Gateway Appliance - Basic VPN IPSec Configuration

The addresses and prefixes below (peer and local addresses 172.16.200.2 and 192.168.100.2, prefixes 10.1.1.0/24 and 10.0.0.0/24) and the outside interface (eth1) should be edited to match your specific environment's configuration.
The pre-shared-secret 'IPSecVPNPassword' should NOT be used in a live production environment; it is only a placeholder so that the two configurations below match. Create your own unique, randomly generated pre-shared-secret for your deployment and configure the same value on both gateways. The proposals use AES-256 with SHA-1 and DH group 5 to keep the example basic; SHA-1 and DH group 5 (1536-bit MODP) are now considered weak, so prefer a SHA-2 hash and a larger DH group (group 14 or higher) wherever both peers support them.

==================================================================================================================

IPSecRouter-A:
configure
set vpn ipsec esp-group ESP-G0 lifetime '3600'
set vpn ipsec esp-group ESP-G0 pfs 'dh-group5'
set vpn ipsec esp-group ESP-G0 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-G0 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-G0 lifetime '14400'
set vpn ipsec ike-group IKE-G0 proposal 1 dh-group '5'
set vpn ipsec ike-group IKE-G0 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-G0 proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 172.16.200.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 172.16.200.2 authentication pre-shared-secret 'IPSecVPNPassword'
set vpn ipsec site-to-site peer 172.16.200.2 default-esp-group 'ESP-G0'
set vpn ipsec site-to-site peer 172.16.200.2 ike-group 'IKE-G0'
set vpn ipsec site-to-site peer 172.16.200.2 local-address '192.168.100.2'
set vpn ipsec site-to-site peer 172.16.200.2 tunnel 0 local prefix '10.1.1.0/24'
set vpn ipsec site-to-site peer 172.16.200.2 tunnel 0 remote prefix '10.0.0.0/24'
commit
save
exit

=================================================================================================================

IPSecRouter-B:
configure
set vpn ipsec esp-group ESP-G0 lifetime '3600'
set vpn ipsec esp-group ESP-G0 pfs 'dh-group5'
set vpn ipsec esp-group ESP-G0 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-G0 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-G0 lifetime '14400'
set vpn ipsec ike-group IKE-G0 proposal 1 dh-group '5'
set vpn ipsec ike-group IKE-G0 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-G0 proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 192.168.100.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.100.2 authentication pre-shared-secret 'IPSecVPNPassword'
set vpn ipsec site-to-site peer 192.168.100.2 default-esp-group 'ESP-G0'
set vpn ipsec site-to-site peer 192.168.100.2 ike-group 'IKE-G0'
set vpn ipsec site-to-site peer 192.168.100.2 local-address '172.16.200.2'
set vpn ipsec site-to-site peer 192.168.100.2 tunnel 0 local prefix '10.0.0.0/24'
set vpn ipsec site-to-site peer 192.168.100.2 tunnel 0 remote prefix '10.1.1.0/24'
commit
save
exit
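
The two peer stanzas above are mirror images of each other and share one secret, which is exactly where hand-edited copies drift apart. The script below is an added example, not part of the original page: it generates a random pre-shared-secret, refuses the placeholder and other weak values, and renders both stanzas from one set of variables. It assumes /dev/urandom and the base64 utility are available on the machine that runs it; the addresses, prefixes and group names are the page's own.

```shell
#!/bin/sh
# Added example, not from the original page: generate a random pre-shared
# secret and render the site-to-site stanza for each router from one set of
# variables, so the two sides cannot drift apart. Assumes /dev/urandom and
# the base64 utility (coreutils) exist on the machine that runs it; the
# addresses, prefixes and group names are the page's own.

# gen_psk: 32 bytes from the kernel CSPRNG, base64-encoded (44 characters).
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# check_psk PSK: returns 0 if PSK is acceptable, 1 otherwise. Rejects the
# page's placeholder, anything shorter than 32 characters, and quotes or
# spaces (they break the quoting in the set command and in ipsec.secrets).
check_psk() {
    psk=$1
    case "$psk" in
        ''|IPSecVPNPassword) return 1 ;;
        *"'"*|*'"'*|*' '*)  return 1 ;;
    esac
    [ "${#psk}" -ge 32 ]
}

# render_peer PEER LOCAL_ADDR LOCAL_PREFIX REMOTE_PREFIX PSK: print the
# peer stanza for one router. Refuses to render with a weak secret.
render_peer() {
    peer=$1; local_addr=$2; local_prefix=$3; remote_prefix=$4; psk=$5
    check_psk "$psk" || { echo "refusing weak pre-shared-secret" >&2; return 1; }
    p="set vpn ipsec site-to-site peer $peer"
    printf '%s\n' \
        "$p authentication mode 'pre-shared-secret'" \
        "$p authentication pre-shared-secret '$psk'" \
        "$p default-esp-group 'ESP-G0'" \
        "$p ike-group 'IKE-G0'" \
        "$p local-address '$local_addr'" \
        "$p tunnel 0 local prefix '$local_prefix'" \
        "$p tunnel 0 remote prefix '$remote_prefix'"
}

# One secret, two mirrored stanzas: A's peer is B's local address and the
# prefixes swap sides.
PSK=$(gen_psk)
echo "# IPSecRouter-A"
render_peer 172.16.200.2 192.168.100.2 10.1.1.0/24 10.0.0.0/24 "$PSK"
echo "# IPSecRouter-B"
render_peer 192.168.100.2 172.16.200.2 10.0.0.0/24 10.1.1.0/24 "$PSK"
```

Paste each rendered stanza into configure mode on the matching router together with the esp-group, ike-group and ipsec-interfaces lines shown above, then commit and save. The secret is printed once and not stored anywhere else; keep the output out of shell history and shared terminals.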

=================================================================================================================

You can verify the tunnel is up with the following commands (show vpn ike sa reports the phase 1 SA, show vpn ipsec sa the phase 2 SA):

vyatta@IPSecRouter-A:~$ show vpn ike sa peer 172.16.200.2

vyatta@IPSecRouter-A:~$ show vpn ipsec sa peer 172.16.200.2

vyatta@IPSecRouter-B:~$ show vpn ike sa peer 192.168.100.2

vyatta@IPSecRouter-B:~$ show vpn ipsec sa peer 192.168.100.2

In the logs on both gateway appliances you can see phase 1 (the ISAKMP SA) and phase 2 (the IPsec SA) being established. The final line shows the outbound (ESP=>) and inbound (<) SPIs of the new IPsec SA; these are what you should see listed by show vpn ipsec sa.

vyatta@IPSecRouter-A:~$ show log vpn ipsec
[snip]
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: loading secrets from "/etc/ipsec.secrets"
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: loaded PSK secret for 192.168.100.2 172.16.200.2
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: loading secrets from "/etc/dmvpn.secrets"
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: Changing to directory '/etc/ipsec.d/crls'
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: added connection description "peer-172.16.200.2-tunnel-0"
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: "peer-172.16.200.2-tunnel-0" #10: initiating Main Mode
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: "peer-172.16.200.2-tunnel-0" #10: received Vendor ID payload [strongSwan]
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: "peer-172.16.200.2-tunnel-0" #10: ignoring Vendor ID payload [Cisco-Unity]
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: "peer-172.16.200.2-tunnel-0" #10: received Vendor ID payload [XAUTH]
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: "peer-172.16.200.2-tunnel-0" #10: received Vendor ID payload [Dead Peer Detection]
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: "peer-172.16.200.2-tunnel-0" #10: Peer ID is ID_IPV4_ADDR: '172.16.200.2'
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: "peer-172.16.200.2-tunnel-0" #10: ISAKMP SA established
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: "peer-172.16.200.2-tunnel-0" #11: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#10}
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: "peer-172.16.200.2-tunnel-0" #11: sent QI2, IPsec SA established {ESP=>0xc32738e7 <0xcd55eec4}

You should also run traceroute from a host on one prefix network to a host on the other, before and after the tunnel is created, and compare the results. Once the tunnel is up, the WAN hops between the two gateways no longer appear, because the probes are carried inside ESP and the transit routers never see the inner packet's TTL expire.

EXAMPLES:

Before:
root@localhost:~ # traceroute -n 10.0.0.2
traceroute to 10.0.0.2 (10.0.0.2), 64 hops max, 40 byte packets
1 10.1.1.1 1.060 ms 1.011 ms 1.093 ms
2 192.168.100.1 1.070 ms 1.071 ms 1.080 ms
3 172.16.200.2 1.268 ms 1.202 ms 1.427 ms
4 10.0.0.2 1.798 ms 1.779 ms 1.719 ms
root@localhost:~ #

After:
root@localhost:~ # traceroute -n 10.0.0.2
traceroute to 10.0.0.2 (10.0.0.2), 64 hops max, 40 byte packets
1 10.1.1.1 1.747 ms 1.496 ms 1.395 ms
2 * * *
3 10.0.0.2 18.214 ms 2.037 ms 1.940 ms
root@localhost:~ #
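
Both verification steps above (reading the pluto log for the two phases, and comparing the traceroutes) can be scripted. The following is an added example, not part of the original page: the log lines and traceroute output embedded in it are copied from the page's own listings so that it runs offline; on a real appliance you would feed it the saved output of show log vpn ipsec and of the two traceroutes instead. The connection name format "peer-<address>-tunnel-0" is the one pluto prints in the listing above.

```shell
#!/bin/sh
# Added example, not part of the original page: scripted versions of the two
# checks described above (phase 1/phase 2 in the pluto log, and the
# before/after traceroute). The log lines and traceroute output embedded
# here are copied from the page's listings so the script runs offline; on the
# appliance substitute the saved output of "show log vpn ipsec".

PLUTO_LOG=$(cat <<'EOF'
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: added connection description "peer-172.16.200.2-tunnel-0"
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: "peer-172.16.200.2-tunnel-0" #10: initiating Main Mode
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: "peer-172.16.200.2-tunnel-0" #10: Peer ID is ID_IPV4_ADDR: '172.16.200.2'
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: "peer-172.16.200.2-tunnel-0" #10: ISAKMP SA established
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: "peer-172.16.200.2-tunnel-0" #11: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#10}
Apr 19 13:15:58 IPSecRouter-A pluto[5282]: "peer-172.16.200.2-tunnel-0" #11: sent QI2, IPsec SA established {ESP=>0xc32738e7 <0xcd55eec4}
EOF
)

TRACE_BEFORE=$(cat <<'EOF'
traceroute to 10.0.0.2 (10.0.0.2), 64 hops max, 40 byte packets
 1 10.1.1.1 1.060 ms 1.011 ms 1.093 ms
 2 192.168.100.1 1.070 ms 1.071 ms 1.080 ms
 3 172.16.200.2 1.268 ms 1.202 ms 1.427 ms
 4 10.0.0.2 1.798 ms 1.779 ms 1.719 ms
EOF
)

TRACE_AFTER=$(cat <<'EOF'
traceroute to 10.0.0.2 (10.0.0.2), 64 hops max, 40 byte packets
 1 10.1.1.1 1.747 ms 1.496 ms 1.395 ms
 2 * * *
 3 10.0.0.2 18.214 ms 2.037 ms 1.940 ms
EOF
)

# phase_status LOG PEER: report both phases for connection
# "peer-PEER-tunnel-0" (the name pluto uses for Vyatta tunnel 0) and the
# outbound (ESP=>) / inbound (<) SPIs from the Quick Mode line. Returns 0
# only when the ISAKMP SA and the IPsec SA are both established.
phase_status() {
    log=$1
    conn="\"peer-$2-tunnel-0\""
    p1=$(printf '%s\n' "$log" | grep -F "$conn" | grep -c 'ISAKMP SA established' || true)
    p2=$(printf '%s\n' "$log" | grep -F "$conn" | grep 'IPsec SA established' | tail -n 1 || true)
    esp_out=-; esp_in=-
    if [ -n "$p2" ]; then
        esp_out=$(printf '%s\n' "$p2" | sed -n 's/.*ESP=>\(0x[0-9a-f]*\).*/\1/p')
        esp_in=$(printf '%s\n' "$p2" | sed -n 's/.*<\(0x[0-9a-f]*\).*/\1/p')
    fi
    [ "$p1" -gt 0 ] && p1s=up || p1s=down
    [ -n "$p2" ] && p2s=up || p2s=down
    echo "phase1=$p1s phase2=$p2s esp_out=$esp_out esp_in=$esp_in"
    [ "$p1s" = up ] && [ "$p2s" = up ]
}

# transit_hops TRACE: print the hop field of every hop between the first
# (the local gateway) and the last (the destination). A hop that did not
# answer shows up as "*".
transit_hops() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && NF >= 2 { hops[n++] = $2 }
        END { for (i = 1; i < n - 1; i++) print hops[i] }'
}

# hidden_transit BEFORE AFTER: for each transit hop seen before the tunnel,
# say whether it still answers afterwards. Returns 0 only when every WAN hop
# has disappeared, i.e. the probes are now travelling inside ESP.
hidden_transit() {
    before=$(transit_hops "$1")
    after=$(transit_hops "$2")
    [ -n "$before" ] || { echo "no transit hops before the tunnel; nothing to compare" >&2; return 2; }
    rc=0
    while IFS= read -r h; do
        if printf '%s\n' "$after" | grep -qxF -- "$h"; then
            echo "$h still visible"; rc=1
        else
            echo "$h hidden"
        fi
    done <<EOF
$before
EOF
    return $rc
}

phase_status "$PLUTO_LOG" 172.16.200.2
hidden_transit "$TRACE_BEFORE" "$TRACE_AFTER"
```

phase_status keys on the connection name rather than on "established" alone, so a stale SA from another peer in the same log cannot produce a false pass; hidden_transit treats an unanswered hop (*) as hidden, which is the expected result once the probes are encapsulated.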

=================================================================================================================