vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-10-26 01:31:44 +02:00
Code Issues Packages Projects Releases Wiki Activity

Added IPSec blueprints with Cisco and PA (#1667)

Browse Source 
Added blueprint Policy-based Site-to-Site IPsec VPN with Cisco IOS.
Added blueprint Route-based Site-to-Site IPsec VPN with Cisco IOS.
Added blueprint Route-based Site-to-Site IPsec VPN with Palo Alto.
This commit is contained in:
aapostoliuk 2025-08-12 17:45:43 +03:00 committed by GitHub
parent 723f4fd402
commit ddceec6cf5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
14 changed files with 1183 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
docs/_static/images/PA-ESP-group.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
docs/_static/images/PA-IKE-GW-1.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
docs/_static/images/PA-IKE-GW-2.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 19 KiB

BIN
docs/_static/images/PA-IKE-group.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

BIN
docs/_static/images/PA-IPsec-tunnel.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

BIN
docs/_static/images/PA-tunnel-1.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
docs/_static/images/PA-tunnel-2.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
docs/_static/images/PA-tunnel-3.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

BIN
docs/_static/images/cisco-vpn-ipsec.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

BIN
docs/_static/images/ipsec-vyos-pa.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 60 KiB

3
docs/configexamples/index.rst
View File

@ -22,6 +22,9 @@ This chapter contains various configuration examples:
qos
segment-routing-isis
nmp
ipsec-cisco-policy-based
ipsec-cisco-route-based
ipsec-pa-route-based
Configuration Blueprints (autotest)

355
docs/configexamples/ipsec-cisco-policy-based.rst Normal file
View File

@ -0,0 +1,355 @@
:lastproofread: 2025-06-26
.. _examples-ipsec-cisco-policy-based:
##########################################################
Policy-based Site-to-Site VPN IPsec between VyOS and Cisco
##########################################################
This document is to describe a basic setup using policy-based
site-to-site VPN IPsec. In this example we use VyOS 1.5 and
Cisco IOS. Cisco initiates IPsec connection only if interesting
traffic present. For stable work we recommend configuring an
initiator role on VyOS side.
Network Topology
================
.. image:: /_static/images/cisco-vpn-ipsec.png
:align: center
:alt: Network Topology Diagram
Prerequirements
===============
**VyOS:**
+---------+----------------+
| WAN IP | 10.0.1.2/30 |
+---------+----------------+
| LAN1 IP | 192.168.0.1/24 |
+---------+----------------+
| LAN2 IP | 192.168.1.1/24 |
+---------+----------------+
**Cisco:**
+---------+-----------------+
| WAN IP | 10.0.2.2/30 |
+---------+-----------------+
| LAN1 IP | 192.168.10.1/24 |
+---------+-----------------+
| LAN2 IP | 192.168.11.1/24 |
+---------+-----------------+
**IKE parameters:**
+-------------------+---------+
| Encryption | AES-256 |
+-------------------+---------+
| HASH | SHA-1 |
+-------------------+---------+
| Diff-Helman Group | 14 |
+-------------------+---------+
| Life-Time | 28800 |
+-------------------+---------+
| IKE Version | 2 |
+-------------------+---------+
**IPsec parameters:**
+------------+---------+
| Encryption | AES-256 |
+------------+---------+
| HASH | SHA-256 |
+------------+---------+
| Life-Time | 3600 |
+------------+---------+
| PFS | disable |
+------------+---------+
**Traffic Selectors**
192.168.0.0/24 <==> 192.168.10.0/24
192.168.1.0/24 <==> 192.168.11.0/24
**Hosts configuration**
+--------+--------------+
| PC1 IP | 192.168.0.2 |
+--------+--------------+
| PC2 IP | 192.168.1.2 |
+--------+--------------+
| PC3 IP | 192.168.10.2 |
+--------+--------------+
| PC4 IP | 192.168.11.2 |
+--------+--------------+
Configuration
=============
.. note:: Pfs is disabled in Cisco by default.
VyOS
----
.. code-block:: none
set interfaces ethernet eth0 address '10.0.1.2/30'
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth2 address '192.168.1.1/24'
set protocols static route 0.0.0.0/0 next-hop 10.0.1.1
set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
set vpn ipsec authentication psk AUTH-PSK secret 'dGVzdA=='
set vpn ipsec authentication psk AUTH-PSK secret-type 'base64'
set vpn ipsec esp-group ESP-GROUP lifetime '3600'
set vpn ipsec esp-group ESP-GROUP pfs 'disable'
set vpn ipsec esp-group ESP-GROUP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-GROUP proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE-GROUP close-action 'start'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '10'
set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GROUP lifetime '28800'
set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
set vpn ipsec site-to-site peer CISCO authentication local-id '10.0.1.2'
set vpn ipsec site-to-site peer CISCO authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer CISCO authentication remote-id '10.0.2.2'
set vpn ipsec site-to-site peer CISCO connection-type 'initiate'
set vpn ipsec site-to-site peer CISCO default-esp-group 'ESP-GROUP'
set vpn ipsec site-to-site peer CISCO ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer CISCO local-address '10.0.1.2'
set vpn ipsec site-to-site peer CISCO remote-address '10.0.2.2'
set vpn ipsec site-to-site peer CISCO tunnel 1 local prefix '192.168.0.0/24'
set vpn ipsec site-to-site peer CISCO tunnel 1 remote prefix '192.168.10.0/24'
set vpn ipsec site-to-site peer CISCO tunnel 2 local prefix '192.168.1.0/24'
set vpn ipsec site-to-site peer CISCO tunnel 2 remote prefix '192.168.11.0/24'
Cisco
-----
.. code-block:: none
crypto ikev2 proposal aes-cbc-256-proposal
encryption aes-cbc-256
integrity sha1
group 14
!
crypto ikev2 policy policy1
match address local 10.0.2.2
proposal aes-cbc-256-proposal
!
crypto ikev2 keyring keys
peer VyOS
address 10.0.1.2
pre-shared-key local test
pre-shared-key remote test
!
crypto ikev2 profile IKEv2-profile
match identity remote address 10.0.1.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local keys
lifetime 28800
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto map IPSEC-map 10 ipsec-isakmp
set peer 10.0.1.2
set security-association lifetime seconds 3600
set transform-set TS
set ikev2-profile IKEv2-profile
match address cryptoacl
!
interface GigabitEthernet0/0
ip address 10.0.2.2 255.255.255.252
crypto map IPSEC-map
!
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/2
ip address 192.168.11.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.2.1
!
ip access-list extended cryptoacl
permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
Monitoring
==========
Monitoring on VyOS side
-----------------------
IKE SAs:
.. code-block:: none
vyos@vyos:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
10.0.2.2 10.0.2.2 10.0.1.2 10.0.1.2
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv2 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 304 26528
IPsec SAs:
.. code-block:: none
vyos@vyos:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
-------------- ------- -------- -------------- ---------------- ---------------- ----------- -----------------------------
CISCO-tunnel-1 up 6m6s 0B/0B 0/0 10.0.2.2 10.0.2.2 AES_CBC_256/HMAC_SHA2_256_128
CISCO-tunnel-2 up 6m6s 0B/0B 0/0 10.0.2.2 10.0.2.2 AES_CBC_256/HMAC_SHA2_256_128
Monitoring on Cisco side
------------------------
IKE SAs:
.. code-block:: none
Cisco#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 10.0.2.2/4500 10.0.1.2/4500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/471 sec
IPv6 Crypto IKEv2 SA
IPsec SAs:
.. code-block:: none
Cisco#show crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: IPSEC-map, local addr 10.0.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 10.0.1.2 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.2.2, remote crypto endpt.: 10.0.1.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xC81F83DA(3357508570)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x8C63C51E(2355348766)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 23, flow_id: SW:23, sibling_flags 80000040, crypto map: IPSEC-map
sa timing: remaining key lifetime (k/sec): (4231729/3585)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC81F83DA(3357508570)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 24, flow_id: SW:24, sibling_flags 80000040, crypto map: IPSEC-map
sa timing: remaining key lifetime (k/sec): (4231729/3585)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 10.0.1.2 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.2.2, remote crypto endpt.: 10.0.1.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xC40C7A20(3289152032)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x2948B6CB(692631243)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 21, flow_id: SW:21, sibling_flags 80000040, crypto map: IPSEC-map
sa timing: remaining key lifetime (k/sec): (4194891/3581)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC40C7A20(3289152032)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 22, flow_id: SW:22, sibling_flags 80000040, crypto map: IPSEC-map
sa timing: remaining key lifetime (k/sec): (4194891/3581)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Checking Connectivity
---------------------
ICMP packets from PC1 to PC3.
.. code-block:: none
PC1> ping 192.168.10.2
84 bytes from 192.168.10.2 icmp_seq=1 ttl=62 time=8.479 ms
84 bytes from 192.168.10.2 icmp_seq=2 ttl=62 time=3.344 ms
84 bytes from 192.168.10.2 icmp_seq=3 ttl=62 time=3.139 ms
84 bytes from 192.168.10.2 icmp_seq=4 ttl=62 time=3.176 ms
84 bytes from 192.168.10.2 icmp_seq=5 ttl=62 time=3.978 ms
ICMP packets from PC2 to PC4.
.. code-block:: none
PC2> ping 192.168.11.2
84 bytes from 192.168.11.2 icmp_seq=1 ttl=62 time=9.687 ms
84 bytes from 192.168.11.2 icmp_seq=2 ttl=62 time=3.286 ms
84 bytes from 192.168.11.2 icmp_seq=3 ttl=62 time=2.972 ms

405
docs/configexamples/ipsec-cisco-route-based.rst Normal file
View File

@ -0,0 +1,405 @@
:lastproofread: 2025-06-26
.. _examples-ipsec-cisco-route-based:
#########################################################
Route-based Site-to-Site VPN IPsec between VyOS and Cisco
#########################################################
This document is to describe a basic setup using route-based
site-to-site VPN IPsec. In this example we use VyOS 1.5 and
Cisco IOS. Cisco initiates IPsec connection only if interesting
traffic present. For stable work we recommend configuring an
initiator role on VyOS side. OSPF is selected as routing protocol
inside the tunnel.
Network Topology
================
.. image:: /_static/images/cisco-vpn-ipsec.png
:align: center
:alt: Network Topology Diagram
Prerequirements
===============
**VyOS:**
+---------+----------------+
| WAN IP | 10.0.1.2/30 |
+---------+----------------+
| LAN1 IP | 192.168.0.1/24 |
+---------+----------------+
| LAN2 IP | 192.168.1.1/24 |
+---------+----------------+
**Cisco:**
+---------+-----------------+
| WAN IP | 10.0.2.2/30 |
+---------+-----------------+
| LAN1 IP | 192.168.10.1/24 |
+---------+-----------------+
| LAN2 IP | 192.168.11.1/24 |
+---------+-----------------+
**IKE parameters:**
+-------------------+---------+
| Encryption | AES-128 |
+-------------------+---------+
| HASH | SHA-1 |
+-------------------+---------+
| Diff-Helman Group | 14 |
+-------------------+---------+
| Life-Time | 28800 |
+-------------------+---------+
| IKE Version | 1 |
+-------------------+---------+
**IPsec parameters:**
+------------+---------+
| Encryption | AES-256 |
+------------+---------+
| HASH | SHA-256 |
+------------+---------+
| Life-Time | 3600 |
+------------+---------+
| PFS | disable |
+------------+---------+
**Hosts configuration**
+--------+--------------+
| PC1 IP | 192.168.0.2 |
+--------+--------------+
| PC2 IP | 192.168.1.2 |
+--------+--------------+
| PC3 IP | 192.168.10.2 |
+--------+--------------+
| PC4 IP | 192.168.11.2 |
+--------+--------------+
Configuration
=============
.. note:: Pfs is disabled in Cisco by default.
VyOS
----
.. code-block:: none
set interfaces ethernet eth0 address '10.0.1.2/30'
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth2 address '192.168.1.1/24'
set interfaces vti vti1 address '10.100.100.1/30'
set interfaces vti vti1 mtu '1438'
set protocols ospf area 0 network '10.100.100.0/30'
set protocols ospf area 0 network '192.168.0.0/24'
set protocols ospf area 0 network '192.168.1.0/24'
set protocols ospf interface eth1 passive
set protocols ospf interface eth2 passive
set protocols ospf interface vti1 network 'point-to-point'
set protocols ospf parameters router-id '2.2.2.2'
set protocols static route 0.0.0.0/0 next-hop 10.0.1.1
set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
set vpn ipsec authentication psk AUTH-PSK secret 'dGVzdA=='
set vpn ipsec authentication psk AUTH-PSK secret-type 'base64'
set vpn ipsec esp-group ESP-GROUP lifetime '3600'
set vpn ipsec esp-group ESP-GROUP pfs 'disable'
set vpn ipsec esp-group ESP-GROUP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-GROUP proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE-GROUP close-action 'start'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '10'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '30'
set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GROUP lifetime '28800'
set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes128'
set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer CISCO authentication local-id '10.0.1.2'
set vpn ipsec site-to-site peer CISCO authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer CISCO authentication remote-id '10.0.2.2'
set vpn ipsec site-to-site peer CISCO connection-type 'initiate'
set vpn ipsec site-to-site peer CISCO default-esp-group 'ESP-GROUP'
set vpn ipsec site-to-site peer CISCO ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer CISCO local-address '10.0.1.2'
set vpn ipsec site-to-site peer CISCO remote-address '10.0.2.2'
set vpn ipsec site-to-site peer CISCO vti bind 'vti1'
Cisco
-----
.. code-block:: none
crypto isakmp policy 10
encr aes
authentication pre-share
group 14
lifetime 28800
crypto isakmp key test address 10.0.1.2
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile IPsec-profile
set transform-set TS
!
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel10
ip address 10.100.100.2 255.255.255.252
ip ospf network point-to-point
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 10.0.1.2
tunnel protection ipsec profile IPsec-profile
!
interface GigabitEthernet0/0
ip address 10.0.2.2 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 192.168.11.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
router ospf 1
router-id 1.1.1.1
passive-interface GigabitEthernet0/1
passive-interface GigabitEthernet0/2
network 10.100.100.0 0.0.0.3 area 0
network 192.168.10.0 0.0.0.255 area 0
network 192.168.11.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 10.0.2.1
Monitoring
==========
Monitoring on VyOS side
-----------------------
IKE SAs:
.. code-block:: none
vyos@vyos:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
10.0.2.2 10.0.2.2 10.0.1.2 10.0.1.2
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv1 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 8175 18439
IPsec SAs:
.. code-block:: none
vyos@vyos:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
------------ ------- -------- -------------- ---------------- ---------------- ----------- -----------------------------
CISCO-vti up 34m59s 17K/14K 224/213 10.0.2.2 10.0.2.2 AES_CBC_256/HMAC_SHA2_256_128
OSPF Neighbor Status:
.. code-block:: none
vyos@vyos:~$ show ip ospf neighbor
Neighbor ID Pri State Up Time Dead Time Address Interface RXmtL RqstL DBsmL
1.1.1.1 1 Full/- 1h29m37s 39.317s 10.100.100.2 vti1:10.100.100.1 0 0 0
Routing Table:
.. code-block:: none
vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, L - local, S - static,
R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric, t - Table-Direct,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
S>* 0.0.0.0/0 [1/0] via 10.0.1.1, eth0, weight 1, 00:07:54
C>* 10.0.1.0/30 is directly connected, eth0, weight 1, 00:07:59
L>* 10.0.1.2/32 is directly connected, eth0, weight 1, 00:07:59
O 10.100.100.0/30 [110/1] is directly connected, vti1, weight 1, 00:07:50
C>* 10.100.100.0/30 is directly connected, vti1, weight 1, 00:07:50
L>* 10.100.100.1/32 is directly connected, vti1, weight 1, 00:07:50
O 192.168.0.0/24 [110/1] is directly connected, eth1, weight 1, 00:07:54
C>* 192.168.0.0/24 is directly connected, eth1, weight 1, 00:07:59
L>* 192.168.0.1/32 is directly connected, eth1, weight 1, 00:07:59
O 192.168.1.0/24 [110/1] is directly connected, eth2, weight 1, 00:07:54
C>* 192.168.1.0/24 is directly connected, eth2, weight 1, 00:07:59
L>* 192.168.1.1/32 is directly connected, eth2, weight 1, 00:07:59
O>* 192.168.10.0/24 [110/2] via 10.100.100.2, vti1, weight 1, 00:07:34
O>* 192.168.11.0/24 [110/2] via 10.100.100.2, vti1, weight 1, 00:07:34
Monitoring on Cisco side
------------------------
IKE SAs:
.. code-block:: none
Cisco#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.0.1.2 10.0.2.2 QM_IDLE 1002 ACTIVE
IPv6 Crypto ISAKMP SA
IPsec SAs:
.. code-block:: none
Cisco#show crypto ipsec sa
interface: Tunnel10
Crypto map tag: Tunnel10-head-0, local addr 10.0.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.0.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1295, #pkts encrypt: 1295, #pkts digest: 1295
#pkts decaps: 1238, #pkts decrypt: 1238, #pkts verify: 1238
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.2.2, remote crypto endpt.: 10.0.1.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xC3E9B307(3286872839)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x2740C328(658555688)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 7, flow_id: SW:7, sibling_flags 80000040, crypto map: Tunnel10-head-0
sa timing: remaining key lifetime (k/sec): (4173824/1401)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC3E9B307(3286872839)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 8, flow_id: SW:8, sibling_flags 80000040, crypto map: Tunnel10-head-0
sa timing: remaining key lifetime (k/sec): (4173819/1401)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
OSPF Neighbor Status:
.. code-block:: none
Cisco# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 0 FULL/ - 00:00:35 10.100.100.1 Tunnel10
Routing Table:
.. code-block:: none
Cisco#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 10.0.2.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.0.2.1
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.0.2.0/30 is directly connected, GigabitEthernet0/0
L 10.0.2.2/32 is directly connected, GigabitEthernet0/0
C 10.100.100.0/30 is directly connected, Tunnel10
L 10.100.100.2/32 is directly connected, Tunnel10
O 192.168.0.0/24 [110/1001] via 10.100.100.1, 00:09:36, Tunnel10
O 192.168.1.0/24 [110/1001] via 10.100.100.1, 00:09:36, Tunnel10
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, GigabitEthernet0/1
L 192.168.10.1/32 is directly connected, GigabitEthernet0/1
192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.11.0/24 is directly connected, GigabitEthernet0/2
L 192.168.11.1/32 is directly connected, GigabitEthernet0/2
Checking Connectivity
---------------------
ICMP packets from PC1 to PC3.
.. code-block:: none
PC1> ping 192.168.10.2
84 bytes from 192.168.10.2 icmp_seq=1 ttl=62 time=8.479 ms
84 bytes from 192.168.10.2 icmp_seq=2 ttl=62 time=3.344 ms
84 bytes from 192.168.10.2 icmp_seq=3 ttl=62 time=3.139 ms
84 bytes from 192.168.10.2 icmp_seq=4 ttl=62 time=3.176 ms
84 bytes from 192.168.10.2 icmp_seq=5 ttl=62 time=3.978 ms
ICMP packets from PC2 to PC4.
.. code-block:: none
PC2> ping 192.168.11.2
84 bytes from 192.168.11.2 icmp_seq=1 ttl=62 time=9.687 ms
84 bytes from 192.168.11.2 icmp_seq=2 ttl=62 time=3.286 ms
84 bytes from 192.168.11.2 icmp_seq=3 ttl=62 time=2.972 ms

420
docs/configexamples/ipsec-pa-route-based.rst Normal file
View File

@ -0,0 +1,420 @@
:lastproofread: 2025-06-26
.. _examples-ipsec-pa-route-based:
#############################################################
Route-based Site-to-Site VPN IPsec between VyOS and Palo Alto
#############################################################
This document is to describe a basic setup using route-based
site-to-site VPN IPsec. In this example we use VyOS 1.5 and
PA 11.0.0. OSPF is selected as routing protocol inside the
tunnel.
Since this example focuses on IPsec configuration it does not
include firewall configuration.
Network Topology
================
.. image:: /_static/images/ipsec-vyos-pa.png
:align: center
:alt: Network Topology Diagram
Prerequirements
===============
**VyOS:**
+---------+----------------+
| WAN IP | 10.0.1.2/30 |
+---------+----------------+
| LAN1 IP | 192.168.0.1/24 |
+---------+----------------+
| LAN2 IP | 192.168.1.1/24 |
+---------+----------------+
**Cisco:**
+---------+-----------------+
| WAN IP | 10.0.2.2/30 |
+---------+-----------------+
| LAN1 IP | 192.168.10.1/24 |
+---------+-----------------+
| LAN2 IP | 192.168.11.1/24 |
+---------+-----------------+
**IKE parameters:**
+-------------------+---------+
| Encryption | AES-128 |
+-------------------+---------+
| HASH | SHA-1 |
+-------------------+---------+
| Diff-Helman Group | 14 |
+-------------------+---------+
| Life-Time | 28800 |
+-------------------+---------+
| IKE Version | 1 |
+-------------------+---------+
**IPsec parameters:**
+------------+---------+
| Encryption | AES-256 |
+------------+---------+
| HASH | SHA-256 |
+------------+---------+
| Life-Time | 3600 |
+------------+---------+
| PFS | disable |
+------------+---------+
**Hosts configuration**
+--------+--------------+
| PC1 IP | 192.168.0.2 |
+--------+--------------+
| PC2 IP | 192.168.1.2 |
+--------+--------------+
| PC3 IP | 192.168.10.2 |
+--------+--------------+
| PC4 IP | 192.168.11.2 |
+--------+--------------+
Configuration
=============
VyOS
----
.. code-block:: none
set interfaces ethernet eth0 address '10.0.1.2/30'
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth2 address '192.168.1.1/24'
set interfaces vti vti1 address '10.100.100.1/30'
set interfaces vti vti1 mtu '1438'
set protocols ospf area 0 network '10.100.100.0/30'
set protocols ospf area 0 network '192.168.0.0/24'
set protocols ospf area 0 network '192.168.1.0/24'
set protocols ospf interface eth1 passive
set protocols ospf interface eth2 passive
set protocols ospf interface vti1 network 'point-to-point'
set protocols ospf parameters router-id '2.2.2.2'
set protocols static route 0.0.0.0/0 next-hop 10.0.1.1
set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
set vpn ipsec authentication psk AUTH-PSK secret 'dGVzdA=='
set vpn ipsec authentication psk AUTH-PSK secret-type 'base64'
set vpn ipsec esp-group ESP-GROUP lifetime '3600'
set vpn ipsec esp-group ESP-GROUP pfs 'disable'
set vpn ipsec esp-group ESP-GROUP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-GROUP proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE-GROUP close-action 'start'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '10'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '30'
set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GROUP lifetime '28800'
set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes128'
set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer CISCO authentication local-id '10.0.1.2'
set vpn ipsec site-to-site peer CISCO authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer CISCO authentication remote-id '10.0.2.2'
set vpn ipsec site-to-site peer CISCO connection-type 'initiate'
set vpn ipsec site-to-site peer CISCO default-esp-group 'ESP-GROUP'
set vpn ipsec site-to-site peer CISCO ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer CISCO local-address '10.0.1.2'
set vpn ipsec site-to-site peer CISCO remote-address '10.0.2.2'
set vpn ipsec site-to-site peer CISCO vti bind 'vti1'
Palo Alto
---------
GUI Configuration:
Network -> Network Profiles -> IKE Crypto
.. image:: /_static/images/PA-IKE-group.png
:align: center
Network -> Network Profiles -> IKE Gateways
.. image:: /_static/images/PA-IKE-GW-1.png
:align: center
.. image:: /_static/images/PA-IKE-GW-2.png
:align: center
Network -> Network Profiles -> IPSec Crypto
.. image:: /_static/images/PA-ESP-group.png
:align: center
Network -> Interfaces
.. image:: /_static/images/PA-tunnel-1.png
:align: center
.. image:: /_static/images/PA-tunnel-2.png
:align: center
.. image:: /_static/images/PA-tunnel-3.png
:align: center
Network -> IPSec Tunnels
.. image:: /_static/images/PA-IPsec-tunnel.png
:align: center
CLI configuration with OSPF:
.. code-block:: none
set network interface ethernet ethernet1/1 layer3 ip 10.0.2.2/30
set network interface ethernet ethernet1/1 layer3 interface-management-profile Allow
set network interface ethernet ethernet1/2 layer3 ip 192.168.10.1/24
set network interface ethernet ethernet1/1 layer3 interface-management-profile Allow
set network interface ethernet ethernet1/3 layer3 ip 192.168.11.1/24
set network interface ethernet ethernet1/1 layer3 interface-management-profile Allow
set network interface tunnel units tunnel.1 ip 10.100.100.2/30
set network interface tunnel units tunnel.1 interface-management-profile Allow
set network interface tunnel units tunnel.1 mtu 1438
set network profiles interface-management-profile Allow ping yes
set network ike crypto-profiles ike-crypto-profiles IKE-GROUP hash sha1
set network ike crypto-profiles ike-crypto-profiles IKE-GROUP dh-group group14
set network ike crypto-profiles ike-crypto-profiles IKE-GROUP encryption aes-128-cbc
set network ike crypto-profiles ike-crypto-profiles IKE-GROUP lifetime seconds 28800
set network ike crypto-profiles ipsec-crypto-profiles ESP-GROUP esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles ESP-GROUP esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles ESP-GROUP lifetime seconds 3600
set network ike crypto-profiles ipsec-crypto-profiles ESP-GROUP dh-group no-pfs
set network ike gateway VyOS authentication pre-shared-key key test
set network ike gateway VyOS protocol ikev1 dpd enable yes
set network ike gateway VyOS protocol ikev1 exchange-mode main
set network ike gateway VyOS protocol ikev1 ike-crypto-profile IKE-GROUP
set network ike gateway VyOS protocol ikev2 dpd enable yes
set network ike gateway VyOS protocol version ikev1
set network ike gateway VyOS protocol-common nat-traversal enable yes
set network ike gateway VyOS protocol-common fragmentation enable no
set network ike gateway VyOS protocol-common passive-mode yes
set network ike gateway VyOS local-address interface ethernet1/1
set network ike gateway VyOS peer-address ip 10.0.1.2
set network ike gateway VyOS local-id id 10.0.2.2
set network ike gateway VyOS local-id type ipaddr
set network ike gateway VyOS peer-id id 10.0.1.2
set network ike gateway VyOS peer-id type ipaddr
set network tunnel ipsec VyOS-tunnel auto-key ike-gateway VyOS
set network tunnel ipsec VyOS-tunnel auto-key ipsec-crypto-profile ESP-GROUP
set network tunnel ipsec VyOS-tunnel tunnel-monitor enable no
set network tunnel ipsec VyOS-tunnel tunnel-interface tunnel.1
set network tunnel ipsec VyOS-tunnel anti-replay no
set network virtual-router default protocol ospf enable yes
set network virtual-router default protocol ospf area 0.0.0.0 type normal
set network virtual-router default protocol ospf area 0.0.0.0 interface tunnel.1 enable yes
set network virtual-router default protocol ospf area 0.0.0.0 interface tunnel.1 passive no
set network virtual-router default protocol ospf area 0.0.0.0 interface tunnel.1 link-type p2p
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/2 enable yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/2 passive yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/2 link-type broadcast
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/3 enable yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/3 passive yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/3 link-type broadcast
set network virtual-router default protocol ospf router-id 1.1.1.1
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 tunnel.1 ]
Monitoring
==========
Monitoring on VyOS side
-----------------------
IKE SAs:
.. code-block:: none
vyos@vyos:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
10.0.2.2 10.0.2.2 10.0.1.2 10.0.1.2
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv1 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 1372 25802
IPsec SAs:
.. code-block:: none
vyos@vyos:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
------------ ------- -------- -------------- ---------------- ---------------- ----------- -----------------------------
PA-vti up 23m27s 9K/10K 149/151 10.0.2.2 10.0.2.2 AES_CBC_256/HMAC_SHA2_256_128
OSPF Neighbor Status:
.. code-block:: none
vyos@vyos:~$ show ip ospf neighbor
Neighbor ID Pri State Up Time Dead Time Address Interface RXmtL RqstL DBsmL
1.1.1.1 1 Full/- 23m56s 37.948s 10.100.100.2 vti1:10.100.100.1 0 0 0
Routing Table:
.. code-block:: none
vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, L - local, S - static,
R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric, t - Table-Direct,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
S>* 0.0.0.0/0 [1/0] via 10.0.1.1, eth0, weight 1, 00:27:30
C>* 10.0.1.0/30 is directly connected, eth0, weight 1, 00:27:34
L>* 10.0.1.2/32 is directly connected, eth0, weight 1, 00:27:34
O 10.100.100.0/30 [110/1] is directly connected, vti1, weight 1, 00:24:34
C>* 10.100.100.0/30 is directly connected, vti1, weight 1, 00:24:34
L>* 10.100.100.1/32 is directly connected, vti1, weight 1, 00:24:34
O 192.168.0.0/24 [110/1] is directly connected, eth1, weight 1, 00:27:29
C>* 192.168.0.0/24 is directly connected, eth1, weight 1, 00:27:34
L>* 192.168.0.1/32 is directly connected, eth1, weight 1, 00:27:34
O 192.168.1.0/24 [110/1] is directly connected, eth2, weight 1, 00:27:29
C>* 192.168.1.0/24 is directly connected, eth2, weight 1, 00:27:34
L>* 192.168.1.1/32 is directly connected, eth2, weight 1, 00:27:34
O>* 192.168.10.0/24 [110/11] via 10.100.100.2, vti1, weight 1, 00:24:19
O>* 192.168.11.0/24 [110/11] via 10.100.100.2, vti1, weight 1, 00:24:19
Monitoring on Cisco side
------------------------
IKE SAs:
.. code-block:: none
admin@PA-VM> show vpn ike-sa
IKEv1 phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
-------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------
1 10.0.1.2 VyOS Resp Main PSK/DH14/A128/SHA1 Jul.31 01:35:00 Jul.31 09:35:00 v1 13 1 1
Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.
IKEv1 phase-2 SAs
Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt
------------ ---- ------ ------- ---- --------- ------- -------- ----- -- --
VyOS 1 VyOS-tunnel 1 Resp ESP/ /tunl/SHA2 8827A3D9 C204F4FA BD202829 9 1
Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.
There is no IKEv2 SA found.
IPsec SAs:
.. code-block:: none
admin@PA-VM> show vpn ipsec-sa
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB) remain-time(Sec)
-------------- ---- ------------ --------------- --------- ------- -------- ------------ ----------------
1 1 10.0.1.2 VyOS-tunnel(VyOS) ESP/A256/SHA256 8827A3D9 C204F4FA 3600/Unlimited 2733
Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.
OSPF Neighbor Status:
.. code-block:: none
admin@PA-VM> show routing protocol ospf neighbor
Options: 0x80:reserved, O:Opaq-LSA capability, DC:demand circuits, EA:Ext-Attr LSA capability,
N/P:NSSA option, MC:multicase, E:AS external LSA capability, T:TOS capability
==========
virtual router: default
neighbor address: 10.100.100.1
local address binding: 0.0.0.0
type: dynamic
status: full
neighbor router ID: 2.2.2.2
area id: 0.0.0.0
neighbor priority: 1
lifetime remain: 32
messages pending: 0
LSA request pending: 0
options: 0x02: E
hello suppressed: no
restart helper status: not helping
restart helper time remaining: 0
restart helper exit reason: none
Routing Table:
.. code-block:: none
admin@PA-VM> show routing route
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast
VIRTUAL ROUTER: default (id 1)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 10.0.2.1 10 A S ethernet1/1
10.0.2.0/30 10.0.2.2 0 A C ethernet1/1
10.0.2.2/32 0.0.0.0 0 A H
10.100.100.0/30 0.0.0.0 10 Oi 1273 tunnel.1
10.100.100.0/30 10.100.100.2 0 A C tunnel.1
10.100.100.2/32 0.0.0.0 0 A H
192.168.0.0/24 10.100.100.1 11 A Oi 1253 tunnel.1
192.168.1.0/24 10.100.100.1 11 A Oi 1253 tunnel.1
192.168.10.0/24 0.0.0.0 10 Oi 1273 ethernet1/2
192.168.10.0/24 192.168.10.1 0 A C ethernet1/2
192.168.10.1/32 0.0.0.0 0 A H
192.168.11.0/24 0.0.0.0 10 Oi 1273 ethernet1/3
192.168.11.0/24 192.168.11.1 0 A C ethernet1/3
192.168.11.1/32 0.0.0.0 0 A H
total routes shown: 14
Checking Connectivity
---------------------
ICMP packets from PC1 to PC3.
.. code-block:: none
PC1> ping 192.168.10.2
84 bytes from 192.168.10.2 icmp_seq=1 ttl=62 time=8.479 ms
84 bytes from 192.168.10.2 icmp_seq=2 ttl=62 time=3.344 ms
84 bytes from 192.168.10.2 icmp_seq=3 ttl=62 time=3.139 ms
84 bytes from 192.168.10.2 icmp_seq=4 ttl=62 time=3.176 ms
84 bytes from 192.168.10.2 icmp_seq=5 ttl=62 time=3.978 ms
ICMP packets from PC2 to PC4.
.. code-block:: none
PC2> ping 192.168.11.2
84 bytes from 192.168.11.2 icmp_seq=1 ttl=62 time=9.687 ms
84 bytes from 192.168.11.2 icmp_seq=2 ttl=62 time=3.286 ms
84 bytes from 192.168.11.2 icmp_seq=3 ttl=62 time=2.972 ms