Setting an IPSEC VPN using VyOS in AWS

Feb 19, 2025 - 08:38

This will be a tunnel between 2 EC2 instances.

Let’s assume:

VyOS-A

Public IP: 23.23.46.168
Private IP: 10.113.129.113
Prod VPC CIDR: 10.113.0.0/16

VyOS-B

Public IP: 3.230.21.112
Private IP: 10.100.3.199
client_vpn VPC CIDR: 10.100.0.0/16

Ensure these ports and protocols are allowed in the Security Groups of both instances:

  • UDP 500 - ISAKMP/IKE
  • IP Protocol 50 - ESP
  • UDP 4500 - NAT-T

Disable the source/destination check on both instances, so that EC2 lets them forward traffic for the VPC CIDRs rather than dropping it.

VyOS-A Setup

IKE Phase 1

set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP proposal 1 hash sha256
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 19
set vpn ipsec ike-group IKE-GROUP lifetime 28800
set vpn ipsec ike-group IKE-GROUP close-action 'start'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '60'

IPSec Phase 2

set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP proposal 1 hash sha256
set vpn ipsec esp-group ESP-GROUP lifetime 3600
set vpn ipsec esp-group ESP-GROUP pfs 'dh-group19'

Define the peer

set vpn ipsec interface 'eth0'

set vpn ipsec authentication psk VyOS-B secret 'MySecretKey'
set vpn ipsec authentication psk VyOS-B id '23.23.46.168'
set vpn ipsec authentication psk VyOS-B id '3.230.21.112'

set vpn ipsec site-to-site peer VyOS-B authentication local-id '23.23.46.168'
set vpn ipsec site-to-site peer VyOS-B authentication remote-id '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-B local-address '10.113.129.113'
set vpn ipsec site-to-site peer VyOS-B remote-address '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-B tunnel 1 local prefix '10.113.0.0/16'
set vpn ipsec site-to-site peer VyOS-B tunnel 1 remote prefix '10.100.0.0/16'
set vpn ipsec site-to-site peer VyOS-B tunnel 1 esp-group ESP-GROUP
set vpn ipsec site-to-site peer VyOS-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer VyOS-B connection-type 'initiate'
set vpn ipsec site-to-site peer VyOS-B ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer VyOS-B default-esp-group 'ESP-GROUP'
set vpn ipsec site-to-site peer VyOS-B ikev2-reauth 'no'

VyOS-B Setup

IKE Phase 1

set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP proposal 1 hash sha256
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 19
set vpn ipsec ike-group IKE-GROUP lifetime 28800
set vpn ipsec ike-group IKE-GROUP close-action 'start'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '60'

IPSec Phase 2

set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP proposal 1 hash sha256
set vpn ipsec esp-group ESP-GROUP lifetime 3600
set vpn ipsec esp-group ESP-GROUP pfs 'dh-group19'

Define the peer

set vpn ipsec interface 'eth0'

set vpn ipsec authentication psk VyOS-A secret 'MySecretKey'
set vpn ipsec authentication psk VyOS-A id '23.23.46.168'
set vpn ipsec authentication psk VyOS-A id '3.230.21.112'

set vpn ipsec site-to-site peer VyOS-A authentication local-id '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-A authentication remote-id '23.23.46.168'
set vpn ipsec site-to-site peer VyOS-A tunnel 1 local prefix '10.100.0.0/16'
set vpn ipsec site-to-site peer VyOS-A tunnel 1 remote prefix '10.113.0.0/16'
set vpn ipsec site-to-site peer VyOS-A local-address '10.100.3.199'
set vpn ipsec site-to-site peer VyOS-A remote-address '23.23.46.168'
set vpn ipsec site-to-site peer VyOS-A tunnel 1 esp-group ESP-GROUP
set vpn ipsec site-to-site peer VyOS-A authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer VyOS-A connection-type 'respond'
set vpn ipsec site-to-site peer VyOS-A ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer VyOS-A default-esp-group 'ESP-GROUP'
set vpn ipsec site-to-site peer VyOS-A ikev2-reauth 'no'
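Most failures in a setup like this come from the two halves not mirroring each other: a local-id that is not the peer's remote-id, prefixes that are not swapped, a remote-address pointing at the private instead of the public IP, or both sides set to 'respond'. The following is an added example, not part of the original post or of VyOS: it parses the `set vpn ipsec` lines of both peers (constructed excerpts using the post's addresses, prefixes and group names, trimmed to the lines the checks read) and reports every mismatch before you commit. The function names are my own.

```python
# Added example, not part of the original post or of VyOS: parse the
# `set vpn ipsec` lines of both peers and check that they mirror each other
# before committing. The config excerpts are constructed from the post's own
# values, trimmed to the lines the checks read; helper names are mine.
import shlex
from collections import defaultdict

VYOS_A = """
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 19
set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP pfs 'dh-group19'
set vpn ipsec authentication psk VyOS-B secret 'MySecretKey'
set vpn ipsec authentication psk VyOS-B id '23.23.46.168'
set vpn ipsec authentication psk VyOS-B id '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-B authentication local-id '23.23.46.168'
set vpn ipsec site-to-site peer VyOS-B authentication remote-id '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-B remote-address '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-B tunnel 1 local prefix '10.113.0.0/16'
set vpn ipsec site-to-site peer VyOS-B tunnel 1 remote prefix '10.100.0.0/16'
set vpn ipsec site-to-site peer VyOS-B connection-type 'initiate'
"""

VYOS_B = """
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 19
set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP pfs 'dh-group19'
set vpn ipsec authentication psk VyOS-A secret 'MySecretKey'
set vpn ipsec authentication psk VyOS-A id '23.23.46.168'
set vpn ipsec authentication psk VyOS-A id '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-A authentication local-id '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-A authentication remote-id '23.23.46.168'
set vpn ipsec site-to-site peer VyOS-A remote-address '23.23.46.168'
set vpn ipsec site-to-site peer VyOS-A tunnel 1 local prefix '10.100.0.0/16'
set vpn ipsec site-to-site peer VyOS-A tunnel 1 remote prefix '10.113.0.0/16'
set vpn ipsec site-to-site peer VyOS-A connection-type 'respond'
"""


def parse_set_lines(text):
    """Map each `set vpn ipsec <path> <value>` line to {path: [values]}.
    Repeated paths (the two psk ids) collect into the list."""
    cfg = defaultdict(list)
    for raw in text.strip().splitlines():
        tokens = shlex.split(raw)  # shlex also strips VyOS's single quotes
        if tokens[:3] == ["set", "vpn", "ipsec"]:
            *path, value = tokens[3:]
            cfg[" ".join(path)].append(value)
    return cfg


def named_block(cfg, prefix):
    """Settings under the single `<prefix> <name>` tree, keyed by the remaining path."""
    names, block = set(), {}
    for path, values in cfg.items():
        if path.startswith(prefix + " "):
            name, _, rest = path[len(prefix) + 1:].partition(" ")
            names.add(name)
            block[rest] = values
    if len(names) != 1:
        raise ValueError(f"expected one '{prefix}', found {sorted(names)}")
    return block


def single(block, key):
    values = block.get(key, [])
    return values[0] if len(values) == 1 else None


def check_mirror(cfg_a, cfg_b):
    """Return the list of mismatches between side A and side B; [] means consistent."""
    problems = []
    peer_a, peer_b = named_block(cfg_a, "site-to-site peer"), named_block(cfg_b, "site-to-site peer")
    psk_a, psk_b = named_block(cfg_a, "authentication psk"), named_block(cfg_b, "authentication psk")
    # IKE identities and traffic selectors cross over: A's local is B's remote.
    crossed = [("authentication local-id", "authentication remote-id"),
               ("tunnel 1 local prefix", "tunnel 1 remote prefix")]
    for key_a, key_b in crossed + [(b, a) for a, b in crossed]:
        if single(peer_a, key_a) != single(peer_b, key_b):
            problems.append(f"A {key_a}={single(peer_a, key_a)} vs B {key_b}={single(peer_b, key_b)}")
    # Behind AWS 1:1 NAT the peer is reached on its public IP, which is also its
    # IKE identity, so remote-address must equal the other side's local-id.
    for side, peer, other in (("A", peer_a, peer_b), ("B", peer_b, peer_a)):
        if single(peer, "remote-address") != single(other, "authentication local-id"):
            problems.append(f"{side} remote-address is not the peer's local-id")
    # Same secret on both sides, and each side's psk ids must cover both identities.
    if single(psk_a, "secret") != single(psk_b, "secret"):
        problems.append("pre-shared secrets differ")
    ids = {single(peer_a, "authentication local-id"), single(peer_a, "authentication remote-id")}
    for side, psk in (("A", psk_a), ("B", psk_b)):
        if set(psk.get("id", [])) != ids:
            problems.append(f"{side} psk ids {psk.get('id')} do not cover {sorted(ids)}")
    # Proposals and PFS must match exactly (both sides use the same group names).
    for path, values in cfg_a.items():
        if path.startswith(("ike-group", "esp-group")) and cfg_b.get(path) != values:
            problems.append(f"crypto mismatch at {path}: A={values} B={cfg_b.get(path)}")
    # Unless at least one side initiates, the tunnel never comes up.
    if "initiate" not in {single(peer_a, "connection-type"), single(peer_b, "connection-type")}:
        problems.append("neither side has connection-type 'initiate'")
    return problems


if __name__ == "__main__":
    print(check_mirror(parse_set_lines(VYOS_A), parse_set_lines(VYOS_B)) or "configs mirror each other")
```

Run it on the two excerpts as written and it reports nothing; change one prefix, one id or the secret on either side and the corresponding line appears. The remote-address check encodes the AWS-specific point of the post: the instance only knows its private IP, so `local-address` is private while `remote-address` and both IKE ids are the public IPs.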

Troubleshooting

show vpn ike sa
show vpn ipsec sa
show log vpn
show ip route
restart ipsec
ping 10.100.3.199 interface eth0
set system login user vyos authentication plaintext-password vyos

show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
3.230.21.112 3.230.21.112               10.113.129.113 23.23.46.168            

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv2   AES_CBC_256  HMAC_SHA2_256_128 ECP_256        yes    4987    22920  


show vpn ipsec sa
Connection       State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID     Proposal
---------------  -------  --------  --------------  ----------------  ----------------  ------------  -------------------------------------
VyOS-B-tunnel-1  up       34m50s    0B/0B           0/0               3.230.21.112      3.230.21.112  AES_CBC_256/HMAC_SHA2_256_128/ECP_256
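The `0B/0B` counters in that table deserve a second look: the SA is up, but nothing has crossed it yet, so whatever is still wrong lies in routes, Security Groups or the src/dst check rather than in IPsec itself. The following added example (not from the original post or from VyOS) parses the `show vpn ipsec sa` table above into a health verdict that distinguishes "down", "up to the wrong peer", "up with an unexpected proposal", "up but idle" and "healthy". The function names and the B/K/M/G suffix handling for the byte counters are my assumptions.

```python
# Added example, not part of the original post or of VyOS: read the
# `show vpn ipsec sa` table into a health verdict. The table is the one shown
# in the post; function names and the B/K/M/G suffix handling are assumptions.
import re

SAMPLE_IPSEC_SA = """\
Connection       State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID     Proposal
---------------  -------  --------  --------------  ----------------  ----------------  ------------  -------------------------------------
VyOS-B-tunnel-1  up       34m50s    0B/0B           0/0               3.230.21.112      3.230.21.112  AES_CBC_256/HMAC_SHA2_256_128/ECP_256
"""

# What ESP-GROUP (aes256/sha256, pfs dh-group19) negotiates, per the post's output.
EXPECTED_PROPOSAL = "AES_CBC_256/HMAC_SHA2_256_128/ECP_256"
UNITS = {"B": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # assumed suffixes


def parse_bytes(field):
    """'0B/0B' -> (0, 0); '12K/3M' -> (12288, 3145728)."""
    counts = []
    for part in field.split("/"):
        m = re.fullmatch(r"([\d.]+)([BKMG])", part)
        if not m:
            raise ValueError(f"unexpected counter {part!r}")
        counts.append(int(float(m.group(1)) * UNITS[m.group(2)]))
    return tuple(counts)


def parse_ipsec_sa(table):
    """Split the table on runs of two or more spaces; the dashed line is skipped."""
    lines = [line for line in table.splitlines() if line.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    return [dict(zip(header, re.split(r"\s{2,}", line.strip()))) for line in lines[2:]]


def tunnel_health(table, expected_peer, expected_proposal):
    """Map connection name -> (code, hint). 'up' alone is not healthy: an up SA
    with zero bytes means routes or the src/dst check, not IPsec, block traffic."""
    verdicts = {}
    for row in parse_ipsec_sa(table):
        name = row["Connection"]
        if row["State"] != "up":
            verdicts[name] = ("down", "check show vpn ike sa and show log vpn")
        elif row["Remote address"] != expected_peer or row["Remote ID"] != expected_peer:
            verdicts[name] = ("wrong-peer", f"SA is with {row['Remote address']} / {row['Remote ID']}")
        elif row["Proposal"] != expected_proposal:
            verdicts[name] = ("wrong-proposal", f"negotiated {row['Proposal']}")
        elif parse_bytes(row["Bytes In/Out"]) == (0, 0):
            verdicts[name] = ("up-idle", "no traffic yet: verify routes and the src/dst check, then ping across")
        else:
            verdicts[name] = ("healthy", f"{row['Bytes In/Out']} over {row['Uptime']}")
    return verdicts


if __name__ == "__main__":
    for name, (code, hint) in tunnel_health(SAMPLE_IPSEC_SA, "3.230.21.112", EXPECTED_PROPOSAL).items():
        print(f"{name}: {code} ({hint})")
```

On the table from the post it reports `up-idle`; once the ping below has run, the byte counters move and the same table reads `healthy`. Comparing the negotiated proposal against what ESP-GROUP is supposed to produce is a cheap way to notice a peer that quietly accepted a weaker set after a config change.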


ping 10.100.3.199 interface eth0
PING 10.100.3.199 (10.100.3.199) from 10.113.129.113 eth0: 56(84) bytes of data.
64 bytes from 10.100.3.199: icmp_seq=1 ttl=64 time=0.665 ms
64 bytes from 10.100.3.199: icmp_seq=2 ttl=64 time=0.718 ms
64 bytes from 10.100.3.199: icmp_seq=3 ttl=64 time=0.686 ms
^C
--- 10.100.3.199 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2074ms
rtt min/avg/max/mdev = 0.665/0.689/0.718/0.021 ms