Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save rkhozinov/3866ae3c44456b305fb9f33935853dd7 to your computer and use it in GitHub Desktop.
Save rkhozinov/3866ae3c44456b305fb9f33935853dd7 to your computer and use it in GitHub Desktop.
Vyos sample site-to-site vpn configuration
# Virtual Tunnel Interface
# 172.196.17.188 - 172.196.17.191
set interfaces vti vti0 address 172.196.17.190/30
set interfaces vti vti0 description 'Virtual tunnel interface for VPN tunnel'
# Phase 2
set vpn ipsec esp-group ESP-Default compression 'disable'
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default mode 'tunnel'
set vpn ipsec esp-group ESP-Default pfs 'dh-group16'
set vpn ipsec esp-group ESP-Default proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha256'
# Phase 1
set vpn ipsec ike-group IKE-Default dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-Default dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-Default dead-peer-detection timeout '90'
set vpn ipsec ike-group IKE-Default ikev2-reauth 'no'
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec ike-group IKE-Default lifetime '86400'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '16'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'
# Here you can of course set up your own interface which is used for VPN
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec logging log-modes 'all'
# Setup the site-2-site config
set vpn ipsec site-to-site peer <remote-wan-ip> authentication id '<local-wan-ip>'
set vpn ipsec site-to-site peer <remote-wan-ip> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <remote-wan-ip> authentication pre-shared-secret 'some-super-uber-secret-password'
set vpn ipsec site-to-site peer <remote-wan-ip> connection-type 'initiate'
set vpn ipsec site-to-site peer <remote-wan-ip> default-esp-group 'ESP-Default'
set vpn ipsec site-to-site peer <remote-wan-ip> ike-group 'IKE-Default'
set vpn ipsec site-to-site peer <remote-wan-ip> ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer <remote-wan-ip> local-address '<local-wan-ip>'
# Make use of our VTI interface
set vpn ipsec site-to-site peer <remote-wan-ip> vti bind vti0
set vpn ipsec site-to-site peer <remote-wan-ip> vti esp-group ESP-Default
# Set up OSPF routing - instead of static routing
# This can vary depending on your network topology - so review if this is applicable
set protocols ospf parameters router-id <remote-wan-ip>
set protocols ospf area 0.0.0.0 network 40.0.0.0/30
set protocols ospf area 0.0.0.0 network 192.168.1.0/24
set protocols ospf area 0.0.0.0 network 192.168.2.0/24
set interfaces vti vti0 ip ospf network point-to-point
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment