Hello!
I have tested VyOS's Site-to-Site VPN.
It really has amazing performance and a logical configuration construct!!!
I assigned 2 vCPU, 2 GB vRAM and 2 GB vDISK for encryption performance.
But it required very few resources compared to other appliance-type UTM (Router+VPN+Firewall) devices.
I'm going to attach the tested configuration below.
Good luck!
[[SITE-A]]
set vpn ipsec esp-group ESP lifetime 28800
set vpn ipsec esp-group ESP mode tunnel
set vpn ipsec esp-group ESP pfs dh-group5
set vpn ipsec esp-group ESP proposal 1 encryption 3des
set vpn ipsec esp-group ESP proposal 1 hash sha1
set vpn ipsec ike-group IKE lifetime 86400
set vpn ipsec ike-group IKE proposal 1 dh-group 2
set vpn ipsec ike-group IKE proposal 1 encryption 3des
set vpn ipsec ike-group IKE proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer ##SITE-B OUTSIDE IP ADDRESS## authentication mode pre-shared-secret
set vpn ipsec site-to-site peer ##SITE-B OUTSIDE IP ADDRESS## authentication pre-shared-secret ##PASSWORD##
set vpn ipsec site-to-site peer ##SITE-B OUTSIDE IP ADDRESS## default-esp-group ESP
set vpn ipsec site-to-site peer ##SITE-B OUTSIDE IP ADDRESS## ike-group IKE
set vpn ipsec site-to-site peer ##SITE-B OUTSIDE IP ADDRESS## local-address ##SITE-A OUTSIDE IP ADDRESS##
set vpn ipsec site-to-site peer ##SITE-B OUTSIDE IP ADDRESS## connection-type initiate
set vpn ipsec site-to-site peer ##SITE-B OUTSIDE IP ADDRESS## tunnel 1 esp-group ESP
set vpn ipsec site-to-site peer ##SITE-B OUTSIDE IP ADDRESS## tunnel 1 local prefix ##SITE-A INSIDE IP ADDRESS/PREFIX##
set vpn ipsec site-to-site peer ##SITE-B OUTSIDE IP ADDRESS## tunnel 1 remote prefix ##SITE-B INSIDE IP ADDRESS/PREFIX##
set nat source rule 10 description "NAT Exclude address over IPSEC VPN"
set nat source rule 10 destination address ##SITE-B INSIDE IP ADDRESS/PREFIX##
set nat source rule 10 exclude
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address ##SITE-A INSIDE IP ADDRESS/PREFIX##
commit
========================================================================================
[[SITE-B]]
set vpn ipsec esp-group ESP lifetime 28800
set vpn ipsec esp-group ESP mode tunnel
set vpn ipsec esp-group ESP pfs dh-group5
set vpn ipsec esp-group ESP proposal 1 encryption 3des
set vpn ipsec esp-group ESP proposal 1 hash sha1
set vpn ipsec ike-group IKE lifetime 86400
set vpn ipsec ike-group IKE proposal 1 dh-group 2
set vpn ipsec ike-group IKE proposal 1 encryption 3des
set vpn ipsec ike-group IKE proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer ##SITE-A OUTSIDE IP ADDRESS## authentication mode pre-shared-secret
set vpn ipsec site-to-site peer ##SITE-A OUTSIDE IP ADDRESS## authentication pre-shared-secret ##PASSWORD##
set vpn ipsec site-to-site peer ##SITE-A OUTSIDE IP ADDRESS## default-esp-group ESP
set vpn ipsec site-to-site peer ##SITE-A OUTSIDE IP ADDRESS## ike-group IKE
set vpn ipsec site-to-site peer ##SITE-A OUTSIDE IP ADDRESS## local-address ##SITE-B OUTSIDE IP ADDRESS##
set vpn ipsec site-to-site peer ##SITE-A OUTSIDE IP ADDRESS## connection-type initiate
set vpn ipsec site-to-site peer ##SITE-A OUTSIDE IP ADDRESS## tunnel 1 esp-group ESP
set vpn ipsec site-to-site peer ##SITE-A OUTSIDE IP ADDRESS## tunnel 1 local prefix ##SITE-B INSIDE IP ADDRESS/PREFIX##
set vpn ipsec site-to-site peer ##SITE-A OUTSIDE IP ADDRESS## tunnel 1 remote prefix ##SITE-A INSIDE IP ADDRESS/PREFIX##
set nat source rule 10 description "NAT Exclude address over IPSEC VPN"
set nat source rule 10 destination address ##SITE-A INSIDE IP ADDRESS/PREFIX##
set nat source rule 10 exclude
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address ##SITE-B INSIDE IP ADDRESS/PREFIX##
commit
========================================================================================
[[Firewall - Each Router]]
set firewall name OUTSIDE-IN default-action drop
set firewall name OUTSIDE-IN rule 10 action accept
set firewall name OUTSIDE-IN rule 10 state established enable
set firewall name OUTSIDE-IN rule 10 state related enable
set firewall name OUTSIDE-IN rule 40 description "Allow address from IPSEC VPN"
set firewall name OUTSIDE-IN rule 40 action accept
set firewall name OUTSIDE-IN rule 40 destination address ##OWN INSIDE IP ADDRESS/PREFIX##
set firewall name OUTSIDE-IN rule 40 source address ##OTHER INSIDE IP ADDRESS/PREFIX##
set firewall name OUTSIDE-LOCAL default-action drop
set firewall name OUTSIDE-LOCAL rule 10 action accept
set firewall name OUTSIDE-LOCAL rule 10 state established enable
set firewall name OUTSIDE-LOCAL rule 10 state related enable
set firewall name OUTSIDE-LOCAL rule 20 description "Allow ICMP"
set firewall name OUTSIDE-LOCAL rule 20 action accept
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name echo-request
set firewall name OUTSIDE-LOCAL rule 20 protocol icmp
set firewall name OUTSIDE-LOCAL rule 20 state new enable
set firewall name OUTSIDE-LOCAL rule 31 description "Allow SSH"
set firewall name OUTSIDE-LOCAL rule 31 action accept
set firewall name OUTSIDE-LOCAL rule 31 destination port 22
set firewall name OUTSIDE-LOCAL rule 31 protocol tcp
set firewall name OUTSIDE-LOCAL rule 31 state new enable
set firewall name OUTSIDE-LOCAL rule 40 description "Allow ESP"
set firewall name OUTSIDE-LOCAL rule 40 action accept
set firewall name OUTSIDE-LOCAL rule 40 protocol esp
set firewall name OUTSIDE-LOCAL rule 41 description "Allow IKE"
set firewall name OUTSIDE-LOCAL rule 41 action accept
set firewall name OUTSIDE-LOCAL rule 41 destination port 500
set firewall name OUTSIDE-LOCAL rule 41 protocol udp
set firewall name OUTSIDE-LOCAL rule 42 description "Allow NAT-T"
set firewall name OUTSIDE-LOCAL rule 42 action accept
set firewall name OUTSIDE-LOCAL rule 42 destination port 4500
set firewall name OUTSIDE-LOCAL rule 42 protocol udp
set firewall name OUTSIDE-LOCAL rule 43 description "Allow IPSEC UDP"
set firewall name OUTSIDE-LOCAL rule 43 action accept
set firewall name OUTSIDE-LOCAL rule 43 destination port 1701
set firewall name OUTSIDE-LOCAL rule 43 ipsec match-ipsec
set firewall name OUTSIDE-LOCAL rule 43 protocol udp
set interfaces ethernet eth0 firewall in name OUTSIDE-IN
set interfaces ethernet eth0 firewall local name OUTSIDE-LOCAL
commit
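As an added check (not part of the original post and not VyOS code), this Python script parses a VyOS `set` listing like the one above and flags three things a reviewer would look for: proposals using algorithms now considered weak (3DES, SHA-1, DH groups 1/2/5), a remote prefix with no matching source-NAT exclude rule, and a local firewall chain that does not accept IKE (udp/500), NAT-T (udp/4500) or ESP. The sample lines are the post's SITE-A commands with constructed example addresses in place of the ## placeholders.

```python
# Constructed sample: the SITE-A lines from the post that the audit inspects,
# with the ## placeholders replaced by RFC 5737 / RFC 1918 example addresses.
SITE_A = """
set vpn ipsec esp-group ESP pfs dh-group5
set vpn ipsec esp-group ESP proposal 1 encryption 3des
set vpn ipsec esp-group ESP proposal 1 hash sha1
set vpn ipsec ike-group IKE proposal 1 dh-group 2
set vpn ipsec ike-group IKE proposal 1 encryption 3des
set vpn ipsec ike-group IKE proposal 1 hash sha1
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 remote prefix 10.2.0.0/24
set nat source rule 10 destination address 10.2.0.0/24
set nat source rule 10 exclude
set firewall name OUTSIDE-LOCAL rule 40 protocol esp
set firewall name OUTSIDE-LOCAL rule 41 destination port 500
set firewall name OUTSIDE-LOCAL rule 41 protocol udp
set firewall name OUTSIDE-LOCAL rule 42 destination port 4500
set firewall name OUTSIDE-LOCAL rule 42 protocol udp
"""

# Still accepted by VyOS, but not what a new tunnel should negotiate.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha1"},
        "dh-group": {"1", "2", "5"}, "pfs": {"dh-group1", "dh-group2", "dh-group5"}}


def audit(config):
    """Return review findings for a VyOS 'set' command listing (empty = clean)."""
    findings, fw_rules, nat_rules, remote_prefixes = [], {}, {}, set()
    for line in config.strip().splitlines():
        w = line.split()
        if w[:3] == ["set", "vpn", "ipsec"] and w[-2] in WEAK and w[-1] in WEAK[w[-2]]:
            findings.append(f"weak {w[-2]} {w[-1]} in {w[3]} {w[4]}")
        if w[-3:-1] == ["remote", "prefix"]:
            remote_prefixes.add(w[-1])
        if w[:2] == ["set", "nat"]:  # key is the attribute path, e.g. "destination address"
            nat_rules.setdefault(w[4], {})[" ".join(w[5:-1]) or w[-1]] = w[-1]
        if w[:3] == ["set", "firewall", "name"]:
            fw_rules.setdefault((w[3], w[5]), {})[" ".join(w[6:-1])] = w[-1]
    # Traffic to each remote prefix must bypass source NAT, or the tunnel selectors never match.
    for prefix in sorted(remote_prefixes):
        if not any("exclude" in r and r.get("destination address") == prefix
                   for r in nat_rules.values()):
            findings.append(f"no NAT exclude for remote prefix {prefix}")
    # IKE (udp/500), NAT-T (udp/4500) and ESP must be accepted by the local chain.
    for proto, port in [("udp", "500"), ("udp", "4500"), ("esp", None)]:
        if not any(r.get("protocol") == proto and r.get("destination port") == port
                   for r in fw_rules.values()):
            findings.append(f"local firewall does not accept {proto}/{port or '-'}")
    return findings
```

Running `audit(SITE_A)` on the post's proposals reports six weak-algorithm findings and nothing else; substituting `aes256`, `sha256` and `dh-group 14` / `pfs dh-group14` (all valid VyOS values) clears them.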
VyOS IPSec VPN.txt
VyOS Site-A Configuration Example.txt
VyOS Site-B Configuration Example.txt