References
https://docs.vyos.io/en/equuleus/configuration/vpn/site2site_ipsec.html
My Lab Setting: two VyOS routers (vyos-a and vyos-b) joined by a policy-based site-to-site IPsec tunnel between 192.168.100.0/24 and 10.1.1.0/24 across a lab "WAN" (76.3.2.1 on vyos-a eth1, 210.1.2.1 on vyos-b eth1). Everything below is a lab configuration: the pre-shared key 'vyos', IKEv1, DH group 2 (1024-bit MODP), SHA-1 ESP integrity and PFS disabled are convenient for a test bench but should not be copied into production — see the notes in each configuration dump.
vyos@vyos-a:~$ show configuration commands
# ---- vyos-a: site A router (LAN 192.168.100.0/24 on eth0, lab "WAN" 76.3.2.1 on eth1) ----
# Captured with `show configuration commands`; the `set` lines can be pasted into
# `configure` mode. Lines starting with '#' are review notes, not part of the dump.
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
# Only the local LAN counts as "internal" on this router. The remote site
# 10.1.1.0/24 is NOT in this group, so hosts behind vyos-b cannot SSH to vyos-a
# (vyos-b's copy of the same group lists both LANs) — decide which you want.
set firewall group network-group INTERNAL_NETWORKS network '192.168.100.0/24'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
# Local (to-the-router) ruleset: default drop plus one SSH allow rule.
# NOTE(review): nothing here accepts established/related traffic in general, so
# replies to sessions the router itself opens out of eth0 (NTP to the servers
# below, reached via the default route on eth0; also ping to the router's LAN
# address, despite all-ping 'enable') presumably have no accept rule and are
# dropped — confirm with `show ntp` / `show log firewall`. The usual fix is a
# rule 10 with action 'accept' and state established/related 'enable'.
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 destination port '22'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 20 source group network-group 'INTERNAL_NETWORKS'
set firewall name OUTSIDE-LOCAL rule 20 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 20 state related 'enable'
set firewall receive-redirects 'disable'
# Sending ICMP redirects is normally disabled on a router that faces untrusted networks.
set firewall send-redirects 'enable'
# Reverse-path filtering is off; 'strict' (or 'loose' if routing is asymmetric)
# drops packets with spoofed source addresses.
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
# eth0 = LAN side, and the only interface that has a local firewall attached.
set interfaces ethernet eth0 address '192.168.100.168/24'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
set interfaces ethernet eth0 hw-id '00:0c:29:21:27:05'
# eth1 = the lab "public" side the tunnel terminates on (ipsec-interfaces below).
# It has NO firewall, so the IKE daemon and any service bound to all addresses
# are reachable from that network unfiltered. In production attach a local
# ruleset that permits only UDP/500, UDP/4500 and ESP from the peer 210.1.2.1.
# Also: 76.3.2.0/24 and 210.1.2.0/24 are real public prefixes; write-ups should
# use the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
set interfaces ethernet eth1 address '76.3.2.1/24'
set interfaces ethernet eth1 hw-id '00:0c:29:21:27:fb'
set interfaces loopback lo
# Default route leaves via the LAN side (eth0); the peer's network and the remote
# LAN are routed out eth1 so ESP leaves the interface IPsec is bound to.
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
# NOTE(review): this is a policy-based tunnel (no VTI). While the tunnel is down,
# traffic for 10.1.1.0/24 presumably follows this route to 76.3.2.254 in
# cleartext — verify, and add an eth1 'out' rule (or a blackhole/VTI design)
# if that leak is unacceptable.
set protocols static route 10.1.1.0/24 next-hop 76.3.2.254
set protocols static route 210.1.2.0/24 next-hop 76.3.2.254
# SSH is bound to the LAN address only, so it is not exposed on the unfirewalled eth1.
set service ssh listen-address '192.168.100.168'
set service ssh port '22'
set system config-management commit-revisions '100'
# Connection-tracking helpers (ALGs) parse application payloads in the kernel;
# each enabled helper is extra attack surface. Keep only those actually needed.
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'vyos-a'
# Password values are blank in this dump (presumably redacted by the author).
# Make sure the default 'vyos' account no longer carries the image's default password.
set system login user vyos authentication encrypted-password
set system login user vyos authentication plaintext-password
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
set system syslog global facility all level 'info'
# 'debug' for protocols helps while bringing the tunnel up; drop back to 'info'
# afterwards — it is noisy and can log more than you want to keep.
set system syslog global facility protocols level 'debug'
# ---- IPsec phase 2 (ESP) ----
set vpn ipsec esp-group IPSEC-PROPOSAL compression 'disable'
set vpn ipsec esp-group IPSEC-PROPOSAL lifetime '14400'
set vpn ipsec esp-group IPSEC-PROPOSAL mode 'tunnel'
# PFS off: the ESP keys are derived from the IKE SA keying material, so a
# compromise of the IKE SA exposes all tunnel traffic within its lifetime.
# Enable PFS with dh-group 14 or an ECP group (19/20) in production.
set vpn ipsec esp-group IPSEC-PROPOSAL pfs 'disable'
set vpn ipsec esp-group IPSEC-PROPOSAL proposal 1 encryption 'aes256'
# Negotiates HMAC_SHA1_96 (see the `show vpn ipsec sa` output further down).
# SHA-1 is legacy; prefer sha256, or an AEAD cipher such as aes256gcm128 which
# needs no separate integrity algorithm.
set vpn ipsec esp-group IPSEC-PROPOSAL proposal 1 hash 'sha1'
# ---- IPsec phase 1 (IKE) ----
set vpn ipsec ike-group IKE-PROPOSAL close-action 'none'
# ikev2-reauth has no effect while key-exchange is 'ikev1'.
set vpn ipsec ike-group IKE-PROPOSAL ikev2-reauth 'no'
# IKEv1 is a legacy protocol; use 'ikev2' for new deployments.
set vpn ipsec ike-group IKE-PROPOSAL key-exchange 'ikev1'
set vpn ipsec ike-group IKE-PROPOSAL lifetime '14400'
# DH group 2 = 1024-bit MODP (shown as MODP_1024 in `show vpn ike sa`), which
# is considered breakable by well-resourced attackers (Logjam). Use group 14
# (2048-bit) or better, or ECP groups 19/20.
set vpn ipsec ike-group IKE-PROPOSAL proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-PROPOSAL proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-PROPOSAL proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth1'
# ---- peer: vyos-b at 210.1.2.1 ----
set vpn ipsec site-to-site peer 210.1.2.1 authentication mode 'pre-shared-secret'
# 'vyos' is a lab-only secret and is the only thing authenticating the peer.
# Use a long random value per peer (e.g. `openssl rand -base64 32`) or switch
# to certificate (x509) authentication. `show configuration commands` prints
# the PSK in the clear — scrub it before sharing dumps.
set vpn ipsec site-to-site peer 210.1.2.1 authentication pre-shared-secret 'vyos'
set vpn ipsec site-to-site peer 210.1.2.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 210.1.2.1 ike-group 'IKE-PROPOSAL'
set vpn ipsec site-to-site peer 210.1.2.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 210.1.2.1 local-address '76.3.2.1'
set vpn ipsec site-to-site peer 210.1.2.1 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 210.1.2.1 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 210.1.2.1 tunnel 1 esp-group 'IPSEC-PROPOSAL'
# Traffic selectors: local LAN <-> remote LAN. These must mirror vyos-b's tunnel 1.
set vpn ipsec site-to-site peer 210.1.2.1 tunnel 1 local prefix '192.168.100.0/24'
set vpn ipsec site-to-site peer 210.1.2.1 tunnel 1 remote prefix '10.1.1.0/24'
==============================
vyos@vyos-b:~$ show configuration commands
# ---- vyos-b: site B router (LAN 10.1.1.0/24 on eth0, lab "WAN" 210.1.2.1 on eth1) ----
# Captured with `show configuration commands`; the `set` lines can be pasted into
# `configure` mode. Lines starting with '#' are review notes, not part of the dump.
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
# Unlike vyos-a, this router treats BOTH LANs as internal, so hosts at site A
# can SSH to vyos-b through the tunnel. That is a wider trust boundary than
# vyos-a grants; keep the two sides consistent on purpose, not by accident.
set firewall group network-group INTERNAL_NETWORKS network '192.168.100.0/24'
set firewall group network-group INTERNAL_NETWORKS network '10.1.1.0/24'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
# Local (to-the-router) ruleset on eth0: default drop plus one SSH allow rule.
# NOTE(review): no rule accepts established/related traffic in general, so
# anything other than SSH that LAN hosts send to the router's own address
# (ping to 10.1.1.168, for instance, despite all-ping 'enable') is presumably
# dropped — confirm with `show log firewall` and add a rule 10 with action
# 'accept' and state established/related 'enable' if that is not intended.
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 destination port '22'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 20 source group network-group 'INTERNAL_NETWORKS'
set firewall name OUTSIDE-LOCAL rule 20 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 20 state related 'enable'
set firewall receive-redirects 'disable'
# Sending ICMP redirects is normally disabled on a router that faces untrusted networks.
set firewall send-redirects 'enable'
# Reverse-path filtering is off; 'strict' (or 'loose' if routing is asymmetric)
# drops packets with spoofed source addresses.
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
# eth0 = LAN side, and the only interface that has a local firewall attached.
set interfaces ethernet eth0 address '10.1.1.168/24'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
set interfaces ethernet eth0 hw-id '00:0c:29:f9:dd:95'
# eth1 = the lab "public" side; it carries the default route AND the tunnel, yet
# has NO firewall, so the IKE daemon and any service bound to all addresses are
# reachable from that network unfiltered. In production attach a local ruleset
# permitting only UDP/500, UDP/4500 and ESP from the peer 76.3.2.1 (plus the
# established/related replies to the router's own outbound sessions).
# Also: 210.1.2.0/24 and 76.3.2.0/24 are real public prefixes; write-ups should
# use the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
set interfaces ethernet eth1 address '210.1.2.1/24'
set interfaces ethernet eth1 hw-id '00:0c:29:f9:dd:9f'
set interfaces loopback lo
# Everything not local, including the remote LAN 192.168.100.0/24 and the peer,
# leaves via eth1 through this default route.
# NOTE(review): with a policy-based tunnel (no VTI), traffic for 192.168.100.0/24
# presumably follows this route to 210.1.2.254 in cleartext while the tunnel is
# down — verify, and add an eth1 'out' rule (or a blackhole/VTI design) if that
# leak is unacceptable.
set protocols static route 0.0.0.0/0 next-hop 210.1.2.254
# SSH is bound to the LAN address only, so it is not exposed on the unfirewalled eth1.
set service ssh listen-address '10.1.1.168'
set service ssh port '22'
set system config-management commit-revisions '100'
# Connection-tracking helpers (ALGs) parse application payloads in the kernel;
# each enabled helper is extra attack surface. Keep only those actually needed.
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'vyos-b'
# Password values are blank in this dump (presumably redacted by the author).
# Make sure the default 'vyos' account no longer carries the image's default password.
set system login user vyos authentication encrypted-password
set system login user vyos authentication plaintext-password
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
set system syslog global facility all level 'info'
# 'debug' for protocols helps while bringing the tunnel up; drop back to 'info'
# afterwards — it is noisy and can log more than you want to keep.
set system syslog global facility protocols level 'debug'
# ---- IPsec phase 2 (ESP); must match vyos-a's IPSEC-PROPOSAL ----
set vpn ipsec esp-group IPSEC-PROPOSAL compression 'disable'
set vpn ipsec esp-group IPSEC-PROPOSAL lifetime '14400'
set vpn ipsec esp-group IPSEC-PROPOSAL mode 'tunnel'
# PFS off: the ESP keys are derived from the IKE SA keying material, so a
# compromise of the IKE SA exposes all tunnel traffic within its lifetime.
# Enable PFS with dh-group 14 or an ECP group (19/20) in production (both ends).
set vpn ipsec esp-group IPSEC-PROPOSAL pfs 'disable'
set vpn ipsec esp-group IPSEC-PROPOSAL proposal 1 encryption 'aes256'
# Negotiates HMAC_SHA1_96 (see the `show vpn ipsec sa` output further down).
# SHA-1 is legacy; prefer sha256, or an AEAD cipher such as aes256gcm128 which
# needs no separate integrity algorithm. Change it on both routers together.
set vpn ipsec esp-group IPSEC-PROPOSAL proposal 1 hash 'sha1'
# ---- IPsec phase 1 (IKE); must match vyos-a's IKE-PROPOSAL ----
set vpn ipsec ike-group IKE-PROPOSAL close-action 'none'
# ikev2-reauth has no effect while key-exchange is 'ikev1'.
set vpn ipsec ike-group IKE-PROPOSAL ikev2-reauth 'no'
# IKEv1 is a legacy protocol; use 'ikev2' for new deployments.
set vpn ipsec ike-group IKE-PROPOSAL key-exchange 'ikev1'
set vpn ipsec ike-group IKE-PROPOSAL lifetime '14400'
# DH group 2 = 1024-bit MODP (shown as MODP_1024 in `show vpn ike sa`), which
# is considered breakable by well-resourced attackers (Logjam). Use group 14
# (2048-bit) or better, or ECP groups 19/20.
set vpn ipsec ike-group IKE-PROPOSAL proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-PROPOSAL proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-PROPOSAL proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth1'
# ---- peer: vyos-a at 76.3.2.1 ----
set vpn ipsec site-to-site peer 76.3.2.1 authentication mode 'pre-shared-secret'
# 'vyos' is a lab-only secret and is the only thing authenticating the peer.
# Use a long random value per peer (e.g. `openssl rand -base64 32`), identical
# on both ends, or switch to certificate (x509) authentication. This dump
# prints the PSK in the clear — scrub it before sharing.
set vpn ipsec site-to-site peer 76.3.2.1 authentication pre-shared-secret 'vyos'
set vpn ipsec site-to-site peer 76.3.2.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 76.3.2.1 ike-group 'IKE-PROPOSAL'
set vpn ipsec site-to-site peer 76.3.2.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 76.3.2.1 local-address '210.1.2.1'
set vpn ipsec site-to-site peer 76.3.2.1 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 76.3.2.1 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 76.3.2.1 tunnel 1 esp-group 'IPSEC-PROPOSAL'
# Traffic selectors: local LAN <-> remote LAN, the mirror image of vyos-a's tunnel 1.
set vpn ipsec site-to-site peer 76.3.2.1 tunnel 1 local prefix '10.1.1.0/24'
set vpn ipsec site-to-site peer 76.3.2.1 tunnel 1 remote prefix '192.168.100.0/24'
===========================
vyos@vyos-a:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
210.1.2.1 76.3.2.1
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv1 aes256 sha256_128 2(MODP_1024) no 3600 14400
vyos@vyos-a:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
------------------------- ------- -------- -------------- ---------------- ---------------- ----------- ------------------------
peer-210.1.2.1-tunnel-1 up 16m22s 23K/20K 194/282 210.1.2.1 N/A AES_CBC_256/HMAC_SHA1_96
vyos@vyos-a:~$ show arp
Address HWtype HWaddress Flags Mask Iface
192.168.100.1 ether c8:3a:35:23:eb:c8 C eth0
192.168.100.40 ether 70:85:c2:6a:8d:d9 C eth0
76.1.1.254 ether 00:0c:29:14:49:e0 C eth1
vyos@vyos-a:~$
========================================
vyos@vyos-b:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
76.3.2.1 210.1.2.1
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv1 aes256 sha256_128 2(MODP_1024) no 3600 14400
vyos@vyos-b:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
---------------------- ------- -------- -------------- ---------------- ---------------- ----------- ------------------------
peer-76.3.2.1-tunnel-1 up 14m45s 20K/23K 279/191 76.3.2.1 N/A AES_CBC_256/HMAC_SHA1_96
vyos@vyos-b:~$
vyos@vyos-b:~$ sh arp
Address HWtype HWaddress Flags Mask Iface
210.69.8.254 ether 00:0c:29:14:49:ea C eth1
10.1.1.10 ether 00:0c:29:7d:d6:23 C eth0
vyos@vyos-b:~$