Can anybody tell me what I’m doing incorrectly here? Unable to connect site to site vpn, vyos unable to reach the other edge device WAN IP.
Vyos is running as an EC2 instance, eth0 is a public subnet with the WAN/public IP, eth1 is the internal private subnet. Would like each of the site to site connections to be able to route-to and access each of the other vti interface tunnels, as well as the private subnet in AWS.
The public IP network is 10.0.0.0/24 (eth0 at 10.0.0.254), eth1 private subnet is 10.0.1.0/24. The vti interfaces for each VTI tunnel are/will be 10.10.0.0/30, 10.10.1.0/30, 10.10.2.0/30, and so on… (so vti2 will be 10.10.2.0/30, each side of the tunnel should be 10.10.2.1 and 10.10.2.2).
Right now, want to leave VyOS firewall/iptables open, and just use as a router, and configure access control on the AWS side.
Config:
firewall {
ipv4 {
name ALLOW-ALL {
default-action accept
rule 1 {
action accept
inbound-interface {
name eth0
}
outbound-interface {
name eth0
}
}
rule 2 {
action accept
inbound-interface {
name eth1
}
outbound-interface {
name eth1
}
}
rule 3 {
action accept
inbound-interface {
name "*"
}
outbound-interface {
name "*"
}
}
}
}
}
interfaces {
ethernet eth0 {
address 10.0.0.254/24
description "Public Subnet VyOS NIC"
hw-id 0a:ff:fc:bb:25:35
mtu 1500
}
ethernet eth1 {
address 10.0.1.254/24
description "Private Subnet VyOS NIC"
hw-id 0a:ff:e8:b1:f3:5f
mtu 1500
}
loopback lo {
}
vti vti0 {
address 10.10.0.1/30
mtu 1400
}
vti vti1 {
address 10.10.1.1/30
mtu 1400
}
vti vti2 {
address 10.10.2.1/30
mtu 1400
}
vti vti3 {
address 10.10.3.1/30
mtu 1400
}
vti vti4 {
mtu 1400
}
vti vti5 {
mtu 1400
}
}
protocols {
static {
route 0.0.0.0/0 {
next-hop 10.0.0.1 {
}
}
route 10.2.0.0/16 {
next-hop 10.10.2.1 {
}
next-hop 10.10.2.2 {
}
}
}
}
service {
ntp {
allow-client {
address 0.0.0.0/0
address ::/0
}
server time1.vyos.net {
}
server time2.vyos.net {
}
server time3.vyos.net {
}
}
ssh {
client-keepalive-interval 180
port 22
}
}
system {
config-management {
commit-revisions 100
}
conntrack {
modules {
ftp
h323
nfs
pptp
sip
sqlnet
tftp
}
}
console {
device ttyS0 {
speed 115200
}
}
domain-name ec2.internal
host-name ip-10-0-0-254
login {
user admin {
authentication {
encrypted-password ****************
}
full-name "WP Admin"
}
user jon {
authentication {
encrypted-password ****************
}
full-name "jon"
}
user vyos {
authentication {
public-keys cloud-init-fea7e33b-a681-4810-bb43-e1786f1e5c3f {
key ****************
type ssh-rsa
}
}
}
}
name-server 8.8.8.8
name-server 8.8.4.4
option {
ctrl-alt-delete reboot
}
syslog {
global {
facility all {
level info
}
facility local7 {
level debug
}
}
}
}
vpn {
ipsec {
authentication {
psk 5555_Porter {
id 44.216.26.207
id 98.4.96.58
secret supersecretkey
}
}
esp-group vyos-esp {
lifetime 3600
mode tunnel
pfs dh-group14
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group vyos-ike {
key-exchange ikev1
lifetime 86400
proposal 1 {
dh-group 14
encryption aes256
hash sha1
}
}
interface eth0
options {
disable-route-autoinstall
}
site-to-site {
peer 555_Porter {
authentication {
local-id 44.216.26.207
mode pre-shared-secret
remote-id 98.4.96.58
}
ike-group vyos-ike
local-address 44.216.26.207
remote-address 98.4.96.58
tunnel 20 {
esp-group vyos-esp
local {
prefix 10.0.0.0/23
}
remote {
prefix 10.2.0.0/16
}
}
vti {
bind vti2
}
}
}
}
}