Vyos sample site-to-site vpn configuration
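# VyOS sample: route-based site-to-site IPsec VPN (IKEv1, pre-shared key) over a VTI, with OSPF.
# Replace the placeholders <local-wan-ip> and <remote-wan-ip> before committing. The remote side
# needs matching IKE/ESP proposals, the same pre-shared secret and the other address of the
# tunnel /30 (.189 when this side is .190).

# Virtual Tunnel Interface
# The /30 172.196.17.188 - 172.196.17.191 is the point-to-point link inside the tunnel;
# this router takes .190, the peer takes .189.
set interfaces vti vti0 address 172.196.17.190/30
set interfaces vti vti0 description 'Virtual tunnel interface for VPN tunnel'

# Phase 2 (ESP / child SA)
set vpn ipsec esp-group ESP-Default compression 'disable'
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default mode 'tunnel'
# Perfect forward secrecy with DH group 16 (4096-bit MODP): a compromised IKE key does not
# expose earlier ESP keys.
set vpn ipsec esp-group ESP-Default pfs 'dh-group16'
set vpn ipsec esp-group ESP-Default proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha256'

# Phase 1 (IKE SA)
# Dead-peer detection: with action 'clear' the SAs are torn down once the peer stops answering
# and are not rebuilt on their own. On an initiating side that carries OSPF you will usually
# want 'restart' so the tunnel comes back without manual intervention — review for your setup.
set vpn ipsec ike-group IKE-Default dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-Default dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-Default dead-peer-detection timeout '90'
set vpn ipsec ike-group IKE-Default ikev2-reauth 'no'
# SECURITY: IKEv1 is kept only for peers that cannot do IKEv2; prefer key-exchange 'ikev2'
# wherever the remote side supports it. Never combine IKEv1 aggressive mode with a PSK —
# the identity hash can be captured and cracked offline.
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec ike-group IKE-Default lifetime '86400'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '16'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'

# Interface that terminates IPsec: the WAN-facing interface that holds <local-wan-ip>.
# Change 'eth1' to match your hardware.
set vpn ipsec ipsec-interfaces interface 'eth1'
# 'all' is very verbose; it is useful while bringing the tunnel up — lower it afterwards.
set vpn ipsec logging log-modes 'all'

# Site-to-site peer
# The local IKE identity is the WAN address. With IKEv1 main mode and a PSK the identity
# must be the address the packets are actually sent from, so a router behind NAT will
# generally fail here.
set vpn ipsec site-to-site peer <remote-wan-ip> authentication id '<local-wan-ip>'
set vpn ipsec site-to-site peer <remote-wan-ip> authentication mode 'pre-shared-secret'
# SECURITY: the value below is a placeholder. Use a long random secret (32+ bytes from a
# CSPRNG) and never publish the real one in a gist or repository; it is stored in clear in
# the configuration and in any config backup.
set vpn ipsec site-to-site peer <remote-wan-ip> authentication pre-shared-secret 'some-super-uber-secret-password'
set vpn ipsec site-to-site peer <remote-wan-ip> connection-type 'initiate'
set vpn ipsec site-to-site peer <remote-wan-ip> default-esp-group 'ESP-Default'
set vpn ipsec site-to-site peer <remote-wan-ip> ike-group 'IKE-Default'
set vpn ipsec site-to-site peer <remote-wan-ip> ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer <remote-wan-ip> local-address '<local-wan-ip>'

# Route-based VPN: bind the peer to the VTI so that routing (OSPF below) decides what
# traffic enters the tunnel instead of a policy-based traffic selector.
set vpn ipsec site-to-site peer <remote-wan-ip> vti bind vti0
set vpn ipsec site-to-site peer <remote-wan-ip> vti esp-group ESP-Default

# OSPF over the tunnel instead of static routes.
# Review for your topology: area, networks and router-id depend on the deployment.
# The router-id must be unique per router: use an address that belongs to THIS router (its
# WAN address or a loopback), never the remote peer's address — otherwise the two ends clash
# on the ID and the adjacency never forms.
set protocols ospf parameters router-id <local-wan-ip>
# The tunnel /30 has to be listed so that vti0 takes part in area 0; it must match the
# vti0 address configured above.
set protocols ospf area 0.0.0.0 network 172.196.17.188/30
# LAN prefixes exchanged between the two sites.
set protocols ospf area 0.0.0.0 network 192.168.1.0/24
set protocols ospf area 0.0.0.0 network 192.168.2.0/24
# A VTI links exactly two routers; point-to-point skips DR/BDR election on it.
set interfaces vti vti0 ip ospf network point-to-point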