Hi All,
Based on a VyOS blog post by Daniil Baturin, I have built the following configuration for interconnecting one head office (H1) with two branch offices (B1, B2) on VyOS 1.1.8, and it almost works. The “almost” in the subject means that at H1, whenever the VyOS box is rebooted, the VPN only comes up after I enter “restart vpn” (H1 is configured to respond and the branches to initiate, so after a reboot H1 should only need to listen).
So I built an ISO from the Crux (1.2) branch and tested it without success, then tried a rolling-release image from two days ago, also with no luck.
The first thing I found out is that 1.2.0 does not accept rsa-keys generated by previous versions: it simply refuses to load the vpn section from the config file (1.2 apparently stores the RSA keys in a different format from 1.1.x, so they have to be regenerated and re-exchanged rather than copied over). After regenerating new rsa-keys on all sides and exchanging them, the VPN simply does not come up, and I cannot find any log output for it at all.
So, if you could take a look at the following trimmed config files for H1 and B2 (addresses and MACs are partly redacted and the RSA public key values are removed) and give me some tips, heads-ups, improvements, misconceptions — hell, anything — I would highly appreciate it.
H1
interfaces {
/* GRE endpoint address for the tunnel to B2 (remote xxx.xxx.254.6). The IPsec policy below protects exactly this /32 <-> B2's /32, not the eth0 addresses. */
dummy dum0 {
address xxx.xxx.254.1/32
}
/* GRE endpoint address for the tunnel to B1 (remote xxx.xxx.254.14), protected by the @b1 peer's IPsec policy. */
dummy dum1 {
address xxx.xxx.254.9/32
}
/* Only non-dummy interface, so presumably the one on which IKE/ESP from the branches actually arrives and the HQ LAN (/22) that OSPF advertises in area 0. */
ethernet eth0 {
address xxx.xxx.3.246/22
duplex auto
hw-id XX:XX:XX:c1:9d:c9
smp_affinity auto
speed auto
}
loopback lo {
}
/* GRE to B2 between the dummy /32s. GRE itself is unauthenticated and unencrypted; it is only private because the IPsec policy for 254.1 <-> 254.6 covers exactly these endpoints, so keep local-ip/remote-ip and the tunnel prefixes in lock step. NOTE(review): a possible cause of the 1.1.8 "works only after restart vpn" symptom is the vpn service starting before dum0/dum1 carry their addresses at boot -- TODO confirm by comparing boot-time entries in "show log vpn". */
tunnel tun0 {
address xxx.xxx.0.1/29
encapsulation gre
local-ip xxx.xxx.254.1
multicast disable
remote-ip xxx.xxx.254.6
}
/* GRE to B1 between dum1 and B1's dummy address; same caveats as tun0. */
tunnel tun1 {
address xxx.xxx.0.9/29
encapsulation gre
local-ip xxx.xxx.254.9
multicast disable
remote-ip xxx.xxx.254.14
}
}
protocols {
/* H1 is the ABR: area 0 holds the HQ LAN (eth0, xxx.xxx.0.0/22) and tun0 towards B2, area 1 holds tun1 towards B1. A "network" statement only enables OSPF on local interfaces whose address falls inside it. */
ospf {
area 0 {
network xxx.xxx.0.0/29
/* NOTE(review): xxx.xxx.35.0/24 and xxx.xxx.97.0/24 match no H1 interface, so both are no-ops here; but 97.0/24 is the LAN B2 advertises in area 0 while it is listed under area 1 below -- the two look swapped. Harmless on H1, confusing for the next reader. */
network xxx.xxx.35.0/24
/* NOTE(review): this enables OSPF on the office LAN (eth0) with no authentication and no passive-interface, so any host on the LAN can form an adjacency and inject routes into the whole VPN. Add "protocols ospf passive-interface eth0" unless there are other OSPF routers on the LAN, or enable md5 authentication on eth0 and the area. */
network xxx.xxx.0.0/22
}
area 1 {
network xxx.xxx.0.8/29
network xxx.xxx.97.0/24
}
log-adjacency-changes {
}
/* Router-id pinned to the dum0 address so it does not change with eth0. */
parameters {
abr-type cisco
router-id xxx.xxx.254.1
}
/* Static routes are injected as external type-2; check that no default route or unintended static ends up advertised to the branches. */
redistribute {
static {
metric-type 2
}
}
}
}
...
vpn {
ipsec {
/* Phase 2: AES-256 / HMAC-SHA-256, tunnel mode, PFS (reuses the IKE DH group, 14), 1h SA lifetime. Sound choices; must match the branches byte for byte (B2's copy below does). */
esp-group e-default {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha256
}
}
/* Phase 1: IKEv1 main mode with RSA signatures, AES-256 / SHA-256 / DH14, 8h lifetime. "ikev2-reauth" has no effect with key-exchange ikev1. Once things work on 1.2, IKEv2 is worth considering; it is better supported by strongSwan 5. */
ike-group i-default {
/* NOTE(review): the peers below only "respond" and have no fixed remote address, so on a DPD timeout there is nothing H1 can re-initiate; "action clear" is probably the honest setting on this side, with B1/B2 doing the restarting. */
dead-peer-detection {
action restart
interval 30
timeout 60
}
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 14
encryption aes256
hash sha256
}
}
/* NOTE(review): IKE/ESP from the branches arrives on eth0; dum0/dum1 only hold the GRE endpoint /32s. On 1.1.8 this list was, as far as I know, not honoured by strongSwan, but on 1.2 it appears to be passed to charon as the interfaces it may use, in which case IKE on eth0 is never seen and nothing is logged -- which matches the symptom. Try "interface eth0" here (and on the branches). TODO confirm with "sudo ipsec statusall" on the 1.2 box. */
ipsec-interfaces {
interface dum0
interface dum1
}
nat-traversal enable
site-to-site {
/* A peer name starting with "@" is an IKE identity, not an address: H1 listens on any local address and accepts an initiator that identifies itself as @b1 and whose signature verifies with rsa-key "b1". H1 never initiates. */
peer @b1 {
/* NOTE(review): the local id is "h1" (no "@") while B2 configures its own id as "@b2"; identities must match exactly what the other side expects as peer / remote-id, so use the same form on every box, and check the charon log for "no matching peer config". */
authentication {
id h1
mode rsa
rsa-key-name b1
}
connection-type respond
default-esp-group e-default
ike-group i-default
ikev2-reauth inherit
local-address any
/* Only dum1 (254.9) <-> B1's dummy (254.14) is protected; all user traffic rides inside GRE tun1 between exactly those addresses. */
tunnel 2 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix xxx.xxx.254.9/32
}
remote {
prefix xxx.xxx.254.14/32
}
}
}
/* Same pattern for B2: identity @b2, public key "b2", protecting dum0 (254.1) <-> B2's dum0 (254.6), which carries GRE tun0. */
peer @b2 {
authentication {
id h1
mode rsa
rsa-key-name b2
}
connection-type respond
default-esp-group e-default
ike-group i-default
ikev2-reauth inherit
local-address any
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix xxx.xxx.254.1/32
}
remote {
prefix xxx.xxx.254.6/32
}
}
}
}
}
/* Public keys of the branches (values trimmed from this post). With "mode rsa" the local private key is also needed (vpn rsa-keys local-key file; 1.1.x defaults to /config/ipsec.d/rsa-keys/localhost.key) and must never be copied between boxes. NOTE(review): 1.2 apparently uses a different key format, so keys from 1.1.8 must be regenerated with "generate vpn rsa-key" on 1.2 and re-exchanged, as the post already did. */
rsa-keys {
rsa-key-name b1 {
}
rsa-key-name b2 {
}
}
}
B2
interfaces {
/* GRE endpoint /32 for the tunnel to H1; the IPsec policy protects exactly this address <-> H1's xxx.xxx.254.1. */
dummy dum0 {
address xxx.xxx.254.6/32
}
/* Branch LAN (/24) and, being the only non-dummy interface, presumably the interface the IKE/ESP packets to H1 actually leave on. */
ethernet eth0 {
address xxx.xxx.97.247/24
duplex auto
hw-id XX:XX:XX:af:d5:cf
smp_affinity auto
speed auto
}
loopback lo {
}
/* GRE to H1's dum0, endpoints matching H1's tun0 in reverse. Plain GRE: only private while the IPsec policy for 254.6 <-> 254.1 is up and covers exactly these endpoints. */
tunnel tun0 {
address xxx.xxx.0.6/29
encapsulation gre
local-ip xxx.xxx.254.6
multicast disable
remote-ip xxx.xxx.254.1
}
}
protocols {
/* Single-area router: advertises the branch LAN (eth0) and the tun0 /29 in area 0. "abr-type" is harmless here since B2 has only one area. */
ospf {
area 0 {
/* NOTE(review): OSPF runs on the office LAN with no authentication and no passive-interface, so any host on the LAN can form an adjacency and inject routes into the whole VPN. Add "protocols ospf passive-interface eth0" unless there are other OSPF routers on the LAN, or enable md5 authentication on eth0 and the area. */
network xxx.xxx.97.0/24
network xxx.xxx.0.0/29
}
log-adjacency-changes {
}
/* Router-id pinned to the dummy address so it does not change with eth0. */
parameters {
abr-type cisco
router-id xxx.xxx.254.6
}
/* Static routes are injected as external type-2; check that no default route or unintended static is leaked to H1. */
redistribute {
static {
metric-type 2
}
}
}
}
...
vpn {
ipsec {
/* Must match H1's e-default exactly (it does: AES-256 / SHA-256, tunnel mode, PFS, 3600s). */
esp-group e-default {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha256
}
}
/* Must match H1's i-default (it does). B2 is the initiator, so "action restart" is the right DPD action on this side. */
ike-group i-default {
dead-peer-detection {
action restart
interval 30
timeout 60
}
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 14
encryption aes256
hash sha256
}
}
/* NOTE(review): as on H1, IKE/ESP to H1 leaves via eth0, not dum0; on 1.2 this list appears to restrict which interfaces charon uses, so try "interface eth0" here. */
ipsec-interfaces {
interface dum0
}
nat-traversal enable
site-to-site {
/* H1 is addressed by hostname, resolved when the vpn config is applied (so DNS must be reachable at boot). B2 initiates, identifies itself as @b2, expects H1 to identify as "h1" and verifies H1's signature with rsa-key "h1". NOTE(review): H1 lists this peer as "@b2" and its own id as "h1" (no "@"); keep the id forms identical on both sides to avoid a silent identity mismatch. */
peer xxxxx.tld {
authentication {
id @b2
mode rsa
remote-id h1
rsa-key-name h1
}
connection-type initiate
default-esp-group e-default
ike-group i-default
ikev2-reauth inherit
local-address any
/* Mirror of tunnel 1 on H1: dum0 (254.6) <-> H1's dum0 (254.1), carrying GRE tun0. Only this /32 pair is encrypted. */
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix xxx.xxx.254.6/32
}
remote {
prefix xxx.xxx.254.1/32
}
}
}
}
}
/* H1's public key (value trimmed). The local private key (vpn rsa-keys local-key file) must be the one whose public half H1 holds as rsa-key "b2", and it must have been regenerated on 1.2 if the box was upgraded from 1.1.8. */
rsa-keys {
rsa-key-name h1 {
}
}
}
Cheers,
Joao