Dear all,
I created an IPsec tunnel between two VyOS routers following the documentation page (IPsec — VyOS 1.3.x (equuleus) documentation), and it works. (Side note for anyone copying this: the negotiated proposal shown below is AES_CBC_128/HMAC_SHA1_96/MODP_1024, i.e. ike-group dh-group 2 with sha1, which is the documentation example and is weak by current standards; a stronger DH group such as 14 or higher and sha256 are preferable once the duplicate-SA issue is sorted out.)
However, the next day I found multiple SAs listed for the same connection (peer_100-100-100-106_tunnel_1). They appear in batches with staggered uptimes (35m39s, 35m43s, 35m47s), and only the first pair carries any traffic — all the others show 0B/0B. Note that this listing appears to have been taken on the right router, since the remote address (100.100.100.106) and remote ID (LEFT) shown are those of the left router:
vyos@vyos:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
----------------------------- ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------------
peer_100-100-100-106_tunnel_1 up 35m39s 0B/1K 0B/15B 100.100.100.106 LEFT AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1 up 35m39s 1K/0B 15B/0B 100.100.100.106 LEFT AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1 up 35m43s 0B/0B 0B/0B 100.100.100.106 LEFT AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1 up 35m43s 0B/0B 0B/0B 100.100.100.106 LEFT AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1 up 35m43s 0B/0B 0B/0B 100.100.100.106 LEFT AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1 up 35m43s 0B/0B 0B/0B 100.100.100.106 LEFT AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1 up 35m43s 0B/0B 0B/0B 100.100.100.106 LEFT AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1 up 35m43s 0B/0B 0B/0B 100.100.100.106 LEFT AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1 up 35m43s 0B/0B 0B/0B 100.100.100.106 LEFT AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1 up 35m43s 0B/0B 0B/0B 100.100.100.106 LEFT AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1 up 35m47s 0B/0B 0B/0B 100.100.100.106 LEFT AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1 up 35m47s 0B/0B 0B/0B 100.100.100.106 LEFT AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1 up 35m47s 0B/0B 0B/0B 100.100.100.106 LEFT AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1 up 35m47s 0B/0B 0B/0B 100.100.100.106 LEFT AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1 up 35m47s 0B/0B 0B/0B 100.100.100.106 LEFT AES_CBC_128/HMAC_SHA1_96/MODP_1024
vyos@vyos:~$
The following is my left VyOS router's configuration (keys redacted):
vyos@vyos:~$ show configuration
interfaces {
ethernet eth0 {
address dhcp
hw-id 40:62:31:12:8c:38
}
ethernet eth1 {
hw-id 40:62:31:12:8c:39
}
ethernet eth2 {
hw-id 40:62:31:12:8c:3a
}
ethernet eth3 {
address 192.168.3.99/24
hw-id 40:62:31:12:8c:3b
}
loopback lo {
address 192.168.99.1/32
}
tunnel tun0 {
address 10.10.10.1/24
encapsulation gre
remote 192.168.99.2
source-address 192.168.99.1
}
}
pki {
key-pair ipsec-LEFT {
private {
key ****************
}
public {
key ****************
}
}
key-pair ipsec-RIGHT {
public {
key ****************
}
}
}
service {
...
}
system {
...
}
vpn {
ipsec {
esp-group MyESPGroup {
proposal 1 {
encryption aes128
hash sha1
}
}
ike-group MyIKEGroup {
proposal 1 {
dh-group 2
encryption aes128
hash sha1
}
}
interface eth0
site-to-site {
peer @RIGHT {
authentication {
id LEFT
mode rsa
remote-id RIGHT
rsa {
local-key ****************
remote-key ****************
}
}
connection-type respond
default-esp-group MyESPGroup
ike-group MyIKEGroup
local-address 100.100.100.106
tunnel 1 {
local {
prefix 192.168.99.1/32
}
remote {
prefix 192.168.99.2/32
}
}
}
}
}
}
vyos@vyos:~$
The following is my right VyOS router's configuration (keys redacted):
vyos@vyos:~$ show configuration
firewall {
all-ping enable
}
interfaces {
ethernet eth0 {
address dhcp
hw-id 40:62:31:12:8c:1c
}
ethernet eth1 {
hw-id 40:62:31:12:8c:1d
}
ethernet eth2 {
address 192.168.10.1/32
hw-id 40:62:31:12:8c:1e
}
ethernet eth3 {
address 192.168.3.90/24
hw-id 40:62:31:12:8c:1f
}
loopback lo {
address 192.168.99.2/32
}
tunnel tun0 {
address 10.10.10.2/24
encapsulation gre
remote 192.168.99.1
source-address 192.168.99.2
}
}
nat {
source {
rule 100 {
outbound-interface eth0
source {
address 192.168.1.0/24
}
translation {
address masquerade
}
}
}
}
pki {
key-pair ipsec-LEFT {
public {
key ****************
}
}
key-pair ipsec-RIGHT {
private {
key ****************
}
public {
key ****************
}
}
}
service {
...
}
system {
...
}
vpn {
ipsec {
esp-group MyESPGroup {
proposal 1 {
encryption aes128
hash sha1
}
}
ike-group MyIKEGroup {
proposal 1 {
dh-group 2
encryption aes128
hash sha1
}
}
interface eth0
site-to-site {
peer 100.100.100.106 {
authentication {
id RIGHT
mode rsa
remote-id LEFT
rsa {
local-key ****************
remote-key ****************
}
}
connection-type initiate
default-esp-group MyESPGroup
ike-group MyIKEGroup
local-address 172.16.1.102
tunnel 1 {
local {
prefix 192.168.99.2/32
}
remote {
prefix 192.168.99.1/32
}
}
}
}
}
}
vyos@vyos:~$