Hey! So today we will be tackling the setup of a VyOS site-to-site VPN. In theory there is nothing really difficult about this one; it is just a matter of choosing the right options.
What I would really like to highlight here, which I believe is quite useful (although not always possible to achieve), is using a VTI (Virtual Tunnel Interface) instead of local/remote prefixes (more reading here). So let's get to it 🙂 All of these commands will be part of a single commit.
First we tackle the virtual interface:
set interfaces vti vti0 address 10.1.0.1/32
set interfaces vti vti0 description 'VPN_VTI0'
Of course the description is optional; however, I like the system to be well described so that other people can also quickly understand what it is and why it is there.
Next I fill out the phase 1 and phase 2 settings. Here I cannot help much, as these will differ per endpoint you are setting your VPN up with, so treat this only as a point of reference.
# Phase 2
set vpn ipsec esp-group ESP-Default compression 'disable'
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default mode 'tunnel'
set vpn ipsec esp-group ESP-Default pfs 'dh-group2'
set vpn ipsec esp-group ESP-Default proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha1'
# Phase 1
set vpn ipsec ike-group IKE-Default dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-Default dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-Default dead-peer-detection timeout '90'
set vpn ipsec ike-group IKE-Default ikev2-reauth 'no'
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec ike-group IKE-Default lifetime '86400'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'
Cool, so we have the base. Now we need to define which interface will handle our VPN traffic:
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec logging log-modes 'all'
And then I move on to configuring the site-to-site VPN:
# Setup the site-2-site config
set vpn ipsec site-to-site peer <remote-IP-address> authentication id '<local-WAN-IP-address>'
set vpn ipsec site-to-site peer <remote-IP-address> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <remote-IP-address> authentication pre-shared-secret 'this-Of-course-Is-Some-paaaassshpraseeee'
set vpn ipsec site-to-site peer <remote-IP-address> connection-type 'initiate'
set vpn ipsec site-to-site peer <remote-IP-address> default-esp-group 'ESP-Default'
set vpn ipsec site-to-site peer <remote-IP-address> ike-group 'IKE-Default'
set vpn ipsec site-to-site peer <remote-IP-address> ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer <remote-IP-address> local-address '<local-WAN-IP-address>'
Once that is done we need to associate our VTI interface with this site-to-site VPN. The bind must name the VTI we created above (vti0), otherwise the tunnel comes up with no interface behind it. This is done by issuing the following:
# Make use of our VTI interface
set vpn ipsec site-to-site peer <remote-IP-address> vti bind vti0
set vpn ipsec site-to-site peer <remote-IP-address> vti esp-group ESP-Default
Cool, easy wasn't it? 🙂 Now we can configure OSPF. I did mine this way:
set protocols ospf parameters router-id <remote-IP-address>
set protocols ospf area 0.0.0.0 network 192.168.1.0/24
set protocols ospf area 0.0.0.0 network 192.168.2.0/24
set interfaces vti vti0 ip ospf network point-to-point
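Because all of the above lands in a single commit, it is easy to bind the peer to one VTI, run OSPF on another, and not notice until the adjacency never forms. The following checker is an added example, not code from the post or from VyOS: it parses a set of `set ...` lines, confirms that the VTI a peer binds actually exists and carries the OSPF point-to-point setting, and flags the legacy algorithm choices in the ESP and IKE proposals (3DES, SHA-1, DH group 2 and IKEv1 are all values a reviewer would question today). The sample config is constructed from the post's commands with the placeholders filled in using an RFC 5737 documentation address, and the `vti bind vti1` slip deliberately kept so there is something to catch; the list of "weak" values is this example's own assumption and should follow your organisation's crypto policy.

```python
import shlex

# Constructed sample (not a real deployment): the post's commands with the
# placeholders replaced by a documentation address, and the vti0/vti1 mismatch
# left in on purpose so the checker has something to report.
SAMPLE_CONFIG = """
set interfaces vti vti0 address 10.1.0.1/32
set interfaces vti vti0 description 'VPN_VTI0'
# Phase 2
set vpn ipsec esp-group ESP-Default compression 'disable'
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default mode 'tunnel'
set vpn ipsec esp-group ESP-Default pfs 'dh-group2'
set vpn ipsec esp-group ESP-Default proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha1'
# Phase 1
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 203.0.113.2 default-esp-group 'ESP-Default'
set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'IKE-Default'
set vpn ipsec site-to-site peer 203.0.113.2 vti bind vti1
set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group ESP-Default
set interfaces vti vti0 ip ospf network point-to-point
"""

# Assumption: values a reviewer would flag as weak or legacy. Adjust to your
# own policy; the keys are the last-but-one token of the VyOS set command.
WEAK_VALUES = {
    "encryption": {"des", "3des", "blowfish"},
    "hash": {"md5", "sha1"},
    "dh-group": {"1", "2", "5"},                      # ike-group proposal dh-group
    "pfs": {"dh-group1", "dh-group2", "dh-group5"},   # esp-group pfs
    "key-exchange": {"ikev1"},                        # legacy protocol version
}


def parse_config(text):
    """Turn 'set ...' lines into token lists (after 'set'); skip blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # also strips the quotes VyOS prints around values
        if tokens and tokens[0] == "set":
            entries.append(tokens[1:])
    return entries


def find_weak_algorithms(entries):
    """Report esp-group / ike-group settings whose value is in WEAK_VALUES."""
    findings = []
    for t in entries:
        if len(t) >= 5 and t[:2] == ["vpn", "ipsec"] and t[2] in ("esp-group", "ike-group"):
            key, value = t[-2], t[-1]
            if key in WEAK_VALUES and value.lower() in WEAK_VALUES[key]:
                findings.append(f"{t[2]} {t[3]}: {key} '{value}' is weak or legacy")
    return findings


def _bound_vtis(entries):
    """VTIs named in 'site-to-site peer <ip> vti bind <vti>' commands."""
    return {t[7] for t in entries
            if len(t) >= 8 and t[:4] == ["vpn", "ipsec", "site-to-site", "peer"]
            and t[5:7] == ["vti", "bind"]}


def find_unbound_vti(entries):
    """A peer that binds a VTI which was never created under 'interfaces vti'."""
    defined = {t[2] for t in entries if len(t) > 2 and t[:2] == ["interfaces", "vti"]}
    findings = []
    for t in entries:
        if len(t) >= 8 and t[:4] == ["vpn", "ipsec", "site-to-site", "peer"] \
                and t[5:7] == ["vti", "bind"] and t[7] not in defined:
            findings.append(f"peer {t[4]} binds {t[7]} but no 'interfaces vti {t[7]}' is defined")
    return findings


def find_ospf_on_unbound_vti(entries):
    """OSPF point-to-point on a VTI no peer binds will never form an adjacency."""
    bound = _bound_vtis(entries)
    findings = []
    for t in entries:
        if len(t) >= 7 and t[:2] == ["interfaces", "vti"] \
                and t[3:7] == ["ip", "ospf", "network", "point-to-point"] and t[2] not in bound:
            findings.append(f"OSPF point-to-point is set on {t[2]} but no peer binds it")
    return findings


def check_config(text):
    """Run every check over a block of 'set' commands and return all findings."""
    entries = parse_config(text)
    return find_weak_algorithms(entries) + find_unbound_vti(entries) + find_ospf_on_unbound_vti(entries)


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the output of `show configuration commands` (or the file you keep in git) before committing; on the sample above it reports the five legacy algorithm values plus the vti0/vti1 mismatch twice, once from the peer side and once from the OSPF side, and changing the bind to vti0 clears both of the interface findings.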
The full config is, as usual, available on GitHub.
Any experience with challenges? Maybe better ways? Post in the comments!