Vyos on GCP to Vyos ipsec vpn

Hi,
Can I terminate an IPsec VPN on a VyOS instance deployed on GCP? If yes, can you suggest how to configure IPsec on such an instance? I'm familiar with IPsec and have some experience configuring it, but for the GCP instance I'm a bit confused by the fact that I have only a single interface!?

My setup:
side 1: VyOS at home facing WAN on eth0 and LAN on eth1.
side 2: VyOS instance on GCP, single interface eth0 on the LAN. The VM instance has a static public IP associated with it.

thank you.

Hi, with a little experimenting I found a solution to my own question. The idea was to treat the GCP VyOS instance as a firewall behind NAT. Full configuration below for the Office VyOS and the GCP VyOS; the key line there is set vpn ipsec site-to-site peer 3.24.14.19 authentication remote-id '192.168.0.1'
on the Office VyOS, which allows the IPsec tunnel to form on an IP that is not the peer IP.

====== Office VyOS configs =======

interface setup:

$ sh int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address        S/L   Description
eth0         12.25.9.114/24    u/u   OUTSIDE
eth1         1.1.1.1/24        u/u   INSIDE

Firewall configs

set firewall name WAN-LOCAL default-action 'drop'
set firewall name WAN-LOCAL rule 101 action 'accept'
set firewall name WAN-LOCAL rule 101 state established 'enable'
set firewall name WAN-LOCAL rule 101 state related 'enable'
set firewall name WAN-LOCAL rule 102 action 'drop'
set firewall name WAN-LOCAL rule 102 state invalid 'enable'
set firewall name WAN-LOCAL rule 103 action 'accept'
set firewall name WAN-LOCAL rule 103 description 'SSH remote access'
set firewall name WAN-LOCAL rule 103 destination port '22'
set firewall name WAN-LOCAL rule 103 protocol 'tcp'
set firewall name WAN-LOCAL rule 104 action 'accept'
set firewall name WAN-LOCAL rule 104 description 'allow IPSEC'
set firewall name WAN-LOCAL rule 104 destination port '500'
set firewall name WAN-LOCAL rule 104 protocol 'udp'
set firewall name WAN-LOCAL rule 105 action 'accept'
set firewall name WAN-LOCAL rule 105 description 'allow ESP'
set firewall name WAN-LOCAL rule 105 protocol 'esp'

Apply the firewall to the "outside" interface

set interfaces ethernet eth0 firewall local name 'WAN-LOCAL'

Exclude interesting traffic from NAT

set nat source rule 500 description 'GCP-VPN-TEST'
set nat source rule 500 destination address '2.2.2.0/24'
set nat source rule 500 exclude
set nat source rule 500 outbound-interface 'eth0'
set nat source rule 500 source address '1.1.1.0/24'

ESP group configs

set vpn ipsec esp-group cld-esp compression 'disable'
set vpn ipsec esp-group cld-esp lifetime '1800'
set vpn ipsec esp-group cld-esp mode 'tunnel'
set vpn ipsec esp-group cld-esp pfs 'enable'
set vpn ipsec esp-group cld-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group cld-esp proposal 1 hash 'sha1'

IKE group configs

set vpn ipsec ike-group cld-ike ikev2-reauth 'no'
set vpn ipsec ike-group cld-ike key-exchange 'ikev1'
set vpn ipsec ike-group cld-ike lifetime '3600'
set vpn ipsec ike-group cld-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group cld-ike proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'

Site-to-Site configs

set vpn ipsec site-to-site peer 3.24.14.19 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 3.24.14.19 authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer 3.24.14.19 authentication remote-id '192.168.0.1'
set vpn ipsec site-to-site peer 3.24.14.19 ike-group 'cld-ike'
set vpn ipsec site-to-site peer 3.24.14.19 local-address '12.25.9.114'
set vpn ipsec site-to-site peer 3.24.14.19 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 3.24.14.19 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 3.24.14.19 tunnel 0 esp-group 'cld-esp'
set vpn ipsec site-to-site peer 3.24.14.19 tunnel 0 local prefix '1.1.1.0/24'
set vpn ipsec site-to-site peer 3.24.14.19 tunnel 0 remote prefix '2.2.2.0/24'

====== GCP VyOS configs =======

interface setup:

~$ sh int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address        S/L   Description
eth0         192.168.0.1/24    u/u
dum6         2.2.2.1/24        u/u

Exclude interesting traffic from NAT

set nat source rule 500 description 'GCP-VPN-TEST'
set nat source rule 500 destination address '1.1.1.0/24'
set nat source rule 500 exclude
set nat source rule 500 outbound-interface 'eth0'
set nat source rule 500 source address '2.2.2.0/24'

ESP group configs

set vpn ipsec esp-group offs-esp compression 'disable'
set vpn ipsec esp-group offs-esp lifetime '1800'
set vpn ipsec esp-group offs-esp mode 'tunnel'
set vpn ipsec esp-group offs-esp pfs 'enable'
set vpn ipsec esp-group offs-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group offs-esp proposal 1 hash 'sha1'

IKE group configs

set vpn ipsec ike-group offs-ike ikev2-reauth 'no'
set vpn ipsec ike-group offs-ike key-exchange 'ikev1'
set vpn ipsec ike-group offs-ike lifetime '3600'
set vpn ipsec ike-group offs-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group offs-ike proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'

Site-to-Site configs

set vpn ipsec site-to-site peer 12.25.9.114 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 12.25.9.114 authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer 12.25.9.114 ike-group 'offs-ike'
set vpn ipsec site-to-site peer 12.25.9.114 local-address '192.168.0.1'
set vpn ipsec site-to-site peer 12.25.9.114 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 12.25.9.114 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 12.25.9.114 tunnel 0 esp-group 'offs-esp'
set vpn ipsec site-to-site peer 12.25.9.114 tunnel 0 local prefix '2.2.2.0/24'
set vpn ipsec site-to-site peer 12.25.9.114 tunnel 0 remote prefix '1.1.1.0/24'

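Because the GCP peer identifies itself with a remote-id that is not its public address, the two configs have to mirror each other exactly: the remote-id on one side must equal the local-address on the other, the pre-shared secret and the tunnel prefixes must match crosswise, and the source-NAT exclusion must cover the same prefixes as the tunnel or traffic is NATed to the WAN address before it can match the IPsec policy. The Python script below is an added example, not code from the post or from VyOS: it parses each side's `set` commands and reports those mismatches. Its input is a constructed subset of the two configs above in which the office-side NAT exclusion deliberately points at a prefix the tunnel does not carry, and it additionally flags that WAN-LOCAL accepts udp/500 but not udp/4500, the port a NAT-traversed IKE peer switches to (the `WAN-LOCAL` name and the peer/prefix values are taken from the thread; everything else is the script's own assumption).

```python
"""Cross-check two VyOS site-to-site IPsec configs for common mismatches.

Added example, not from the forum post or the VyOS project. The configs
below are constructed samples modelled on the thread; the office NAT
exclusion is deliberately wrong so the check has something to report.
"""
import shlex

OFFICE_CFG = """
set firewall name WAN-LOCAL rule 104 destination port '500'
set firewall name WAN-LOCAL rule 104 protocol 'udp'
set firewall name WAN-LOCAL rule 105 protocol 'esp'
set nat source rule 500 destination address '192.168.6.0/24'
set nat source rule 500 exclude
set nat source rule 500 outbound-interface 'eth0'
set nat source rule 500 source address '1.1.1.0/24'
set vpn ipsec site-to-site peer 3.24.14.19 authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer 3.24.14.19 authentication remote-id '192.168.0.1'
set vpn ipsec site-to-site peer 3.24.14.19 local-address '12.25.9.114'
set vpn ipsec site-to-site peer 3.24.14.19 tunnel 0 local prefix '1.1.1.0/24'
set vpn ipsec site-to-site peer 3.24.14.19 tunnel 0 remote prefix '2.2.2.0/24'
"""

GCP_CFG = """
set nat source rule 500 destination address '1.1.1.0/24'
set nat source rule 500 exclude
set nat source rule 500 outbound-interface 'eth0'
set nat source rule 500 source address '2.2.2.0/24'
set vpn ipsec site-to-site peer 12.25.9.114 authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer 12.25.9.114 local-address '192.168.0.1'
set vpn ipsec site-to-site peer 12.25.9.114 tunnel 0 local prefix '2.2.2.0/24'
set vpn ipsec site-to-site peer 12.25.9.114 tunnel 0 remote prefix '1.1.1.0/24'
"""


def parse_set_commands(text):
    """Return each 'set ...' line as a tuple of tokens (quotes stripped by shlex)."""
    return [tuple(shlex.split(line)[1:]) for line in text.splitlines()
            if line.strip().startswith("set ")]


def leaf(cfg, *prefix):
    """Value that directly follows `prefix` in one config line, or None."""
    for path in cfg:
        if len(path) == len(prefix) + 1 and path[:len(prefix)] == prefix:
            return path[-1]
    return None


def children(cfg, *prefix):
    """Distinct tokens that follow `prefix` (peer addresses, rule numbers, ...)."""
    return sorted({p[len(prefix)] for p in cfg
                   if len(p) > len(prefix) and p[:len(prefix)] == prefix})


def peers(cfg):
    """Map peer address -> local-address, PSK, remote-id and tunnel prefixes."""
    out = {}
    for addr in children(cfg, "vpn", "ipsec", "site-to-site", "peer"):
        base = ("vpn", "ipsec", "site-to-site", "peer", addr)
        tunnels = {n: (leaf(cfg, *base, "tunnel", n, "local", "prefix"),
                       leaf(cfg, *base, "tunnel", n, "remote", "prefix"))
                   for n in children(cfg, *base, "tunnel")}
        out[addr] = {"local": leaf(cfg, *base, "local-address"),
                     "psk": leaf(cfg, *base, "authentication", "pre-shared-secret"),
                     "remote_id": leaf(cfg, *base, "authentication", "remote-id"),
                     "tunnels": tunnels}
    return out


def nat_excludes(cfg):
    """(source, destination) pairs of source-NAT rules marked 'exclude'."""
    rules = []
    for n in children(cfg, "nat", "source", "rule"):
        base = ("nat", "source", "rule", n)
        if (*base, "exclude") in cfg:
            rules.append((leaf(cfg, *base, "source", "address"),
                          leaf(cfg, *base, "destination", "address")))
    return rules


def udp_ports(cfg, fw_name):
    """Destination ports accepted for UDP by the named firewall ruleset."""
    ports = set()
    for n in children(cfg, "firewall", "name", fw_name, "rule"):
        base = ("firewall", "name", fw_name, "rule", n)
        if leaf(cfg, *base, "protocol") == "udp":
            ports.add(leaf(cfg, *base, "destination", "port"))
    return ports


def check_side(name, cfg, other_cfg, fw_name="WAN-LOCAL"):
    """Findings for side `name` (config `cfg`) checked against the other side."""
    findings = []
    mine, theirs, excludes = peers(cfg), peers(other_cfg), nat_excludes(cfg)
    has_fw = bool(children(cfg, "firewall", "name", fw_name, "rule"))
    for addr, p in mine.items():
        # With remote-id set, the peer authenticates as that ID (behind NAT);
        # otherwise its IKE identity is just its address.
        expected_id = p["remote_id"] or addr
        match = next((q for q in theirs.values() if q["local"] == expected_id), None)
        if match is None:
            findings.append(f"{name}: no peer on the other side has local-address {expected_id}")
            continue
        if p["psk"] != match["psk"]:
            findings.append(f"{name}: pre-shared-secret for peer {addr} differs between sides")
        for n, (loc, rem) in p["tunnels"].items():
            if match["tunnels"].get(n) != (rem, loc):
                findings.append(f"{name}: tunnel {n} prefixes {loc}->{rem} are not mirrored")
            if (loc, rem) not in excludes:
                findings.append(f"{name}: no source-NAT exclusion for {loc} -> {rem}")
        if has_fw and p["remote_id"] and p["remote_id"] != addr and "4500" not in udp_ports(cfg, fw_name):
            findings.append(f"{name}: peer {addr} is behind NAT but {fw_name} lacks udp/4500 (NAT-T)")
    return findings


if __name__ == "__main__":
    office, gcp = parse_set_commands(OFFICE_CFG), parse_set_commands(GCP_CFG)
    for finding in check_side("office", office, gcp) + check_side("gcp", gcp, office):
        print(finding)
```

Run against the two constructed configs it reports two office-side findings (the NAT exclusion that does not cover 1.1.1.0/24 -> 2.2.2.0/24, and the missing udp/4500 rule) and nothing for the GCP side; paste the real `show configuration commands` output of both routers into the two strings to check a live pair.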