good afternoon,
tried to follow those instructions but does not work, anyone have a working config for vyos 1.14? thank you
Hello @garcetto,
Are you interested in ipsec site-to-site?
Example configuration site-to-site for VyOS 1.4:
Side-A:
set interfaces ethernet eth0 address '198.51.100.3/24'
set interfaces ethernet eth1 address '192.168.0.1/24'
set nat source rule 10 destination address '10.0.0.0/24'
set nat source rule 10 exclude
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '192.168.0.0/24'
set protocols static route 0.0.0.0/0 next-hop 198.51.100.1
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer OFFICE-B local-address '198.51.100.3'
set vpn ipsec site-to-site peer OFFICE-B remote-address '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '192.168.0.0/24'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21'
Side-B:
set interfaces ethernet eth0 address '203.0.113.2/24'
set interfaces ethernet eth1 address '10.0.0.1/24'
set nat source rule 10 destination address '192.168.0.0/24'
set nat source rule 10 exclude
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.0.0.0/24'
set protocols static route 0.0.0.0/0 next-hop 203.0.113.1
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '198.51.100.3'
set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer OFFICE-A local-address '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-A remote-address '198.51.100.3'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 local prefix '10.0.0.0/21'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 remote prefix '192.168.0.0/24'
Status VPN connection on Side-A:
vyos@vyos# run show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
----------------- ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------------
OFFICE-B-tunnel-0 up 9s 0B/0B 0/0 203.0.113.2 203.0.113.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024
[edit]
vyos@vyos# run show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
203.0.113.2 203.0.113.2 198.51.100.3 198.51.100.3
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv1 AES_CBC_256 HMAC_SHA1_96 MODP_1024 no 147 0
[edit]
vyos@vyos#
1 Like
for x in 1 to 1000000
thank you!!!
next x
