IPsec policy-based configuration

Hi Team,

Can you please share the method/process to configure a policy-based IPsec VPN on VyOS? I have already configured the route-based VPN.

A prompt response will be appreciated. Thanks.

I don't think that anyone can help you without some more information.
Can you please describe what you want to configure and where the problem is?
Which version is in use?

Here is the documentation for site-to-site VPN:
Site-to-Site — VyOS 1.3.x (equuleus) documentation

Yes, you are right. The following are the configs which I use for policy-based IPsec on VyOS version 1.4.

Policy-based VPN

VyOS 1

set vpn ipsec ipsec-interfaces interface eth0

set vpn ipsec ike-group IKE-1E lifetime 3600

set vpn ipsec ike-group IKE-1E proposal 1 dh-group 2

set vpn ipsec ike-group IKE-1E proposal 1 encryption 3des

set vpn ipsec ike-group IKE-1E proposal 1 hash sha1

set vpn ipsec esp-group ESP-1E mode tunnel

set vpn ipsec esp-group ESP-1E pfs dh-group2

set vpn ipsec esp-group ESP-1E proposal 1 encryption 3des

set vpn ipsec esp-group ESP-1E proposal 1 hash sha1

set vpn ipsec site-to-site peer vyos-1-ipsec authentication remote-id 192.168.8.4

set vpn ipsec site-to-site peer vyos-1-ipsec authentication mode pre-shared-secret

set vpn ipsec site-to-site peer vyos-1-ipsec authentication pre-shared-secret ********

set vpn ipsec site-to-site peer vyos-1-ipsec connection-type initiate

set vpn ipsec site-to-site peer vyos-1-ipsec default-esp-group ESP-1E

set vpn ipsec site-to-site peer vyos-1-ipsec ike-group IKE-1E

set vpn ipsec site-to-site peer vyos-1-ipsec local-address 192.168.8.5

set vpn ipsec site-to-site peer vyos-1-ipsec remote-address 192.168.8.4

set vpn ipsec site-to-site peer vyos-1-ipsec tunnel 1 local prefix 10.0.0.0/24

set vpn ipsec site-to-site peer vyos-1-ipsec tunnel 1 remote prefix 172.168.0.0/24

VyOS 2

set vpn ipsec ipsec-interfaces interface eth0

set vpn ipsec ike-group IKE-1E lifetime 3600

set vpn ipsec ike-group IKE-1E proposal 1 dh-group 2

set vpn ipsec ike-group IKE-1E proposal 1 encryption 3des

set vpn ipsec ike-group IKE-1E proposal 1 hash sha1

set vpn ipsec esp-group ESP-1E mode tunnel

set vpn ipsec esp-group ESP-1E pfs dh-group2

set vpn ipsec esp-group ESP-1E proposal 1 encryption 3des

set vpn ipsec esp-group ESP-1E proposal 1 hash sha1

set vpn ipsec site-to-site peer vyos2-ipsec authentication remote-id 192.168.8.5

set vpn ipsec site-to-site peer vyos2-ipsec authentication mode pre-shared-secret

set vpn ipsec site-to-site peer vyos2-ipsec authentication pre-shared-secret *****

set vpn ipsec site-to-site peer vyos2-ipsec connection-type respond

set vpn ipsec site-to-site peer vyos2-ipsec default-esp-group ESP-1E

set vpn ipsec site-to-site peer vyos2-ipsec ike-group IKE-1E

set vpn ipsec site-to-site peer vyos2-ipsec local-address 192.168.8.4

set vpn ipsec site-to-site peer vyos2-ipsec remote-address 192.168.8.5

set vpn ipsec site-to-site peer vyos2-ipsec tunnel 1 local prefix 172.168.0.0/24

set vpn ipsec site-to-site peer vyos2-ipsec tunnel 1 remote prefix 10.0.0.0/24

The IPsec works, right?
What are you trying and what is not working?
Please share the config and/or logs and describe your problem.

I configured the policy-based IPsec in VyOS but it is down.

The configuration is given below:

VyOS 1

set vpn ipsec ike-group IKE-1E lifetime 3600

set vpn ipsec ike-group IKE-1E proposal 1 dh-group 2

set vpn ipsec ike-group IKE-1E proposal 1 encryption 3des

set vpn ipsec ike-group IKE-1E proposal 1 hash sha1

set vpn ipsec esp-group ESP-1E mode tunnel

set vpn ipsec esp-group ESP-1E pfs dh-group2

set vpn ipsec esp-group ESP-1E proposal 1 encryption 3des

set vpn ipsec esp-group ESP-1E proposal 1 hash sha1

set vpn ipsec site-to-site peer vyos2-ipsec authentication remote-id 192.168.8.5

set vpn ipsec site-to-site peer vyos2-ipsec authentication mode pre-shared-secret

set vpn ipsec site-to-site peer vyos2-ipsec authentication pre-shared-secret 12345

set vpn ipsec site-to-site peer vyos2-ipsec connection-type respond

set vpn ipsec site-to-site peer vyos2-ipsec default-esp-group ESP-1E

set vpn ipsec site-to-site peer vyos2-ipsec ike-group IKE-1E

set vpn ipsec site-to-site peer vyos2-ipsec tunnel 1 local prefix 12.12.12.0/29

set vpn ipsec site-to-site peer vyos2-ipsec tunnel 1 remote prefix 11.11.11.0/29

VyOS 2

set vpn ipsec ike-group IKE-1E lifetime 3600

set vpn ipsec ike-group IKE-1E proposal 1 dh-group 2

set vpn ipsec ike-group IKE-1E proposal 1 encryption 3des

set vpn ipsec ike-group IKE-1E proposal 1 hash sha1

set vpn ipsec esp-group ESP-1E mode tunnel

set vpn ipsec esp-group ESP-1E pfs dh-group2

set vpn ipsec esp-group ESP-1E proposal 1 encryption 3des

set vpn ipsec esp-group ESP-1E proposal 1 hash sha1

set vpn ipsec site-to-site peer vyos-1-ipsec authentication remote-id 192.168.8.4

set vpn ipsec site-to-site peer vyos-1-ipsec authentication mode pre-shared-secret

set vpn ipsec site-to-site peer vyos-1-ipsec authentication pre-shared-secret 12345

set vpn ipsec site-to-site peer vyos-1-ipsec connection-type initiate

set vpn ipsec site-to-site peer vyos-1-ipsec default-esp-group ESP-1E

set vpn ipsec site-to-site peer vyos-1-ipsec ike-group IKE-1E

set vpn ipsec site-to-site peer vyos-1-ipsec tunnel 1 local prefix 11.11.11.0/29

set vpn ipsec site-to-site peer vyos-1-ipsec tunnel 1 remote prefix 12.12.12.0/29

show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal


vyos@vyatta-1:~$ show vpn ipsec st
state status
vyos@vyatta-1:~$ show vpn ipsec status
IPsec Process Running: 3044
Routed Connections:
vyos2-ipsec-tunnel-1{1}: ROUTED, TUNNEL, reqid 1
vyos2-ipsec-tunnel-1{1}: 12.12.12.0/29 === 11.11.11.0/29
Security Associations (0 up, 0 connecting):

Hello @Jamal,

What version do you use?
vyos@vyos:~$ show version

I don't see remote-address, and also not on the remote site:

set vpn ipsec site-to-site peer <tag> remote-address x.x.x.x
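As an added example (not from the original thread and not VyOS tooling), here is a small Python check that catches the kinds of mistakes this thread runs into before you commit: it parses the plain "set vpn ipsec ..." lines as they are pasted above and cross-checks the two sides for a single peer name per side (the earlier post mixes vyos2-ipsec and vyos-1-ipsec on one router), for local-address/remote-address being present and mirrored, for matching pre-shared secrets and mirrored tunnel prefixes, and it warns about 3des/sha1/DH group 2, which are legacy algorithms you should not negotiate today. The sample configs at the bottom are constructed for the demo and follow the layout of the non-working post; peer names and addresses are taken from the thread.

```python
"""Pre-commit sanity check for two sides of a VyOS policy-based IPsec tunnel.

Added example for this thread, not VyOS tooling. It parses 'set vpn ipsec ...'
lines as pasted in the forum and cross-checks the two sides: one peer name per
side, local-address/remote-address present and mirrored, same pre-shared secret,
mirrored tunnel prefixes, plus warnings for 3des/sha1/small DH groups.
"""
PEER = ("vpn", "ipsec", "site-to-site", "peer")
WEAK_ALGOS = {"des", "3des", "md5", "sha1"}
WEAK_DH = {"1", "2", "5"}  # MODP-768/1024/1536, below current guidance


def parse_set_lines(text):
    """Turn 'set a b c value' lines into {('a', 'b', 'c'): 'value'}."""
    cfg = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) > 2 and tokens[0] == "set":
            cfg[tuple(tokens[1:-1])] = tokens[-1]
    return cfg


def peer_names(cfg):
    return {k[4] for k in cfg if len(k) > 4 and k[:4] == PEER}


def peer_value(cfg, peer, *path):
    return cfg.get(PEER + (peer,) + path)


def tunnel_prefixes(cfg, peer):
    """{tunnel_id: (local, remote)}; accepts 'local prefix X' and the older 'local X'."""
    base = PEER + (peer, "tunnel")
    ids = {k[6] for k in cfg if len(k) > 6 and k[:6] == base}
    end = lambda t, s: peer_value(cfg, peer, "tunnel", t, s, "prefix") or peer_value(cfg, peer, "tunnel", t, s)
    return {t: (end(t, "local"), end(t, "remote")) for t in sorted(ids)}


def weak_crypto(cfg):
    """'<group> <leaf> <value>' for legacy ciphers, hashes and small DH groups."""
    hits = []
    for key, val in cfg.items():
        if len(key) < 4 or key[2] not in ("ike-group", "esp-group"):
            continue
        leaf = key[-1]
        if (leaf in ("encryption", "hash") and val in WEAK_ALGOS) or (
                leaf in ("dh-group", "pfs") and val.removeprefix("dh-group") in WEAK_DH):
            hits.append(f"{key[3]} {leaf} {val}")
    return sorted(hits)


def check_pair(text_a, text_b, names=("vyos1", "vyos2")):
    """Return (errors, warnings); an empty error list means the pair should come up."""
    errors, warnings, sides = [], [], []
    for name, text in zip(names, (text_a, text_b)):
        cfg = parse_set_lines(text)
        peers = peer_names(cfg)
        peer = next(iter(peers)) if len(peers) == 1 else None
        if peer is None:  # a typo in one peer name silently creates a second, half-built peer
            errors.append(f"{name}: expected one site-to-site peer name, found {sorted(peers)}")
        else:
            for leaf in ("local-address", "remote-address"):
                if peer_value(cfg, peer, leaf) is None:
                    errors.append(f"{name}: peer {peer} has no {leaf}")
        warnings += [f"{name}: weak algorithm {hit}" for hit in weak_crypto(cfg)]
        sides.append((name, cfg, peer))
    (na, ca, pa), (nb, cb, pb) = sides
    if pa is None or pb is None:
        return errors, warnings  # cross-checks need exactly one peer per side
    a = [peer_value(ca, pa, "local-address"), peer_value(ca, pa, "remote-address")]
    b = [peer_value(cb, pb, "local-address"), peer_value(cb, pb, "remote-address")]
    if None not in a + b and a != b[::-1]:
        errors.append(f"addresses not mirrored: {na} {a[0]}->{a[1]}, {nb} {b[0]}->{b[1]}")
    psk = ("authentication", "pre-shared-secret")
    if peer_value(ca, pa, *psk) != peer_value(cb, pb, *psk):
        errors.append("pre-shared secrets differ")
    ta, tb = tunnel_prefixes(ca, pa), tunnel_prefixes(cb, pb)
    for t in sorted(set(ta) | set(tb)):
        (la, ra), (lb, rb) = ta.get(t, (None, None)), tb.get(t, (None, None))
        if (la, ra) != (rb, lb):
            errors.append(f"tunnel {t} prefixes not mirrored: {na} {la}<->{ra}, {nb} {lb}<->{rb}")
    return errors, warnings


# Constructed samples mirroring the thread's non-working post (no addresses, legacy crypto).
TEMPLATE = """
set vpn ipsec ike-group IKE-1E proposal 1 dh-group 2
set vpn ipsec ike-group IKE-1E proposal 1 encryption 3des
set vpn ipsec esp-group ESP-1E pfs dh-group2
set vpn ipsec site-to-site peer {p} authentication pre-shared-secret 12345
set vpn ipsec site-to-site peer {p} connection-type {ct}
set vpn ipsec site-to-site peer {p} tunnel 1 local prefix {lp}
set vpn ipsec site-to-site peer {p} tunnel 1 remote prefix {rp}
"""
ADDRESSES = "set vpn ipsec site-to-site peer {p} local-address {la}\nset vpn ipsec site-to-site peer {p} remote-address {ra}\n"
VYOS1_BROKEN = TEMPLATE.format(p="vyos2-ipsec", ct="respond", lp="12.12.12.0/29", rp="11.11.11.0/29")
VYOS2_BROKEN = TEMPLATE.format(p="vyos-1-ipsec", ct="initiate", lp="11.11.11.0/29", rp="12.12.12.0/29")
VYOS1_FIXED = VYOS1_BROKEN + ADDRESSES.format(p="vyos2-ipsec", la="192.168.8.4", ra="192.168.8.5")
VYOS2_FIXED = VYOS2_BROKEN + ADDRESSES.format(p="vyos-1-ipsec", la="192.168.8.5", ra="192.168.8.4")

if __name__ == "__main__":
    for label, pair in (("broken", (VYOS1_BROKEN, VYOS2_BROKEN)), ("fixed", (VYOS1_FIXED, VYOS2_FIXED))):
        errs, warns = check_pair(*pair)
        print(f"{label}: {len(errs)} errors, {len(warns)} warnings", *errs, *warns, sep="\n  ")
```

Run it against a `show configuration commands | grep "vpn ipsec"` dump from each router; the "broken" pair reports the four missing address statements that the last reply points at, while the "fixed" pair only leaves the algorithm warnings, which you clear by moving the IKE and ESP groups to AES and SHA-2 with a DH group of 14 or higher.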