Help vpn ipsec basic between 2 vyos

garcetto · October 31, 2022, 1:20pm

good afternoon,
tried to follow those instructions but does not work, anyone have a working config for vyos 1.14? thank you

RyVolodya · October 31, 2022, 1:29pm

Hello @garcetto,
Are you interested in ipsec site-to-site?

RyVolodya · October 31, 2022, 2:07pm

Example configuration site-to-site for VyOS 1.4:

Side-A:

set interfaces ethernet eth0 address '198.51.100.3/24'
set interfaces ethernet eth1 address '192.168.0.1/24'
set nat source rule 10 destination address '10.0.0.0/24'
set nat source rule 10 exclude
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '192.168.0.0/24'
set protocols static route 0.0.0.0/0 next-hop 198.51.100.1
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer OFFICE-B local-address '198.51.100.3'
set vpn ipsec site-to-site peer OFFICE-B remote-address '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '192.168.0.0/24'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21'

Side-B:

set interfaces ethernet eth0 address '203.0.113.2/24'
set interfaces ethernet eth1 address '10.0.0.1/24'
set nat source rule 10 destination address '192.168.0.0/24'
set nat source rule 10 exclude
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.0.0.0/24'
set protocols static route 0.0.0.0/0 next-hop 203.0.113.1
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '198.51.100.3'
set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer OFFICE-A local-address '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-A remote-address '198.51.100.3'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 local prefix '10.0.0.0/21'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 remote prefix '192.168.0.0/24'

Status VPN connection on Side-A:

vyos@vyos# run show vpn ipsec sa
Connection         State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-----------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
OFFICE-B-tunnel-0  up       9s        0B/0B           0/0               203.0.113.2       203.0.113.2  AES_CBC_256/HMAC_SHA1_96/MODP_1024
[edit]
vyos@vyos# run show vpn ike sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
203.0.113.2 203.0.113.2                 198.51.100.3 198.51.100.3              

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     147     0      

[edit]
vyos@vyos#

garcetto · October 31, 2022, 2:43pm

for x in 1 to 1000000
thank you!!!
next x