VyOS – Site-to-site VPN using VTI and OSPF

Hey! Today we will be tackling the setup of a VyOS site-to-site VPN. In theory there is nothing really difficult about it – it's just a matter of choosing the right options.

What I would really like to highlight here, and which I believe is quite useful (although not always possible to achieve), is using a VTI (Virtual Tunnel Interface) instead of local/remote prefixes (more reading here). So let's get to it 🙂 All of these commands will be part of a single commit.

First we tackle the virtual interface:

set interfaces vti vti0 address 10.1.0.1/32
set interfaces vti vti0 description 'VPN_VTI0'

Of course the description is optional, however I like the system to be well described so that other people can quickly understand what something is and why it is there.

Next I fill out the phase 1 and phase 2 settings. Here I cannot help much, as they will differ depending on the endpoint you are setting up your VPN with, so treat this only as a point of reference:

# Phase 2 
set vpn ipsec esp-group ESP-Default compression 'disable' 
set vpn ipsec esp-group ESP-Default lifetime '3600' 
set vpn ipsec esp-group ESP-Default mode 'tunnel' 
set vpn ipsec esp-group ESP-Default pfs 'dh-group2' 
set vpn ipsec esp-group ESP-Default proposal 1 encryption '3des' 
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha1' 

# Phase 1 
set vpn ipsec ike-group IKE-Default dead-peer-detection action 'clear' 
set vpn ipsec ike-group IKE-Default dead-peer-detection interval '30' 
set vpn ipsec ike-group IKE-Default dead-peer-detection timeout '90' 
set vpn ipsec ike-group IKE-Default ikev2-reauth 'no' 
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1' 
set vpn ipsec ike-group IKE-Default lifetime '86400' 
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '2' 
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256' 
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'

Cool – so we have got the base. Now we need to define which interface will handle our VPN traffic:

set vpn ipsec ipsec-interfaces interface 'eth1' 
set vpn ipsec logging log-modes 'all'

And then I move on to configuring the site-to-site VPN:

# Setup the site-2-site config
set vpn ipsec site-to-site peer <remote-IP-address> authentication id '<local-WAN-IP-address>' 
set vpn ipsec site-to-site peer <remote-IP-address> authentication mode 'pre-shared-secret' 
set vpn ipsec site-to-site peer <remote-IP-address> authentication pre-shared-secret 'this-Of-course-Is-Some-paaaassshpraseeee' 
set vpn ipsec site-to-site peer <remote-IP-address> connection-type 'initiate' 
set vpn ipsec site-to-site peer <remote-IP-address> default-esp-group 'ESP-Default' 
set vpn ipsec site-to-site peer <remote-IP-address> ike-group 'IKE-Default' 
set vpn ipsec site-to-site peer <remote-IP-address> ikev2-reauth 'inherit' 
set vpn ipsec site-to-site peer <remote-IP-address> local-address '<local-WAN-IP-address>' 

Once done, we need to associate our VTI interface with this site-to-site VPN. This is done by issuing the following:

# Make use of our VTI interface (vti0, the interface created at the start)
set vpn ipsec site-to-site peer <remote-IP-address> vti bind vti0
set vpn ipsec site-to-site peer <remote-IP-address> vti esp-group ESP-Default
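
The reference proposals above include 3DES, SHA-1, DH group 2 and IKEv1, all legacy choices, and the VTI bind has to name the interface that was actually created. The following lint for VyOS `set` commands is an added example, not part of the original post; the weak-value policy, the name `audit_ipsec` and the sample peer address are assumptions of this example.

```python
import shlex

# Policy assumed by this example (not taken from the post or from VyOS):
# values a reviewer would flag as legacy in an IKE/ESP proposal.
WEAK = {
    "encryption": {"des", "3des"},
    "hash": {"md5", "sha1"},
    "dh-group": {"1", "2", "5"},
    "pfs": {"dh-group1", "dh-group2", "dh-group5"},
    "key-exchange": {"ikev1"},
}

def audit_ipsec(config_text):
    """Return sorted findings for a block of VyOS 'set' commands."""
    findings, vti_defined, vti_bound = set(), set(), {}
    for raw in config_text.splitlines():
        if not raw.strip().startswith("set "):
            continue  # comments and blank lines
        tok = shlex.split(raw)[1:]  # shlex strips the quotes around values
        if tok[:2] == ["interfaces", "vti"] and len(tok) > 2:
            vti_defined.add(tok[2])
        elif tok[:2] == ["vpn", "ipsec"] and len(tok) >= 4:
            key, value = tok[-2], tok[-1]
            if "peer" in tok and "vti" in tok and key == "bind":
                vti_bound[value] = tok[tok.index("peer") + 1]
            elif tok[2] in ("esp-group", "ike-group") and value in WEAK.get(key, ()):
                findings.add(f"{tok[2]} {tok[3]}: weak {key} '{value}'")
    for iface, peer in vti_bound.items():
        if iface not in vti_defined:
            findings.add(f"peer {peer}: bound to undefined interface {iface}")
    return sorted(findings)

# Constructed sample: crypto values as in the reference settings above,
# a documentation-range peer address, and a deliberately mismatched bind.
SAMPLE = """
set interfaces vti vti0 address 10.1.0.1/32
set vpn ipsec esp-group ESP-Default pfs 'dh-group2'
set vpn ipsec esp-group ESP-Default proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'
set vpn ipsec site-to-site peer 203.0.113.2 vti bind vti1
"""

if __name__ == "__main__":
    for finding in audit_ipsec(SAMPLE):
        print(finding)
```

Paste the output of `show configuration commands` into the function to run the same checks against a live router before committing.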

 

Cool – easy, wasn't it? 🙂 Now we can configure OSPF. I did mine this way:

set protocols ospf parameters router-id <remote-IP-address>
set protocols ospf area 0.0.0.0 network 192.168.1.0/24
set protocols ospf area 0.0.0.0 network 192.168.2.0/24
set interfaces vti vti0 ip ospf network point-to-point

 

The full config is, as usual, available on GitHub.

Any experience with challenges? Maybe better ways? Post in the comments!

Configure WSMan connectivity on VyOS firewall

This is just a quick write-up. When working with secure environments it might be necessary to open some firewall ports. If by any chance you are looking for how to do that on a VyOS firewall, you will find the details below.

Enter configuration mode:

# Enter configuration mode
configure

Create a new rule:

# Port Group 
set firewall group port-group WSMan port '5985-5986'

# Set the rule
set firewall name some-name rule 666 action 'accept'
set firewall name some-name rule 666 description 'Allow for PowerShell remoting'
set firewall name some-name rule 666 destination group network-group AllNetworks
set firewall name some-name rule 666 destination group port-group 'WSMan'
set firewall name some-name rule 666 protocol 'tcp'
set firewall name some-name rule 666 source group address-group 'my-management-servers'

The above might require a short explanation:

  • First we create a port group called WSMan
  • Then we create rule 666, which will allow PowerShell remoting
  • It will be allowed to the network group defined as AllNetworks (defining it is beyond the scope of this short post, so you can always find it in the documentation: http://vyos.net/wiki/User_Guide)
  • We specify that we allow the port group defined earlier (so in our case the WSMan ports)
  • Its protocol is TCP
  • And lastly we say that the source will be my management servers, defined as an address group named my-management-servers (again 🙂 I will refer you to the wiki for how to create those)

Once you are done with those, you need to make sure the configuration is committed. This is done by calling the following:

commit

 

If there are no validation errors, just save the config 🙂 so you are not surprised when it does not work after a reboot 🙂

save
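
A rule like 666 is only as tight as the groups it references, so it is worth checking that each referenced group is really defined and that no accept rule for the WSMan ports is left without a source. The lint below is an added example, not part of the original post; the name `audit_firewall`, the group members and rule 667 in the sample are constructed for illustration.

```python
import shlex

def audit_firewall(config_text, port_group="WSMan"):
    """Findings for rules that use `port_group`, from VyOS 'set' lines."""
    defined, rules = set(), {}
    for raw in config_text.splitlines():
        if not raw.strip().startswith("set "):
            continue  # comments and blank lines
        tok = shlex.split(raw)[1:]
        if tok[:2] == ["firewall", "group"] and len(tok) >= 4:
            defined.add((tok[2], tok[3]))  # e.g. ('address-group', 'name')
        elif tok[:2] == ["firewall", "name"] and tok[3:4] == ["rule"] and len(tok) > 5:
            rules.setdefault((tok[2], tok[4]), []).append(tok[5:])
    findings = []
    for (fw, num), opts in sorted(rules.items()):
        # Group references look like: <side> group <kind> <name>
        refs = [(o[0], o[2], o[3]) for o in opts if len(o) == 4 and o[1] == "group"]
        if ("destination", "port-group", port_group) not in refs:
            continue  # rule does not use the WSMan port group
        for side, kind, name in refs:
            if (kind, name) not in defined:
                findings.append(f"{fw} rule {num}: {side} {kind} '{name}' is not defined")
        accepts = ["action", "accept"] in opts
        has_source = any(o[0] == "source" for o in opts)
        if accepts and not has_source:
            findings.append(f"{fw} rule {num}: accepts {port_group} from any source")
    return findings

# Constructed sample: rule 666 references a misspelled address group and
# rule 667 has no source restriction. Addresses are documentation ranges.
SAMPLE_FW = """
set firewall group port-group WSMan port '5985-5986'
set firewall group network-group AllNetworks network '10.0.0.0/8'
set firewall group address-group my-management-servers address '192.0.2.10'
set firewall name some-name rule 666 action 'accept'
set firewall name some-name rule 666 destination group network-group AllNetworks
set firewall name some-name rule 666 destination group port-group 'WSMan'
set firewall name some-name rule 666 protocol 'tcp'
set firewall name some-name rule 666 source group address-group 'my-managemnt-servers'
set firewall name some-name rule 667 action 'accept'
set firewall name some-name rule 667 destination group port-group 'WSMan'
set firewall name some-name rule 667 protocol 'tcp'
"""

if __name__ == "__main__":
    for finding in audit_firewall(SAMPLE_FW):
        print(finding)
```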

 

Enjoy securing your networks 🙂