```
user@vyos# sh vpn | commands
set ipsec esp-group ESPGROUP1 compression 'disable'
set ipsec esp-group ESPGROUP1 lifetime '3600'
set ipsec esp-group ESPGROUP1 mode 'tunnel'
set ipsec esp-group ESPGROUP1 pfs 'dh-group14'
set ipsec esp-group ESPGROUP1 proposal 1 encryption 'aes256'
set ipsec esp-group ESPGROUP1 proposal 1 hash 'sha256'
set ipsec ike-group IKEGROUP1 ikev2-reauth 'no'
set ipsec ike-group IKEGROUP1 key-exchange 'ikev1'
set ipsec ike-group IKEGROUP1 lifetime '86400'
set ipsec ike-group IKEGROUP1 proposal 1 dh-group '14'
set ipsec ike-group IKEGROUP1 proposal 1 encryption 'aes256'
set ipsec ike-group IKEGROUP1 proposal 1 hash 'sha256'
set ipsec ipsec-interfaces interface 'eth1'
set ipsec site-to-site peer 10.10.10.10 authentication mode 'pre-shared-secret'
set ipsec site-to-site peer 10.10.10.10 authentication pre-shared-secret 'secret'
set ipsec site-to-site peer 10.10.10.10 connection-type 'initiate'
set ipsec site-to-site peer 10.10.10.10 default-esp-group 'ESPGROUP1'
set ipsec site-to-site peer 10.10.10.10 ike-group 'IKEGROUP1'
set ipsec site-to-site peer 10.10.10.10 ikev2-reauth 'inherit'
set ipsec site-to-site peer 10.10.10.10 local-address '12.12.12.12'
set ipsec site-to-site peer 10.10.10.10 tunnel 1 allow-nat-networks 'disable'
set ipsec site-to-site peer 10.10.10.10 tunnel 1 allow-public-networks 'disable'
set ipsec site-to-site peer 10.10.10.10 tunnel 1 protocol 'gre'
[edit]
user@vyos
```
When I commit after editing the VyOS config (or restart VyOS), vpn-config.pl deletes 2 rows from /etc/ipsec.conf:

```
leftprotoport=gre
rightprotoport=gre
```
Workaround.

Run 'sudo su' and add leftprotoport=gre and rightprotoport=gre to /etc/ipsec.conf:
```
conn peer-10.10.10.10-tunnel-1
        left=12.12.12.12
        right=10.10.10.10
        leftprotoport=gre
        rightprotoport=gre
        ike=aes256-sha256-modp2048!
        keyexchange=ikev1
        ikelifetime=86400s
        esp=aes256-sha256-modp2048!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=start
        keyingtries=%forever
#conn peer-10.10.10.10-tunnel-1
```
then run

```
root@vyos:/user# ipsec stop; ipsec start
```

or
You must manually add the code from the previous 1.2.0 version's vpn-config.pl. Insert it before the section "check if passthrough connection is needed":
```perl
    #
    # Protocol/port
    #
    # $vcVPN, $peer, $tunKeyword, $tunnel, $genout, $vpn_cfg_err, is_tcp_udp()
    # and vpn_die() are provided by the surrounding vpn-config.pl script.
    my $protocol = $vcVPN->returnValue("ipsec site-to-site peer $peer $tunKeyword protocol");

    # leftprotoport becomes "<proto>", "<proto>/<port>" (tcp/udp only) or "0/<port>"
    my $lprotoport = '';
    if (defined($protocol)) {
        $lprotoport .= $protocol;
    }
    my $lport = $vcVPN->returnValue("ipsec site-to-site peer $peer $tunKeyword local port");
    if (defined($lport)) {
        if (!defined($protocol)) {
            $lprotoport .= "0/$lport";
        } elsif (is_tcp_udp($protocol)) {
            $lprotoport .= "/$lport";
        } else {
            vpn_die(["vpn","ipsec","site-to-site","peer",$peer, "tunnel", $tunnel, "local", "port"],
                    "$vpn_cfg_err local port can only be defined when protocol is tcp, udp, or undefined.\n");
        }
    }
    if (not($lprotoport eq '')) {
        $genout .= "\tleftprotoport=$lprotoport\n";
    }

    # rightprotoport follows the same rule using the remote port
    my $rprotoport = '';
    if (defined($protocol)) {
        $rprotoport .= $protocol;
    }
    my $rport = $vcVPN->returnValue("ipsec site-to-site peer $peer $tunKeyword remote port");
    if (defined($rport)) {
        if (!defined($protocol)) {
            $rprotoport .= "0/$rport";
        } elsif (is_tcp_udp($protocol)) {
            $rprotoport .= "/$rport";
        } else {
            vpn_die(["vpn","ipsec","site-to-site","peer",$peer, "tunnel", $tunnel, "remote", "port"],
                    "$vpn_cfg_err remote port can only be defined when protocol is tcp, udp, or undefined.\n");
        }
    }
    if (not($rprotoport eq '')) {
        $genout .= "\trightprotoport=$rprotoport\n";
    }
```
Save the file and restart VyOS.
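As an added check (written for this page, not part of the post or of VyOS), the Python script below derives the leftprotoport/rightprotoport values the Perl excerpt above would emit for every tunnel in `show vpn | commands` output, then compares them against a generated /etc/ipsec.conf and reports the lines that are missing or wrong, so the regression described in the post can be spotted after a commit without reading ipsec.conf by hand. It covers all three branches of the rule, not only the gre case: protocol alone, tcp/udp with a port, and a port with no protocol (the "0/port" form), and raises an error where vpn-config.pl would call vpn_die. The second peer 192.0.2.20 with its ports, and the ipsec.conf excerpt, are constructed sample data; only peer 10.10.10.10 and local address 12.12.12.12 come from the post.

```python
import re

# Constructed sample of "show vpn | commands" output. Peer 10.10.10.10 is the one
# from the post; peer 192.0.2.20 and its ports are invented to exercise the other
# branches of the protoport rule.
SAMPLE_COMMANDS = """\
set ipsec site-to-site peer 10.10.10.10 local-address '12.12.12.12'
set ipsec site-to-site peer 10.10.10.10 tunnel 1 protocol 'gre'
set ipsec site-to-site peer 192.0.2.20 tunnel 1 protocol 'tcp'
set ipsec site-to-site peer 192.0.2.20 tunnel 1 local port '443'
set ipsec site-to-site peer 192.0.2.20 tunnel 2 remote port '8080'
"""

# Constructed sample of a generated /etc/ipsec.conf in which the gre tunnel lost
# its protoport lines (the bug) while the other two tunnels are correct.
SAMPLE_IPSEC_CONF = """\
conn peer-10.10.10.10-tunnel-1
        left=12.12.12.12
        right=10.10.10.10
        ike=aes256-sha256-modp2048!
        keyexchange=ikev1
#conn peer-10.10.10.10-tunnel-1
conn peer-192.0.2.20-tunnel-1
        leftprotoport=tcp/443
        rightprotoport=tcp
conn peer-192.0.2.20-tunnel-2
        rightprotoport=0/8080
"""

TUNNEL_RE = re.compile(
    r"^set ipsec site-to-site peer (\S+) tunnel (\d+) "
    r"(protocol|local port|remote port) '([^']*)'$"
)


def parse_tunnels(commands):
    """Collect protocol / local port / remote port per (peer, tunnel)."""
    tunnels = {}
    for line in commands.splitlines():
        m = TUNNEL_RE.match(line.strip())
        if m:
            peer, tun, key, val = m.groups()
            tunnels.setdefault((peer, tun), {})[key] = val
    return tunnels


def protoport(protocol, port):
    """Same rule as the Perl excerpt: '<proto>', '<proto>/<port>' for tcp/udp,
    '0/<port>' when no protocol is set, '' when nothing should be written.
    Raises ValueError where vpn-config.pl would call vpn_die."""
    if port is None:
        return protocol or ""
    if protocol is None:
        return "0/%s" % port
    if protocol in ("tcp", "udp"):
        return "%s/%s" % (protocol, port)
    raise ValueError(
        "port can only be defined when protocol is tcp, udp, or undefined (got %s)" % protocol
    )


def expected_protoports(commands):
    """conn name -> {leftprotoport/rightprotoport: value} that should be in ipsec.conf."""
    out = {}
    for (peer, tun), cfg in parse_tunnels(commands).items():
        proto = cfg.get("protocol")
        lines = {}
        left = protoport(proto, cfg.get("local port"))
        right = protoport(proto, cfg.get("remote port"))
        if left:
            lines["leftprotoport"] = left
        if right:
            lines["rightprotoport"] = right
        out["peer-%s-tunnel-%s" % (peer, tun)] = lines
    return out


def parse_ipsec_conf(text):
    """conn name -> {key: value} for each conn section (comment lines ignored)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and "=" in line and not line.startswith("#"):
            key, val = line.split("=", 1)
            conns[current][key.strip()] = val.strip()
    return conns


def missing_protoports(commands, ipsec_conf):
    """Return [(conn, key, expected_value)] for protoport lines absent or wrong."""
    actual = parse_ipsec_conf(ipsec_conf)
    problems = []
    for conn, want in expected_protoports(commands).items():
        have = actual.get(conn, {})
        for key, val in want.items():
            if have.get(key) != val:
                problems.append((conn, key, val))
    return problems


if __name__ == "__main__":
    for conn, key, val in missing_protoports(SAMPLE_COMMANDS, SAMPLE_IPSEC_CONF):
        print("%s: expected %s=%s" % (conn, key, val))
```

On a real router the two inputs would be the output of `show vpn | commands` and the contents of /etc/ipsec.conf; an empty result means every tunnel's protocol and port selectors reached strongSwan, and any reported line is one the workaround above has to add back.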