
Vyos – Site to site VPN using VTI and OSPF

Hey! Today we will be tackling the setup of a VyOS site-to-site VPN. In theory there is nothing really difficult about it – it's just a matter of choosing the right options.

What I would really like to highlight here, which I believe is quite useful (although not always possible to achieve), is using a VTI (Virtual Tunnel Interface) instead of local/remote prefixes (more reading here). So let's get to it 🙂 All of these commands will be part of a single commit.

First we tackle the virtual interface:

set interfaces vti vti0 address 10.1.0.1/32
set interfaces vti vti0 description 'VPN_VTI0'

Of course the description is optional, however I like the system to be well described so other people can also quickly understand what it is and why it is there.

Next I fill out the phase 1 and phase 2 settings. Here I cannot help much, as they will differ per endpoint you are setting up your VPN with, so treat this only as a point of reference. Note that the ESP proposal below (3DES, SHA-1, DH group 2) is a legacy suite; use the strongest one both ends support.

# Phase 2
set vpn ipsec esp-group ESP-Default compression 'disable'
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default mode 'tunnel'
set vpn ipsec esp-group ESP-Default pfs 'dh-group2'
set vpn ipsec esp-group ESP-Default proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha1'

# Phase 1
set vpn ipsec ike-group IKE-Default dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-Default dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-Default dead-peer-detection timeout '90'
set vpn ipsec ike-group IKE-Default ikev2-reauth 'no'
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec ike-group IKE-Default lifetime '86400'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'


Cool – so we have the base. Now we need to define which interface will handle our VPN traffic:

set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec logging log-modes 'all'


Then I move on to configuring the site-to-site VPN:

# Setup the site-2-site config
set vpn ipsec site-to-site peer <remote-IP-address> authentication id '<local-WAN-IP-address>'
set vpn ipsec site-to-site peer <remote-IP-address> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <remote-IP-address> authentication pre-shared-secret 'this-Of-course-Is-Some-paaaassshpraseeee'
set vpn ipsec site-to-site peer <remote-IP-address> connection-type 'initiate'
set vpn ipsec site-to-site peer <remote-IP-address> default-esp-group 'ESP-Default'
set vpn ipsec site-to-site peer <remote-IP-address> ike-group 'IKE-Default'
set vpn ipsec site-to-site peer <remote-IP-address> ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer <remote-IP-address> local-address '<local-WAN-IP-address>'

Once done we need to associate our VTI interface with this site-to-site VPN. This is done by issuing the following:

# Make use of our VTI interface (the bind target must be the vti defined above)
set vpn ipsec site-to-site peer <remote-IP-address> vti bind vti0
set vpn ipsec site-to-site peer <remote-IP-address> vti esp-group ESP-Default


Cool – easy, wasn't it? 🙂 Now we can configure OSPF. I did mine this way:

# OSPF: advertise both LAN prefixes and run point-to-point over the tunnel
set protocols ospf parameters router-id <remote-IP-address>
set protocols ospf area 0.0.0.0 network 192.168.1.0/24
set protocols ospf area 0.0.0.0 network 192.168.2.0/24
set interfaces vti vti0 ip ospf network point-to-point
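Because all of the above lands in a single commit, a typo such as binding a peer to a vti that was never defined, or referencing an esp-group under a different name, is easy to miss until the tunnel silently stays down. The following is an added example (not part of the original post and not a VyOS tool) that parses a list of `set` commands exactly as they would be pasted into `configure` and reports the inconsistencies a commit does not catch for you. It goes slightly beyond the post: it also flags legacy algorithm choices and, if `zone-policy` is in use, a VTI that belongs to no zone (the pitfall a reader describes in the comments below). The peer address 203.0.113.2, the extra zone-policy line and the list of legacy values are constructed assumptions.

```python
"""Pre-commit consistency check for a VyOS 'set ...' command list.

Added example, not part of the original post or of VyOS. It parses the
commands as they would be pasted into 'configure', then flags things a
commit will not catch for you: a 'vti bind' to an interface that was
never defined, references to esp/ike groups that do not exist, legacy
algorithms, and (if zone-policy is in use) a VTI that belongs to no zone.
"""
import shlex

# Constructed sample: the post's commands with a documentation peer address,
# the vti0/vti1 mismatch left in on purpose, and a zone-policy line added
# so the zone check has something to look at.
SAMPLE_CONFIG = """
set interfaces vti vti0 address 10.1.0.1/32
set interfaces vti vti0 description 'VPN_VTI0'
# Phase 2
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default pfs 'dh-group2'
set vpn ipsec esp-group ESP-Default proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha1'
# Phase 1
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'
set vpn ipsec site-to-site peer 203.0.113.2 default-esp-group 'ESP-Default'
set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'IKE-Default'
set vpn ipsec site-to-site peer 203.0.113.2 vti bind vti1
set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group ESP-Default
set interfaces vti vti0 ip ospf network point-to-point
set zone-policy zone LAN interface eth0
"""

# Values considered legacy by current standards (assumption: general IPsec
# guidance, not a VyOS-specific rule).
LEGACY_VALUES = {"des", "3des", "md5", "sha1", "dh-group1", "dh-group2",
                 "dh-group5", "ikev1"}
LEGACY_DH_GROUPS = {"1", "2", "5"}


def parse_set_commands(text):
    """Return one token list per 'set' line, with comments and quotes stripped."""
    commands = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("set "):
            commands.append(shlex.split(line)[1:])
    return commands


def zone_covers(iface, zone_ifaces):
    """A zone interface entry ending in '+' is a prefix wildcard (e.g. 'vti+')."""
    return any(z == iface or (z.endswith("+") and iface.startswith(z[:-1]))
               for z in zone_ifaces)


def lint(text):
    """Return a list of human-readable findings; an empty list means consistent."""
    cmds = parse_set_commands(text)
    findings = []
    vtis = {c[2] for c in cmds if c[:2] == ["interfaces", "vti"] and len(c) > 2}
    esp_groups = {c[3] for c in cmds if c[:3] == ["vpn", "ipsec", "esp-group"] and len(c) > 3}
    ike_groups = {c[3] for c in cmds if c[:3] == ["vpn", "ipsec", "ike-group"] and len(c) > 3}
    zone_ifaces = [c[4] for c in cmds
                   if c[:2] == ["zone-policy", "zone"] and len(c) > 4 and c[3] == "interface"]
    uses_zones = any(c[:2] == ["zone-policy", "zone"] for c in cmds)

    for c in cmds:
        # Cross-references from the peer block back to what was actually defined.
        if c[:4] == ["vpn", "ipsec", "site-to-site", "peer"] and len(c) > 6:
            peer, rest = c[4], c[5:]
            if rest[:2] == ["vti", "bind"] and len(rest) > 2 and rest[2] not in vtis:
                findings.append(f"peer {peer}: binds {rest[2]} but defined VTIs are {sorted(vtis)}")
            if rest[0] == "default-esp-group" and rest[1] not in esp_groups:
                findings.append(f"peer {peer}: esp-group {rest[1]} is not defined")
            if rest[:2] == ["vti", "esp-group"] and len(rest) > 2 and rest[2] not in esp_groups:
                findings.append(f"peer {peer}: vti esp-group {rest[2]} is not defined")
            if rest[0] == "ike-group" and rest[1] not in ike_groups:
                findings.append(f"peer {peer}: ike-group {rest[1]} is not defined")
        # Legacy algorithm choices in either phase.
        if c[:3] in (["vpn", "ipsec", "esp-group"], ["vpn", "ipsec", "ike-group"]) and len(c) > 4:
            value = c[-1].lower()
            if value in LEGACY_VALUES or (c[-2] == "dh-group" and value in LEGACY_DH_GROUPS):
                findings.append(f"{c[2]} {c[3]}: '{c[-2]} {c[-1]}' is a legacy choice")

    # With zone-policy active, an interface that is in no zone exchanges no traffic.
    if uses_zones:
        for vti in sorted(vtis):
            if not zone_covers(vti, zone_ifaces):
                findings.append(f"{vti} is not in any zone-policy zone; add it (e.g. 'interface vti+')")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against the pasted commands before committing; on the constructed sample it reports the vti0/vti1 mismatch, the five legacy algorithm settings and the missing zone membership. Feeding it `show configuration commands` output from a running box works the same way, since that output is the same `set` syntax.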


The full config is, as usual, available on GitHub.


Any experience with challenges? Maybe better ways? Post in the comments!

rafpe

9 Comments

  1. I have a few questions (I'm new to this). Can this method work fine in a lab with masquerading? It seems that when I configured this I am showing that the VPN is up but my devices can't access the outside world once I complete it.

    • You would need to describe more information about your lab setup. Difficult for me to say with so little information.

  2. Thank you for posting this awesome article. I'm a long time reader but I've never been compelled to leave a comment.

    I subscribed to your blog and shared it on my Twitter.
    Thanks again for this great article!

  3. Oh, there’s the issue! I just figured out this form of error was caused by the combination of my use of `zone-policy` for the firewalls.

    After I set up the `vti`, I forgot to add it to the policy. That command is:

    > set zone-policy zone interface vti+

    The `+` is a wildcard that accepts all types. Note that the CLI will complain about it, but it’s not an error.

  4. Thanks for a great post on this! One point of experience is that this won't work against older Vyatta instances; they don't have VTI capability. @dmbaturin was kind enough to steer me to how easy it was to upgrade at http://vyos.net/wiki/Upgrade, and when I remembered that I do still have console on the boxes, I found it went as smoothly as it was shown there.

    The problem I am facing right now with version 1.1.7 is that the quagga process (which runs OSPF) on both sides gives a message of the form:

    > Jul 10 19:22:30 router1 ospfd[1844]: *** sendmsg in ospf_write failed to 224.0.0.5, id 53107, off 0, len 64, interface vti0, mtu 1440: Operation not permitted

    I haven’t been successful at getting around it. My configuration is at https://gist.github.com/briantopping/7149a2523ac0a0a6cdad61a26a424a38 if anyone is curious.

  5. Whilst this is a good example of how to set up VTI (over IPsec) and OSPF, it is important for the reader to understand why you're doing this and how it's different to other setups.

    You've provided only information about how to get the connection set up but no information about how things connect to each other or any useful ways to debug the solution when the two ends do not connect. It is not obvious how the peers are connected as the example is only one-sided.

    Also, it would be helpful to explain why you would use OSPF – someone may for example see that this is the only way to facilitate OSPF; however, unless you understand routing protocols in some depth, OSPF is just some 'acronym' that does not really explain its proper uses.

    What information and knowledge are you expecting to show the reader about how the VTI works, how to troubleshoot issues, examples of logs – what information OSPF provides and how to diagnose routing issues / prefixes / LSAs?

    When I've used VyOS for BGP, OSPF, IPsec and VTI – I spent a lot of time trying to understand how and why I was doing what I was doing – I think there would be a lot of benefit to the reader in showing the whole picture of a working example of two VyOS nodes (or one VyOS node) talking to another with full OSPF LSA and tunnel information including logs 🙂

    • I see two solutions here: 1st – read the theory for yourself. There is a lot of literature and videos about it. The world of VPN is huge and it cannot be described in one simple, quick post. The 2nd possibility is to create many little posts on the blog with basic settings (like this one) and further posts with more specific examples/configurations for specific uses.
