PKI and IPSec IKEv2 Remote-Access VPN

Hi
After VyOS Team helps me with this topic " PKI and IPSec IKEv2 site-to-site VPN ", I did " PKI and IPSec IKEv2 Remote-Access VPN " between two VyOS.
I wanted to share it here so that it is available to everyone.

I considered one VyOS as a CA and one as a Client. After generating a certificate for VyOS-CA and VyOS-Client, I use Strongswan for config CA and Client.

Topology:

VyOS R1-CA:


connections {
  ra-rw {
    remote_addrs = %any
    local_addrs = 192.0.2.4
    proposals = aes128gcm128-sha256-modp2048
    version = 2
    send_certreq = no
    rekey_time = 7200s
    keyingtries = 1
    pools = ra-rw-ipv4
    local {
        id = "C=GB, ST=Some-State, L=Some-City, O=VyOS, CN=R1"
        auth = pubkey
        certs = R1.pem
    }
    remote {
        auth = eap-mschapv2
        id = "C=GB, ST=Some-State, L=Some-City, O=VyOS, CN=R2"
        eap_id = %any
    }
    children {
        ikev2-vpn {
             esp_proposals = aes128gcm128-sha256
             rekey_time = 3600s
             rand_time = 540s
             dpd_action = clear
             inactivity = 28800
             local_ts = 1.1.1.0/24
             remote_ts = 1.1.1.0/24
         }
      }
   }
}
pools {
    ra-rw-ipv4 {
        addrs = 192.0.2.3/24
        dns = 192.0.2.4
    }
}
secrets {
    eap-vyos {
        secret = "vyos"
        id = "vyos"
    }
}

ipsec.secrets for VyOS-CA:
: RSA “/etc/swanctl/private/x509_R1.pem”
vyos : EAP “vyos”

VyOS R2-Client:


connections {
  ra-rw {
    remote_addrs = 192.0.2.4
    local_addrs = 192.0.2.3
    proposals = aes128gcm128-sha256-modp2048
    version = 2
    local {
        id = "C=GB, ST=Some-State, L=Some-City, O=VyOS, CN=R2"
        eap_id = vyos
        auth = eap
    }
    remote {
        auth = pubkey
        id = "C=GB, ST=Some-State, L=Some-City, O=VyOS, CN=R1"
    }
    children {
        ikev2-vpn {
           esp_proposals = aes128gcm128-sha256
           local_ts = 1.1.1.0/24
           remote_ts = 1.1.1.0/24
       }
    }
  }
}
secrets {
    eap-vyos {
        secret = "vyos"
        id = "vyos"
    }
}

ipsec.secrets for VyOS-Client:
vyos : EAP “vyos”

Results:
tcpdump:


ipsec statusall:

ipsec up ra-rw:

daemon: (sudo journalctl -b /usr/lib/ipsec/charon | tee):

Thanks to the VyOS team for their help.

2 Likes

Well done!
As next challenge, can i suggest you to convert this into documentation topic?
@robort can advise about process

Yes, Sure. I will do this.