VyOS Azure, back to back - no 220 routing rules

We’re currently looking to remove our existing Ubuntu / strongSwan solution. I am testing VyOS. This is my first few hours in, so I’m likely missing something stupidly obvious.

I’ve built two VNets, with a VM and a VyOS appliance in each. I’ve got an IPsec connection up, but it won’t pass any traffic since there aren’t any rules in route table 220. There’s currently no NAT; I am aiming to keep it simple and add things along the way.

This is the complete configuration I’ve added on top of the standard config (it’s a non-permanent address!):

set vpn ipsec esp-group office-srv-esp compression 'disable'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 dh-group '2'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 40.91.116.129 authentication id '40.91.113.135'
set vpn ipsec site-to-site peer 40.91.116.129 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 40.91.116.129 authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer 40.91.116.129 connection-type 'initiate'
set vpn ipsec site-to-site peer 40.91.116.129 ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer 40.91.116.129 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 40.91.116.129 local-address '192.168.5.4'
set vpn ipsec site-to-site peer 40.91.116.129 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 40.91.116.129 tunnel 0 allow-public-networks 'enable'
set vpn ipsec site-to-site peer 40.91.116.129 tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer 40.91.116.129 tunnel 0 local prefix '192.168.4.0/22'
set vpn ipsec site-to-site peer 40.91.116.129 tunnel 0 remote prefix '192.168.0.0/22'
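
Added example, not part of the original post: strongSwan by default installs routes for a tunnel's remote prefixes into routing table 220, so one way to confirm the symptom is to compare the configured `remote prefix` values against the output of `ip route show table 220`. The function names, the sample route line and its gateway `192.168.5.1` are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample: the two tunnel prefix lines from the configuration above.
VYOS_CONFIG = """\
set vpn ipsec site-to-site peer 40.91.116.129 tunnel 0 local prefix '192.168.4.0/22'
set vpn ipsec site-to-site peer 40.91.116.129 tunnel 0 remote prefix '192.168.0.0/22'
"""
# Constructed `ip route show table 220` output (gateway is an assumption).
ROUTES_OK = "192.168.0.0/22 via 192.168.5.1 dev eth0 proto static src 192.168.5.4\n"
ROUTES_EMPTY = ""  # the situation described in the post

# Route types that do not forward traffic and so do not count as coverage.
NON_FORWARDING = {"unreachable", "blackhole", "prohibit", "throw"}

def tunnel_remote_prefixes(config):
    """Map (peer, tunnel id) -> remote network from VyOS `set` commands."""
    found = {}
    for line in config.splitlines():
        tok = shlex.split(line)  # also strips the single quotes
        if (len(tok) == 11
                and tok[:5] == ["set", "vpn", "ipsec", "site-to-site", "peer"]
                and tok[6] == "tunnel" and tok[8:10] == ["remote", "prefix"]):
            found[(tok[5], tok[7])] = ipaddress.ip_network(tok[10])
    return found

def table_routes(ip_route_output):
    """Destination networks listed in `ip route show table 220` output."""
    nets = []
    for line in ip_route_output.splitlines():
        tok = line.split()
        if not tok or tok[0] in NON_FORWARDING:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        nets.append(ipaddress.ip_network(dest, strict=False))
    return nets

def missing_routes(config, ip_route_output):
    """Remote prefixes from the config that no route in the table covers."""
    routes = table_routes(ip_route_output)
    return sorted(
        f"peer {peer} tunnel {tid}: {net}"
        for (peer, tid), net in tunnel_remote_prefixes(config).items()
        if not any(r.version == net.version and net.subnet_of(r) for r in routes)
    )

if __name__ == "__main__":
    for label, table in (("route present", ROUTES_OK), ("empty table", ROUTES_EMPTY)):
        print(label, "->", missing_routes(VYOS_CONFIG, table) or "all covered")
```
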