IPsec Site-To-Site

About

This is a configuration example of an IPsec tunnel in a Site-To-Site scenario.

Introduction

A common use case for IPsec VPNs is to connect two networks via a secure tunnel over the Internet. We refer to this scenario as Site-To-Site VPN. It is accomplished by having two VPN gateways, one at each site, negotiate and establish a secure tunnel, and to forward all traffic between the two networks through this tunnel. By creating VPN tunnels you establish a secure overlay network on top of your regular Internet connections.

                            .--.-.
                           ( (    )__
                          (_,  \ ) ,_)  Internet/Public Network
                            '-'--`--'
                             |    |
          .------------------'    '--------------------.
          |                                            |
          |Public IP:                                  |Public IP:
          |192.168.0.1                                 |192.168.0.2
      .---+----.                                   .---+----.
      |  Alice |           IPsec Tunnel            |  Bob   |
      |  GW-1  |===================================|  GW-2  |
      |        |Responder                 Initiator|        |
      '---+----'                                   '---+----'
          |.1     (Site A)           (Site B)          |.1
          |     10.1.0.0/16         10.2.0.0/16        |
---+------+---+-------------        ---+----------+----+----
   |          |                        |          |
   |.11       |.5                      |.11       |.5
 .-+--.     .-+--.                   .-+--.     .-+--.
 | H1 |     | H2 |                   | H3 |     | H4 |
 '----'     '----'                   '----'     '----'

Figure 1: Site-To-Site tunnel using IPsec.

In Figure 1, Alice is the responder and Bob is the initiator. Both have configured their identities to allow for IKE authentication, and each peer has defined its local and remote subnet. They also share a pre-shared key, chosen randomly with sufficient entropy.

To secure all traffic between Site A and Site B, Alice defines 10.1.0.0/16 as the local subnet and 10.2.0.0/16 as the remote subnet in the tunnel configuration. Bob does the opposite, i.e., defines 10.2.0.0/16 as the local subnet and 10.1.0.0/16 as the remote subnet. Note that when the subnets don’t match, IKE (Phase 1) may still be established, but the tunnel itself won’t be created. In certain scenarios it is possible to establish a tunnel where the remote subnet of one peer resides within the local subnet of the other. In such cases, only the traffic that falls within the address range shared by the two subnets will be secured.
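As an added example (not part of this guide and not a feature of the product's CLI), the following Python script applies the subnet rule above to both peers' local-subnet/remote-subnet settings and reports whether they mirror each other, only partially overlap (so a narrower range would be protected), or cannot form a tunnel at all. The sample subnets are constructed from Figure 1 plus a deliberately narrowed variant.

```python
"""Check whether two site-to-site peers' subnet definitions agree.

Added example: Alice's local subnet must be Bob's remote subnet and vice
versa.  If one peer's subnet lies inside the other's, only the shared range
(the narrower block) is protected.  CIDR blocks are either nested or
disjoint, so the shared range is the narrower of the two, or nothing.
"""
import ipaddress
from typing import Optional, Tuple

Net = ipaddress.ip_network


def shared_range(a, b) -> Optional[ipaddress.IPv4Network]:
    """Return the address block covered by both CIDR networks, or None."""
    if a.version != b.version:
        return None  # IPv4 vs IPv6 can never overlap
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None  # disjoint: no traffic would match on both sides


def check_selectors(alice_local: str, alice_remote: str,
                    bob_local: str, bob_remote: str) -> Tuple[str, Optional[tuple]]:
    """Return (status, (site_a_range, site_b_range)).

    'mirrored'  - each side's local subnet equals the other's remote subnet
    'narrowed'  - subnets only partially agree; a tunnel may come up but
                  protects just the shared range
    'mismatch'  - no shared range on at least one side; IKE may still be
                  established but no tunnel is created
    """
    al, ar = Net(alice_local), Net(alice_remote)
    bl, br = Net(bob_local), Net(bob_remote)
    site_a = shared_range(al, br)  # Alice's local vs. what Bob calls remote
    site_b = shared_range(ar, bl)  # Alice's remote vs. what Bob calls local
    if site_a is None or site_b is None:
        return "mismatch", None
    status = "mirrored" if (al == br and ar == bl) else "narrowed"
    return status, (str(site_a), str(site_b))


if __name__ == "__main__":
    # Constructed inputs: Figure 1 as given, a narrowed Bob, and a typo on Bob.
    print(check_selectors("10.1.0.0/16", "10.2.0.0/16", "10.2.0.0/16", "10.1.0.0/16"))
    print(check_selectors("10.1.0.0/16", "10.2.0.0/16", "10.2.5.0/24", "10.1.0.0/16"))
    print(check_selectors("10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16", "10.1.0.0/16"))
```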

Responder Setup

alice:/#> config
alice:/config/#> tunnel
alice:/config/tunnel/#> ipsec 1
alice:/config/tunnel/ipsec-1/#> description "Site-to-site"

alice:/config/tunnel/ipsec-1/#> local-address 192.168.0.1
alice:/config/tunnel/ipsec-1/#> local-subnet 10.1.0.0/16
alice:/config/tunnel/ipsec-1/#> local-id alice

alice:/config/tunnel/ipsec-1/#> peer 192.168.0.2
alice:/config/tunnel/ipsec-1/#> remote-subnet 10.2.0.0/16
alice:/config/tunnel/ipsec-1/#> remote-id bob

alice:/config/tunnel/ipsec-1/#> secret This_is_a_strong_sec$%,^@d
alice:/config/tunnel/ipsec-1/#> leave

Initiator Setup

bob:/#> config
bob:/config/#> tunnel 
bob:/config/tunnel/#> ipsec 1
bob:/config/tunnel/ipsec-1/#> description "Site-to-site"
bob:/config/tunnel/ipsec-1/#> initiator

bob:/config/tunnel/ipsec-1/#> local-address 192.168.0.2
bob:/config/tunnel/ipsec-1/#> local-subnet 10.2.0.0/16
bob:/config/tunnel/ipsec-1/#> local-id bob

bob:/config/tunnel/ipsec-1/#> peer 192.168.0.1
bob:/config/tunnel/ipsec-1/#> remote-subnet 10.1.0.0/16
bob:/config/tunnel/ipsec-1/#> remote-id alice

bob:/config/tunnel/ipsec-1/#> secret This_is_a_strong_sec$%,^@d

bob:/config/tunnel/ipsec-1/#> leave

Verification

After applying the configuration, Alice can check whether Bob succeeded in connecting:

alice:/#> show tunnel ipsec
ID  DESCRIPTION      STATUS               TIME (since last rekey)             
1   ipsec1           Up(Installed)        0 Days 1 Hours 8 Mins 39 Secs
alice:/#> show tunnel ipsec 1
ipsec1: #1, ESTABLISHED, IKEv2, f12bb939c9af0481_i 47854a240bfbe42b_r*
  local  'alice' @ 192.168.0.1[500]
  remote 'bob' @ 192.168.0.2[500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
  established 4139s ago, rekeying in 8889s
  tunnel1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_384_192/MODP_4096
    installed 832s ago, rekeying in 2480s, expires in 3128s
    in  cc057a20,   1596 bytes,    19 packets,   512s ago
    out cb1c4624,   1596 bytes,    19 packets,   512s ago
    local  10.1.0.0/16
    remote 10.2.0.0/16