AWS to EdgeRouter IPSEC VPN

vpn
ipsec
aws
edgeos

#1

Thought it was time to give back to the VyOS community what I have learned and gotten working, through lots of (sometimes painful) testing.

This is the working config (sanitised), in command form, for an IPSEC VPN between VyOS 1.1.8 and an Edgerouter. The same config will work between two VyOS end points with some minor modifications.

Also, ikev2 had issues on VyOS 1.1.8; I have since upgraded the version of VyOS to 1.2.0 and ikev2 seems to work well!

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec auto-update '60'

set vpn ipsec esp-group esp_1 compression disable
set vpn ipsec esp-group esp_1 lifetime 1800
set vpn ipsec esp-group esp_1 mode tunnel
set vpn ipsec esp-group esp_1 pfs disable
set vpn ipsec esp-group esp_1 proposal 1 encryption aes256
set vpn ipsec esp-group esp_1 proposal 1 hash sha1

set vpn ipsec ike-group ike_1 dead-peer-detection action restart
set vpn ipsec ike-group ike_1 dead-peer-detection interval 30
set vpn ipsec ike-group ike_1 dead-peer-detection timeout 120
set vpn ipsec ike-group ike_1 ikev2-reauth no
set vpn ipsec ike-group ike_1 key-exchange ikev1
set vpn ipsec ike-group ike_1 lifetime 3600
set vpn ipsec ike-group ike_1 proposal 1 dh-group 2
set vpn ipsec ike-group ike_1 proposal 1 encryption aes256
set vpn ipsec ike-group ike_1 proposal 1 hash sha1

set vpn ipsec site-to-site peer 'Public-IP-Edgerouter' authentication id '@your-local-id'
set vpn ipsec site-to-site peer 'Public-IP-Edgerouter' authentication remote-id '@your-remote-id'
set vpn ipsec site-to-site peer 'Public-IP-Edgerouter' authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 'Public-IP-Edgerouter' authentication pre-shared-secret 'insert-PSK-here'
set vpn ipsec site-to-site peer 'Public-IP-Edgerouter' connection-type 'initiate'
set vpn ipsec site-to-site peer 'Public-IP-Edgerouter' default-esp-group 'esp_1'
set vpn ipsec site-to-site peer 'Public-IP-Edgerouter' ike-group 'ike_1'
set vpn ipsec site-to-site peer 'Public-IP-Edgerouter' local-address 'local-IP-address-of-VYOS'
set vpn ipsec site-to-site peer 'Public-IP-Edgerouter' tunnel 1 local prefix 'local-subnet'
set vpn ipsec site-to-site peer 'Public-IP-Edgerouter' tunnel 1 remote prefix 'remote-subnet'

#2

Hi, that one is missing the AWS part to be complete (better with screenshots :grin:).
Thanks for sharing, by the way!

#3

hey syncer,

What part do you need screenshots of? Happy to supply.

This is the AWS config side. A few key findings were, as of 1.1.8:

  • PFS had to be disabled
  • Had to use ikev1
  • The local address of the VyOS instance is its private IP, usually in the 10.x.x.x range, not its public IP. This is due to how VPC networking works in AWS.
  • Had to use authentication ‘IDs’, again because of AWS VPC.

Have been running 1.2.0 for a bit in production now with ikev2, the only change to the above config; so far so good… Badly needed the updated version of Strongswan.
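As an added example (not the poster's config and not VyOS code): a short Python audit that parses the `set vpn ipsec esp-group/ike-group ...` command lines from #1 and flags the settings #3 says had to be weakened for AWS (PFS disabled, IKEv1), together with SHA-1 and DH group 2, so a defender can see what to revisit once the AWS side allows it. The sample lines are a constructed subset of the config in #1; the thresholds (sha256, DH group 14 as the floor) are my assumptions, not anything the thread states.

```python
from collections import defaultdict

# Constructed sample: the esp-group / ike-group lines from the post above, as pasted.
SAMPLE_CONFIG = """
set vpn ipsec esp-group esp_1 pfs disable
set vpn ipsec esp-group esp_1 proposal 1 encryption aes256
set vpn ipsec esp-group esp_1 proposal 1 hash sha1
set vpn ipsec ike-group ike_1 key-exchange ikev1
set vpn ipsec ike-group ike_1 lifetime 3600
set vpn ipsec ike-group ike_1 proposal 1 dh-group 2
set vpn ipsec ike-group ike_1 proposal 1 encryption aes256
set vpn ipsec ike-group ike_1 proposal 1 hash sha1
"""

WEAK_HASHES = {"md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # MODP-768/1024/1536: below a 2048-bit floor (assumed policy)


def parse_set_commands(text):
    """Map (kind, name) -> {setting path: value}, e.g. ("esp-group", "esp_1") -> {"pfs": "disable"}."""
    groups = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[:3] != ["set", "vpn", "ipsec"]:
            continue
        kind, name = parts[3], parts[4]
        if kind not in ("esp-group", "ike-group"):
            continue
        # Everything between the group name and the last token is the setting path.
        path, value = " ".join(parts[5:-1]), parts[-1].strip("'\"")
        groups[(kind, name)][path] = value
    return dict(groups)


def audit(text):
    """Return one finding per setting that weakens the tunnel or removes forward secrecy."""
    findings = []
    for (kind, name), settings in parse_set_commands(text).items():
        for path, value in settings.items():
            where = f"{kind} {name} {path}"
            if path == "pfs" and value == "disable":
                findings.append(f"{where}: PFS off, a leaked IKE key decrypts every ESP child SA")
            elif path == "key-exchange" and value == "ikev1":
                findings.append(f"{where}: IKEv1; move to ikev2 once both peers support it")
            elif path.endswith("hash") and value in WEAK_HASHES:
                findings.append(f"{where}: {value}; prefer sha256 or stronger")
            elif path.endswith("dh-group") and value in WEAK_DH_GROUPS:
                findings.append(f"{where}: group {value}; prefer 14 (2048-bit) or higher")
    return findings
```

Feed it the output of `show configuration commands | grep "vpn ipsec"` from the router to audit a live config; on the sample above it reports five findings.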