Hey! So today we will tackle setting up a VyOS site-to-site VPN. In theory there is nothing really difficult about it; it is just a matter of choosing the right options.
What I would really like to highlight here, which I believe is quite useful (although not always possible to achieve), is using a VTI (Virtual Tunnel Interface) instead of local/remote prefixes (more reading here). A route-based tunnel like this lets you run a routing protocol over it instead of maintaining matching prefix lists on both ends. So let's get to it 🙂 All of these commands will be part of a single commit. The syntax below is from older VyOS (1.1/1.2); VyOS 1.3 and later rename some of these nodes, so check `set vpn ipsec ?` on your release.
First we create the virtual tunnel interface. A /32 is fine for a point-to-point link, but keep in mind that OSPF will only run over vti0 if this address falls inside one of the OSPF network statements configured later on.
set interfaces vti vti0 address 10.1.0.1/32
set interfaces vti vti0 description 'VPN_VTI0'
Of course the description is optional, but I like the system to be well described so that other people can quickly understand what is there and why.
Next I fill out the phase 1 and phase 2 settings. Here I cannot help much, since they will differ per endpoint you are setting up your VPN with, so treat this only as a point of reference. One caveat: the ESP proposal below (3DES, SHA-1, PFS on DH group 2) is weak by today's standards; 3DES has a 64-bit block and group 2 is a 1024-bit MODP group. Negotiate AES-256 / SHA-256 with DH group 14 or stronger whenever the other end supports it.
# Phase 2
set vpn ipsec esp-group ESP-Default compression 'disable'
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default mode 'tunnel'
set vpn ipsec esp-group ESP-Default pfs 'dh-group2'
set vpn ipsec esp-group ESP-Default proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha1'
# Phase 1
set vpn ipsec ike-group IKE-Default dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-Default dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-Default dead-peer-detection timeout '90'
set vpn ipsec ike-group IKE-Default ikev2-reauth 'no'
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec ike-group IKE-Default lifetime '86400'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'
Cool, so we have the base. Two things worth knowing about the IKE group: ikev2-reauth only matters when key-exchange is ikev2, so with ikev1 it is a no-op here, and dead-peer-detection action 'clear' tears the SA down without re-initiating it, so for a VTI tunnel carrying OSPF you usually want 'restart' so the adjacency comes back on its own. Now we need to define which interface will handle our VPN traffic, and turn on logging.
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec logging log-modes 'all'
With log-modes set to 'all' the IKE daemon is very chatty, which is exactly what you want while bringing the tunnel up; tone it down once it is stable. Then I move on to the site-to-site configuration.
# Setup the site-2-site config
set vpn ipsec site-to-site peer <remote-IP-address> authentication id '<local-WAN-IP-address>'
set vpn ipsec site-to-site peer <remote-IP-address> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <remote-IP-address> authentication pre-shared-secret 'this-Of-course-Is-Some-paaaassshpraseeee'
set vpn ipsec site-to-site peer <remote-IP-address> connection-type 'initiate'
set vpn ipsec site-to-site peer <remote-IP-address> default-esp-group 'ESP-Default'
set vpn ipsec site-to-site peer <remote-IP-address> ike-group 'IKE-Default'
set vpn ipsec site-to-site peer <remote-IP-address> ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer <remote-IP-address> local-address '<local-WAN-IP-address>'
Use a long random pre-shared secret (for example the output of `openssl rand -base64 32`); it is stored in clear text in the configuration, so anyone who can read the config can impersonate the peer. Once done, we need to associate our VTI interface with this site-to-site VPN. The bind has to reference the interface we created earlier, vti0. This is done by issuing the following:
# Make use of our VTI interface
set vpn ipsec site-to-site peer <remote-IP-address> vti bind vti0
set vpn ipsec site-to-site peer <remote-IP-address> vti esp-group ESP-Default
Cool, easy wasn't it? 🙂 Now we can configure OSPF. The router-id identifies this router, so use a local address (the VTI address or a loopback), not the remote peer's. And the VTI subnet (10.1.0.1 here) has to be covered by a network statement, otherwise OSPF never runs over vti0 and the point-to-point setting on the last line has no effect. I did mine this way:
set protocols ospf parameters router-id <local-router-id>
set protocols ospf area 0.0.0.0 network 192.168.1.0/24
set protocols ospf area 0.0.0.0 network 192.168.2.0/24
set interfaces vti vti0 ip ospf network point-to-point
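Putting the fixes above together, here is a complete and internally consistent version of this configuration as an added example (my own, not the config from the post or its GitHub repository). It assumes VyOS 1.1/1.2 syntax, a /30 on the VTI with the peer at 10.1.0.2, the RFC 5737 documentation addresses 203.0.113.1 (remote) and 198.51.100.1 (local) as stand-ins for the real WAN addresses, and a local LAN of 192.168.1.0/24; the peer needs the mirror image with IDs, addresses and the LAN swapped.

```vyos
# Virtual tunnel interface. Assumed addressing: this side 10.1.0.1/30, peer 10.1.0.2/30
set interfaces vti vti0 address '10.1.0.1/30'
set interfaces vti vti0 description 'VPN_VTI0'

# Phase 2 (ESP): AES-256 / SHA-256 with PFS on group 14 instead of 3DES / SHA-1 / group 2
set vpn ipsec esp-group ESP-Default compression 'disable'
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default mode 'tunnel'
set vpn ipsec esp-group ESP-Default pfs 'dh-group14'
set vpn ipsec esp-group ESP-Default proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha256'

# Phase 1 (IKE): IKEv2, group 14; 'restart' re-initiates after a DPD failure
# so the OSPF adjacency comes back without waiting for interesting traffic
set vpn ipsec ike-group IKE-Default dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-Default dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-Default dead-peer-detection timeout '90'
set vpn ipsec ike-group IKE-Default key-exchange 'ikev2'
set vpn ipsec ike-group IKE-Default lifetime '28800'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'

# WAN-facing interface that terminates IPsec
set vpn ipsec ipsec-interfaces interface 'eth1'

# Peer. 203.0.113.1 / 198.51.100.1 are documentation addresses standing in for the real endpoints.
# Pin the remote identity too, and use a random secret (e.g. openssl rand -base64 32);
# the secret is stored in clear text in the config, so protect config backups accordingly.
set vpn ipsec site-to-site peer 203.0.113.1 authentication id '198.51.100.1'
set vpn ipsec site-to-site peer 203.0.113.1 authentication remote-id '203.0.113.1'
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret 'REPLACE-WITH-RANDOM-SECRET'
set vpn ipsec site-to-site peer 203.0.113.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 203.0.113.1 ike-group 'IKE-Default'
set vpn ipsec site-to-site peer 203.0.113.1 local-address '198.51.100.1'

# Bind the peer to the same VTI that was defined above (vti0, not vti1)
set vpn ipsec site-to-site peer 203.0.113.1 vti bind 'vti0'
set vpn ipsec site-to-site peer 203.0.113.1 vti esp-group 'ESP-Default'

# OSPF: router-id is a local identifier, and the VTI subnet must be covered by a
# network statement or no adjacency ever forms over vti0
set protocols ospf parameters router-id '10.1.0.1'
set protocols ospf area 0.0.0.0 network '10.1.0.0/30'
set protocols ospf area 0.0.0.0 network '192.168.1.0/24'
set interfaces vti vti0 ip ospf network 'point-to-point'

commit
save
```

After the commit, `show vpn ipsec sa` should list the tunnel as up, `show interfaces vti` should show vti0 up, and `show ip ospf neighbor` should show the peer's router-id in Full state over vti0. If the SA is up but the neighbor never appears, the first thing to check is that the VTI subnet is actually covered by an OSPF network statement on both ends.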
The full config is, as usual, available on GitHub.
Any experience with challenges? Maybe better ways? Post in the comments!