DEV Community

leroykayanda

Setting up an IPsec VPN using VyOS in AWS

This sets up a site-to-site IPsec tunnel between two VyOS EC2 instances in different VPCs, so that the Prod and client_vpn VPC CIDRs can reach each other through it. The set commands below are entered in configure mode on each instance and only take effect on commit; save makes them persist across reboots.

Let's assume:

VyOS-A

Public IP: 23.23.46.168
Private IP: 10.113.129.113
Prod VPC CIDR: 10.113.0.0/16

VyOS-B

Public IP: 3.230.21.112
Private IP: 10.100.3.199
client_vpn VPC CIDR: 10.100.0.0/16

In EC2 the public IP (an Elastic IP or an auto-assigned public address) is not configured on the instance itself; it is NATed 1:1 to the private IP. That is why, further down, local-address is the private IP while the IKE identities (local-id and remote-id) use the public IPs, and why the IKE SA comes up with NAT-T.

Ensure the Security Groups on both instances allow the following inbound traffic, with the source restricted to the other peer's public IP (/32) rather than 0.0.0.0/0:

  • UDP 500 - ISAKMP/IKE
  • IP protocol 50 - ESP (a protocol number, not a TCP/UDP port; once NAT-T is in use ESP travels inside UDP 4500, but allow it anyway)
  • UDP 4500 - NAT-T (IKE and UDP-encapsulated ESP after NAT is detected, which it will be on EC2)

Disable the source/destination check on both instances. EC2 otherwise drops packets whose source or destination address is not the instance's own, which is exactly what a VPN gateway sends and receives on behalf of the rest of its VPC. For hosts other than the two VyOS instances to use the tunnel, each VPC's route table also needs a route for the remote CIDR pointing at the local VyOS instance.

VyOS-A Setup

IKE Phase 1

set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP proposal 1 hash sha256
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 19
set vpn ipsec ike-group IKE-GROUP lifetime 28800
set vpn ipsec ike-group IKE-GROUP close-action 'start'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '60'

IPSec Phase 2

set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP proposal 1 hash sha256
set vpn ipsec esp-group ESP-GROUP lifetime 3600
set vpn ipsec esp-group ESP-GROUP pfs 'dh-group19'

Define the peer

The PSK must be identical on both sides. Replace 'MySecretKey' with a long random secret (for example the output of openssl rand -base64 32) before committing. The secret is selected by the IKE identities listed under authentication psk ... id, which is why both the local and the remote public IP appear there.

set vpn ipsec interface 'eth0'

set vpn ipsec authentication psk VyOS-B secret 'MySecretKey'
set vpn ipsec authentication psk VyOS-B id '23.23.46.168'
set vpn ipsec authentication psk VyOS-B id '3.230.21.112'

set vpn ipsec site-to-site peer VyOS-B authentication local-id '23.23.46.168'
set vpn ipsec site-to-site peer VyOS-B authentication remote-id '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-B local-address '10.113.129.113'
set vpn ipsec site-to-site peer VyOS-B remote-address '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-B tunnel 1 local prefix '10.113.0.0/16'
set vpn ipsec site-to-site peer VyOS-B tunnel 1 remote prefix '10.100.0.0/16'
set vpn ipsec site-to-site peer VyOS-B tunnel 1 esp-group ESP-GROUP
set vpn ipsec site-to-site peer VyOS-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer VyOS-B connection-type 'initiate'
set vpn ipsec site-to-site peer VyOS-B ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer VyOS-B default-esp-group 'ESP-GROUP'
set vpn ipsec site-to-site peer VyOS-B ikev2-reauth 'no'

VyOS-B Setup

IKE Phase 1

set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP proposal 1 hash sha256
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 19
set vpn ipsec ike-group IKE-GROUP lifetime 28800
set vpn ipsec ike-group IKE-GROUP close-action 'start'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '60'

IPSec Phase 2

set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP proposal 1 hash sha256
set vpn ipsec esp-group ESP-GROUP lifetime 3600
set vpn ipsec esp-group ESP-GROUP pfs 'dh-group19'

Define the peer

This is the mirror image of the VyOS-A peer: local and remote IDs, addresses and prefixes swap sides, the same PSK is used, and this side responds rather than initiates.

set vpn ipsec interface 'eth0'

set vpn ipsec authentication psk VyOS-A secret 'MySecretKey'
set vpn ipsec authentication psk VyOS-A id '23.23.46.168'
set vpn ipsec authentication psk VyOS-A id '3.230.21.112'

set vpn ipsec site-to-site peer VyOS-A authentication local-id '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-A authentication remote-id '23.23.46.168'
set vpn ipsec site-to-site peer VyOS-A tunnel 1 local prefix '10.100.0.0/16'
set vpn ipsec site-to-site peer VyOS-A tunnel 1 remote prefix '10.113.0.0/16'
set vpn ipsec site-to-site peer VyOS-A local-address '10.100.3.199'
set vpn ipsec site-to-site peer VyOS-A remote-address '23.23.46.168'
set vpn ipsec site-to-site peer VyOS-A tunnel 1 esp-group ESP-GROUP
set vpn ipsec site-to-site peer VyOS-A authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer VyOS-A connection-type 'respond'
set vpn ipsec site-to-site peer VyOS-A ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer VyOS-A default-esp-group 'ESP-GROUP'
set vpn ipsec site-to-site peer VyOS-A ikev2-reauth 'no'
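The VyOS-A and VyOS-B configurations above have to be exact mirror images of each other: local-id/remote-id, local/remote prefix, PSK and proposals. A typo on one side shows up only as a failed negotiation in show log vpn, so it is worth checking the two before committing. The script below is an added example, not part of the original post: it parses the relevant set vpn ipsec lines of both sides (embedded as constructed input copied from the two setups above, VyOS 1.4 syntax) and reports disagreements, a short PSK, both sides set to respond, and overlapping prefixes. The 32-character PSK floor is this example's assumption, not a VyOS requirement.

```python
import ipaddress
import shlex

# Constructed input: the lines from VyOS-A and VyOS-B above that both sides must agree on.
VYOS_A = """
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 19
set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes256
set vpn ipsec authentication psk VyOS-B secret 'MySecretKey'
set vpn ipsec authentication psk VyOS-B id '23.23.46.168'
set vpn ipsec authentication psk VyOS-B id '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-B authentication local-id '23.23.46.168'
set vpn ipsec site-to-site peer VyOS-B authentication remote-id '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-B remote-address '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-B tunnel 1 local prefix '10.113.0.0/16'
set vpn ipsec site-to-site peer VyOS-B tunnel 1 remote prefix '10.100.0.0/16'
set vpn ipsec site-to-site peer VyOS-B connection-type 'initiate'
set vpn ipsec site-to-site peer VyOS-B ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer VyOS-B default-esp-group 'ESP-GROUP'
"""
VYOS_B = """
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 19
set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes256
set vpn ipsec authentication psk VyOS-A secret 'MySecretKey'
set vpn ipsec authentication psk VyOS-A id '23.23.46.168'
set vpn ipsec authentication psk VyOS-A id '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-A authentication local-id '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-A authentication remote-id '23.23.46.168'
set vpn ipsec site-to-site peer VyOS-A remote-address '23.23.46.168'
set vpn ipsec site-to-site peer VyOS-A tunnel 1 local prefix '10.100.0.0/16'
set vpn ipsec site-to-site peer VyOS-A tunnel 1 remote prefix '10.113.0.0/16'
set vpn ipsec site-to-site peer VyOS-A connection-type 'respond'
set vpn ipsec site-to-site peer VyOS-A ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer VyOS-A default-esp-group 'ESP-GROUP'
"""
PEER = ("vpn", "ipsec", "site-to-site", "peer")

def parse_vyos_set(text):
    """'set a b c value' lines -> {path tuple: [values]}; shlex strips the quotes."""
    cfg = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) > 2 and tok[0] == "set":
            cfg.setdefault(tuple(tok[1:-1]), []).append(tok[-1])
    return cfg

def leaf(cfg, *path):
    vals = cfg.get(path)
    return vals[0] if vals else None

def side(cfg):
    """Peer name, peer path, and {proposal path: value} for its IKE and ESP groups."""
    name = next(p[4] for p in cfg if p[:4] == PEER)
    peer = PEER + (name,)
    groups = {}
    for kind, key in (("ike-group", "ike-group"), ("esp-group", "default-esp-group")):
        pre = ("vpn", "ipsec", kind, leaf(cfg, *peer, key), "proposal")
        groups[kind] = {p[len(pre):]: v[0] for p, v in cfg.items() if p[:len(pre)] == pre}
    return name, peer, groups

def check_pair(a_text, b_text, min_psk_len=32):
    """Return a list of findings; an empty list means the two sides agree."""
    a, b = parse_vyos_set(a_text), parse_vyos_set(b_text)
    out = []
    for me, you, cfg, ocfg in (("A", "B", a, b), ("B", "A", b, a)):
        name, peer, _ = side(cfg)
        _, opeer, _ = side(ocfg)
        local_id = leaf(cfg, *peer, "authentication", "local-id")
        remote_id = leaf(cfg, *peer, "authentication", "remote-id")
        o_local_id = leaf(ocfg, *opeer, "authentication", "local-id")
        if remote_id != o_local_id:
            out.append(f"{me}: remote-id {remote_id} != {you} local-id {o_local_id}")
        if leaf(cfg, *peer, "remote-address") != o_local_id:
            out.append(f"{me}: remote-address != {you} public IP {o_local_id}")
        if (leaf(cfg, *peer, "tunnel", "1", "remote", "prefix")
                != leaf(ocfg, *opeer, "tunnel", "1", "local", "prefix")):
            out.append(f"{me}: tunnel 1 remote prefix != {you} tunnel 1 local prefix")
        # strongSwan selects the PSK by IKE identity, so both IDs must be listed
        ids = cfg.get(("vpn", "ipsec", "authentication", "psk", name, "id"), [])
        out += [f"{me}: psk id list lacks {i}" for i in (local_id, remote_id) if i not in ids]
    a_name, a_peer, a_groups = side(a)
    b_name, b_peer, b_groups = side(b)
    secret = leaf(a, "vpn", "ipsec", "authentication", "psk", a_name, "secret")
    if secret != leaf(b, "vpn", "ipsec", "authentication", "psk", b_name, "secret"):
        out.append("PSK secrets differ")
    elif secret is not None and len(secret) < min_psk_len:  # floor chosen for this example
        out.append(f"PSK is {len(secret)} chars; use >= {min_psk_len} random chars")
    for kind in a_groups:
        if a_groups[kind] != b_groups[kind]:
            out.append(f"{kind} proposals differ: {a_groups[kind]} vs {b_groups[kind]}")
    # VyOS defaults connection-type to initiate; two responders never negotiate
    roles = {leaf(c, *p, "connection-type") or "initiate" for c, p in ((a, a_peer), (b, b_peer))}
    if "initiate" not in roles:
        out.append("neither side initiates; the tunnel will never come up")
    lp = ipaddress.ip_network(leaf(a, *a_peer, "tunnel", "1", "local", "prefix"))
    rp = ipaddress.ip_network(leaf(a, *a_peer, "tunnel", "1", "remote", "prefix"))
    if lp.overlaps(rp):
        out.append(f"local prefix {lp} overlaps remote prefix {rp}")
    return out
```

Run against the two configurations on this page, check_pair(VYOS_A, VYOS_B) returns a single finding, the 11-character PSK; everything else lines up. Paste the real set lines of both boxes into the two strings (or read them from files) before committing a change on either side.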

Troubleshooting

From operational mode:

show vpn ike sa
show vpn ipsec sa
show log vpn
show ip route
restart ipsec
ping 10.100.3.199 interface eth0

show vpn ike sa shows the IKE (phase 1) SA; on EC2 the NAT-T column should read yes because of the 1:1 NAT. show vpn ipsec sa shows the CHILD (phase 2) SAs with their traffic counters, so a tunnel that is up with 0B/0B has simply not seen traffic matching its selectors yet. show log vpn is the strongSwan log and the first place to look when an SA does not come up; mismatched IDs, PSK or proposals are reported there. restart ipsec restarts the daemon and drops all SAs, which is the quickest way to apply a changed IKE or ESP group. Pinging the remote private IP with interface eth0 sources the ping from 10.113.129.113, which lies inside the local prefix, so the packets match tunnel 1's selectors.

If you have locked yourself out of the instance, the password can be reset from configure mode:

set system login user vyos authentication plaintext-password vyos

VyOS hashes the value into encrypted-password on commit, but the password shown here is the image default: set a strong one, and prefer key-based SSH for day-to-day access.

show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
3.230.21.112 3.230.21.112               10.113.129.113 23.23.46.168            

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv2   AES_CBC_256  HMAC_SHA2_256_128 ECP_256        yes    4987    22920  


show vpn ipsec sa
Connection       State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID     Proposal
---------------  -------  --------  --------------  ----------------  ----------------  ------------  -------------------------------------
VyOS-B-tunnel-1  up       34m50s    0B/0B           0/0               3.230.21.112      3.230.21.112  AES_CBC_256/HMAC_SHA2_256_128/ECP_256


ping 10.100.3.199 interface eth0
PING 10.100.3.199 (10.100.3.199) from 10.113.129.113 eth0: 56(84) bytes of data.
64 bytes from 10.100.3.199: icmp_seq=1 ttl=64 time=0.665 ms
64 bytes from 10.100.3.199: icmp_seq=2 ttl=64 time=0.718 ms
64 bytes from 10.100.3.199: icmp_seq=3 ttl=64 time=0.686 ms
^C
--- 10.100.3.199 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2074ms
rtt min/avg/max/mdev = 0.665/0.689/0.718/0.021 ms
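As an added example (not from the original post), here is a Python health check over the show vpn ipsec sa table above, of the kind you would run from cron or a monitoring agent on the VyOS box. It flags an SA that is not up, one that is up but has received no bytes after a grace period (the 0B/0B row above, before any traffic is sent), one that negotiated something other than the aes256/sha256/dh-group19 suite configured on this page, and one whose Remote ID is not an expected peer. The sample input is the table above plus one constructed row for an invented peer at 198.51.100.7 (an RFC 5737 documentation address) with a weaker proposal; the K/M/G byte suffixes are assumed to be the base-1024 ones VyOS 1.4 prints.

```python
import re

# Constructed sample: the 'show vpn ipsec sa' output from the page, plus an invented
# second row (RFC 5737 address) that negotiated a weaker suite than the one configured.
SAMPLE = """\
Connection       State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID     Proposal
---------------  -------  --------  --------------  ----------------  ----------------  ------------  -------------------------------------
VyOS-B-tunnel-1  up       34m50s    0B/0B           0/0               3.230.21.112      3.230.21.112  AES_CBC_256/HMAC_SHA2_256_128/ECP_256
VyOS-C-tunnel-1  up       2h5m      1.2M/900K       3100/2800         198.51.100.7      198.51.100.7  AES_CBC_128/HMAC_SHA1_96/MODP_1024
"""

# What the ESP group on this page (aes256 / sha256 / pfs dh-group19) shows up as.
EXPECTED_PROPOSAL = "AES_CBC_256/HMAC_SHA2_256_128/ECP_256"
EXPECTED_PEERS = {"3.230.21.112"}
UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
SIZES = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # assumed base-1024 suffixes

def uptime_seconds(s):
    """'34m50s' -> 2090. VyOS prints only the non-zero units."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([dhms])", s))

def parse_bytes(s):
    """'900K' -> 921600, '0B' -> 0."""
    m = re.fullmatch(r"([\d.]+)([KMG]?)B?", s)
    return int(float(m.group(1)) * SIZES[m.group(2)])

def parse_sa_table(text):
    """Rows of the table as dicts; the header and the dashed ruler are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or set(f[0]) == {"-"}:
            continue
        rx, tx = (parse_bytes(x) for x in f[3].split("/"))
        rows.append({"conn": f[0], "state": f[1], "uptime": uptime_seconds(f[2]),
                     "bytes_in": rx, "bytes_out": tx, "remote": f[5],
                     "remote_id": f[6], "proposal": f[7]})
    return rows

def health_check(text, expected_proposal, expected_peers, grace=300):
    """Alerts for SAs that are down, idle past the grace period, negotiated with
    a proposal other than the configured one, or authenticated by an unexpected ID."""
    alerts = []
    for r in parse_sa_table(text):
        if r["state"] != "up":
            alerts.append(f"{r['conn']}: state {r['state']}")
            continue
        if r["remote_id"] not in expected_peers:
            alerts.append(f"{r['conn']}: unexpected peer id {r['remote_id']}")
        if r["proposal"] != expected_proposal:
            alerts.append(f"{r['conn']}: proposal {r['proposal']} != {expected_proposal}")
        if r["uptime"] > grace and r["bytes_in"] == 0:
            alerts.append(f"{r['conn']}: up {r['uptime']}s but no bytes received; "
                          "check VPC route tables and traffic selectors")
    return alerts

if __name__ == "__main__":
    for a in health_check(SAMPLE, EXPECTED_PROPOSAL, EXPECTED_PEERS) or ["all SAs healthy"]:
        print(a)
```

On the real box, feed it the live output (for example via the VyOS op-mode command from a script) instead of SAMPLE. The idle check is the one that catches the most common silent failure: the SA is up, the ping from the VyOS instance itself works, but nothing from the rest of the VPC ever arrives because the VPC route table still sends the remote CIDR to the internet gateway.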
