DEV Community

leroykayanda

Setting up an IPSEC VPN using VyOS in AWS

This sets up an IPsec tunnel between two EC2 instances, each running VyOS, in two different VPCs.

Let’s assume:

VyOS-A

Public IP: 23.23.46.168
Private IP: 10.113.129.113
Prod VPC CIDR: 10.113.0.0/16

VyOS-B

Public IP: 3.230.21.112
Private IP: 10.100.3.199
client_vpn VPC CIDR: 10.100.0.0/16

Ensure the Security Groups of both instances allow the following traffic between the two instances' public IPs:

  • UDP 500 - ISAKMP/IKE
  • IP Protocol 50 - ESP
  • UDP 4500 - NAT-T

Disable the source/destination check on both instances, since each VyOS instance forwards traffic for a VPC CIDR that is not its own address.

VyOS-A Setup

IKE Phase 1

set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP proposal 1 hash sha256
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 19
set vpn ipsec ike-group IKE-GROUP lifetime 28800
set vpn ipsec ike-group IKE-GROUP close-action 'start'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '60'

IPSec Phase 2

set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP proposal 1 hash sha256
set vpn ipsec esp-group ESP-GROUP lifetime 3600
set vpn ipsec esp-group ESP-GROUP pfs 'dh-group19'

Define the peer

set vpn ipsec interface 'eth0'

set vpn ipsec authentication psk VyOS-B secret 'MySecretKey'
set vpn ipsec authentication psk VyOS-B id '23.23.46.168'
set vpn ipsec authentication psk VyOS-B id '3.230.21.112'

set vpn ipsec site-to-site peer VyOS-B authentication local-id '23.23.46.168'
set vpn ipsec site-to-site peer VyOS-B authentication remote-id '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-B local-address '10.113.129.113'
set vpn ipsec site-to-site peer VyOS-B remote-address '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-B tunnel 1 local prefix '10.113.0.0/16'
set vpn ipsec site-to-site peer VyOS-B tunnel 1 remote prefix '10.100.0.0/16'
set vpn ipsec site-to-site peer VyOS-B tunnel 1 esp-group ESP-GROUP
set vpn ipsec site-to-site peer VyOS-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer VyOS-B connection-type 'initiate'
set vpn ipsec site-to-site peer VyOS-B ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer VyOS-B default-esp-group 'ESP-GROUP'
set vpn ipsec site-to-site peer VyOS-B ikev2-reauth 'no'

VyOS-B Setup

IKE Phase 1

set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP proposal 1 hash sha256
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 19
set vpn ipsec ike-group IKE-GROUP lifetime 28800
set vpn ipsec ike-group IKE-GROUP close-action 'start'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '60'

IPSec Phase 2

set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP proposal 1 hash sha256
set vpn ipsec esp-group ESP-GROUP lifetime 3600
set vpn ipsec esp-group ESP-GROUP pfs 'dh-group19'

Define the peer

set vpn ipsec interface 'eth0'

set vpn ipsec authentication psk VyOS-A secret 'MySecretKey'
set vpn ipsec authentication psk VyOS-A id '23.23.46.168'
set vpn ipsec authentication psk VyOS-A id '3.230.21.112'

set vpn ipsec site-to-site peer VyOS-A authentication local-id '3.230.21.112'
set vpn ipsec site-to-site peer VyOS-A authentication remote-id '23.23.46.168'
set vpn ipsec site-to-site peer VyOS-A tunnel 1 local prefix '10.100.0.0/16'
set vpn ipsec site-to-site peer VyOS-A tunnel 1 remote prefix '10.113.0.0/16'
set vpn ipsec site-to-site peer VyOS-A local-address '10.100.3.199'
set vpn ipsec site-to-site peer VyOS-A remote-address '23.23.46.168'
set vpn ipsec site-to-site peer VyOS-A tunnel 1 esp-group ESP-GROUP
set vpn ipsec site-to-site peer VyOS-A authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer VyOS-A connection-type 'respond'
set vpn ipsec site-to-site peer VyOS-A ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer VyOS-A default-esp-group 'ESP-GROUP'
set vpn ipsec site-to-site peer VyOS-A ikev2-reauth 'no'
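The two peer definitions above are mirror images of each other: what VyOS-A calls local-id, local prefix and initiate, VyOS-B calls remote-id, remote prefix and respond. Note also that local-address is the private IP actually configured on eth0, while local-id is the Elastic IP the peer sees, because AWS applies the Elastic IP as 1:1 NAT in front of the instance. The script below is an added example, not part of the original post or of VyOS itself; it renders the same set commands for both sides from one description of the two sites, so the two halves cannot drift apart. The PSK is a labelled placeholder, and check_mirror and field are hypothetical helpers written for this example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Site:
    name: str        # peer name used in the VyOS config tree
    public_ip: str   # Elastic IP the other side sees; doubles as the IKE identity
    private_ip: str  # address configured on eth0; what IKE binds to (local-address)
    cidr: str        # VPC CIDR carried over tunnel 1


# Addressing from the post.
SITE_A = Site("VyOS-A", "23.23.46.168", "10.113.129.113", "10.113.0.0/16")
SITE_B = Site("VyOS-B", "3.230.21.112", "10.100.3.199", "10.100.0.0/16")

# Phase 1 / phase 2 policy shared by both sides (same values as the post).
POLICY = [
    "set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'",
    "set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes256",
    "set vpn ipsec ike-group IKE-GROUP proposal 1 hash sha256",
    "set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 19",
    "set vpn ipsec ike-group IKE-GROUP lifetime 28800",
    "set vpn ipsec ike-group IKE-GROUP close-action 'start'",
    "set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'",
    "set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'",
    "set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '60'",
    "set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes256",
    "set vpn ipsec esp-group ESP-GROUP proposal 1 hash sha256",
    "set vpn ipsec esp-group ESP-GROUP lifetime 3600",
    "set vpn ipsec esp-group ESP-GROUP pfs 'dh-group19'",
]


def render_peer(local: Site, remote: Site, psk: str, initiator: bool) -> List[str]:
    """Return the `set` commands `local` needs to bring up tunnel 1 to `remote`."""
    p = f"set vpn ipsec site-to-site peer {remote.name}"
    return POLICY + [
        "set vpn ipsec interface 'eth0'",
        f"set vpn ipsec authentication psk {remote.name} secret '{psk}'",
        f"set vpn ipsec authentication psk {remote.name} id '{local.public_ip}'",
        f"set vpn ipsec authentication psk {remote.name} id '{remote.public_ip}'",
        f"{p} authentication local-id '{local.public_ip}'",
        f"{p} authentication remote-id '{remote.public_ip}'",
        f"{p} authentication mode 'pre-shared-secret'",
        f"{p} local-address '{local.private_ip}'",
        f"{p} remote-address '{remote.public_ip}'",
        f"{p} tunnel 1 local prefix '{local.cidr}'",
        f"{p} tunnel 1 remote prefix '{remote.cidr}'",
        f"{p} tunnel 1 esp-group ESP-GROUP",
        f"{p} connection-type '{'initiate' if initiator else 'respond'}'",
        f"{p} ike-group 'IKE-GROUP'",
        f"{p} default-esp-group 'ESP-GROUP'",
        f"{p} ikev2-reauth 'no'",
    ]


def render_pair(a: Site, b: Site, psk: str) -> Dict[str, List[str]]:
    """Render both sides of the tunnel; `a` initiates and `b` responds."""
    return {a.name: render_peer(a, b, psk, True), b.name: render_peer(b, a, psk, False)}


def field(lines: List[str], key: str) -> str:
    """Value of the first command containing `key` (last token, quotes stripped)."""
    for line in lines:
        if key in line:
            return line.rsplit(" ", 1)[1].strip("'")
    raise KeyError(key)


def check_mirror(cfg_a: List[str], cfg_b: List[str]) -> bool:
    """What one side calls local the other must call remote, and exactly one side initiates."""
    return (
        field(cfg_a, "local-id") == field(cfg_b, "remote-id")
        and field(cfg_a, "remote-id") == field(cfg_b, "local-id")
        and field(cfg_a, "local prefix") == field(cfg_b, "remote prefix")
        and field(cfg_a, "remote prefix") == field(cfg_b, "local prefix")
        and {field(cfg_a, "connection-type"), field(cfg_b, "connection-type")}
        == {"initiate", "respond"}
    )


if __name__ == "__main__":
    # Placeholder PSK: replace with a long random secret before use.
    configs = render_pair(SITE_A, SITE_B, "REPLACE-WITH-RANDOM-PSK")
    assert check_mirror(configs["VyOS-A"], configs["VyOS-B"])
    for name, cmds in configs.items():
        print(f"# {name}")
        print("\n".join(cmds), end="\n\n")
```

Paste each rendered block into `configure` on the matching instance and `commit`; the only per-site differences are the addresses, the prefixes and which side initiates.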

Troubleshooting

Useful commands, shown as run on VyOS-A (on VyOS-B the peer name is VyOS-A):

show vpn ike sa
show vpn ipsec sa
show log vpn
show ip route
restart ipsec
reset vpn ipsec site-to-site peer VyOS-B
ping 10.100.3.199 interface eth0
set system login user vyos authentication plaintext-password vyos

show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
3.230.21.112 3.230.21.112               10.113.129.113 23.23.46.168            

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv2   AES_CBC_256  HMAC_SHA2_256_128 ECP_256        yes    4987    22920  


show vpn ipsec sa
Connection       State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID     Proposal
---------------  -------  --------  --------------  ----------------  ----------------  ------------  -------------------------------------
VyOS-B-tunnel-1  up       34m50s    0B/0B           0/0               3.230.21.112      3.230.21.112  AES_CBC_256/HMAC_SHA2_256_128/ECP_256


ping 10.100.3.199 interface eth0
PING 10.100.3.199 (10.100.3.199) from 10.113.129.113 eth0: 56(84) bytes of data.
64 bytes from 10.100.3.199: icmp_seq=1 ttl=64 time=0.665 ms
64 bytes from 10.100.3.199: icmp_seq=2 ttl=64 time=0.718 ms
64 bytes from 10.100.3.199: icmp_seq=3 ttl=64 time=0.686 ms
^C
--- 10.100.3.199 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2074ms
rtt min/avg/max/mdev = 0.665/0.689/0.718/0.021 ms
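The show vpn ike sa output is where you confirm that the SA actually negotiated what the policy asked for: IKEv2, AES-256 (AES_CBC_256), SHA-256 (HMAC_SHA2_256_128) and DH group 19 (ECP_256). NAT-T shows yes because both instances sit behind AWS 1:1 NAT, which is why UDP 4500 has to be open in the Security Groups. The parser below is an added example, not part of the original post or of VyOS; it reads the output shown above (embedded here as the sample) and reports any negotiated parameter that does not match the expected policy. parse_ike_sa and check_sa are hypothetical helpers written for this example, and the parser assumes IP-address identities as in this post.

```python
import re
from typing import Dict, List

# `show vpn ike sa` output as shown in the post (sample constructed from it).
SAMPLE_IKE_SA = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
3.230.21.112 3.230.21.112               10.113.129.113 23.23.46.168

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv2   AES_CBC_256  HMAC_SHA2_256_128 ECP_256        yes    4987    22920
"""

# What the ike-group in this post should have produced.
EXPECTED = {
    "ike_version": "IKEv2",
    "encrypt": "AES_CBC_256",
    "hash": "HMAC_SHA2_256_128",
    "dh_group": "ECP_256",
}

_IP = re.compile(r"[\d.]+")
_STATES = (["up"], ["down"], ["init"])


def parse_ike_sa(text: str) -> List[Dict]:
    """Return one dict per IKE SA found in `show vpn ike sa` output."""
    sas = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        parts = lines[i].split()
        # Peer row: "<peer-id> <peer-ip> <local-ip> <local-id>" (IP identities assumed).
        if len(parts) == 4 and all(_IP.fullmatch(p) for p in parts):
            sa = {"peer_id": parts[0], "peer_ip": parts[1],
                  "local_ip": parts[2], "local_id": parts[3]}
            # The detail row is the next line whose first token is an SA state.
            j = i + 1
            while j < len(lines) and lines[j].split()[:1] not in _STATES:
                j += 1
            if j < len(lines):
                state, ver, enc, hsh, dh, natt, atime, ltime = lines[j].split()[:8]
                sa.update(state=state, ike_version=ver, encrypt=enc, hash=hsh,
                          dh_group=dh, nat_t=(natt == "yes"),
                          a_time=int(atime), l_time=int(ltime))
            sas.append(sa)
            i = j
        i += 1
    return sas


def check_sa(sa: Dict, expected: Dict = EXPECTED) -> List[str]:
    """Return findings for an SA; an empty list means it is up and matches policy."""
    findings = []
    if sa.get("state") != "up":
        findings.append(f"state is {sa.get('state')!r}, not up")
    for key, want in expected.items():
        got = sa.get(key)
        if got != want:
            findings.append(f"{key}: negotiated {got!r}, policy requires {want!r}")
    return findings


if __name__ == "__main__":
    for sa in parse_ike_sa(SAMPLE_IKE_SA):
        problems = check_sa(sa)
        print(f"{sa['peer_ip']}: {'OK' if not problems else '; '.join(problems)}")
```

On a real box, feed it the command output instead of the sample (for example `/opt/vyatta/bin/vyatta-op-cmd-wrapper show vpn ike sa` piped into the script); a non-empty findings list for a peer is what you want to alert on.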
