Use cases
Use case: site-to-site VPN
In this use case, two sites A and B must be interconnected via a public network. An IPsec VPN is configured between the two security gateways SecGW-A and SecGW-B.
The IP addresses of the security gateways and of the sites are well known. The peers identify themselves with a Fully Qualified Domain Name (FQDN) and authenticate via a pre-shared key.
vsr running ike# show config nodefault
ike
    global-options
        ..
    ike-policy-template iketemp1
        ike-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha512
            prf-alg hmac-sha512
            dh-group modp2048
            ..
        ..
    ipsec-policy-template ipsectemp1
        esp-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha256
            ..
        ah-proposal 1
            auth-alg hmac-sha512
            ..
        ..
    vpn siteA-siteB
        ike-policy
            template iketemp1
            ..
        ipsec-policy
            template ipsectemp1
            ..
        local-address 192.0.2.1
        remote-address 198.51.100.1
        local-id secgwa.6wind.net
        remote-id secgwb.6wind.net
        security-policy trunk
            local-ts subnet 192.168.0.0/24
            remote-ts subnet 192.168.99.0/24
            ..
        ..
    pre-shared-key siteb
        id secgwb.6wind.net
        secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
        ..
Use case: VPN concentrator
In this use case, remote users must be given access to the local site A via a public network. The traffic must be secured by IPsec VPNs between the users and the security gateway SecGW-A.
IKE negotiations are initiated by the remote users. Their public IP addresses are dynamically assigned by their access point. Each user requests the security gateway to assign it a virtual private address. The security gateway picks this VIP from a local pool.
The peers identify themselves with a user Fully Qualified Domain Name (user FQDN) and authenticate via pre-shared keys. Remote hosts use different VPN clients that support different cryptographic algorithms and key lengths.
vsr running ike# show config nodefault
ike
    global-options
        ..
    ike-policy-template iketemp1
        ike-proposal 1
            enc-alg aes256-cbc
            enc-alg aes128-cbc
            auth-alg hmac-sha512
            prf-alg hmac-sha512
            dh-group modp2048
            ..
        ike-proposal 2
            aead-alg aes128-gcm-128
            prf-alg hmac-sha512
            dh-group modp2048
            ..
        ..
    ipsec-policy-template ipsectemp1
        esp-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha256
            ..
        esp-proposal 2
            aead-alg aes128-gcm-128
            ..
        ah-proposal 1
            auth-alg hmac-sha512
            ..
        ..
    vpn siteA-roadw
        ike-policy
            template iketemp1
            ..
        ipsec-policy
            template ipsectemp1
            ..
        local-address 192.0.2.1
        local-id user1.roadw.6wind.net
        vip-pool user-vips
        security-policy hub
            local-ts subnet 192.168.0.0/24
            ..
        ..
    pre-shared-key user1
        id user1@6wind.net
        secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
        ..
    pre-shared-key user2
        id user2@6wind.net
        secret 0s3zpRt+h3g12NSaSKEx2yjY4ctak=
        ..
    pool user-vips
        address 192.168.99.0/24
        subnet 172.16.0.0/12
        subnet fc00:1234::/64
        ..
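The following Python script is an added example, not 6WIND code or part of this documentation: it parses the indented, '..'-closed configuration format shown in the site-to-site and concentrator use cases above and audits the cross-references a reviewer otherwise checks by hand (each vpn's ike-policy and ipsec-policy template must be defined, and each remote-id must have a pre-shared-key with the same id), then flags weak algorithm names in proposals. The embedded SAMPLE is constructed from the site-to-site case with two seeded faults (a PSK id that does not match the remote-id, and dh-group modp1024), and the weak-name list is an assumption following the page's naming pattern, not a 6WIND list.

```python
# Added example, not 6WIND code: audit the indented, '..'-closed IKE config format
# shown above. SAMPLE is constructed (site-to-site case with two seeded faults).
SAMPLE = """ike
    ike-policy-template iketemp1
        ike-proposal 1
            dh-group modp1024
            ..
        ..
    vpn siteA-siteB
        ike-policy
            template iketemp1
            ..
        remote-id secgwb.6wind.net
        ..
    pre-shared-key siteb
        id secgwb.example.net
        ..
"""
WEAK = ("md5", "sha1", "3des", "modp768", "modp1024")  # assumed names, page's pattern

def parse(text):
    """Nested dicts keyed by config line; depth from 4-space indent, '..' closes."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line != "..":
            depth = (len(raw) - len(raw.lstrip())) // 4
            stack = stack[:depth]
            (stack[-1] if stack else root)[line] = node = {}
            stack.append(node)
    return root

def kids(node, key):  # map value -> subtree for child lines 'key [value]'
    return {l.partition(" ")[2]: c for l, c in node.items() if l.partition(" ")[0] == key}

def audit(text):
    """Return findings for the 'ike' tree in text; an empty list means clean."""
    ike, out = parse(text)["ike"], []
    psk_ids = {i for p in kids(ike, "pre-shared-key").values() for i in kids(p, "id")}
    for name, vpn in kids(ike, "vpn").items():
        for pol in ("ike-policy", "ipsec-policy"):  # both must name a defined template
            for t in kids(kids(vpn, pol).get("", {}), "template"):
                if t not in kids(ike, pol + "-template"):
                    out.append(f"vpn {name}: {pol} template {t} is not defined")
        for rid in kids(vpn, "remote-id"):  # PSK auth needs a key for that peer id
            if rid not in psk_ids:
                out.append(f"vpn {name}: no pre-shared-key with id {rid}")
    for line in text.splitlines():  # flag weak algorithm names in any proposal
        key, _, alg = line.strip().partition(" ")
        if (key.endswith("-alg") or key == "dh-group") and any(w in alg for w in WEAK):
            out.append(f"weak algorithm: {line.strip()}")
    return out
```

Running audit on a full `show config nodefault` capture returns one finding per dangling template, unmatched peer id or weak proposal; the concentrator case has no remote-id, so only the template and algorithm checks apply to it.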
Use case: route-based VPN concentrator
In this use case, remote users must be given access to the local site A via a public network. The traffic must be secured by IPsec VPNs between the users and the security gateway SecGW-A. Dynamic SVTI interfaces and cross-VRF forwarding are used.
IKE negotiations are initiated by the remote users. Their public IP addresses are dynamically assigned by their access point. Each user requests the security gateway to assign it a virtual private address. The security gateway picks this VIP from a local pool.
The peers identify themselves with a user Fully Qualified Domain Name (user FQDN) and authenticate via pre-shared keys.
Plaintext traffic is in VRF private, while encrypted traffic is in VRF wan.
vsr running config# show config nodefault / vrf private interface
interface
    physical eth1
        port pci-b0s4
        ipv4
            address 192.168.0.1/24
            ..
        ..
    svti-template svtitemp
        mtu 1300
        ..
    ..
vsr running config# show config nodefault / vrf wan interface
interface
    physical eth2
        port pci-b0s5
        ipv4
            address 192.0.2.1/24
            ..
        ..
vsr running config# show config nodefault / vrf wan ike
ike
    global-options
        ..
    ike-policy-template iketemp1
        ike-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha512
            prf-alg hmac-sha512
            dh-group modp2048
            ..
        ..
    ipsec-policy-template ipsectemp1
        esp-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha256
            ..
        start-action none
        close-action none
        ..
    vpn siteA-roadw
        dynamic-svti
            svti-template svtitemp
            vrf private
        ike-policy
            template iketemp1
            ..
        ipsec-policy
            template ipsectemp1
            ..
        local-address 192.0.2.1
        local-id concentrator.6wind.net
        vip-pool user-vips
        security-policy hub
            local-ts subnet 192.168.0.0/24
            ..
        ..
    pre-shared-key user1
        id user1@6wind.net
        secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
        ..
    pre-shared-key user2
        id user2@6wind.net
        secret 0s3zpRt+h3g12NSaSKEx2yjY4ctak=
        ..
    pool user-vips
        address 192.168.99.0/24
        subnet 172.16.0.0/12
        subnet fc00:1234::/64
        ..
After a few negotiations and teardowns, one dynamic SVTI interface exists per established peer, created from the template and described with the vpn name and the peer's remote-id:
dut-vm running config# show state vrf private interface svti
svti dsvtiABJr_bNbVbc
    mtu 1300
    promiscuous false
    description "vpn:siteA-roadw remote-id:user3@6wind.net svti-template:svtitemp"
    enabled true
    svti-id 1
    link-vrf wan
    oper-status UNKNOWN
    counters
        in-octets 0
        in-unicast-pkts 0
        in-discards 0
        in-errors 0
        out-octets 0
        out-unicast-pkts 0
        out-discards 0
        out-errors 0
        ..
    link-interface lo
    ..
svti dsvtiABJsgSSWSNQ
    mtu 1300
    promiscuous false
    description "vpn:siteA-roadw remote-id:user42@6wind.net svti-template:svtitemp"
    enabled true
    svti-id 3
    link-vrf wan
    oper-status UNKNOWN
    counters
        in-octets 0
        in-unicast-pkts 0
        in-discards 0
        in-errors 0
        out-octets 0
        out-unicast-pkts 0
        out-discards 0
        out-errors 0
        ..
    link-interface lo
    ..
dut-vm running config# show state vrf private routing static
static
    ipv4-route 192.168.0.3/32
        next-hop dsvtiABJr_bNbVbc
        ..
    ipv4-route 192.168.0.13/32
        next-hop dsvtiABJsgSSWSNQ
        ..
    (...)
dut-vm running config# show ike ike-sa vrf wan
VPN          Local Address  Local ID                Remote Address  Remote ID         State        IKE Version  Child SA Count
siteA-roadw  192.0.2.1      concentrator.6wind.net  10.125.0.5      user3@6wind.net   established  2            1
siteA-roadw  192.0.2.1      concentrator.6wind.net  10.175.0.7      user42@6wind.net  established  2            1
See also
The command reference.