Site-To-Site Mode With Tls - Brocade Communications Systems 5600 Reference Manual
TABLE 4
Site-to-site OpenVPN with preshared secret: V2 static route (Continued)

Step                                      Command
Show the static routing configuration.    vyatta@V2# show protocols static
                                          interface-route 192.168.100.0/24 {
                                              next-hop-interface vtun0 {
                                              }
                                          }

Site-to-site mode with TLS

When TLS is used in site-to-site mode, the Brocade vRouter configuration is the same as described in the previous section, except that you must configure the TLS-related options instead of the shared-secret-key-file option. As previously discussed, one endpoint takes the passive role and the other takes the active role.

Each endpoint must also have the following files, which are required by the TLS protocol.

• Certificate Authority (CA) certificate file: This file contains the certificate of the CA, which is used to validate the certificate of the other endpoint.
• Host certificate file: This file contains the certificate of the endpoint, which is presented to the other endpoint during the TLS negotiation.
• Host key file: This file contains the private key of the endpoint, which must be kept secret from everyone else.
• Certificate revocation list (CRL) file: (Optional) This file contains a list of certificates that have been revoked; an endpoint presenting one of these certificates is prevented from establishing a VPN tunnel.
• DH parameters file: (Only needed by the passive endpoint) This file contains the Diffie-Hellman parameters, which are required only by the endpoint that takes the passive role in the TLS negotiation.

More information about these files is available in the OpenVPN documentation.

The configuration that follows corresponds to the example in the previous section. Assume that the necessary files have been generated and distributed to each endpoint, and that V1 and V2 take the passive and active roles, respectively.

To configure V1 for a site-to-site VPN with TLS, perform the following steps in configuration mode.

TABLE 5
V1 OpenVPN configuration: site-to-site with TLS

Step                                                 Command
Create the vtun0 configuration node.                 vyatta@V1# set interfaces openvpn vtun0
Set the local IP address of the VPN tunnel.          vyatta@V1# set interfaces openvpn vtun0 local-address 192.168.200.1
Set the OpenVPN mode.                                vyatta@V1# set interfaces openvpn vtun0 mode site-to-site
Set the remote IP address of the VPN tunnel.         vyatta@V1# set interfaces openvpn vtun0 remote-address 192.168.200.2
Specify the physical IP address of the remote host.  vyatta@V1# set interfaces openvpn vtun0 remote-host 87.65.43.21
Set the role of this endpoint.                       vyatta@V1# set interfaces openvpn vtun0 tls role passive
Specify the location of the CA certificate file.     vyatta@V1# set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
Specify the location of the host certificate file.   vyatta@V1# set interfaces openvpn vtun0 tls cert-file /config/auth/V1.crt
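As an added example that is not from the Brocade guide: a small Python helper that renders the Table 5 command sequence for either endpoint from one shared tunnel description and checks the role and file rules described above (exactly one passive and one active endpoint; DH parameters on the passive side only). The key-file, dh-file and crl-file option names are assumed from the Vyatta OpenVPN CLI, and V1's physical address and the key/DH file names are constructed placeholders, since the page does not show them.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Endpoint:
    name: str                        # CLI prompt name, e.g. "V1"
    public_ip: str                   # physical address; becomes the peer's remote-host
    tunnel_ip: str                   # local-address here, remote-address on the peer
    role: str                        # "passive" or "active"
    ca_cert: str                     # CA certificate used to validate the peer
    cert: str                        # this endpoint's host certificate
    key: str                         # this endpoint's private key
    dh_params: Optional[str] = None  # DH parameters file, passive endpoint only
    crl: Optional[str] = None        # certificate revocation list, optional

def validate_pair(a: Endpoint, b: Endpoint) -> List[str]:
    """Return the consistency problems between the two ends; an empty list means OK."""
    problems = []
    if {a.role, b.role} != {"passive", "active"}:
        problems.append("exactly one endpoint must be passive and the other active")
    for ep in (a, b):
        # The DH parameters file belongs on the passive endpoint and nowhere else.
        if (ep.role == "passive") != bool(ep.dh_params):
            problems.append(f"{ep.name}: DH parameters file is required on the passive endpoint only")
    return problems

def set_commands(local: Endpoint, peer: Endpoint, iface: str = "vtun0") -> List[str]:
    """Render the 'set' lines for `local`, in the order used by Table 5."""
    base = f"set interfaces openvpn {iface}"
    cmds = [
        base,
        f"{base} local-address {local.tunnel_ip}",
        f"{base} mode site-to-site",
        f"{base} remote-address {peer.tunnel_ip}",
        f"{base} remote-host {peer.public_ip}",
        f"{base} tls role {local.role}",
        f"{base} tls ca-cert-file {local.ca_cert}",
        f"{base} tls cert-file {local.cert}",
        f"{base} tls key-file {local.key}",  # option name assumed from the Vyatta CLI
    ]
    if local.dh_params:
        cmds.append(f"{base} tls dh-file {local.dh_params}")  # assumed name; passive side only
    if local.crl:
        cmds.append(f"{base} tls crl-file {local.crl}")  # assumed name; optional
    return [f"vyatta@{local.name}# {c}" for c in cmds]

# Constructed sample: page values where shown; V1's physical address and the key/DH file names are placeholders.
AUTH = "/config/auth"
V1 = Endpoint("V1", "198.51.100.1", "192.168.200.1", "passive", f"{AUTH}/ca.crt", f"{AUTH}/V1.crt", f"{AUTH}/V1.key", dh_params=f"{AUTH}/dh.pem")
V2 = Endpoint("V2", "87.65.43.21", "192.168.200.2", "active", f"{AUTH}/ca.crt", f"{AUTH}/V2.crt", f"{AUTH}/V2.key")
```

Calling `set_commands(V1, V2)` reproduces the V1 rows of Table 5, and `set_commands(V2, V1)` gives the mirrored active side with the addresses swapped and no dh-file line.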
Brocade 5600 vRouter OpenVPN Reference Guide
53-1003719-03