# Right router, initial bring-up: hostname, dummy/outside/inside interfaces, then LAN DHCP.
# Entered in VyOS configure mode; nothing takes effect until `commit`.
configure
# NOTE(review): the `show configuration commands` dumps later on this page use `host-name`,
# not `hostname` — confirm this line was accepted as typed.
set system hostname RIGHT
set interfaces dummy dum0
set interfaces dummy dum0 address 192.168.100.1/24
# eth0 is the "Outside"/transport side; 10.255.255.2/30 is reused below as the GRE local-ip
# and the IPsec local-address.
set interfaces ethernet eth0 address 10.255.255.2/30
set interfaces ethernet eth0 description 'Outside'
#set interfaces ethernet eth0 duplex 'auto'
#set interfaces ethernet eth0 speed 'auto'
# eth1 is the "Inside" LAN that the DHCP scope below serves.
set interfaces ethernet eth1 address 172.16.1.1/24
set interfaces ethernet eth1 description 'Inside'
#set interfaces ethernet eth1 duplex 'auto'
#set interfaces ethernet eth1 speed 'auto'
# Interfaces are committed first; the tunnel/IPsec sections that follow refer to eth0.
commit
# DHCP scope for the inside LAN (172.16.1.100-254, 24h lease). The router's own address is
# handed out as dns-server, which only resolves names if a DNS forwarder is enabled on this
# box — no `service dns forwarding` lines appear in the Right dump on this page, so verify
# client name resolution. No `commit` is shown after these lines; confirm they were committed.
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 default-router '172.16.1.1'
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 dns-server '172.16.1.1'
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 domain-name 'internal-network'
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 range rang01 start '172.16.1.100'
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 range rang01 stop '172.16.1.254'
======================================================================================================================================================================================================================
run generate vpn rsa-key bits 2048
rsa-key to /config/ipsec.d/rsa-keys/localhost.key
Your new local RSA key has been generated
The public portion of the key is:
0sAQO2335[long string here]
===========================================================================================================
# Right router: GRE tunnel to the Left router over the 10.255.255.0/30 transit link, then
# IPsec (pre-shared-key variant) that is meant to protect that GRE traffic.
# GRE itself carries no encryption; without a matching IPsec SA everything inside it
# (pings, OSPF hellos) crosses eth0 in the clear.
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 10.255.255.2
set interfaces tunnel tun0 remote-ip 10.255.255.1
set interfaces tunnel tun0 address 10.10.10.2/30
## IPsec
# IKE/ESP are bound to the outside interface only.
set vpn ipsec ipsec-interfaces interface eth0
# IKE group. dh-group 2 (1024-bit MODP) and sha1 are legacy-strength choices; fine for
# this lab, but for anything real prefer a larger group (e.g. dh-group 14) and a SHA-2 hash
# (e.g. sha256), matched on both routers.
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
# ESP group — same comment on sha1 as above.
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
# IPsec tunnel to the Left router (10.255.255.1), authenticated with a pre-shared key.
set vpn ipsec site-to-site peer 10.255.255.1 authentication mode pre-shared-secret
# MYSECRETKEY is a placeholder here, but the real value is stored in the running config and
# is printed verbatim by `show configuration commands` — redact it before pasting dumps, and
# use a long random string rather than a word.
set vpn ipsec site-to-site peer 10.255.255.1 authentication pre-shared-secret MYSECRETKEY
set vpn ipsec site-to-site peer 10.255.255.1 ike-group MyIKEGroup
set vpn ipsec site-to-site peer 10.255.255.1 default-esp-group MyESPGroup
# local-address is eth0's own address (the GRE local-ip above).
set vpn ipsec site-to-site peer 10.255.255.1 local-address 10.255.255.2
# Traffic selector: all GRE traffic to the peer. The selector must be the same on both
# routers (the Left dump on this page uses this `protocol gre` form for its 10.255.255.2 peer);
# if one side also adds local/remote prefixes the selectors no longer agree and the SA
# will not come up.
set vpn ipsec site-to-site peer 10.255.255.1 tunnel 1 protocol gre
===========================================================================================================
# Right router: RSA-authenticated variant of the same peer. `rsa-key-name` on a peer refers to
# the REMOTE router's public key, so the key stored under the name LEFT should be the public
# portion printed by `run generate vpn rsa-key` on the Left router — the placeholder text
# "FROM THE RIGHT" looks reversed; confirm which key was pasted. Only the public portion is
# exchanged; the private key stays in /config/ipsec.d/rsa-keys/ on the router that generated it.
set vpn rsa-keys rsa-key-name LEFT rsa-key <PUBLIC KEY FROM THE RIGHT>
set vpn ipsec ipsec-interfaces interface eth0
# Proposals must match the Left router exactly; see the note on dh-group 2 / sha1 strength
# in the PSK variant above — the same applies here.
set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
# Local IKE identity sent to the peer; the Left dump on this page keys its peer entry on @RIGHT,
# which matches this.
set vpn ipsec site-to-site peer 10.255.255.1 authentication id @RIGHT
# Switching to rsa: the earlier `authentication pre-shared-secret` line for this peer should be
# deleted rather than left alongside — the Right dump on this page still carries both.
set vpn ipsec site-to-site peer 10.255.255.1 authentication mode rsa
set vpn ipsec site-to-site peer 10.255.255.1 authentication rsa-key-name LEFT
# remote-id only matches if the Left router sends @LEFT as its own id; the Left dump on this
# page shows no `authentication id` for its @RIGHT peer — confirm.
set vpn ipsec site-to-site peer 10.255.255.1 remote-id @LEFT
set vpn ipsec site-to-site peer 10.255.255.1 connection-type initiate
set vpn ipsec site-to-site peer 10.255.255.1 default-esp-group MyESPGroup
set vpn ipsec site-to-site peer 10.255.255.1 ike-group MyIKEGroup
# `any` here differs from the explicit 10.255.255.2 used in the PSK variant above; pinning the
# eth0 address is the less ambiguous choice.
set vpn ipsec site-to-site peer 10.255.255.1 local-address any
# Prefix-based selectors (LAN-to-LAN). Note the PSK variant selects `protocol gre` instead; the
# Right dump on this page ends up with prefixes AND protocol gre on tunnel 1 while Left's
# 10.255.255.2 peer has protocol gre only. Mismatched selectors are a common reason the SA
# never establishes and the GRE traffic stays unencrypted — pick one form and use it on both ends.
set vpn ipsec site-to-site peer 10.255.255.1 tunnel 1 local prefix 172.16.1.0/24
set vpn ipsec site-to-site peer 10.255.255.1 tunnel 1 remote prefix 192.168.0.0/24
After pulling my hair out, I have reached a point where…
PC1 and PC2 can ping each other, since I have configured OSPF.
The tunnel traffic is unencrypted: Wireshark captures show cleartext pings and OSPF hello packets, the same as in the screenshot above.
I am sharing the `show configuration commands` output of both my Left and Right routers.
LEFT
Left# run sh configuration commands
set interfaces dummy dum0 address ‘192.168.255.1/24’
set interfaces ethernet eth0 address ‘10.255.255.1/30’
set interfaces ethernet eth0 description ‘Outside’
set interfaces ethernet eth0 hw-id ‘0c:0d:e2:57:0c:00’
set interfaces ethernet eth1 address ‘192.168.0.1/24’
set interfaces ethernet eth1 description ‘Inside’
set interfaces ethernet eth1 hw-id ‘0c:0d:e2:57:0c:01’
set interfaces ethernet eth2 hw-id ‘0c:0d:e2:57:0c:02’
set interfaces loopback lo
set interfaces tunnel tun0 address ‘10.10.10.1/30’
set interfaces tunnel tun0 encapsulation ‘gre’
set interfaces tunnel tun0 local-ip ‘10.255.255.1’
set interfaces tunnel tun0 multicast ‘disable’
set interfaces tunnel tun0 remote-ip ‘10.255.255.2’
set protocols ospf area 0.0.0.0 network ‘10.10.10.0/30’
set protocols ospf area 0.0.0.0 network ‘192.168.0.0/24’
set protocols ospf area 0.0.0.0 network ‘192.168.255.0/24’
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router ‘192.168.0.1’
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server ‘192.168.0.1’
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name ‘internal-network’
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease ‘86400’
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range rang01 start ‘192.168.0.100’
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range rang01 stop ‘192.168.0.254’
set system config-management commit-revisions ‘100’
set system console device ttyS0 speed ‘115200’
set system host-name ‘Left’
set system login user vyos authentication encrypted-password ‘$0000’
set system login user vyos authentication plaintext-password ‘’
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level ‘info’
set system syslog global facility protocols level ‘debug’
set vpn ipsec esp-group MyESPGroup compression ‘disable’
set vpn ipsec esp-group MyESPGroup lifetime ‘3600’
set vpn ipsec esp-group MyESPGroup mode ‘tunnel’
set vpn ipsec esp-group MyESPGroup pfs ‘enable’
set vpn ipsec esp-group MyESPGroup proposal 1 encryption ‘aes128’
set vpn ipsec esp-group MyESPGroup proposal 1 hash ‘sha1’
set vpn ipsec ike-group MyIKEGroup close-action ‘none’
set vpn ipsec ike-group MyIKEGroup ikev2-reauth ‘no’
set vpn ipsec ike-group MyIKEGroup key-exchange ‘ikev1’
set vpn ipsec ike-group MyIKEGroup lifetime ‘28800’
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group ‘2’
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption ‘aes128’
set vpn ipsec ike-group MyIKEGroup proposal 1 hash ‘sha1’
set vpn ipsec ipsec-interfaces interface ‘eth0’
set vpn ipsec site-to-site peer 10.255.255.2 authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer 10.255.255.2 authentication pre-shared-secret ‘MYSECRETKEY’
set vpn ipsec site-to-site peer 10.255.255.2 connection-type ‘initiate’
set vpn ipsec site-to-site peer 10.255.255.2 default-esp-group ‘MyESPGroup’
set vpn ipsec site-to-site peer 10.255.255.2 ike-group ‘MyIKEGroup’
set vpn ipsec site-to-site peer 10.255.255.2 ikev2-reauth ‘inherit’
set vpn ipsec site-to-site peer 10.255.255.2 local-address ‘10.255.255.1’
set vpn ipsec site-to-site peer 10.255.255.2 tunnel 1 allow-nat-networks ‘disable’
set vpn ipsec site-to-site peer 10.255.255.2 tunnel 1 allow-public-networks ‘disable’
set vpn ipsec site-to-site peer 10.255.255.2 tunnel 1 protocol ‘gre’
set vpn ipsec site-to-site peer @RIGHT authentication mode ‘rsa’
set vpn ipsec site-to-site peer @RIGHT authentication rsa-key-name ‘RIGHT’
set vpn ipsec site-to-site peer @RIGHT connection-type ‘respond’
set vpn ipsec site-to-site peer @RIGHT default-esp-group ‘MyESPGroup’
set vpn ipsec site-to-site peer @RIGHT ike-group ‘MyIKEGroup’
set vpn ipsec site-to-site peer @RIGHT ikev2-reauth ‘inherit’
set vpn ipsec site-to-site peer @RIGHT local-address ‘10.255.255.1’
set vpn ipsec site-to-site peer @RIGHT tunnel 1 allow-nat-networks ‘disable’
set vpn ipsec site-to-site peer @RIGHT tunnel 1 allow-public-networks ‘disable’
set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix ‘192.168.0.0/24’
set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix ‘172.16.1.0/24’
set vpn rsa-keys rsa-key-name RIGHT rsa-key '0sA==================================
Right
Right:~$ show configuration commands
set interfaces dummy dum0 address ‘192.168.100.1/24’
set interfaces ethernet eth0 address ‘10.255.255.2/30’
set interfaces ethernet eth0 description ‘Outside’
set interfaces ethernet eth0 hw-id ‘0c:0d:e2:40:ba:00’
set interfaces ethernet eth1 address ‘172.16.1.1/24’
set interfaces ethernet eth1 description ‘Inside’
set interfaces ethernet eth1 hw-id ‘0c:0d:e2:40:ba:01’
set interfaces ethernet eth2 hw-id ‘0c:0d:e2:40:ba:02’
set interfaces loopback lo
set interfaces tunnel tun0 address ‘10.10.10.2/30’
set interfaces tunnel tun0 encapsulation ‘gre’
set interfaces tunnel tun0 local-ip ‘10.255.255.2’
set interfaces tunnel tun0 multicast ‘disable’
set interfaces tunnel tun0 remote-ip ‘10.255.255.1’
set protocols ospf area 0.0.0.0 network ‘10.10.10.0/30’
set protocols ospf area 0.0.0.0 network ‘172.16.1.0/24’
set protocols ospf area 0.0.0.0 network ‘192.168.100.0/24’
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 default-router ‘172.16.1.1’
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 dns-server ‘172.16.1.1’
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 domain-name ‘internal-network’
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 lease ‘86400’
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 range rang01 start ‘172.16.1.100’
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 range rang01 stop ‘172.16.1.254’
set system config-management commit-revisions ‘100’
set system console device ttyS0 speed ‘115200’
set system host-name ‘Right’
set system login user vyos authentication encrypted-password ‘$0000’
set system login user vyos authentication plaintext-password ‘’
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level ‘info’
set system syslog global facility protocols level ‘debug’
set vpn ipsec esp-group MyESPGroup compression ‘disable’
set vpn ipsec esp-group MyESPGroup lifetime ‘3600’
set vpn ipsec esp-group MyESPGroup mode ‘tunnel’
set vpn ipsec esp-group MyESPGroup pfs ‘enable’
set vpn ipsec esp-group MyESPGroup proposal 1 encryption ‘aes128’
set vpn ipsec esp-group MyESPGroup proposal 1 hash ‘sha1’
set vpn ipsec ike-group MyIKEGroup close-action ‘none’
set vpn ipsec ike-group MyIKEGroup ikev2-reauth ‘no’
set vpn ipsec ike-group MyIKEGroup key-exchange ‘ikev1’
set vpn ipsec ike-group MyIKEGroup lifetime ‘28800’
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group ‘2’
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption ‘aes128’
set vpn ipsec ike-group MyIKEGroup proposal 1 hash ‘sha1’
set vpn ipsec ipsec-interfaces interface ‘eth0’
set vpn ipsec site-to-site peer 10.255.255.1 authentication id ‘@RIGHT’
set vpn ipsec site-to-site peer 10.255.255.1 authentication mode ‘rsa’
set vpn ipsec site-to-site peer 10.255.255.1 authentication pre-shared-secret ‘MYSECRETKEY’
set vpn ipsec site-to-site peer 10.255.255.1 authentication rsa-key-name ‘LEFT’
set vpn ipsec site-to-site peer 10.255.255.1 connection-type ‘initiate’
set vpn ipsec site-to-site peer 10.255.255.1 default-esp-group ‘MyESPGroup’
set vpn ipsec site-to-site peer 10.255.255.1 ike-group ‘MyIKEGroup’
set vpn ipsec site-to-site peer 10.255.255.1 ikev2-reauth ‘inherit’
set vpn ipsec site-to-site peer 10.255.255.1 local-address ‘any’
set vpn ipsec site-to-site peer 10.255.255.1 tunnel 1 allow-nat-networks ‘disable’
set vpn ipsec site-to-site peer 10.255.255.1 tunnel 1 allow-public-networks ‘disable’
set vpn ipsec site-to-site peer 10.255.255.1 tunnel 1 local prefix ‘172.16.1.0/24’
set vpn ipsec site-to-site peer 10.255.255.1 tunnel 1 protocol ‘gre’
set vpn ipsec site-to-site peer 10.255.255.1 tunnel 1 remote prefix ‘192.168.0.0/24’
set vpn rsa-keys rsa-key-name LEFT rsa-key '0=================