
VyOS Site-to-Site IPSEC VPN Tunnel

Introduction

Using a VyOS Router Appliance, you can establish a secure site-to-site VPN connection between two (or more) locations.

In this walk-through, we will show you how to set up two VyOS routers as firewalls and then how to establish a site-to-site IPSEC VPN tunnel between the two sites. For the IPSEC encryption, we will be using current best practice encryption methods – AES256/SHA256.

To implement this for testing, we will be using our EVE-NG Lab Servers to fully set up this environment.
The VyOS Router images being used for testing are version 1.1.8.

The PC images used in this environment are the generic Virtual PC (vpc) systems, configured either as DHCP clients or with a static IP address.

For the “Internet” portion of this lab, I am using a simple VyOS router configured with two interfaces to provide routed paths, emulating an “ISP” connection.

Visual Diagram

[Network diagram image not reproduced in this text version]

Instructions

First, we need to establish two VyOS firewalls.  Both firewalls will have DHCP-Server and DNS Caching services running on the LAN (Inside) network with static IPv4 addresses on the WAN (Outside) interfaces.

Emulated ISP Router Configuration

set system host-name 'internet'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'

set system login user vyos authentication plaintext-password '{{your-secure-password}}'
set system login user vyos level 'admin'

set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'

set interfaces ethernet eth0 address '198.51.100.1/24'
set interfaces ethernet eth1 address '203.0.113.1/24'


internet# run show ip route

Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

C>* 127.0.0.0/8 is directly connected, lo
C>* 198.51.100.0/24 is directly connected, eth0
C>* 203.0.113.0/24 is directly connected, eth1


Firewall #1 (FW-01) — Base Configuration

###
# Configure Basic Firewall System
###
set system host-name 'fw-01'

set service ssh port '22'

set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'

set system login user vyos authentication plaintext-password '{{your-secure-password}}'
set system login user vyos level 'admin'

set system time-zone 'UTC'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'

set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'

set system package auto-sync '1'
set system package repository community components 'main'
set system package repository community distribution 'helium'
set system package repository community url 'http://packages.vyos.net/vyos'
set system package repository community password ''
set system package repository community username ''

###
# Configure Interface Settings
###
set interfaces ethernet eth0 address '198.51.100.2/24'
set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'

set interfaces ethernet eth1 address '192.168.10.1/24'
set interfaces ethernet eth1 description 'INSIDE'

###
# Configure a default static route to the ISP
###
set protocols static route 0.0.0.0/0 next-hop '198.51.100.1'

###
# Configure DHCP Server on --INSIDE-- Interface
###
set service dhcp-server disabled 'false'
set service dhcp-server shared-network-name LAN authoritative 'disable'
set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 default-router '192.168.10.1'
set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 dns-server '192.168.10.1'
set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 domain-name 'internal-network'
set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 start 192.168.10.25 stop '192.168.10.200'

###
# Configure DNS Caching Server on --INSIDE-- Interface
###
set service dns forwarding cache-size '4096'
set service dns forwarding listen-on 'eth1'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '8.8.4.4'


###
# Configure Basic Firewall Ruleset
###
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'

## OUTSIDE (Public World) to INSIDE devices (forwarded traffic entering eth0)

set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'

## OUTSIDE (Public World) to Firewall Appliance Policies (traffic addressed to the router itself)

set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL 'enable-default-log'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 ipsec 'match-ipsec'


###
# Configure NAT Policies
###
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.10.0/24'
set nat source rule 100 translation address 'masquerade'

Firewall #2 (FW-02) — Base Configuration

###
# Configure Basic Firewall System
###
set system host-name 'fw-02'

set service ssh port '22'

set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'

set system login user vyos authentication plaintext-password '{{your-secure-password}}'
set system login user vyos level 'admin'

set system time-zone 'UTC'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'

set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'

set system package auto-sync '1'
set system package repository community components 'main'
set system package repository community distribution 'helium'
set system package repository community url 'http://packages.vyos.net/vyos'
set system package repository community password ''
set system package repository community username ''

###
# Configure Interface Settings
###
set interfaces ethernet eth0 address '203.0.113.2/24'
set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'

set interfaces ethernet eth1 address '192.168.20.1/24'
set interfaces ethernet eth1 description 'INSIDE'

###
# Configure a default static route to the ISP
###
set protocols static route 0.0.0.0/0 next-hop '203.0.113.1'

###
# Configure DHCP Server on --INSIDE-- Interface
###
set service dhcp-server disabled 'false'
set service dhcp-server shared-network-name LAN authoritative 'disable'
set service dhcp-server shared-network-name LAN subnet 192.168.20.0/24 default-router '192.168.20.1'
set service dhcp-server shared-network-name LAN subnet 192.168.20.0/24 dns-server '192.168.20.1'
set service dhcp-server shared-network-name LAN subnet 192.168.20.0/24 domain-name 'internal-network'
set service dhcp-server shared-network-name LAN subnet 192.168.20.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.20.0/24 start 192.168.20.25 stop '192.168.20.200'

###
# Configure DNS Caching Server on --INSIDE-- Interface
###
set service dns forwarding cache-size '4096'
set service dns forwarding listen-on 'eth1'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '8.8.4.4'


###
# Configure Basic Firewall Ruleset
###
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'

## OUTSIDE (Public World) to INSIDE devices (forwarded traffic entering eth0)

set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'

## OUTSIDE (Public World) to Firewall Appliance Policies (traffic addressed to the router itself)

set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL 'enable-default-log'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 ipsec 'match-ipsec'


###
# Configure NAT Policies
###
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.20.0/24'
set nat source rule 100 translation address 'masquerade'


From each firewall, you should now be able to PING your ISP connection as well as the remote site firewall.

FW-01 >> ISP

fw-01# ping 198.51.100.1 -c 5
PING 198.51.100.1 (198.51.100.1) 56(84) bytes of data.
64 bytes from 198.51.100.1: icmp_req=1 ttl=64 time=2.32 ms
64 bytes from 198.51.100.1: icmp_req=2 ttl=64 time=2.01 ms
64 bytes from 198.51.100.1: icmp_req=3 ttl=64 time=2.24 ms
64 bytes from 198.51.100.1: icmp_req=4 ttl=64 time=1.68 ms
64 bytes from 198.51.100.1: icmp_req=5 ttl=64 time=1.78 ms

--- 198.51.100.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 1.687/2.009/2.322/0.249 ms

FW-01 >> FW-02 (WAN)

fw-01# ping 203.0.113.2 -c 5
PING 203.0.113.2 (203.0.113.2) 56(84) bytes of data.
64 bytes from 203.0.113.2: icmp_req=1 ttl=63 time=3.31 ms
64 bytes from 203.0.113.2: icmp_req=2 ttl=63 time=2.64 ms
64 bytes from 203.0.113.2: icmp_req=3 ttl=63 time=1.88 ms
64 bytes from 203.0.113.2: icmp_req=4 ttl=63 time=3.49 ms
64 bytes from 203.0.113.2: icmp_req=5 ttl=63 time=1.53 ms

--- 203.0.113.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 1.534/2.574/3.498/0.769 ms

FW-02 >> ISP

fw-02# ping 203.0.113.1 -c 5 
PING 203.0.113.1 (203.0.113.1) 56(84) bytes of data.
64 bytes from 203.0.113.1: icmp_req=1 ttl=64 time=5.40 ms
64 bytes from 203.0.113.1: icmp_req=2 ttl=64 time=1.50 ms
64 bytes from 203.0.113.1: icmp_req=3 ttl=64 time=1.32 ms
64 bytes from 203.0.113.1: icmp_req=4 ttl=64 time=1.67 ms
64 bytes from 203.0.113.1: icmp_req=5 ttl=64 time=1.39 ms

--- 203.0.113.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 1.326/2.259/5.406/1.578 ms

FW-02 >> FW-01 (WAN)

fw-02# ping 198.51.100.2 -c 5
PING 198.51.100.2 (198.51.100.2) 56(84) bytes of data.
64 bytes from 198.51.100.2: icmp_req=1 ttl=63 time=2.68 ms
64 bytes from 198.51.100.2: icmp_req=2 ttl=63 time=3.43 ms
64 bytes from 198.51.100.2: icmp_req=3 ttl=63 time=2.85 ms
64 bytes from 198.51.100.2: icmp_req=4 ttl=63 time=1.87 ms
64 bytes from 198.51.100.2: icmp_req=5 ttl=63 time=1.91 ms

--- 198.51.100.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 1.872/2.550/3.431/0.593 ms


Now that you have verified connectivity between the two firewalls, we are ready to establish our VPN session between them.

We first need to configure the IPSEC VPN ESP / IKE policies that will be used and set the interface that will be used for the VPN connection.
You will configure these settings on both firewalls. It is important to understand that both firewalls must have matching settings.  If they do not, the IPSEC tunnel will not establish.

set vpn ipsec ike-group aes256-sha256 dead-peer-detection action 'restart'
set vpn ipsec ike-group aes256-sha256 dead-peer-detection interval '30'
set vpn ipsec ike-group aes256-sha256 dead-peer-detection timeout '120'
set vpn ipsec ike-group aes256-sha256 ikev2-reauth 'no'
set vpn ipsec ike-group aes256-sha256 key-exchange 'ikev2'
set vpn ipsec ike-group aes256-sha256 lifetime '3600'
set vpn ipsec ike-group aes256-sha256 proposal 1 dh-group '19'
set vpn ipsec ike-group aes256-sha256 proposal 1 encryption 'aes256'
set vpn ipsec ike-group aes256-sha256 proposal 1 hash 'sha256'

set vpn ipsec esp-group aes256-sha256 compression 'disable' 
set vpn ipsec esp-group aes256-sha256 lifetime '28800' 
set vpn ipsec esp-group aes256-sha256 mode 'tunnel' 
set vpn ipsec esp-group aes256-sha256 pfs 'dh-group19' 
set vpn ipsec esp-group aes256-sha256 proposal 1 encryption 'aes256' 
set vpn ipsec esp-group aes256-sha256 proposal 1 hash 'sha256'

set vpn ipsec ipsec-interfaces interface 'eth0'

Next, we need to configure the specific settings associated with each firewall.

On firewall #1 (FW-01), we are going to create a tunnel policy (tunnel 0) that defines the local network and the remote network that we will be talking to.  This will be configured on firewall #2 (FW-02) as well, just with the local and remote assignments reversed.  In this example, I am using a pre-shared-secret key.  You will want to generate a unique key of your own.  These keys must match on each firewall.

Firewall #1 (FW-01) – Tunnel Configuration

set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret '3mqBSixtMiDy4ngWUKt0uScGH9f2vPoy'
set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'aes256-sha256'
set vpn ipsec site-to-site peer 203.0.113.2 local-address '198.51.100.2'
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 esp-group 'aes256-sha256'
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 local prefix '192.168.10.0/24'
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 remote prefix '192.168.20.0/24'

Next, we need to update our firewall policies and NAT policies to allow traffic from the remote network.

set firewall name OUTSIDE-IN rule 20 action 'accept'
set firewall name OUTSIDE-IN rule 20 source address '192.168.20.0/24'

set nat source rule 10 destination address '192.168.20.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '192.168.10.0/24'


We are now ready to configure firewall #2 (FW-02) tunnel settings.  You will notice that the network assignments are exactly opposite of firewall #1 settings.

Firewall #2 (FW-02) – Tunnel Configuration

set vpn ipsec site-to-site peer 198.51.100.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 198.51.100.2 authentication pre-shared-secret '3mqBSixtMiDy4ngWUKt0uScGH9f2vPoy'
set vpn ipsec site-to-site peer 198.51.100.2 ike-group 'aes256-sha256'
set vpn ipsec site-to-site peer 198.51.100.2 local-address '203.0.113.2'
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 0 esp-group 'aes256-sha256'
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 0 local prefix '192.168.20.0/24'
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 0 remote prefix '192.168.10.0/24'

Next, we need to update our firewall policies and NAT policies to allow traffic from the remote network.

set firewall name OUTSIDE-IN rule 20 action 'accept'
set firewall name OUTSIDE-IN rule 20 source address '192.168.10.0/24'

set nat source rule 10 destination address '192.168.10.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '192.168.20.0/24'
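Because both sides must mirror each other exactly, here is an added Python check (not from the article or from VyOS) that parses the set lines of both firewalls and verifies the peer/local-address pairing, the tunnel 0 prefixes, the pre-shared secret, the contents of the referenced ike-group and esp-group, and that the NAT exclude rule sorts before the masquerade rule. The configuration excerpts and the PSK value are constructed for the example.

```python
import shlex

# Constructed excerpts of the article's two tunnel configurations; the PSK is a placeholder.
GROUPS = """
set vpn ipsec ike-group aes256-sha256 key-exchange 'ikev2'
set vpn ipsec ike-group aes256-sha256 proposal 1 hash 'sha256'
set vpn ipsec esp-group aes256-sha256 proposal 1 hash 'sha256'
"""
FW01 = GROUPS + """
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'PSK-PLACEHOLDER'
set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'aes256-sha256'
set vpn ipsec site-to-site peer 203.0.113.2 local-address '198.51.100.2'
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 esp-group 'aes256-sha256'
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 local prefix '192.168.10.0/24'
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 remote prefix '192.168.20.0/24'
set nat source rule 10 destination address '192.168.20.0/24'
set nat source rule 10 'exclude'
set nat source rule 100 translation address 'masquerade'
"""
FW02 = GROUPS + """
set vpn ipsec site-to-site peer 198.51.100.2 authentication pre-shared-secret 'PSK-PLACEHOLDER'
set vpn ipsec site-to-site peer 198.51.100.2 ike-group 'aes256-sha256'
set vpn ipsec site-to-site peer 198.51.100.2 local-address '203.0.113.2'
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 0 esp-group 'aes256-sha256'
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 0 local prefix '192.168.20.0/24'
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 0 remote prefix '192.168.10.0/24'
set nat source rule 10 destination address '192.168.10.0/24'
set nat source rule 10 'exclude'
set nat source rule 100 translation address 'masquerade'
"""
PEER = ("vpn", "ipsec", "site-to-site", "peer")

def parse_set_lines(text):
    # Every 'set ...' line becomes a path tuple; a leaf value is simply its last token.
    return {tuple(shlex.split(l)[1:]) for l in text.splitlines() if l.startswith("set ")}

def children(cfg, prefix):
    # Tokens that directly follow `prefix` in any configured path.
    n = len(prefix)
    return {p[n] for p in cfg if len(p) > n and p[:n] == prefix}

def one(cfg, prefix):
    # The single child of `prefix`, or None when it is absent or ambiguous.
    kids = children(cfg, prefix)
    return kids.pop() if len(kids) == 1 else None

def subtree(cfg, prefix):
    # Path suffixes under `prefix`, so two named groups are compared by content.
    return {p[len(prefix):] for p in cfg if p[:len(prefix)] == prefix}

def check_site_to_site(text_a, text_b):
    """Return mismatches between two mirrored peer configs; an empty list means consistent."""
    a, b = parse_set_lines(text_a), parse_set_lines(text_b)
    pa, pb = PEER + (one(a, PEER),), PEER + (one(b, PEER),)
    problems = []
    for side, cfg, p, ocfg, op in (("FW-A", a, pa, b, pb), ("FW-B", b, pb, a, pa)):
        # The peer address on one side must be the local-address on the other.
        if p[-1] != one(ocfg, op + ("local-address",)):
            problems.append(f"{side}: peer {p[-1]} is not the other side's local-address")
        lp = one(cfg, p + ("tunnel", "0", "local", "prefix"))
        rp = one(ocfg, op + ("tunnel", "0", "remote", "prefix"))
        if lp is None or lp != rp:
            problems.append(f"{side}: local prefix {lp} != other side's remote prefix {rp}")
        # A NAT exclude rule for the remote prefix must sort before the masquerade rule.
        remote = one(cfg, p + ("tunnel", "0", "remote", "prefix"))
        nat, rules = ("nat", "source", "rule"), children(cfg, ("nat", "source", "rule"))
        excl = [int(r) for r in rules if nat + (r, "exclude") in cfg
                and one(cfg, nat + (r, "destination", "address")) == remote]
        masq = [int(r) for r in rules if one(cfg, nat + (r, "translation", "address")) == "masquerade"]
        if not excl or (masq and min(excl) > min(masq)):
            problems.append(f"{side}: no NAT exclude rule for {remote} ahead of masquerade")
    psk = ("authentication", "pre-shared-secret")
    if one(a, pa + psk) != one(b, pb + psk):
        problems.append("pre-shared-secret differs")
    # IKE and ESP groups may carry different names on each side; their contents must match.
    for kind, where in (("ike-group", ()), ("esp-group", ("tunnel", "0"))):
        ga, gb = one(a, pa + where + (kind,)), one(b, pb + where + (kind,))
        if None in (ga, gb) or subtree(a, ("vpn", "ipsec", kind, ga)) != subtree(b, ("vpn", "ipsec", kind, gb)):
            problems.append(f"{kind} settings differ ({ga} vs {gb})")
    return problems
```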


We are now ready to test connectivity from our VPC workstations to the Internet.

pc-01> ping 192.168.10.1

84 bytes from 192.168.10.1 icmp_seq=1 ttl=64 time=0.612 ms
84 bytes from 192.168.10.1 icmp_seq=2 ttl=64 time=0.447 ms
84 bytes from 192.168.10.1 icmp_seq=3 ttl=64 time=0.592 ms
84 bytes from 192.168.10.1 icmp_seq=4 ttl=64 time=0.509 ms
84 bytes from 192.168.10.1 icmp_seq=5 ttl=64 time=0.449 ms

pc-01> ping 198.51.100.1

84 bytes from 198.51.100.1 icmp_seq=1 ttl=63 time=1.781 ms
84 bytes from 198.51.100.1 icmp_seq=2 ttl=63 time=1.526 ms
84 bytes from 198.51.100.1 icmp_seq=3 ttl=63 time=1.010 ms
84 bytes from 198.51.100.1 icmp_seq=4 ttl=63 time=1.015 ms
84 bytes from 198.51.100.1 icmp_seq=5 ttl=63 time=0.997 ms

pc-01> ping 203.0.113.1

84 bytes from 203.0.113.1 icmp_seq=1 ttl=63 time=1.492 ms
84 bytes from 203.0.113.1 icmp_seq=2 ttl=63 time=0.918 ms
84 bytes from 203.0.113.1 icmp_seq=3 ttl=63 time=0.835 ms
84 bytes from 203.0.113.1 icmp_seq=4 ttl=63 time=1.088 ms
84 bytes from 203.0.113.1 icmp_seq=5 ttl=63 time=1.018 ms

pc-01> ping 203.0.113.2

84 bytes from 203.0.113.2 icmp_seq=1 ttl=62 time=2.013 ms
84 bytes from 203.0.113.2 icmp_seq=2 ttl=62 time=1.838 ms
84 bytes from 203.0.113.2 icmp_seq=3 ttl=62 time=1.485 ms
84 bytes from 203.0.113.2 icmp_seq=4 ttl=62 time=1.398 ms
84 bytes from 203.0.113.2 icmp_seq=5 ttl=62 time=1.607 ms

pc-02> ping 192.168.20.1

84 bytes from 192.168.20.1 icmp_seq=1 ttl=64 time=0.811 ms
84 bytes from 192.168.20.1 icmp_seq=2 ttl=64 time=0.636 ms
84 bytes from 192.168.20.1 icmp_seq=3 ttl=64 time=0.437 ms
84 bytes from 192.168.20.1 icmp_seq=4 ttl=64 time=0.569 ms
84 bytes from 192.168.20.1 icmp_seq=5 ttl=64 time=0.489 ms

pc-02> ping 203.0.113.1

84 bytes from 203.0.113.1 icmp_seq=1 ttl=63 time=1.382 ms
84 bytes from 203.0.113.1 icmp_seq=2 ttl=63 time=1.191 ms
84 bytes from 203.0.113.1 icmp_seq=3 ttl=63 time=0.889 ms
84 bytes from 203.0.113.1 icmp_seq=4 ttl=63 time=0.964 ms
84 bytes from 203.0.113.1 icmp_seq=5 ttl=63 time=1.184 ms

pc-02> ping 198.51.100.1

84 bytes from 198.51.100.1 icmp_seq=1 ttl=63 time=1.447 ms
84 bytes from 198.51.100.1 icmp_seq=2 ttl=63 time=0.961 ms
84 bytes from 198.51.100.1 icmp_seq=3 ttl=63 time=0.836 ms
84 bytes from 198.51.100.1 icmp_seq=4 ttl=63 time=0.814 ms
84 bytes from 198.51.100.1 icmp_seq=5 ttl=63 time=1.087 ms

pc-02> ping 198.51.100.2

84 bytes from 198.51.100.2 icmp_seq=1 ttl=62 time=2.122 ms
84 bytes from 198.51.100.2 icmp_seq=2 ttl=62 time=1.748 ms
84 bytes from 198.51.100.2 icmp_seq=3 ttl=62 time=1.326 ms
84 bytes from 198.51.100.2 icmp_seq=4 ttl=62 time=1.456 ms
84 bytes from 198.51.100.2 icmp_seq=5 ttl=62 time=1.442 ms


The VPN tunnel should establish automatically; let's try to PING each workstation from the remote side.

pc-01> ping 192.168.20.25

84 bytes from 192.168.20.25 icmp_seq=1 ttl=62 time=2.213 ms
84 bytes from 192.168.20.25 icmp_seq=2 ttl=62 time=2.144 ms
84 bytes from 192.168.20.25 icmp_seq=3 ttl=62 time=1.883 ms
84 bytes from 192.168.20.25 icmp_seq=4 ttl=62 time=1.672 ms
84 bytes from 192.168.20.25 icmp_seq=5 ttl=62 time=1.684 ms



pc-02> ping 192.168.10.25

84 bytes from 192.168.10.25 icmp_seq=1 ttl=62 time=2.493 ms
84 bytes from 192.168.10.25 icmp_seq=2 ttl=62 time=2.039 ms
84 bytes from 192.168.10.25 icmp_seq=3 ttl=62 time=1.790 ms
84 bytes from 192.168.10.25 icmp_seq=4 ttl=62 time=2.347 ms
84 bytes from 192.168.10.25 icmp_seq=5 ttl=62 time=1.902 ms

Excellent!  We have a secure IPSEC VPN session between the two sites.


VPN Troubleshooting

If your VPN session does not establish, you can troubleshoot the session using the VyOS tools shown below. Compare the negotiated encryption and hash in the show vpn ipsec sa output with the ike-group and esp-group you configured, and note that the log excerpt shows Main Mode and Quick Mode exchanges, which are IKEv1 phases: with key-exchange 'ikev2' configured, confirm from the log which IKE version the peers actually negotiated.

fw-01# run show vpn ipsec status
IPSec Process Running PID: 2804

1 Active IPsec Tunnels

IPsec Interfaces :
        eth0    (198.51.100.2)


fw-01# run show vpn ipsec sa   
Peer ID / IP                            Local ID / IP               
------------                            -------------
203.0.113.2                             198.51.100.2                           

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    0       up     2.2K/1.4K      aes256   sha256  no     1712    28800   all


fw-01# run show vpn ipsec state 
src 198.51.100.2 dst 203.0.113.2
        proto esp spi 0xce3be02c reqid 16384 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0x5fb337ea982be8dc36e9561cc10f4a71ae156a160ed296ceab1557b9d8479a5d 128
        enc cbc(aes) 0xd54016cf7581932123424014e7d76e6003c6e613f4ede9341ef048070de5da3f
src 203.0.113.2 dst 198.51.100.2
        proto esp spi 0xc977fcb1 reqid 16384 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0xa8a01d1f9f3f742da04d8bdf80d38939171a52e767dfcfb069e91ea6980eff50 128
        enc cbc(aes) 0x52e7c92791a3261ece75648526b811289c96eabb9343e68c8efa696aaaabeabf
src 198.51.100.2 dst 203.0.113.2
        proto esp spi 0xc47590eb reqid 16384 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0x5b4fb2aaffc1a6688f1d1b7e751a086268e33374561eb6d3509420ca95c656b9 128
        enc cbc(aes) 0xdb71ad1f7ff446f54c5fe1000a18a85b503789182e833efe0ef08de9f00334ce
src 203.0.113.2 dst 198.51.100.2
        proto esp spi 0xcace3deb reqid 16384 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0x1b8e3a3bc76f539c11bc36d2683e3b06bcae029cf388de05246bc7eb7e2cca6f 128
        enc cbc(aes) 0x569dd618d7e8f21fe54339045575c7f30f04631bb41db15b68dc8bda73eaa956



fw-01# run show vpn ipsec policy 
src 192.168.10.0/24 dst 192.168.20.0/24 
        dir out priority 1859 ptype main 
        tmpl src 198.51.100.2 dst 203.0.113.2
                proto esp reqid 16384 mode tunnel
src 192.168.20.0/24 dst 192.168.10.0/24 
        dir fwd priority 1859 ptype main 
        tmpl src 203.0.113.2 dst 198.51.100.2
                proto esp reqid 16384 mode tunnel
src 192.168.20.0/24 dst 192.168.10.0/24 
        dir in priority 1859 ptype main 
        tmpl src 203.0.113.2 dst 198.51.100.2
                proto esp reqid 16384 mode tunnel



fw-01# run show log vpn ipsec
...
Apr 19 01:50:54 fw-01 pluto[2804]: "peer-203.0.113.2-tunnel-0" #10: responding to Main Mode
Apr 19 01:50:54 fw-01 pluto[2804]: "peer-203.0.113.2-tunnel-0" #10: Peer ID is ID_IPV4_ADDR: '203.0.113.2'
Apr 19 01:50:54 fw-01 pluto[2804]: "peer-203.0.113.2-tunnel-0" #10: sent MR3, ISAKMP SA established
Apr 19 01:50:54 fw-01 pluto[2804]: "peer-203.0.113.2-tunnel-0" #11: responding to Quick Mode
Apr 19 01:50:54 fw-01 pluto[2804]: "peer-203.0.113.2-tunnel-0" #11: Dead Peer Detection (RFC 3706) enabled
Apr 19 01:50:54 fw-01 pluto[2804]: "peer-203.0.113.2-tunnel-0" #11: IPsec SA established {ESP=>0xc47590eb <0xcace3deb}
Apr 19 01:51:24 fw-01 pluto[2804]: "peer-203.0.113.2-tunnel-0" #9: received Vendor ID payload [strongSwan]
Apr 19 01:51:24 fw-01 pluto[2804]: "peer-203.0.113.2-tunnel-0" #9: ignoring Vendor ID payload [Cisco-Unity]
Apr 19 01:51:24 fw-01 pluto[2804]: "peer-203.0.113.2-tunnel-0" #9: received Vendor ID payload [XAUTH]
Apr 19 01:51:24 fw-01 pluto[2804]: "peer-203.0.113.2-tunnel-0" #9: received Vendor ID payload [Dead Peer Detection]
Apr 19 01:51:24 fw-01 pluto[2804]: "peer-203.0.113.2-tunnel-0" #9: Peer ID is ID_IPV4_ADDR: '203.0.113.2'
Apr 19 01:51:24 fw-01 pluto[2804]: "peer-203.0.113.2-tunnel-0" #9: ISAKMP SA established
Apr 19 01:51:24 fw-01 pluto[2804]: "peer-203.0.113.2-tunnel-0" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#9}
Apr 19 01:51:24 fw-01 pluto[2804]: "peer-203.0.113.2-tunnel-0" #12: Dead Peer Detection (RFC 3706) enabled
Apr 19 01:51:24 fw-01 pluto[2804]: "peer-203.0.113.2-tunnel-0" #12: sent QI2, IPsec SA established {ESP=>0xce3be02c <0xc977fcb1}
...
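As an added example (not part of the article), this Python snippet parses the show vpn ipsec sa table shown above and flags any tunnel that is not up, or that negotiated algorithms other than the configured AES256/SHA256. The sample output is constructed, with a second made-up peer added to exercise both checks.

```python
import re

# Constructed sample in the format of the article's `show vpn ipsec sa` output, extended
# with a second (made-up) peer whose tunnels are weaker than policy or not established.
SAMPLE_SA = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
203.0.113.2                             198.51.100.2

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    0       up     2.2K/1.4K      aes256   sha256  no     1712    28800   all

203.0.113.77                            198.51.100.2

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    0       up     0.0K/0.0K      aes128   sha1    no     12      28800   all
    1       down   n/a            n/a      n/a     no     n/a     n/a     all
"""
# A peer block starts with a line carrying the peer IP and the local IP.
PEER_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$")
# A tunnel row is an indented line with exactly nine columns, starting with the tunnel number.
ROW_RE = re.compile(r"^\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_ipsec_sa(text):
    """Return one dict per tunnel row, tagged with the peer block it appears under."""
    tunnels, peer = [], None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            peer = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m and peer:
            tunnel, state, _, enc, hsh, natt = m.groups()[:6]
            tunnels.append({"peer": peer, "tunnel": int(tunnel), "state": state,
                            "encrypt": enc, "hash": hsh, "nat_t": natt})
    return tunnels

def audit_sa(text, expect_enc="aes256", expect_hash="sha256"):
    """Flag tunnels that are not up, or that are up with algorithms other than the policy."""
    problems = []
    for t in parse_ipsec_sa(text):
        tag = f"peer {t['peer']} tunnel {t['tunnel']}"
        if t["state"] != "up":
            problems.append(f"{tag}: state is {t['state']}")
        elif (t["encrypt"], t["hash"]) != (expect_enc, expect_hash):
            problems.append(f"{tag}: negotiated {t['encrypt']}/{t['hash']}, policy is {expect_enc}/{expect_hash}")
    return problems
```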


Download the EVE-NG Pre-Built Lab Environment

VyOS - IPSEC VPN Lab
MD5 Hash: d25b7f9babfa7029ea2d8219a6ddc4b0
SHA1 Hash: b4c3348362a6d8bfb5ad48c2d99bc7da2c9428fc


Copyright © 2020 | Datai.Net | All Rights Reserved