5
 .-+--.     .-+--.                   .-+--.     .-+--.
 | H1 |     | H2 |                   | H3 |     | H4 |
 '----'     '----'                   '----'     '----'

Figure 1: Site-To-Site tunnel using IPsec.

In Figure 1 Alice is the responder and Bob is the initiator. Both have configured their identities (local-id and remote-id) so that IKE can authenticate the peers. Each peer defines its local and remote subnet. They also share a pre-shared key, chosen randomly with sufficient entropy.

To secure all traffic between Site A and Site B, Alice defines 10.1.0.0/16 as local subnet and 10.2.0.0/16 as remote subnet in the tunnel configuration. Bob does the opposite, i.e., defines 10.2.0.0/16 as local subnet and 10.1.0.0/16 as remote subnet. Note that when the subnets don't mirror each other, IKE (Phase 1) might still be established but the tunnel (the CHILD_SA carrying the traffic) won't be created. In certain scenarios it is possible to establish a tunnel where the remote subnet configured on one peer lies within the local subnet configured on the other. In such cases only the traffic that falls within the IP address range common to both subnets is secured; traffic outside that range is not sent through the tunnel.
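The mirroring rule above is easy to get wrong when two administrators configure the two gateways independently. The following added example (not part of the original guide) cross-checks the two peer configurations before they are applied: it verifies that each peer's configured peer address is the other's local-address, and classifies the subnets as a full match, a nested (partial) overlap, or a mismatch. The dictionaries and verdict names are constructed for this example; `ipaddress.ip_network` with its default strict mode also rejects a subnet whose host bits are set, which catches typos such as `10.1.0.1/16`.

```python
"""Cross-check two site-to-site IPsec peer configurations before deploying them.

Added example, not part of the original guide. The peer dictionaries mirror
the CLI settings shown for Alice and Bob; the verdict names are assumptions."""
from ipaddress import ip_network

# Constructed from the guide's Responder/Initiator setup.
ALICE = {"local-address": "192.168.0.1", "peer": "192.168.0.2",
         "local-subnet": "10.1.0.0/16", "remote-subnet": "10.2.0.0/16"}
BOB = {"local-address": "192.168.0.2", "peer": "192.168.0.1",
       "local-subnet": "10.2.0.0/16", "remote-subnet": "10.1.0.0/16"}


def _overlap(x, y):
    """Return the protected range shared by two selectors: the narrower one
    when one is nested inside the other, else None (no common range)."""
    if x.version != y.version:
        return None
    if x.subnet_of(y):
        return x
    if y.subnet_of(x):
        return y
    return None


def check_peers(a: dict, b: dict) -> dict:
    """Compare A's selectors with B's mirrored selectors.

    verdict: 'match'    - both directions identical, all site traffic is protected
             'partial'  - nested selectors, only the shared range is protected
             'mismatch' - no shared range, IKE may come up but no CHILD_SA will
    """
    # strict=True (the default) raises ValueError when host bits are set, e.g. 10.1.0.1/16
    a_local, a_remote = ip_network(a["local-subnet"]), ip_network(a["remote-subnet"])
    b_local, b_remote = ip_network(b["local-subnet"]), ip_network(b["remote-subnet"])

    # Each side's 'peer' must be the other side's 'local-address'.
    endpoints_ok = a["peer"] == b["local-address"] and b["peer"] == a["local-address"]

    a_to_b = _overlap(a_local, b_remote)   # what A sends must be what B expects
    b_to_a = _overlap(a_remote, b_local)   # and vice versa

    if a_local == b_remote and a_remote == b_local:
        verdict = "match"
    elif a_to_b is None or b_to_a is None:
        verdict = "mismatch"
    else:
        verdict = "partial"
    protected = None if verdict == "mismatch" else (str(a_to_b), str(b_to_a))
    return {"verdict": verdict, "endpoints_ok": endpoints_ok, "protected": protected}


if __name__ == "__main__":
    print(check_peers(ALICE, BOB))
```

A `partial` verdict is the nested case described above: the returned `protected` pair is the only address range that will actually be carried through the tunnel, so anything outside it at either site travels unprotected.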

Responder Setup

alice:/#> config
alice:/config/#> tunnel
alice:/config/tunnel/#> ipsec 1
alice:/config/tunnel/ipsec-1/#> description "Site-to-site"

alice:/config/tunnel/ipsec-1/#> local-address 192.168.0.1
alice:/config/tunnel/ipsec-1/#> local-subnet 10.1.0.0/16
alice:/config/tunnel/ipsec-1/#> local-id alice

alice:/config/tunnel/ipsec-1/#> peer 192.168.0.2
alice:/config/tunnel/ipsec-1/#> remote-subnet 10.2.0.0/16
alice:/config/tunnel/ipsec-1/#> remote-id bob

alice:/config/tunnel/ipsec-1/#> secret This_is_a_strong_sec$%,^@d
alice:/config/tunnel/ipsec-1/#> leave

Initiator Setup

bob:/#> config
bob:/config/#> tunnel 
bob:/config/tunnel/#> ipsec 1
bob:/config/tunnel/ipsec-1/#> description "Site-to-site"
bob:/config/tunnel/ipsec-1/#> initiator

bob:/config/tunnel/ipsec-1/#> local-address 192.168.0.2
bob:/config/tunnel/ipsec-1/#> local-subnet 10.2.0.0/16
bob:/config/tunnel/ipsec-1/#> local-id bob

bob:/config/tunnel/ipsec-1/#> peer 192.168.0.1
bob:/config/tunnel/ipsec-1/#> remote-subnet 10.1.0.0/16
bob:/config/tunnel/ipsec-1/#> remote-id alice

bob:/config/tunnel/ipsec-1/#> secret This_is_a_strong_sec$%,^@d

bob:/config/tunnel/ipsec-1/#> leave

Verification

After applying the configuration, Alice can check whether Bob succeeded in establishing the connection:

alice:/#> show tunnel ipsec
ID  DESCRIPTION      STATUS               TIME (since last rekey)
1   ipsec1           Up(Installed)        0 Days 1 Hours 8 Mins 39 Secs
alice:/#> show tunnel ipsec 1
Current state for tunnel ipsec1 is UP(Installed).

Security-Association(SA) details:
ipsec1: #6, ESTABLISHED, IKEv2, 20759114c78bf131_i* 4fb9e973f3067b48_r
  local  'alice' @ 192.168.0.1[500]
  remote 'bob' @ 192.168.0.2[500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 5s ago, rekeying in 14304s
  tunnel1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 5s ago, rekeying in 3267s, expires in 3955s
    in  c2032981,      0 bytes,     0 packets
    out cc173955,      0 bytes,     0 packets
    local  192.168.0.1/32
    remote 192.168.0.2/32

Loaded configuration for the connection:
ipsec1: IKEv2, no reauthentication, rekeying every 14400s, dpd delay 30s
  local:  192.168.0.1
  remote: 192.168.0.2
  local pre-shared key authentication:
    id: alice
  remote pre-shared key authentication:
    id: bob
  tunnel1: TUNNEL, rekeying every 3600s, dpd action is start
    local:  dynamic
    remote: dynamic
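When many tunnels are monitored, reading this output by hand does not scale, and the interesting failure mode is the one noted in the introduction: an IKE SA that is ESTABLISHED while no CHILD_SA is INSTALLED. The following added example (not part of the guide or the product) parses the `show tunnel ipsec 1` output above and classifies the tunnel as `up`, `ike-only` or `down`. The first sample is copied from Alice's output on this page; the second is constructed to show the IKE-only symptom. The regular expressions are written against that sample and are an assumption about the output format.

```python
"""Parse `show tunnel ipsec <id>` output and classify the tunnel state.

Added example, not part of the original guide. SAMPLE_UP is copied from the
guide's Alice output; SAMPLE_IKE_ONLY is constructed. The regular expressions
are an assumption about the output format based on that sample."""
import re

# Copied from the guide's `show tunnel ipsec 1` example (Alice's view).
SAMPLE_UP = """\
Current state for tunnel ipsec1 is UP(Installed).

Security-Association(SA) details:
ipsec1: #6, ESTABLISHED, IKEv2, 20759114c78bf131_i* 4fb9e973f3067b48_r
  local  'alice' @ 192.168.0.1[500]
  remote 'bob' @ 192.168.0.2[500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 5s ago, rekeying in 14304s
  tunnel1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 5s ago, rekeying in 3267s, expires in 3955s
    in  c2032981,      0 bytes,     0 packets
    out cc173955,      0 bytes,     0 packets
    local  192.168.0.1/32
    remote 192.168.0.2/32
"""

# Constructed: the IKE SA came up but no CHILD_SA was installed, which is the
# symptom the guide describes when the peers' subnets do not mirror each other.
SAMPLE_IKE_ONLY = """\
Current state for tunnel ipsec1 is DOWN.

Security-Association(SA) details:
ipsec1: #2, ESTABLISHED, IKEv2, 0123456789abcdef_i* fedcba9876543210_r
  local  'alice' @ 192.168.0.1[500]
  remote 'bob' @ 192.168.0.2[500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 12s ago, rekeying in 14300s
"""

IKE_RE = re.compile(r"^(?P<name>\S+): #(?P<id>\d+), (?P<state>[A-Z_]+), (?P<ver>IKEv\d)")
PROP_RE = re.compile(r"^\s+(?P<prop>[A-Z][A-Z0-9_\-]*(?:/[A-Z][A-Z0-9_\-]*)+)$")
CHILD_RE = re.compile(r"^\s+(?P<name>\S+): #(?P<id>\d+), reqid (?P<reqid>\d+), "
                      r"(?P<state>[A-Z_]+), (?P<mode>TUNNEL|TRANSPORT), ESP:(?P<esp>\S+)")
CNT_RE = re.compile(r"^\s+(?P<dir>in|out)\s+(?P<spi>[0-9a-f]+),\s+(?P<bytes>\d+) bytes,"
                    r"\s+(?P<pkts>\d+) packets")
TS_RE = re.compile(r"^\s+(?P<side>local|remote)\s+(?P<net>\S+/\d+)$")


def parse_show_tunnel(text: str) -> dict:
    """Extract the IKE SA state, the IKE proposal and the first CHILD_SA."""
    result = {"ike_state": None, "ike_version": None, "proposal": None, "child": None}
    for line in text.splitlines():
        if (m := IKE_RE.match(line)):
            result["ike_state"], result["ike_version"] = m["state"], m["ver"]
        elif (m := PROP_RE.match(line)) and result["proposal"] is None:
            result["proposal"] = m["prop"]
        elif (m := CHILD_RE.match(line)):
            result["child"] = {"state": m["state"], "mode": m["mode"], "esp": m["esp"],
                               "in": None, "out": None, "local_ts": None, "remote_ts": None}
        elif result["child"] and (m := CNT_RE.match(line)):
            result["child"][m["dir"]] = {"spi": m["spi"], "bytes": int(m["bytes"]),
                                         "packets": int(m["pkts"])}
        elif result["child"] and (m := TS_RE.match(line)):
            result["child"][f"{m['side']}_ts"] = m["net"]
    return result


def assess(text: str) -> dict:
    """Classify: 'up' (IKE SA + CHILD_SA), 'ike-only' (Phase 1 only; check the
    subnets on both peers) or 'down' (no IKE SA established)."""
    r = parse_show_tunnel(text)
    child = r["child"]
    if r["ike_state"] == "ESTABLISHED" and child and child["state"] == "INSTALLED":
        r["verdict"] = "up"
    elif r["ike_state"] == "ESTABLISHED":
        r["verdict"] = "ike-only"
    else:
        r["verdict"] = "down"
    # Zero packets right after installation is normal; a tunnel that has been up
    # for a long time with no traffic in either direction deserves a second look.
    r["traffic_seen"] = bool(child and any(child[d] and child[d]["packets"] > 0
                                           for d in ("in", "out")))
    return r


if __name__ == "__main__":
    print(assess(SAMPLE_UP)["verdict"], assess(SAMPLE_IKE_ONLY)["verdict"])
```

The `ike-only` verdict is the actionable one: authentication and key exchange worked, so the pre-shared key and identities are fine, and the next thing to compare is the local-subnet/remote-subnet pair on each gateway.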