2022年9月24日 星期六

Configure a site-to-site VPN with VyOS

















References

https://docs.vyos.io/en/equuleus/configuration/vpn/site2site_ipsec.html

My Lab Setup (lab values only: the pre-shared-secret 'vyos', IKEv1 with dh-group 2, the sha1 ESP hash and pfs 'disable' shown below are weak demo settings, not production choices)


vyos@vyos-a:~$ show configuration commands 

set firewall all-ping 'enable'

set firewall broadcast-ping 'disable'

set firewall config-trap 'disable'

set firewall group network-group INTERNAL_NETWORKS network '192.168.100.0/24'

set firewall ipv6-receive-redirects 'disable'

set firewall ipv6-src-route 'disable'

set firewall ip-src-route 'disable'

set firewall log-martians 'enable'

set firewall name OUTSIDE-LOCAL default-action 'drop'

set firewall name OUTSIDE-LOCAL rule 20 action 'accept'

set firewall name OUTSIDE-LOCAL rule 20 destination port '22'

set firewall name OUTSIDE-LOCAL rule 20 protocol 'tcp'

set firewall name OUTSIDE-LOCAL rule 20 source group network-group 'INTERNAL_NETWORKS'

set firewall name OUTSIDE-LOCAL rule 20 state established 'enable'

set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'

set firewall name OUTSIDE-LOCAL rule 20 state related 'enable'

set firewall receive-redirects 'disable'

set firewall send-redirects 'enable'

set firewall source-validation 'disable'

set firewall syn-cookies 'enable'

set firewall twa-hazards-protection 'disable'

set interfaces ethernet eth0 address '192.168.100.168/24'

set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'

set interfaces ethernet eth0 hw-id '00:0c:29:21:27:05'

set interfaces ethernet eth1 address '76.3.2.1/24'

set interfaces ethernet eth1 hw-id '00:0c:29:21:27:fb'

set interfaces loopback lo

set protocols static route 0.0.0.0/0 next-hop 192.168.100.1

set protocols static route 10.1.1.0/24 next-hop 76.3.2.254

set protocols static route 210.1.2.0/24 next-hop 76.3.2.254

set service ssh listen-address '192.168.100.168'

set service ssh port '22'

set system config-management commit-revisions '100'

set system conntrack modules ftp

set system conntrack modules h323

set system conntrack modules nfs

set system conntrack modules pptp

set system conntrack modules sip

set system conntrack modules sqlnet

set system conntrack modules tftp

set system console device ttyS0 speed '115200'

set system host-name 'vyos-a'

set system login user vyos authentication encrypted-password 

set system login user vyos authentication plaintext-password 

set system ntp server time1.vyos.net

set system ntp server time2.vyos.net

set system ntp server time3.vyos.net

set system syslog global facility all level 'info'

set system syslog global facility protocols level 'debug'

set vpn ipsec esp-group IPSEC-PROPOSAL compression 'disable'

set vpn ipsec esp-group IPSEC-PROPOSAL lifetime '14400'

set vpn ipsec esp-group IPSEC-PROPOSAL mode 'tunnel'

set vpn ipsec esp-group IPSEC-PROPOSAL pfs 'disable'

set vpn ipsec esp-group IPSEC-PROPOSAL proposal 1 encryption 'aes256'

set vpn ipsec esp-group IPSEC-PROPOSAL proposal 1 hash 'sha1'

set vpn ipsec ike-group IKE-PROPOSAL close-action 'none'

set vpn ipsec ike-group IKE-PROPOSAL ikev2-reauth 'no'

set vpn ipsec ike-group IKE-PROPOSAL key-exchange 'ikev1'

set vpn ipsec ike-group IKE-PROPOSAL lifetime '14400'

set vpn ipsec ike-group IKE-PROPOSAL proposal 1 dh-group '2'

set vpn ipsec ike-group IKE-PROPOSAL proposal 1 encryption 'aes256'

set vpn ipsec ike-group IKE-PROPOSAL proposal 1 hash 'sha256'

set vpn ipsec ipsec-interfaces interface 'eth1'

set vpn ipsec site-to-site peer 210.1.2.1 authentication mode 'pre-shared-secret'

set vpn ipsec site-to-site peer 210.1.2.1 authentication pre-shared-secret 'vyos'

set vpn ipsec site-to-site peer 210.1.2.1 connection-type 'initiate'

set vpn ipsec site-to-site peer 210.1.2.1 ike-group 'IKE-PROPOSAL'

set vpn ipsec site-to-site peer 210.1.2.1 ikev2-reauth 'inherit'

set vpn ipsec site-to-site peer 210.1.2.1 local-address '76.3.2.1'

set vpn ipsec site-to-site peer 210.1.2.1 tunnel 1 allow-nat-networks 'disable'

set vpn ipsec site-to-site peer 210.1.2.1 tunnel 1 allow-public-networks 'disable'

set vpn ipsec site-to-site peer 210.1.2.1 tunnel 1 esp-group 'IPSEC-PROPOSAL'

set vpn ipsec site-to-site peer 210.1.2.1 tunnel 1 local prefix '192.168.100.0/24'

set vpn ipsec site-to-site peer 210.1.2.1 tunnel 1 remote prefix '10.1.1.0/24'

==============================

vyos@vyos-b:~$ show configuration commands 

set firewall all-ping 'enable'

set firewall broadcast-ping 'disable'

set firewall config-trap 'disable'

set firewall group network-group INTERNAL_NETWORKS network '192.168.100.0/24'

set firewall group network-group INTERNAL_NETWORKS network '10.1.1.0/24'

set firewall ipv6-receive-redirects 'disable'

set firewall ipv6-src-route 'disable'

set firewall ip-src-route 'disable'

set firewall log-martians 'enable'

set firewall name OUTSIDE-LOCAL default-action 'drop'

set firewall name OUTSIDE-LOCAL rule 20 action 'accept'

set firewall name OUTSIDE-LOCAL rule 20 destination port '22'

set firewall name OUTSIDE-LOCAL rule 20 protocol 'tcp'

set firewall name OUTSIDE-LOCAL rule 20 source group network-group 'INTERNAL_NETWORKS'

set firewall name OUTSIDE-LOCAL rule 20 state established 'enable'

set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'

set firewall name OUTSIDE-LOCAL rule 20 state related 'enable'

set firewall receive-redirects 'disable'

set firewall send-redirects 'enable'

set firewall source-validation 'disable'

set firewall syn-cookies 'enable'

set firewall twa-hazards-protection 'disable'

set interfaces ethernet eth0 address '10.1.1.168/24'

set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'

set interfaces ethernet eth0 hw-id '00:0c:29:f9:dd:95'

set interfaces ethernet eth1 address '210.1.2.1/24'

set interfaces ethernet eth1 hw-id '00:0c:29:f9:dd:9f'

set interfaces loopback lo

set protocols static route 0.0.0.0/0 next-hop 210.1.2.254

  

   

set service ssh listen-address '10.1.1.168'

set service ssh port '22'

set system config-management commit-revisions '100'

set system conntrack modules ftp

set system conntrack modules h323

set system conntrack modules nfs

set system conntrack modules pptp

set system conntrack modules sip

set system conntrack modules sqlnet

set system conntrack modules tftp

set system console device ttyS0 speed '115200'

set system host-name 'vyos-b'

set system login user vyos authentication encrypted-password 

set system login user vyos authentication plaintext-password 

set system ntp server time1.vyos.net

set system ntp server time2.vyos.net

set system ntp server time3.vyos.net

set system syslog global facility all level 'info'

set system syslog global facility protocols level 'debug'

set vpn ipsec esp-group IPSEC-PROPOSAL compression 'disable'

set vpn ipsec esp-group IPSEC-PROPOSAL lifetime '14400'

set vpn ipsec esp-group IPSEC-PROPOSAL mode 'tunnel'

set vpn ipsec esp-group IPSEC-PROPOSAL pfs 'disable'

set vpn ipsec esp-group IPSEC-PROPOSAL proposal 1 encryption 'aes256'

set vpn ipsec esp-group IPSEC-PROPOSAL proposal 1 hash 'sha1'

set vpn ipsec ike-group IKE-PROPOSAL close-action 'none'

set vpn ipsec ike-group IKE-PROPOSAL ikev2-reauth 'no'

set vpn ipsec ike-group IKE-PROPOSAL key-exchange 'ikev1'

set vpn ipsec ike-group IKE-PROPOSAL lifetime '14400'

set vpn ipsec ike-group IKE-PROPOSAL proposal 1 dh-group '2'

set vpn ipsec ike-group IKE-PROPOSAL proposal 1 encryption 'aes256'

set vpn ipsec ike-group IKE-PROPOSAL proposal 1 hash 'sha256'

set vpn ipsec ipsec-interfaces interface 'eth1'

set vpn ipsec site-to-site peer 76.3.2.1 authentication mode 'pre-shared-secret'

set vpn ipsec site-to-site peer 76.3.2.1 authentication pre-shared-secret 'vyos'

set vpn ipsec site-to-site peer 76.3.2.1 connection-type 'initiate'

set vpn ipsec site-to-site peer 76.3.2.1 ike-group 'IKE-PROPOSAL'

set vpn ipsec site-to-site peer 76.3.2.1 ikev2-reauth 'inherit'

set vpn ipsec site-to-site peer 76.3.2.1 local-address '210.1.2.1'

set vpn ipsec site-to-site peer 76.3.2.1 tunnel 1 allow-nat-networks 'disable'

set vpn ipsec site-to-site peer 76.3.2.1 tunnel 1 allow-public-networks 'disable'

set vpn ipsec site-to-site peer 76.3.2.1 tunnel 1 esp-group 'IPSEC-PROPOSAL'

set vpn ipsec site-to-site peer 76.3.2.1 tunnel 1 local prefix '10.1.1.0/24'

set vpn ipsec site-to-site peer 76.3.2.1 tunnel 1 remote prefix '192.168.100.0/24'


===========================

vyos@vyos-a:~$ show vpn ike sa

Peer ID / IP                            Local ID / IP               

------------                            -------------

210.1.2.1                             76.3.2.1                               


    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time

    -----  ------  -------  ----    ---------      -----  ------  ------

    up     IKEv1   aes256   sha256_128 2(MODP_1024)   no     3600    14400  


 

vyos@vyos-a:~$ show vpn ipsec sa

Connection                 State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal

-------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ------------------------

peer-210.1.2.1-tunnel-1  up       16m22s    23K/20K         194/282           210.1.2.1       N/A          AES_CBC_256/HMAC_SHA1_96


vyos@vyos-a:~$ show arp 

Address                  HWtype  HWaddress           Flags Mask            Iface

192.168.100.1            ether   c8:3a:35:23:eb:c8   C                     eth0

192.168.100.40           ether   70:85:c2:6a:8d:d9   C                     eth0

76.1.1.254               ether   00:0c:29:14:49:e0   C                     eth1

vyos@vyos-a:~$ 


========================================

vyos@vyos-b:~$ show vpn ike sa 

Peer ID / IP                            Local ID / IP               

------------                            -------------

76.3.2.1                                210.1.2.1                            


    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time

    -----  ------  -------  ----    ---------      -----  ------  ------

    up     IKEv1   aes256   sha256_128 2(MODP_1024)   no     3600    14400  


 

vyos@vyos-b:~$ show vpn ipsec sa

Connection              State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal

----------------------  -------  --------  --------------  ----------------  ----------------  -----------  ------------------------

peer-76.3.2.1-tunnel-1  up       14m45s    20K/23K         279/191           76.3.2.1          N/A          AES_CBC_256/HMAC_SHA1_96

vyos@vyos-b:~$ 



vyos@vyos-b:~$ sh arp 

Address                  HWtype  HWaddress           Flags Mask            Iface

210.69.8.254             ether   00:0c:29:14:49:ea   C                     eth1

10.1.1.10                ether   00:0c:29:7d:d6:23   C                     eth0

vyos@vyos-b:~$