Hi everyone,
Recently, we attempted to create a second IPsec tunnel by assigning secondary public IPs on the same WAN interfaces between two VyOS machines.
So, for example, we have on the local side (eth1 is the WAN interface with 2 public IPs):
set interfaces ethernet eth1 address x.x.x.a
set interfaces ethernet eth1 address x.x.x.c
Definition for the 2 tunnels:
set interfaces tunnel tun0 address '172.16.10.253/30'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip x.x.x.a
set interfaces tunnel tun0 remote-ip x.x.x.b
set interfaces tunnel tun1 address '172.16.11.253/30'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip x.x.x.c
set interfaces tunnel tun1 remote-ip x.x.x.d
ESP and IKE SA definitions:
set vpn ipsec esp-group espgrp1 compression 'disable'
set vpn ipsec esp-group espgrp1 lifetime '3600'
set vpn ipsec esp-group espgrp1 mode 'tunnel'
set vpn ipsec esp-group espgrp1 pfs 'enable'
set vpn ipsec esp-group espgrp1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group espgrp1 proposal 1 hash 'sha1'
set vpn ipsec esp-group espgrp2 compression 'disable'
set vpn ipsec esp-group espgrp2 lifetime '3600'
set vpn ipsec esp-group espgrp2 mode 'tunnel'
set vpn ipsec esp-group espgrp2 pfs 'enable'
set vpn ipsec esp-group espgrp2 proposal 1 encryption 'aes128'
set vpn ipsec esp-group espgrp2 proposal 1 hash 'sha1'
set vpn ipsec ike-group ikegrp1 dead-peer-detection action 'restart'
set vpn ipsec ike-group ikegrp1 dead-peer-detection interval '30'
set vpn ipsec ike-group ikegrp1 dead-peer-detection timeout '30'
set vpn ipsec ike-group ikegrp1 ikev2-reauth 'no'
set vpn ipsec ike-group ikegrp1 key-exchange 'ikev1'
set vpn ipsec ike-group ikegrp1 lifetime '28800'
set vpn ipsec ike-group ikegrp1 proposal 1 dh-group '2'
set vpn ipsec ike-group ikegrp1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group ikegrp1 proposal 1 hash 'sha1'
set vpn ipsec ike-group ikegrp2 dead-peer-detection action 'restart'
set vpn ipsec ike-group ikegrp2 dead-peer-detection interval '30'
set vpn ipsec ike-group ikegrp2 dead-peer-detection timeout '30'
set vpn ipsec ike-group ikegrp2 ikev2-reauth 'no'
set vpn ipsec ike-group ikegrp2 lifetime '28800'
set vpn ipsec ike-group ikegrp2 proposal 1 dh-group '2'
set vpn ipsec ike-group ikegrp2 proposal 1 encryption 'aes128'
set vpn ipsec ike-group ikegrp2 proposal 1 hash 'sha1'
######## assigning the wan interface as ipsec interface ###############
set vpn ipsec ipsec-interfaces interface 'eth1'
############ creating the 2 tunnels #################
set vpn ipsec site-to-site peer x.x.x.b authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.b authentication pre-shared-secret 'abracadabra'
set vpn ipsec site-to-site peer x.x.x.b connection-type 'initiate'
set vpn ipsec site-to-site peer x.x.x.b default-esp-group 'espgrp1'
set vpn ipsec site-to-site peer x.x.x.b ike-group 'ikegrp1'
set vpn ipsec site-to-site peer x.x.x.b ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer x.x.x.b local-address 'x.x.x.a'
set vpn ipsec site-to-site peer x.x.x.b tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.b tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.b tunnel 1 protocol 'gre'
set vpn ipsec site-to-site peer x.x.x.d authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.d authentication pre-shared-secret 'paperbag'
set vpn ipsec site-to-site peer x.x.x.d connection-type 'initiate'
set vpn ipsec site-to-site peer x.x.x.d default-esp-group 'espgrp2'
set vpn ipsec site-to-site peer x.x.x.d ike-group 'ikegrp2'
set vpn ipsec site-to-site peer x.x.x.d ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer x.x.x.d local-address 'x.x.x.c'
set vpn ipsec site-to-site peer x.x.x.d tunnel 2 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.d tunnel 2 allow-public-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.d tunnel 2 protocol 'gre'
On the remote side (eth2 is the WAN interface):
set interfaces ethernet eth2 address x.x.x.b
set interfaces ethernet eth2 address x.x.x.d
and a similar config as on the local side, with source and destination public addresses reversed for the tunnels.
When I run "show vpn ipsec sa", basically only one tunnel shows as up:
bob@vyos:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
x.x.x.d                                 x.x.x.c

    Tunnel  State  Bytes Out/In   Encrypt  Hash               NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  -----------------  -----  ------  ------  -----
    2       down   n/a            n/a      n/a                no     0       n/a     all

Peer ID / IP                            Local ID / IP
x.x.x.b                                 x.x.x.a

    Tunnel  State  Bytes Out/In   Encrypt  Hash               NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  -----------------  -----  ------  ------  -----
    1       up     769.0M/40.4G   aes128   sha1_96/modp_1024  no     1860    3600    gre
So, I am wondering if it is even possible to run two IPsec VPN tunnels through the same WAN interfaces with multiple IPs. What we are trying to do, since the IPsec VPN is a single-threaded process, is to leverage the multiple threads/CPUs on the hardware VyOS is installed on and to segregate traffic from different subnets through the different tunnels.
Alternatively, I can install a second pair of VyOS machines to create the second tunnel, but I am wondering if it's possible to handle two tunnels in this setup on 1 pair of VyOS machines.
If anyone has any experience or insight, it would be greatly appreciated.
thx in advance
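As an added example (not from the original post or from VyOS itself), a small Python checker that cross-checks the GRE tunnel endpoints against the IPsec peer definitions on a constructed copy of this dual-tunnel layout: a peer whose local-address is not on the ipsec-interface cannot bring up its SA, and a GRE tunnel whose endpoints match no peer pair would carry its traffic as plain GRE. The x.x.x.a style addresses are placeholders as in the post.

```python
from collections import defaultdict

# Constructed sample mirroring the post's dual-tunnel layout (x.x.x.a etc. are placeholders).
SAMPLE_CONFIG = """
set interfaces ethernet eth1 address x.x.x.a
set interfaces ethernet eth1 address x.x.x.c
set interfaces tunnel tun0 local-ip x.x.x.a
set interfaces tunnel tun0 remote-ip x.x.x.b
set interfaces tunnel tun1 local-ip x.x.x.c
set interfaces tunnel tun1 remote-ip x.x.x.d
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer x.x.x.b local-address 'x.x.x.a'
set vpn ipsec site-to-site peer x.x.x.b tunnel 1 protocol 'gre'
set vpn ipsec site-to-site peer x.x.x.d local-address 'x.x.x.c'
set vpn ipsec site-to-site peer x.x.x.d tunnel 2 protocol 'gre'
"""

def parse_set_lines(text):
    """Split each 'set ...' line into tokens, dropping 'set' and surrounding quotes."""
    return [[t.strip("'\"") for t in ln.split()[1:]]
            for ln in text.splitlines() if ln.strip().startswith("set ")]

def check_dual_tunnel(text):
    """Cross-check GRE endpoints against IPsec peers; return a list of problems found."""
    wan_addrs, ipsec_ifaces, peer_local, gre = defaultdict(set), set(), {}, {}
    for r in parse_set_lines(text):
        if r[:2] == ["interfaces", "ethernet"] and len(r) > 4 and r[3] == "address":
            wan_addrs[r[2]].add(r[4].split("/")[0])        # drop any prefix length
        elif r[:4] == ["vpn", "ipsec", "ipsec-interfaces", "interface"]:
            ipsec_ifaces.add(r[4])
        elif r[:4] == ["vpn", "ipsec", "site-to-site", "peer"] and r[5] == "local-address":
            peer_local[r[4]] = r[6]                         # peer ip -> our source ip
        elif r[:2] == ["interfaces", "tunnel"] and r[3] in ("local-ip", "remote-ip"):
            gre.setdefault(r[2], {})[r[3]] = r[4]
    # Only addresses on an ipsec-interface can terminate an IPsec SA.
    protected = set().union(*(wan_addrs[i] for i in ipsec_ifaces))
    problems = []
    for peer, local in peer_local.items():
        if local not in protected:
            problems.append(f"peer {peer}: local-address {local} is not on an ipsec-interface")
    # A GRE tunnel whose endpoints match no IPsec peer pair is plain GRE on the wire.
    for name, ep in gre.items():
        local, remote = ep.get("local-ip"), ep.get("remote-ip")
        if peer_local.get(remote) != local:
            problems.append(f"{name}: GRE {local}->{remote} has no matching IPsec peer")
    return problems

if __name__ == "__main__":
    print(check_dual_tunnel(SAMPLE_CONFIG) or "no problems found")
```

Run it against `show configuration commands` output from both routers; the remote side should pass the same checks with the address roles swapped.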