Multi home WAN VPN with AWS and using BGP


Hi Team,

I am trying to set up a redundant VPN to AWS from my own multi-homed WAN VyOS gateway. I have given a diagram below and would like to know whether such a scenario is possible with BGP or any other dynamic routing protocol.

Can someone please suggest any ideas? Or has anyone achieved a similar kind of setup?

Hi team.

Following my thread above, I decided to take baby steps, and here is my config. I configured the tunnel between R1 and R2 with BGP. My config is given below; somehow BGP is not working, and host 192.168.47.128 is unable to contact 10.10.11.128.

However, if I add the static routes
192.168.47.0/24 VIA 169.254.254.5 on R2 and
10.10.11.0/24 VIA 169.254.254.7 on R1

they start communicating. Can someone please help me here?

R1-config

# R1 (VyOS 1.1.x "helium"): IPsec site-to-site to R2 (100.1.1.20) bound to vti5,
# with an eBGP session (AS 65000 <-> AS 65001) across the VTI /32 addresses.
# The BGP session only came up after ebgp-multihop and update-source were added
# to this neighbor (see the reply further down the thread).
set interfaces ethernet eth0 address '192.168.47.10/24'
set interfaces ethernet eth0 hw-id '00:0c:29:d4:6e:9e'
# eth1 is the IPsec-facing side (ipsec-interfaces below). No firewall rules
# appear in this listing, so confirm it is filtered elsewhere.
set interfaces ethernet eth1 address '100.1.1.10/24'
set interfaces ethernet eth1 hw-id '00:0c:29:d4:6e:a8'
set interfaces ethernet eth2 address '192.168.5.66/24'
set interfaces ethernet eth2 hw-id '00:0c:29:d4:6e:b2'
set interfaces loopback 'lo'
# A /32 on the VTI means there is no connected subnet to the peer, hence the
# interface-route and disable-connected-check below.
set interfaces vti vti5 address '169.254.254.5/32'
set protocols bgp 65000 neighbor 169.254.254.7 'disable-connected-check'
set protocols bgp 65000 neighbor 169.254.254.7 remote-as '65001'
set protocols bgp 65000 neighbor 169.254.254.7 timers holdtime '30'
set protocols bgp 65000 neighbor 169.254.254.7 timers keepalive '10'
set protocols bgp 65000 network '192.168.47.0/24'
# Reaches the peer's /32 through the tunnel interface.
set protocols static interface-route 169.254.254.7/32 next-hop-interface 'vti5'
# SSH with defaults listens on every interface, including the tunnel-facing
# eth1; consider restricting it (listen-address and/or firewall) on that side.
set service 'ssh'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system host-name 'R1'
# NOTE(review): this is a real MD5-crypt ($1$) password hash published with the
# paste; treat the password as exposed and rotate it.
set system login user vyos authentication encrypted-password '$1$KRtTWZuP$BUnBUey8M0eyhH7llUt/j/'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'
# 'helium' is the 1.1.x release line, noted as EOL later in the thread, and the
# package repository is fetched over plain http.
set system package repository community components 'main'
set system package repository community distribution 'helium'
set system package repository community url 'http://packages.vyos.net/vyos'
set system syslog global facility all level 'notice'
# Protocol-level debug logging is useful while troubleshooting BGP; lower it
# again once the session is stable.
set system syslog global facility protocols level 'debug'
set vpn ipsec esp-group r1-r2-l1-esp compression 'disable'
set vpn ipsec esp-group r1-r2-l1-esp lifetime '3600'
set vpn ipsec esp-group r1-r2-l1-esp mode 'tunnel'
set vpn ipsec esp-group r1-r2-l1-esp pfs 'enable'
set vpn ipsec esp-group r1-r2-l1-esp proposal 5 encryption 'aes256'
set vpn ipsec esp-group r1-r2-l1-esp proposal 5 hash 'sha256'
set vpn ipsec ike-group r1-r2-l1-ike dead-peer-detection action 'restart'
set vpn ipsec ike-group r1-r2-l1-ike dead-peer-detection interval '15'
set vpn ipsec ike-group r1-r2-l1-ike dead-peer-detection timeout '30'
# Only meaningful for IKEv2 and not present in R2's ike-group; harmless under
# ikev1, but keep both sides' groups identical.
set vpn ipsec ike-group r1-r2-l1-ike ikev2-reauth 'no'
# IKEv1 with DH group 2 (1024-bit MODP) is weak by current guidance; prefer
# IKEv2 and DH group 14 or higher where the remote side supports it.
set vpn ipsec ike-group r1-r2-l1-ike key-exchange 'ikev1'
set vpn ipsec ike-group r1-r2-l1-ike lifetime '28800'
set vpn ipsec ike-group r1-r2-l1-ike proposal 5 dh-group '2'
set vpn ipsec ike-group r1-r2-l1-ike proposal 5 encryption 'aes256'
set vpn ipsec ike-group r1-r2-l1-ike proposal 5 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 100.1.1.20 authentication id '100.1.1.10'
set vpn ipsec site-to-site peer 100.1.1.20 authentication mode 'pre-shared-secret'
# NOTE(review): the PSK is short, guessable and now public; replace it with a
# long random secret on both peers and keep secrets out of pasted configs.
set vpn ipsec site-to-site peer 100.1.1.20 authentication pre-shared-secret 'admin@123'
set vpn ipsec site-to-site peer 100.1.1.20 authentication remote-id '100.1.1.20'
set vpn ipsec site-to-site peer 100.1.1.20 ike-group 'r1-r2-l1-ike'
set vpn ipsec site-to-site peer 100.1.1.20 local-address '100.1.1.10'
set vpn ipsec site-to-site peer 100.1.1.20 vti bind 'vti5'
set vpn ipsec site-to-site peer 100.1.1.20 vti esp-group 'r1-r2-l1-esp'

And R2 Config

# R2 (VyOS 1.1.x "helium"): the mirror of R1 — IPsec site-to-site to R1
# (100.1.1.10) bound to vti5, eBGP AS 65001 <-> AS 65000 across the VTI /32s.
# Like R1, this neighbor needed ebgp-multihop and update-source before the
# session established (see the reply further down the thread).
set interfaces ethernet eth0 address '10.10.11.10/24'
set interfaces ethernet eth0 hw-id '00:0c:29:1a:64:0f'
# eth1 is the IPsec-facing side; no firewall rules appear in this listing.
set interfaces ethernet eth1 address '100.1.1.20/24'
set interfaces ethernet eth1 hw-id '00:0c:29:1a:64:19'
set interfaces ethernet eth2 address '192.168.5.67/24'
set interfaces ethernet eth2 hw-id '00:0c:29:1a:64:23'
set interfaces loopback 'lo'
# /32 on the VTI: the peer is reached only via the interface-route below.
set interfaces vti vti5 address '169.254.254.7/32'
set protocols bgp 65001 neighbor 169.254.254.5 'disable-connected-check'
set protocols bgp 65001 neighbor 169.254.254.5 remote-as '65000'
set protocols bgp 65001 neighbor 169.254.254.5 timers holdtime '30'
set protocols bgp 65001 neighbor 169.254.254.5 timers keepalive '10'
set protocols bgp 65001 network '10.10.11.0/24'
set protocols static interface-route 169.254.254.5/32 next-hop-interface 'vti5'
# SSH with defaults is reachable on every interface, including eth1.
set service 'ssh'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system host-name 'R2'
# NOTE(review): real MD5-crypt ($1$) hash published with the paste; rotate it.
set system login user vyos authentication encrypted-password '$1$oMaCHy5V$zh039Yx1AzaUrf2BkiPuF/'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'
# 1.1.x ("helium") is noted as EOL later in the thread; repository over plain http.
set system package repository community components 'main'
set system package repository community distribution 'helium'
set system package repository community url 'http://packages.vyos.net/vyos'
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set vpn ipsec esp-group r1-r2-l1-esp compression 'disable'
set vpn ipsec esp-group r1-r2-l1-esp lifetime '3600'
set vpn ipsec esp-group r1-r2-l1-esp mode 'tunnel'
set vpn ipsec esp-group r1-r2-l1-esp pfs 'enable'
set vpn ipsec esp-group r1-r2-l1-esp proposal 5 encryption 'aes256'
set vpn ipsec esp-group r1-r2-l1-esp proposal 5 hash 'sha256'
set vpn ipsec ike-group r1-r2-l1-ike dead-peer-detection action 'restart'
set vpn ipsec ike-group r1-r2-l1-ike dead-peer-detection interval '15'
set vpn ipsec ike-group r1-r2-l1-ike dead-peer-detection timeout '30'
# IKEv1 with DH group 2 (1024-bit MODP) is weak by current guidance; prefer
# IKEv2 and DH group 14 or higher where the remote side supports it. R1's
# ike-group additionally carries ikev2-reauth 'no'; keep both sides identical.
set vpn ipsec ike-group r1-r2-l1-ike key-exchange 'ikev1'
set vpn ipsec ike-group r1-r2-l1-ike lifetime '28800'
set vpn ipsec ike-group r1-r2-l1-ike proposal 5 dh-group '2'
set vpn ipsec ike-group r1-r2-l1-ike proposal 5 encryption 'aes256'
set vpn ipsec ike-group r1-r2-l1-ike proposal 5 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 100.1.1.10 authentication id '100.1.1.20'
set vpn ipsec site-to-site peer 100.1.1.10 authentication mode 'pre-shared-secret'
# NOTE(review): same weak, now-public PSK as on R1; replace on both peers.
set vpn ipsec site-to-site peer 100.1.1.10 authentication pre-shared-secret 'admin@123'
set vpn ipsec site-to-site peer 100.1.1.10 authentication remote-id '100.1.1.10'
set vpn ipsec site-to-site peer 100.1.1.10 ike-group 'r1-r2-l1-ike'
set vpn ipsec site-to-site peer 100.1.1.10 local-address '100.1.1.20'
set vpn ipsec site-to-site peer 100.1.1.10 vti bind 'vti5'
set vpn ipsec site-to-site peer 100.1.1.10 vti esp-group 'r1-r2-l1-esp'

Try adding ebgp-multihop on both sides, and declare update-source x.x.x.x:

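# R1 side of the fix (mirror it on R2 with AS 65001 / neighbor 169.254.254.5
# / update-source 169.254.254.7). In VyOS set syntax the option name is a path
# element and only the value is quoted; quoting 'ebgp-multihop 10' as a single
# token would likely be rejected as an invalid configuration path, and the
# original second line was also missing its closing quote.
# ebgp-multihop: allow the eBGP session to a peer that is not on a directly
# connected subnet (the VTI addresses are /32s).
set protocols bgp 65000 neighbor 169.254.254.7 ebgp-multihop '10'
# update-source: source the BGP TCP session from the local VTI address so the
# peer sees it coming from the neighbor address it has configured.
set protocols bgp 65000 neighbor 169.254.254.7 update-source '169.254.254.5'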

Hi There,

Thanks for the reply. Do you have any ready-made template for multi-WAN VPN redundancy with dynamic routing protocols and AWS, please?

By the way, 1.1.8 is EOL.

Yeah - I do not have a subscription, and I am yet to build mine.

It worked, man!! Thanks a ton -

I am a complete noob in BGP, so I would really appreciate it if you could explain what we have done here. And how would this help to configure multiple or redundant tunnels?

Most likely the update-source x.x.x.x parameter helped.
It determines the source IP address from which the session will be initiated, so the peer expects the BGP session to come from that specific IP address. The traffic would need to be dumped
to say exactly.