vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-10-26 01:31:44 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: vyos:2ff18f0cb9052a979dcbaa2d1cdaed65c1a2674d
Branches Tags
vyos:current
vyos:sagitta
vyos:bgp-vrf-system-as
vyos:mergify/bp/sagitta/pr-1654
vyos:cla
vyos:c-po-patch-1
vyos:mergify/bp/sagitta/pr-1648
vyos:ssh-ca
vyos:T1771
vyos:mergify/bp/sagitta/pr-1632
vyos:kernel-option-quiet
vyos:mergify/bp/sagitta/pr-1543
vyos:mergify/bp/sagitta/pr-1616
vyos:mergify/bp/sagitta/pr-1612
vyos:mergify/bp/sagitta/pr-1613
vyos:t861-secure-boot-ca
vyos:syslog-mark
vyos:lldp-T7165
vyos:allow-atlassian-bot
vyos:mergify/bp/sagitta/pr-1584
vyos:T6746-frr-10
vyos:avahi-T6908
vyos:crux
vyos:equuleus
vyos:mergify/bp/sagitta/pr-1554
vyos:revert-1544-T6652-current
vyos:mergify/bp/sagitta/pr-1533
vyos:feature/T6410-workflows-fix
vyos:update-dependencies-sagitta
vyos:update-dependencies-current
vyos:update-dependencies-equuleus
vyos:update-translations-current
vyos:1.4.3
vyos:1.3.8
vyos:1.4.0
vyos:1.3.7
vyos:1.3.6
vyos:1.3.5
vyos:1.3.4
vyos:1.3.3
vyos:1.3.3-epa1
vyos:1.2.9-S1
vyos:1.3.2
vyos:VyOS_1.2-2019Q4
...
compare: vyos:6bdc91f403e4b7db70e9c82bdde2a4afc3a2999e
Branches Tags
vyos:current
vyos:sagitta
vyos:bgp-vrf-system-as
vyos:mergify/bp/sagitta/pr-1654
vyos:cla
vyos:c-po-patch-1
vyos:mergify/bp/sagitta/pr-1648
vyos:ssh-ca
vyos:T1771
vyos:mergify/bp/sagitta/pr-1632
vyos:kernel-option-quiet
vyos:mergify/bp/sagitta/pr-1543
vyos:mergify/bp/sagitta/pr-1616
vyos:mergify/bp/sagitta/pr-1612
vyos:mergify/bp/sagitta/pr-1613
vyos:t861-secure-boot-ca
vyos:syslog-mark
vyos:lldp-T7165
vyos:allow-atlassian-bot
vyos:mergify/bp/sagitta/pr-1584
vyos:T6746-frr-10
vyos:avahi-T6908
vyos:crux
vyos:equuleus
vyos:mergify/bp/sagitta/pr-1554
vyos:revert-1544-T6652-current
vyos:mergify/bp/sagitta/pr-1533
vyos:feature/T6410-workflows-fix
vyos:update-dependencies-sagitta
vyos:update-dependencies-current
vyos:update-dependencies-equuleus
vyos:update-translations-current
vyos:1.4.3
vyos:1.3.8
vyos:1.4.0
vyos:1.3.7
vyos:1.3.6
vyos:1.3.5
vyos:1.3.4
vyos:1.3.3
vyos:1.3.3-epa1
vyos:1.2.9-S1
vyos:1.3.2
vyos:VyOS_1.2-2019Q4

4 Commits
2ff18f0cb9 ... 6bdc91f403

Author SHA1 Message Date
Aslan Hajiyev
6bdc91f403
Added AWS/Azure HA deployment documentation for and modified titles of AWS, Azure, GCP deployment pages (#1668) 
* Added documentation pages for AWS/Azure HA deployment and modified pages AWS,Azure,GCP

* Update docs/installation/cloud/azure-ha.rst

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2025-08-20 16:59:02 +01:00
aapostoliuk
ddceec6cf5
Added IPSec blueprints with Cisco and PA (#1667) 
Added blueprint Policy-based Site-to-Site IPsec VPN with Cisco IOS.
Added blueprint Route-based Site-to-Site IPsec VPN with Cisco IOS.
Added blueprint Route-based Site-to-Site IPsec VPN with Palo Alto.
 2025-08-12 15:45:43 +01:00
mergify[bot]
723f4fd402
container: T7403: add "force" option to "delete container image" (#1663) 
(cherry picked from commit 1f5ad605bc854f60565666a9e5d1a06488594732)

Co-authored-by: Christian Breunig <christian@breunig.cc>
 2025-08-02 18:27:21 +01:00
aapostoliuk
6ec864e8d3
Updated site-to-site IPsec VPN documentation (#1660) 
* Updated site-to-site IPsec VPN documentation

Added general theoretical IPsec documentation.
Changed site-to-site IPsec VPN documentation.
Added steps for configuration.
Added documentation for troubleshooting site-to-site IPsec VPN.
Backported from https://github.com/vyos/vyos-documentation/pull/1653

---------

Co-authored-by: aapostoliuk <aapostoliuk@vyos.io>
Co-authored-by: Daniil Baturin <daniil@baturin.org>
 2025-07-28 13:51:55 +01:00
34 changed files with 2905 additions and 1095 deletions
Show Stats Expand all files Collapse all files

BIN
docs/_static/images/ESP_AH.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 35 KiB

BIN
docs/_static/images/IPSec_close_action_settings.jpg vendored
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 69 KiB

BIN
docs/_static/images/IPSec_close_action_settings.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

BIN
docs/_static/images/PA-ESP-group.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
docs/_static/images/PA-IKE-GW-1.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
docs/_static/images/PA-IKE-GW-2.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 19 KiB

BIN
docs/_static/images/PA-IKE-group.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

BIN
docs/_static/images/PA-IPsec-tunnel.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

BIN
docs/_static/images/PA-tunnel-1.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
docs/_static/images/PA-tunnel-2.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
docs/_static/images/PA-tunnel-3.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

BIN
docs/_static/images/cisco-vpn-ipsec.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

BIN
docs/_static/images/cloud-aws-ha-architecture.png vendored Executable file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 54 KiB

BIN
docs/_static/images/cloud-azure-ha-architecture.png vendored Executable file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 56 KiB

BIN
docs/_static/images/ipsec-vyos-pa.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 60 KiB

3
docs/configexamples/index.rst
View File

@ -22,6 +22,9 @@ This chapter contains various configuration examples:
qos
segment-routing-isis
nmp
ipsec-cisco-policy-based
ipsec-cisco-route-based
ipsec-pa-route-based
Configuration Blueprints (autotest)

355
docs/configexamples/ipsec-cisco-policy-based.rst Normal file
View File

@ -0,0 +1,355 @@
:lastproofread: 2025-06-26
.. _examples-ipsec-cisco-policy-based:
##########################################################
Policy-based Site-to-Site VPN IPsec between VyOS and Cisco
##########################################################
This document is to describe a basic setup using policy-based
site-to-site VPN IPsec. In this example we use VyOS 1.5 and
Cisco IOS. Cisco initiates IPsec connection only if interesting
traffic present. For stable work we recommend configuring an
initiator role on VyOS side.
Network Topology
================
.. image:: /_static/images/cisco-vpn-ipsec.png
:align: center
:alt: Network Topology Diagram
Prerequirements
===============
**VyOS:**
+---------+----------------+
| WAN IP | 10.0.1.2/30 |
+---------+----------------+
| LAN1 IP | 192.168.0.1/24 |
+---------+----------------+
| LAN2 IP | 192.168.1.1/24 |
+---------+----------------+
**Cisco:**
+---------+-----------------+
| WAN IP | 10.0.2.2/30 |
+---------+-----------------+
| LAN1 IP | 192.168.10.1/24 |
+---------+-----------------+
| LAN2 IP | 192.168.11.1/24 |
+---------+-----------------+
**IKE parameters:**
+-------------------+---------+
| Encryption | AES-256 |
+-------------------+---------+
| HASH | SHA-1 |
+-------------------+---------+
| Diff-Helman Group | 14 |
+-------------------+---------+
| Life-Time | 28800 |
+-------------------+---------+
| IKE Version | 2 |
+-------------------+---------+
**IPsec parameters:**
+------------+---------+
| Encryption | AES-256 |
+------------+---------+
| HASH | SHA-256 |
+------------+---------+
| Life-Time | 3600 |
+------------+---------+
| PFS | disable |
+------------+---------+
**Traffic Selectors**
192.168.0.0/24 <==> 192.168.10.0/24
192.168.1.0/24 <==> 192.168.11.0/24
**Hosts configuration**
+--------+--------------+
| PC1 IP | 192.168.0.2 |
+--------+--------------+
| PC2 IP | 192.168.1.2 |
+--------+--------------+
| PC3 IP | 192.168.10.2 |
+--------+--------------+
| PC4 IP | 192.168.11.2 |
+--------+--------------+
Configuration
=============
.. note:: Pfs is disabled in Cisco by default.
VyOS
----
.. code-block:: none
set interfaces ethernet eth0 address '10.0.1.2/30'
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth2 address '192.168.1.1/24'
set protocols static route 0.0.0.0/0 next-hop 10.0.1.1
set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
set vpn ipsec authentication psk AUTH-PSK secret 'dGVzdA=='
set vpn ipsec authentication psk AUTH-PSK secret-type 'base64'
set vpn ipsec esp-group ESP-GROUP lifetime '3600'
set vpn ipsec esp-group ESP-GROUP pfs 'disable'
set vpn ipsec esp-group ESP-GROUP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-GROUP proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE-GROUP close-action 'start'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '10'
set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GROUP lifetime '28800'
set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
set vpn ipsec site-to-site peer CISCO authentication local-id '10.0.1.2'
set vpn ipsec site-to-site peer CISCO authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer CISCO authentication remote-id '10.0.2.2'
set vpn ipsec site-to-site peer CISCO connection-type 'initiate'
set vpn ipsec site-to-site peer CISCO default-esp-group 'ESP-GROUP'
set vpn ipsec site-to-site peer CISCO ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer CISCO local-address '10.0.1.2'
set vpn ipsec site-to-site peer CISCO remote-address '10.0.2.2'
set vpn ipsec site-to-site peer CISCO tunnel 1 local prefix '192.168.0.0/24'
set vpn ipsec site-to-site peer CISCO tunnel 1 remote prefix '192.168.10.0/24'
set vpn ipsec site-to-site peer CISCO tunnel 2 local prefix '192.168.1.0/24'
set vpn ipsec site-to-site peer CISCO tunnel 2 remote prefix '192.168.11.0/24'
Cisco
-----
.. code-block:: none
crypto ikev2 proposal aes-cbc-256-proposal
encryption aes-cbc-256
integrity sha1
group 14
!
crypto ikev2 policy policy1
match address local 10.0.2.2
proposal aes-cbc-256-proposal
!
crypto ikev2 keyring keys
peer VyOS
address 10.0.1.2
pre-shared-key local test
pre-shared-key remote test
!
crypto ikev2 profile IKEv2-profile
match identity remote address 10.0.1.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local keys
lifetime 28800
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto map IPSEC-map 10 ipsec-isakmp
set peer 10.0.1.2
set security-association lifetime seconds 3600
set transform-set TS
set ikev2-profile IKEv2-profile
match address cryptoacl
!
interface GigabitEthernet0/0
ip address 10.0.2.2 255.255.255.252
crypto map IPSEC-map
!
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/2
ip address 192.168.11.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.2.1
!
ip access-list extended cryptoacl
permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
Monitoring
==========
Monitoring on VyOS side
-----------------------
IKE SAs:
.. code-block:: none
vyos@vyos:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
10.0.2.2 10.0.2.2 10.0.1.2 10.0.1.2
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv2 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 304 26528
IPsec SAs:
.. code-block:: none
vyos@vyos:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
-------------- ------- -------- -------------- ---------------- ---------------- ----------- -----------------------------
CISCO-tunnel-1 up 6m6s 0B/0B 0/0 10.0.2.2 10.0.2.2 AES_CBC_256/HMAC_SHA2_256_128
CISCO-tunnel-2 up 6m6s 0B/0B 0/0 10.0.2.2 10.0.2.2 AES_CBC_256/HMAC_SHA2_256_128
Monitoring on Cisco side
------------------------
IKE SAs:
.. code-block:: none
Cisco#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 10.0.2.2/4500 10.0.1.2/4500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/471 sec
IPv6 Crypto IKEv2 SA
IPsec SAs:
.. code-block:: none
Cisco#show crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: IPSEC-map, local addr 10.0.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 10.0.1.2 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.2.2, remote crypto endpt.: 10.0.1.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xC81F83DA(3357508570)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x8C63C51E(2355348766)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 23, flow_id: SW:23, sibling_flags 80000040, crypto map: IPSEC-map
sa timing: remaining key lifetime (k/sec): (4231729/3585)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC81F83DA(3357508570)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 24, flow_id: SW:24, sibling_flags 80000040, crypto map: IPSEC-map
sa timing: remaining key lifetime (k/sec): (4231729/3585)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 10.0.1.2 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.2.2, remote crypto endpt.: 10.0.1.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xC40C7A20(3289152032)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x2948B6CB(692631243)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 21, flow_id: SW:21, sibling_flags 80000040, crypto map: IPSEC-map
sa timing: remaining key lifetime (k/sec): (4194891/3581)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC40C7A20(3289152032)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 22, flow_id: SW:22, sibling_flags 80000040, crypto map: IPSEC-map
sa timing: remaining key lifetime (k/sec): (4194891/3581)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Checking Connectivity
---------------------
ICMP packets from PC1 to PC3.
.. code-block:: none
PC1> ping 192.168.10.2
84 bytes from 192.168.10.2 icmp_seq=1 ttl=62 time=8.479 ms
84 bytes from 192.168.10.2 icmp_seq=2 ttl=62 time=3.344 ms
84 bytes from 192.168.10.2 icmp_seq=3 ttl=62 time=3.139 ms
84 bytes from 192.168.10.2 icmp_seq=4 ttl=62 time=3.176 ms
84 bytes from 192.168.10.2 icmp_seq=5 ttl=62 time=3.978 ms
ICMP packets from PC2 to PC4.
.. code-block:: none
PC2> ping 192.168.11.2
84 bytes from 192.168.11.2 icmp_seq=1 ttl=62 time=9.687 ms
84 bytes from 192.168.11.2 icmp_seq=2 ttl=62 time=3.286 ms
84 bytes from 192.168.11.2 icmp_seq=3 ttl=62 time=2.972 ms

405
docs/configexamples/ipsec-cisco-route-based.rst Normal file
View File

@ -0,0 +1,405 @@
:lastproofread: 2025-06-26
.. _examples-ipsec-cisco-route-based:
#########################################################
Route-based Site-to-Site VPN IPsec between VyOS and Cisco
#########################################################
This document is to describe a basic setup using route-based
site-to-site VPN IPsec. In this example we use VyOS 1.5 and
Cisco IOS. Cisco initiates IPsec connection only if interesting
traffic present. For stable work we recommend configuring an
initiator role on VyOS side. OSPF is selected as routing protocol
inside the tunnel.
Network Topology
================
.. image:: /_static/images/cisco-vpn-ipsec.png
:align: center
:alt: Network Topology Diagram
Prerequirements
===============
**VyOS:**
+---------+----------------+
| WAN IP | 10.0.1.2/30 |
+---------+----------------+
| LAN1 IP | 192.168.0.1/24 |
+---------+----------------+
| LAN2 IP | 192.168.1.1/24 |
+---------+----------------+
**Cisco:**
+---------+-----------------+
| WAN IP | 10.0.2.2/30 |
+---------+-----------------+
| LAN1 IP | 192.168.10.1/24 |
+---------+-----------------+
| LAN2 IP | 192.168.11.1/24 |
+---------+-----------------+
**IKE parameters:**
+-------------------+---------+
| Encryption | AES-128 |
+-------------------+---------+
| HASH | SHA-1 |
+-------------------+---------+
| Diff-Helman Group | 14 |
+-------------------+---------+
| Life-Time | 28800 |
+-------------------+---------+
| IKE Version | 1 |
+-------------------+---------+
**IPsec parameters:**
+------------+---------+
| Encryption | AES-256 |
+------------+---------+
| HASH | SHA-256 |
+------------+---------+
| Life-Time | 3600 |
+------------+---------+
| PFS | disable |
+------------+---------+
**Hosts configuration**
+--------+--------------+
| PC1 IP | 192.168.0.2 |
+--------+--------------+
| PC2 IP | 192.168.1.2 |
+--------+--------------+
| PC3 IP | 192.168.10.2 |
+--------+--------------+
| PC4 IP | 192.168.11.2 |
+--------+--------------+
Configuration
=============
.. note:: Pfs is disabled in Cisco by default.
VyOS
----
.. code-block:: none
set interfaces ethernet eth0 address '10.0.1.2/30'
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth2 address '192.168.1.1/24'
set interfaces vti vti1 address '10.100.100.1/30'
set interfaces vti vti1 mtu '1438'
set protocols ospf area 0 network '10.100.100.0/30'
set protocols ospf area 0 network '192.168.0.0/24'
set protocols ospf area 0 network '192.168.1.0/24'
set protocols ospf interface eth1 passive
set protocols ospf interface eth2 passive
set protocols ospf interface vti1 network 'point-to-point'
set protocols ospf parameters router-id '2.2.2.2'
set protocols static route 0.0.0.0/0 next-hop 10.0.1.1
set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
set vpn ipsec authentication psk AUTH-PSK secret 'dGVzdA=='
set vpn ipsec authentication psk AUTH-PSK secret-type 'base64'
set vpn ipsec esp-group ESP-GROUP lifetime '3600'
set vpn ipsec esp-group ESP-GROUP pfs 'disable'
set vpn ipsec esp-group ESP-GROUP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-GROUP proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE-GROUP close-action 'start'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '10'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '30'
set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GROUP lifetime '28800'
set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes128'
set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer CISCO authentication local-id '10.0.1.2'
set vpn ipsec site-to-site peer CISCO authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer CISCO authentication remote-id '10.0.2.2'
set vpn ipsec site-to-site peer CISCO connection-type 'initiate'
set vpn ipsec site-to-site peer CISCO default-esp-group 'ESP-GROUP'
set vpn ipsec site-to-site peer CISCO ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer CISCO local-address '10.0.1.2'
set vpn ipsec site-to-site peer CISCO remote-address '10.0.2.2'
set vpn ipsec site-to-site peer CISCO vti bind 'vti1'
Cisco
-----
.. code-block:: none
crypto isakmp policy 10
encr aes
authentication pre-share
group 14
lifetime 28800
crypto isakmp key test address 10.0.1.2
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile IPsec-profile
set transform-set TS
!
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel10
ip address 10.100.100.2 255.255.255.252
ip ospf network point-to-point
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 10.0.1.2
tunnel protection ipsec profile IPsec-profile
!
interface GigabitEthernet0/0
ip address 10.0.2.2 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 192.168.11.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
router ospf 1
router-id 1.1.1.1
passive-interface GigabitEthernet0/1
passive-interface GigabitEthernet0/2
network 10.100.100.0 0.0.0.3 area 0
network 192.168.10.0 0.0.0.255 area 0
network 192.168.11.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 10.0.2.1
Monitoring
==========
Monitoring on VyOS side
-----------------------
IKE SAs:
.. code-block:: none
vyos@vyos:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
10.0.2.2 10.0.2.2 10.0.1.2 10.0.1.2
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv1 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 8175 18439
IPsec SAs:
.. code-block:: none
vyos@vyos:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
------------ ------- -------- -------------- ---------------- ---------------- ----------- -----------------------------
CISCO-vti up 34m59s 17K/14K 224/213 10.0.2.2 10.0.2.2 AES_CBC_256/HMAC_SHA2_256_128
OSPF Neighbor Status:
.. code-block:: none
vyos@vyos:~$ show ip ospf neighbor
Neighbor ID Pri State Up Time Dead Time Address Interface RXmtL RqstL DBsmL
1.1.1.1 1 Full/- 1h29m37s 39.317s 10.100.100.2 vti1:10.100.100.1 0 0 0
Routing Table:
.. code-block:: none
vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, L - local, S - static,
R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric, t - Table-Direct,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
S>* 0.0.0.0/0 [1/0] via 10.0.1.1, eth0, weight 1, 00:07:54
C>* 10.0.1.0/30 is directly connected, eth0, weight 1, 00:07:59
L>* 10.0.1.2/32 is directly connected, eth0, weight 1, 00:07:59
O 10.100.100.0/30 [110/1] is directly connected, vti1, weight 1, 00:07:50
C>* 10.100.100.0/30 is directly connected, vti1, weight 1, 00:07:50
L>* 10.100.100.1/32 is directly connected, vti1, weight 1, 00:07:50
O 192.168.0.0/24 [110/1] is directly connected, eth1, weight 1, 00:07:54
C>* 192.168.0.0/24 is directly connected, eth1, weight 1, 00:07:59
L>* 192.168.0.1/32 is directly connected, eth1, weight 1, 00:07:59
O 192.168.1.0/24 [110/1] is directly connected, eth2, weight 1, 00:07:54
C>* 192.168.1.0/24 is directly connected, eth2, weight 1, 00:07:59
L>* 192.168.1.1/32 is directly connected, eth2, weight 1, 00:07:59
O>* 192.168.10.0/24 [110/2] via 10.100.100.2, vti1, weight 1, 00:07:34
O>* 192.168.11.0/24 [110/2] via 10.100.100.2, vti1, weight 1, 00:07:34
Monitoring on Cisco side
------------------------
IKE SAs:
.. code-block:: none
Cisco#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.0.1.2 10.0.2.2 QM_IDLE 1002 ACTIVE
IPv6 Crypto ISAKMP SA
IPsec SAs:
.. code-block:: none
Cisco#show crypto ipsec sa
interface: Tunnel10
Crypto map tag: Tunnel10-head-0, local addr 10.0.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.0.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1295, #pkts encrypt: 1295, #pkts digest: 1295
#pkts decaps: 1238, #pkts decrypt: 1238, #pkts verify: 1238
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.2.2, remote crypto endpt.: 10.0.1.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xC3E9B307(3286872839)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x2740C328(658555688)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 7, flow_id: SW:7, sibling_flags 80000040, crypto map: Tunnel10-head-0
sa timing: remaining key lifetime (k/sec): (4173824/1401)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC3E9B307(3286872839)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 8, flow_id: SW:8, sibling_flags 80000040, crypto map: Tunnel10-head-0
sa timing: remaining key lifetime (k/sec): (4173819/1401)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
OSPF Neighbor Status:
.. code-block:: none
Cisco# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 0 FULL/ - 00:00:35 10.100.100.1 Tunnel10
Routing Table:
.. code-block:: none
Cisco#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 10.0.2.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.0.2.1
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.0.2.0/30 is directly connected, GigabitEthernet0/0
L 10.0.2.2/32 is directly connected, GigabitEthernet0/0
C 10.100.100.0/30 is directly connected, Tunnel10
L 10.100.100.2/32 is directly connected, Tunnel10
O 192.168.0.0/24 [110/1001] via 10.100.100.1, 00:09:36, Tunnel10
O 192.168.1.0/24 [110/1001] via 10.100.100.1, 00:09:36, Tunnel10
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, GigabitEthernet0/1
L 192.168.10.1/32 is directly connected, GigabitEthernet0/1
192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.11.0/24 is directly connected, GigabitEthernet0/2
L 192.168.11.1/32 is directly connected, GigabitEthernet0/2
Checking Connectivity
---------------------
ICMP packets from PC1 to PC3.
.. code-block:: none
PC1> ping 192.168.10.2
84 bytes from 192.168.10.2 icmp_seq=1 ttl=62 time=8.479 ms
84 bytes from 192.168.10.2 icmp_seq=2 ttl=62 time=3.344 ms
84 bytes from 192.168.10.2 icmp_seq=3 ttl=62 time=3.139 ms
84 bytes from 192.168.10.2 icmp_seq=4 ttl=62 time=3.176 ms
84 bytes from 192.168.10.2 icmp_seq=5 ttl=62 time=3.978 ms
ICMP packets from PC2 to PC4.
.. code-block:: none
PC2> ping 192.168.11.2
84 bytes from 192.168.11.2 icmp_seq=1 ttl=62 time=9.687 ms
84 bytes from 192.168.11.2 icmp_seq=2 ttl=62 time=3.286 ms
84 bytes from 192.168.11.2 icmp_seq=3 ttl=62 time=2.972 ms

420
docs/configexamples/ipsec-pa-route-based.rst Normal file
View File

@ -0,0 +1,420 @@
:lastproofread: 2025-06-26
.. _examples-ipsec-pa-route-based:
#############################################################
Route-based Site-to-Site VPN IPsec between VyOS and Palo Alto
#############################################################
This document is to describe a basic setup using route-based
site-to-site VPN IPsec. In this example we use VyOS 1.5 and
PA 11.0.0. OSPF is selected as routing protocol inside the
tunnel.
Since this example focuses on IPsec configuration it does not
include firewall configuration.
Network Topology
================
.. image:: /_static/images/ipsec-vyos-pa.png
:align: center
:alt: Network Topology Diagram
Prerequirements
===============
**VyOS:**
+---------+----------------+
| WAN IP | 10.0.1.2/30 |
+---------+----------------+
| LAN1 IP | 192.168.0.1/24 |
+---------+----------------+
| LAN2 IP | 192.168.1.1/24 |
+---------+----------------+
**Cisco:**
+---------+-----------------+
| WAN IP | 10.0.2.2/30 |
+---------+-----------------+
| LAN1 IP | 192.168.10.1/24 |
+---------+-----------------+
| LAN2 IP | 192.168.11.1/24 |
+---------+-----------------+
**IKE parameters:**
+-------------------+---------+
| Encryption | AES-128 |
+-------------------+---------+
| HASH | SHA-1 |
+-------------------+---------+
| Diff-Helman Group | 14 |
+-------------------+---------+
| Life-Time | 28800 |
+-------------------+---------+
| IKE Version | 1 |
+-------------------+---------+
**IPsec parameters:**
+------------+---------+
| Encryption | AES-256 |
+------------+---------+
| HASH | SHA-256 |
+------------+---------+
| Life-Time | 3600 |
+------------+---------+
| PFS | disable |
+------------+---------+
**Hosts configuration**
+--------+--------------+
| PC1 IP | 192.168.0.2 |
+--------+--------------+
| PC2 IP | 192.168.1.2 |
+--------+--------------+
| PC3 IP | 192.168.10.2 |
+--------+--------------+
| PC4 IP | 192.168.11.2 |
+--------+--------------+
Configuration
=============
VyOS
----
.. code-block:: none
set interfaces ethernet eth0 address '10.0.1.2/30'
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth2 address '192.168.1.1/24'
set interfaces vti vti1 address '10.100.100.1/30'
set interfaces vti vti1 mtu '1438'
set protocols ospf area 0 network '10.100.100.0/30'
set protocols ospf area 0 network '192.168.0.0/24'
set protocols ospf area 0 network '192.168.1.0/24'
set protocols ospf interface eth1 passive
set protocols ospf interface eth2 passive
set protocols ospf interface vti1 network 'point-to-point'
set protocols ospf parameters router-id '2.2.2.2'
set protocols static route 0.0.0.0/0 next-hop 10.0.1.1
set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
set vpn ipsec authentication psk AUTH-PSK secret 'dGVzdA=='
set vpn ipsec authentication psk AUTH-PSK secret-type 'base64'
set vpn ipsec esp-group ESP-GROUP lifetime '3600'
set vpn ipsec esp-group ESP-GROUP pfs 'disable'
set vpn ipsec esp-group ESP-GROUP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-GROUP proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE-GROUP close-action 'start'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '10'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '30'
set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GROUP lifetime '28800'
set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes128'
set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer CISCO authentication local-id '10.0.1.2'
set vpn ipsec site-to-site peer CISCO authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer CISCO authentication remote-id '10.0.2.2'
set vpn ipsec site-to-site peer CISCO connection-type 'initiate'
set vpn ipsec site-to-site peer CISCO default-esp-group 'ESP-GROUP'
set vpn ipsec site-to-site peer CISCO ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer CISCO local-address '10.0.1.2'
set vpn ipsec site-to-site peer CISCO remote-address '10.0.2.2'
set vpn ipsec site-to-site peer CISCO vti bind 'vti1'
Palo Alto
---------
GUI Configuration:
Network -> Network Profiles -> IKE Crypto
.. image:: /_static/images/PA-IKE-group.png
:align: center
Network -> Network Profiles -> IKE Gateways
.. image:: /_static/images/PA-IKE-GW-1.png
:align: center
.. image:: /_static/images/PA-IKE-GW-2.png
:align: center
Network -> Network Profiles -> IPSec Crypto
.. image:: /_static/images/PA-ESP-group.png
:align: center
Network -> Interfaces
.. image:: /_static/images/PA-tunnel-1.png
:align: center
.. image:: /_static/images/PA-tunnel-2.png
:align: center
.. image:: /_static/images/PA-tunnel-3.png
:align: center
Network -> IPSec Tunnels
.. image:: /_static/images/PA-IPsec-tunnel.png
:align: center
CLI configuration with OSPF:
.. code-block:: none
set network interface ethernet ethernet1/1 layer3 ip 10.0.2.2/30
set network interface ethernet ethernet1/1 layer3 interface-management-profile Allow
set network interface ethernet ethernet1/2 layer3 ip 192.168.10.1/24
set network interface ethernet ethernet1/1 layer3 interface-management-profile Allow
set network interface ethernet ethernet1/3 layer3 ip 192.168.11.1/24
set network interface ethernet ethernet1/1 layer3 interface-management-profile Allow
set network interface tunnel units tunnel.1 ip 10.100.100.2/30
set network interface tunnel units tunnel.1 interface-management-profile Allow
set network interface tunnel units tunnel.1 mtu 1438
set network profiles interface-management-profile Allow ping yes
set network ike crypto-profiles ike-crypto-profiles IKE-GROUP hash sha1
set network ike crypto-profiles ike-crypto-profiles IKE-GROUP dh-group group14
set network ike crypto-profiles ike-crypto-profiles IKE-GROUP encryption aes-128-cbc
set network ike crypto-profiles ike-crypto-profiles IKE-GROUP lifetime seconds 28800
set network ike crypto-profiles ipsec-crypto-profiles ESP-GROUP esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles ESP-GROUP esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles ESP-GROUP lifetime seconds 3600
set network ike crypto-profiles ipsec-crypto-profiles ESP-GROUP dh-group no-pfs
set network ike gateway VyOS authentication pre-shared-key key test
set network ike gateway VyOS protocol ikev1 dpd enable yes
set network ike gateway VyOS protocol ikev1 exchange-mode main
set network ike gateway VyOS protocol ikev1 ike-crypto-profile IKE-GROUP
set network ike gateway VyOS protocol ikev2 dpd enable yes
set network ike gateway VyOS protocol version ikev1
set network ike gateway VyOS protocol-common nat-traversal enable yes
set network ike gateway VyOS protocol-common fragmentation enable no
set network ike gateway VyOS protocol-common passive-mode yes
set network ike gateway VyOS local-address interface ethernet1/1
set network ike gateway VyOS peer-address ip 10.0.1.2
set network ike gateway VyOS local-id id 10.0.2.2
set network ike gateway VyOS local-id type ipaddr
set network ike gateway VyOS peer-id id 10.0.1.2
set network ike gateway VyOS peer-id type ipaddr
set network tunnel ipsec VyOS-tunnel auto-key ike-gateway VyOS
set network tunnel ipsec VyOS-tunnel auto-key ipsec-crypto-profile ESP-GROUP
set network tunnel ipsec VyOS-tunnel tunnel-monitor enable no
set network tunnel ipsec VyOS-tunnel tunnel-interface tunnel.1
set network tunnel ipsec VyOS-tunnel anti-replay no
set network virtual-router default protocol ospf enable yes
set network virtual-router default protocol ospf area 0.0.0.0 type normal
set network virtual-router default protocol ospf area 0.0.0.0 interface tunnel.1 enable yes
set network virtual-router default protocol ospf area 0.0.0.0 interface tunnel.1 passive no
set network virtual-router default protocol ospf area 0.0.0.0 interface tunnel.1 link-type p2p
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/2 enable yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/2 passive yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/2 link-type broadcast
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/3 enable yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/3 passive yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/3 link-type broadcast
set network virtual-router default protocol ospf router-id 1.1.1.1
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 tunnel.1 ]
Monitoring
==========
Monitoring on VyOS side
-----------------------
IKE SAs:
.. code-block:: none
vyos@vyos:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
10.0.2.2 10.0.2.2 10.0.1.2 10.0.1.2
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv1 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 1372 25802
IPsec SAs:
.. code-block:: none
vyos@vyos:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
------------ ------- -------- -------------- ---------------- ---------------- ----------- -----------------------------
PA-vti up 23m27s 9K/10K 149/151 10.0.2.2 10.0.2.2 AES_CBC_256/HMAC_SHA2_256_128
OSPF Neighbor Status:
.. code-block:: none
vyos@vyos:~$ show ip ospf neighbor
Neighbor ID Pri State Up Time Dead Time Address Interface RXmtL RqstL DBsmL
1.1.1.1 1 Full/- 23m56s 37.948s 10.100.100.2 vti1:10.100.100.1 0 0 0
Routing Table:
.. code-block:: none
vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, L - local, S - static,
R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric, t - Table-Direct,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
S>* 0.0.0.0/0 [1/0] via 10.0.1.1, eth0, weight 1, 00:27:30
C>* 10.0.1.0/30 is directly connected, eth0, weight 1, 00:27:34
L>* 10.0.1.2/32 is directly connected, eth0, weight 1, 00:27:34
O 10.100.100.0/30 [110/1] is directly connected, vti1, weight 1, 00:24:34
C>* 10.100.100.0/30 is directly connected, vti1, weight 1, 00:24:34
L>* 10.100.100.1/32 is directly connected, vti1, weight 1, 00:24:34
O 192.168.0.0/24 [110/1] is directly connected, eth1, weight 1, 00:27:29
C>* 192.168.0.0/24 is directly connected, eth1, weight 1, 00:27:34
L>* 192.168.0.1/32 is directly connected, eth1, weight 1, 00:27:34
O 192.168.1.0/24 [110/1] is directly connected, eth2, weight 1, 00:27:29
C>* 192.168.1.0/24 is directly connected, eth2, weight 1, 00:27:34
L>* 192.168.1.1/32 is directly connected, eth2, weight 1, 00:27:34
O>* 192.168.10.0/24 [110/11] via 10.100.100.2, vti1, weight 1, 00:24:19
O>* 192.168.11.0/24 [110/11] via 10.100.100.2, vti1, weight 1, 00:24:19
Monitoring on Cisco side
------------------------
IKE SAs:
.. code-block:: none
admin@PA-VM> show vpn ike-sa
IKEv1 phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
-------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------
1 10.0.1.2 VyOS Resp Main PSK/DH14/A128/SHA1 Jul.31 01:35:00 Jul.31 09:35:00 v1 13 1 1
Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.
IKEv1 phase-2 SAs
Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt
------------ ---- ------ ------- ---- --------- ------- -------- ----- -- --
VyOS 1 VyOS-tunnel 1 Resp ESP/ /tunl/SHA2 8827A3D9 C204F4FA BD202829 9 1
Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.
There is no IKEv2 SA found.
IPsec SAs:
.. code-block:: none
admin@PA-VM> show vpn ipsec-sa
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB) remain-time(Sec)
-------------- ---- ------------ --------------- --------- ------- -------- ------------ ----------------
1 1 10.0.1.2 VyOS-tunnel(VyOS) ESP/A256/SHA256 8827A3D9 C204F4FA 3600/Unlimited 2733
Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.
OSPF Neighbor Status:
.. code-block:: none
admin@PA-VM> show routing protocol ospf neighbor
Options: 0x80:reserved, O:Opaq-LSA capability, DC:demand circuits, EA:Ext-Attr LSA capability,
N/P:NSSA option, MC:multicase, E:AS external LSA capability, T:TOS capability
==========
virtual router: default
neighbor address: 10.100.100.1
local address binding: 0.0.0.0
type: dynamic
status: full
neighbor router ID: 2.2.2.2
area id: 0.0.0.0
neighbor priority: 1
lifetime remain: 32
messages pending: 0
LSA request pending: 0
options: 0x02: E
hello suppressed: no
restart helper status: not helping
restart helper time remaining: 0
restart helper exit reason: none
Routing Table:
.. code-block:: none
admin@PA-VM> show routing route
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast
VIRTUAL ROUTER: default (id 1)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 10.0.2.1 10 A S ethernet1/1
10.0.2.0/30 10.0.2.2 0 A C ethernet1/1
10.0.2.2/32 0.0.0.0 0 A H
10.100.100.0/30 0.0.0.0 10 Oi 1273 tunnel.1
10.100.100.0/30 10.100.100.2 0 A C tunnel.1
10.100.100.2/32 0.0.0.0 0 A H
192.168.0.0/24 10.100.100.1 11 A Oi 1253 tunnel.1
192.168.1.0/24 10.100.100.1 11 A Oi 1253 tunnel.1
192.168.10.0/24 0.0.0.0 10 Oi 1273 ethernet1/2
192.168.10.0/24 192.168.10.1 0 A C ethernet1/2
192.168.10.1/32 0.0.0.0 0 A H
192.168.11.0/24 0.0.0.0 10 Oi 1273 ethernet1/3
192.168.11.0/24 192.168.11.1 0 A C ethernet1/3
192.168.11.1/32 0.0.0.0 0 A H
total routes shown: 14
Checking Connectivity
---------------------
ICMP packets from PC1 to PC3.
.. code-block:: none
PC1> ping 192.168.10.2
84 bytes from 192.168.10.2 icmp_seq=1 ttl=62 time=8.479 ms
84 bytes from 192.168.10.2 icmp_seq=2 ttl=62 time=3.344 ms
84 bytes from 192.168.10.2 icmp_seq=3 ttl=62 time=3.139 ms
84 bytes from 192.168.10.2 icmp_seq=4 ttl=62 time=3.176 ms
84 bytes from 192.168.10.2 icmp_seq=5 ttl=62 time=3.978 ms
ICMP packets from PC2 to PC4.
.. code-block:: none
PC2> ping 192.168.11.2
84 bytes from 192.168.11.2 icmp_seq=1 ttl=62 time=9.687 ms
84 bytes from 192.168.11.2 icmp_seq=2 ttl=62 time=3.286 ms
84 bytes from 192.168.11.2 icmp_seq=3 ttl=62 time=2.972 ms

6
docs/configuration/container/index.rst
View File

@ -261,11 +261,15 @@ Operation Commands
Update container image
.. opcmd:: delete container image [image id|all]
.. opcmd:: delete container image <image id|all> [force]
Delete a particular container image based on it's image ID.
You can also delete all container images at once.
You can not delete a container image if it has more then one tag
assigned, this is why there is a `force` option to pass down to
the container image to also remove those images.
*********************
Example Configuration
*********************

2
docs/configuration/vpn/dmvpn.rst
View File

@ -40,7 +40,7 @@ Configuration
* Please refer to the :ref:`tunnel-interface` documentation for the individual
tunnel related options.
* Please refer to the :ref:`ipsec` documentation for the individual IPSec
* Please refer to the :ref:`ipsec_general` documentation for individual IPSec
related options.
.. cfgcmd:: set protocols nhrp tunnel <tunnel> cisco-authentication <secret>

4
docs/configuration/vpn/index.rst
View File

@ -7,7 +7,7 @@ VPN
:maxdepth: 1
:includehidden:
ipsec
ipsec/index
l2tp
openconnect
pptp
@ -22,4 +22,4 @@ pages to sort
:includehidden:
dmvpn
site2site_ipsec

657
docs/configuration/vpn/ipsec.rst
View File

@ -1,657 +0,0 @@
.. _ipsec:
#####
IPsec
#####
:abbr:`GRE (Generic Routing Encapsulation)`, GRE/IPsec (or IPIP/IPsec,
SIT/IPsec, or any other stateless tunnel protocol over IPsec) is the usual way
to protect the traffic inside a tunnel.
An advantage of this scheme is that you get a real interface with its own
address, which makes it easier to setup static routes or use dynamic routing
protocols without having to modify IPsec policies. The other advantage is that
it greatly simplifies router to router communication, which can be tricky with
plain IPsec because the external outgoing address of the router usually doesn't
match the IPsec policy of a typical site-to-site setup and you would need to
add special configuration for it, or adjust the source address of the outgoing
traffic of your applications. GRE/IPsec has no such problem and is completely
transparent for applications.
GRE/IPIP/SIT and IPsec are widely accepted standards, which make this scheme
easy to implement between VyOS and virtually any other router.
For simplicity we'll assume that the protocol is GRE, it's not hard to guess
what needs to be changed to make it work with a different protocol. We assume
that IPsec will use pre-shared secret authentication and will use AES128/SHA1
for the cipher and hash. Adjust this as necessary.
.. NOTE:: VMware users should ensure that a VMXNET3 adapter is used. E1000
adapters have known issues with GRE processing.
**************************************
IKE (Internet Key Exchange) Attributes
**************************************
IKE performs mutual authentication between two parties and establishes
an IKE security association (SA) that includes shared secret information
that can be used to efficiently establish SAs for Encapsulating Security
Payload (ESP) or Authentication Header (AH) and a set of cryptographic
algorithms to be used by the SAs to protect the traffic that they carry.
https://datatracker.ietf.org/doc/html/rfc5996
In VyOS, IKE attributes are specified through IKE groups.
Multiple proposals can be specified in a single group.
VyOS IKE group has the next options:
* ``close-action`` defines the action to take if the remote peer unexpectedly
closes a CHILD_SA:
* ``none`` set action to none (default);
* ``trap`` installs a trap policy for the CHILD_SA;
* ``start`` tries to immediately re-create the CHILD_SA;
* ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol
(DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty
INFORMATIONAL messages (IKEv2) are periodically sent in order to check the
liveliness of the IPsec peer:
* ``action`` keep-alive failure action:
* ``trap`` installs a trap policy, which will catch matching traffic
and tries to re-negotiate the tunnel on-demand;
* ``clear`` closes the CHILD_SA and does not take further action (default);
* ``restart`` immediately tries to re-negotiate the CHILD_SA
under a fresh IKE_SA;
* ``interval`` keep-alive interval in seconds <2-86400> (default 30);
* ``timeout`` keep-alive timeout in seconds <2-86400> (default 120) IKEv1 only
* ``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate
the peer. In IKEv1, reauthentication is always done.
Setting this parameter enables remote host re-authentication during an IKE
rekey.
* ``key-exchange`` which protocol should be used to initialize the connection
If not set both protocols are handled and connections will use IKEv2 when
initiating, but accept any protocol version when responding:
* ``ikev1`` use IKEv1 for Key Exchange;
* ``ikev2`` use IKEv2 for Key Exchange;
* ``lifetime`` IKE lifetime in seconds <0-86400> (default 28800);
* ``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2
and enabled by default.
* ``mode`` IKEv1 Phase 1 Mode Selection:
* ``main`` use Main mode for Key Exchanges in the IKEv1 Protocol
(Recommended Default);
* ``aggressive`` use Aggressive mode for Key Exchanges in the IKEv1 protocol
aggressive mode is much more insecure compared to Main mode;
* ``proposal`` the list of proposals and their parameters:
* ``dh-group`` dh-group;
* ``encryption`` encryption algorithm;
* ``hash`` hash algorithm.
* ``prf`` pseudo-random function.
***********************************************
ESP (Encapsulating Security Payload) Attributes
***********************************************
ESP is used to provide confidentiality, data origin authentication,
connectionless integrity, an anti-replay service (a form of partial sequence
integrity), and limited traffic flow confidentiality.
https://datatracker.ietf.org/doc/html/rfc4303
In VyOS, ESP attributes are specified through ESP groups.
Multiple proposals can be specified in a single group.
VyOS ESP group has the next options:
* ``compression`` Enables the IPComp(IP Payload Compression) protocol which
allows compressing the content of IP packets.
* ``life-bytes`` ESP life in bytes <1024-26843545600000>.
Number of bytes transmitted over an IPsec SA before it expires;
* ``life-packets`` ESP life in packets <1000-26843545600000>.
Number of packets transmitted over an IPsec SA before it expires;
* ``lifetime`` ESP lifetime in seconds <30-86400> (default 3600).
How long a particular instance of a connection (a set of
encryption/authentication keys for user packets) should last,
from successful negotiation to expiry;
* ``mode`` the type of the connection:
* ``tunnel`` tunnel mode (default);
* ``transport`` transport mode;
* ``pfs`` whether Perfect Forward Secrecy of keys is desired on the
connection's keying channel and defines a Diffie-Hellman group for PFS:
* ``enable`` Inherit Diffie-Hellman group from IKE group (default);
* ``disable`` Disable PFS;
* ``< dh-group >`` defines a Diffie-Hellman group for PFS;
* ``proposal`` ESP-group proposal with number <1-65535>:
* ``encryption`` encryption algorithm (default 128 bit AES-CBC);
* ``hash`` hash algorithm (default sha1).
* ``disable-rekey`` Do not locally initiate a re-key of the SA, remote
peer must re-key before expiration.
***********************************************
Options (Global IPsec settings) Attributes
***********************************************
* ``options``
* ``disable-route-autoinstall`` Do not automatically install routes to remote
networks;
* ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco
FlexVPN vendor ID payload (IKEv2 only), which is required in order to make
Cisco brand devices allow negotiating a local traffic selector (from
strongSwan's point of view) that is not the assigned virtual IP address if
such an address is requested by strongSwan. Sending the Cisco FlexVPN
vendor ID prevents the peer from narrowing the initiator's local traffic
selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0
instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco
template but should also work for GRE encapsulation;
* ``interface`` Interface Name to use. The name of the interface on which
virtual IP addresses should be installed. If not specified the addresses
will be installed on the outbound interface;
* ``virtual-ip`` Allows the installation of virtual-ip addresses. A comma
separated list of virtual IPs to request in IKEv2 configuration payloads or
IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an
arbitrary address, specific addresses may be defined. The responder may
return a different address, or none at all. Define the ``virtual-address``
option to configure the IP address in a site-to-site hierarchy.
*************************
IPsec policy matching GRE
*************************
The first and arguably cleaner option is to make your IPsec policy match GRE
packets between external addresses of your routers. This is the best option if
both routers have static external addresses.
Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface,
and the RIGHT router is 203.0.113.45
On the LEFT:
.. code-block:: none
# GRE tunnel
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 192.0.2.10
set interfaces tunnel tun0 remote 203.0.113.45
set interfaces tunnel tun0 address 10.10.10.1/30
## IPsec
set vpn ipsec interface eth0
# Pre-shared-secret
set vpn ipsec authentication psk vyos id 192.0.2.10
set vpn ipsec authentication psk vyos id 203.0.113.45
set vpn ipsec authentication psk vyos secret MYSECRETKEY
# IKE group
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
# ESP group
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
# IPsec tunnel
set vpn ipsec site-to-site peer right authentication mode pre-shared-secret
set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45
set vpn ipsec site-to-site peer right ike-group MyIKEGroup
set vpn ipsec site-to-site peer right default-esp-group MyESPGroup
set vpn ipsec site-to-site peer right local-address 192.0.2.10
set vpn ipsec site-to-site peer right remote-address 203.0.113.45
# This will match all GRE traffic to the peer
set vpn ipsec site-to-site peer right tunnel 1 protocol gre
On the RIGHT, setup by analogy and swap local and remote addresses.
Source tunnel from dummy interface
==================================
The scheme above doesn't work when one of the routers has a dynamic external
address though. The classic workaround for this is to setup an address on a
loopback interface and use it as a source address for the GRE tunnel, then setup
an IPsec policy to match those loopback addresses.
We assume that the LEFT router has static 192.0.2.10 address on eth0, and the
RIGHT router has a dynamic address on eth0.
The peer names RIGHT and LEFT are used as informational text.
**Setting up the GRE tunnel**
On the LEFT:
.. code-block:: none
set interfaces dummy dum0 address 192.168.99.1/32
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 address 10.10.10.1/30
set interfaces tunnel tun0 source-address 192.168.99.1
set interfaces tunnel tun0 remote 192.168.99.2
On the RIGHT:
.. code-block:: none
set interfaces dummy dum0 address 192.168.99.2/32
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 address 10.10.10.2/30
set interfaces tunnel tun0 source-address 192.168.99.2
set interfaces tunnel tun0 remote 192.168.99.1
**Setting up IPSec**
However, now you need to make IPsec work with dynamic address on one side. The
tricky part is that pre-shared secret authentication doesn't work with dynamic
address, so we'll have to use RSA keys.
First, on both routers run the operational command "generate pki key-pair
install <key-pair name>". You may choose different length than 2048 of course.
.. code-block:: none
vyos@left# run generate pki key-pair install ipsec-LEFT
Enter private key type: [rsa, dsa, ec] (Default: rsa)
Enter private key bits: (Default: 2048)
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] N
Configure mode commands to install key pair:
Do you want to install the public key? [Y/n] Y
set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'
Do you want to install the private key? [Y/n] Y
set pki key-pair ipsec-LEFT private key 'MIIEvgIBADAN...'
[edit]
Configuration commands for the private and public key will be displayed on the
screen which needs to be set on the router first.
Note the command with the public key
(set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...').
Then do the same on the opposite router:
.. code-block:: none
vyos@left# run generate pki key-pair install ipsec-RIGHT
Note the command with the public key
(set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...').
Now the noted public keys should be entered on the opposite routers.
On the LEFT:
.. code-block:: none
set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...'
On the RIGHT:
.. code-block:: none
set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'
Now you are ready to setup IPsec. You'll need to use an ID instead of address
for the peer.
On the LEFT (static address):
.. code-block:: none
set vpn ipsec interface eth0
set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
set vpn ipsec site-to-site peer RIGHT authentication local-id LEFT
set vpn ipsec site-to-site peer RIGHT authentication mode rsa
set vpn ipsec site-to-site peer RIGHT authentication rsa local-key ipsec-LEFT
set vpn ipsec site-to-site peer RIGHT authentication rsa remote-key ipsec-RIGHT
set vpn ipsec site-to-site peer RIGHT authentication remote-id RIGHT
set vpn ipsec site-to-site peer RIGHT default-esp-group MyESPGroup
set vpn ipsec site-to-site peer RIGHT ike-group MyIKEGroup
set vpn ipsec site-to-site peer RIGHT local-address 192.0.2.10
set vpn ipsec site-to-site peer RIGHT connection-type respond
set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local
set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote
On the RIGHT (dynamic address):
.. code-block:: none
set vpn ipsec interface eth0
set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
set vpn ipsec site-to-site peer LEFT authentication local-id RIGHT
set vpn ipsec site-to-site peer LEFT authentication mode rsa
set vpn ipsec site-to-site peer LEFT authentication rsa local-key ipsec-RIGHT
set vpn ipsec site-to-site peer LEFT authentication rsa remote-key ipsec-LEFT
set vpn ipsec site-to-site peer LEFT authentication remote-id LEFT
set vpn ipsec site-to-site peer LEFT connection-type initiate
set vpn ipsec site-to-site peer LEFT default-esp-group MyESPGroup
set vpn ipsec site-to-site peer LEFT ike-group MyIKEGroup
set vpn ipsec site-to-site peer LEFT local-address any
set vpn ipsec site-to-site peer LEFT remote-address 192.0.2.10
set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local
set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote
*******************************************
IKEv2 IPSec road-warriors remote-access VPN
*******************************************
Internet Key Exchange version 2, IKEv2 for short, is a request/response
protocol developed by both Cisco and Microsoft. It is used to establish and
secure IPv4/IPv6 connections, be it a site-to-site VPN or from a
road-warrior connecting to a hub site. IKEv2, when run in point-to-multipoint,
or remote-access/road-warrior mode, secures the server-side with another layer
by using an x509 signed server certificate.
Key exchange and payload encryption is still done using IKE and ESP proposals
as known from IKEv1 but the connections are faster to establish, more reliable,
and also support roaming from IP to IP (called MOBIKE which makes sure your
connection does not drop when changing networks from e.g. WIFI to LTE and back).
This feature closely works together with :ref:`pki` subsystem as you required
a x509 certificate.
Example
=======
This example uses CACert as certificate authority.
.. code-block::
set pki ca CAcert_Class_3_Root certificate 'MIIGPTCCBCWgAwIBAgIDFOIoMA0GCSqGSIb3DQEBDQUAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnMB4XDTIxMDQxOTEyMTgzMFoXDTMxMDQxNzEyMTgzMFowVDEUMBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57aiX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6CjQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgiapNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPtXapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luLoFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGprmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVABfvpAgMBAAGjgfIwge8wDwYDVR0TAQH/BAUwAwEB/zBhBggrBgEFBQcBAQRVMFMwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLkNBY2VydC5vcmcvMCwGCCsGAQUFBzAChiBodHRwOi8vd3d3LkNBY2VydC5vcmcvY2xhc3MzLmNydDBFBgNVHSAEPjA8MDoGCysGAQQBgZBKAgMBMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9jcHMucGhwMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHBzOi8vd3d3LmNhY2VydC5vcmcvY2xhc3MzLmNybDANBgkqhkiG9w0BAQ0FAAOCAgEAxh6td1y0KJvRyI1EEsC9dnYEgyEH+BGCf2vBlULAOBG1JXCNiwzB1Wz9HBoDfIv4BjGlnd5BKdSLm4TXPcE3hnGjH1thKR5dd3278K25FRkTFOY1gP+mGbQ3hZRB6IjDX+CyBqS7+ECpHTms7eo/mARN+Yz5R3lzUvXs3zSX+z534NzRg4i6iHNHWqakFcQNcA0PnksTB37vGD75pQGqeSmx51L6UzrIpn+274mhsaFNL85jhX+lKuk71MGjzwoThbuZ15xmkITnZtRQs6HhLSIqJWjDILIrxLqYHehK71xYwrRNhFb3TrsWaEJskrhveM0Os/vvoLNkh/L3iEQ5/LnmLMCYJNRALF7I7gsduAJNJrgKGMYvHkt1bo8uIXO8wgNV7qoU4JoaB1ML30QUqGcFr0TI06FFdgK2fwy5hulPxm6wuxW0v+iAtXYx/mRkwQpYbcVQtrIDvx1CT1k50cQxi+jIKjkcFWHw3kBoDnCos0/ukegPT7aQnk2AbL4c7nCkuAcEKw1BAlSETkfqi5btdlhh58MhewZv1LcL5zQyg8w1puclT3wXQvy8VwPGn0J/mGD4gLLZ9rGcHDUECokxFoWk+u5MCcVqmGbsyG4q5suS3CNslsHURfM8bQK4oLvHR8LCHEBMRcdFBn87cSvOK6eB1kdGKLA8ymXxZp8='
set pki ca CAcert_Signing_Authority certificate 'MIIG7jCCBNagAwIBAgIBDzANBgkqhkiG9w0BAQsFADB5MRAwDgYDVQQKEwdSb290IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42yfk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jcG8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4kepKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43qlaegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQQUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivUfslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAX8wggF7MB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TAPBgNVHRMBAf8EBTADAQH/MDQGCWCGSAGG+EIBCAQnFiVodHRwOi8vd3d3LmNhY2VydC5vcmcvaW5kZXgucGhwP2lkPTEwMFYGCWCGSAGG+EIBDQRJFkdUbyBnZXQgeW91ciBvd24gY2VydGlmaWNhdGUgZm9yIEZSRUUgaGVhZCBvdmVyIHRvIGh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLmNhY2VydC5vcmcvcmV2b2tlLmNybDAzBglghkgBhvhCAQQEJhYkVVJJOmh0dHA6Ly9jcmwuY2FjZXJ0Lm9yZy9yZXZva2UuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AuY2FjZXJ0Lm9yZzAfBgNVHSMEGDAWgBQWtTIb1Mfz4OaO873SsDrusjkY0TANBgkqhkiG9w0BAQsFAAOCAgEAR5zXs6IX01JTt7Rq3b+bNRUhbO9vGBMggczo7R0qIh1kdhS6WzcrDoO6PkpuRg0L3qM7YQB6pw2V+ubzF7xl4C0HWltfzPTbzAHdJtjaJQw7QaBlmAYpN2CLB6Jeg8q/1Xpgdw/+IP1GRwdg7xUpReUA482l4MH1kf0W0ad94SuIfNWQHcdLApmno/SUh1bpZyeWrMnlhkGNDKMxCCQXQ360TwFHc8dfEAaq5ry6cZzm1oetrkSviE2qofxvv1VFiQ+9TX3/zkECCsUB/EjPM0lxFBmu9T5Ih+Eqns9ivmrEIQDv9tNyJHuLsDNqbUBal7OoiPZnXk9LH+qb+pLf1ofv5noy5vX2a5OKebHe+0Ex/A7e+G/HuOjVNqhZ9j5Nispfq9zNyOHGWD8ofj8DHwB50L1Xh5H+EbIoga/hJCQnRtxWkHP699T1JpLFYwapgplivF4TFv4fqp0nHTKC1x9gGrIgvuYJl1txIKmxXdfJzgscMzqpabhtHOMXOiwQBpWzyJkofF/w55e0LttZDBkEsilV/vW0CJsPs3eNaQF+iMWscGOkgLFlWsAS3HwyiYLNJo26aqyWPaIdc8E4ck7Sk08WrFrHIK3EHr4n1FZwmLpFAvucKqgl0hr+2jypyh5puA3KksHF3CsUzjMUvzxMhykh9zrMxQAHLBVrGwc='
After you obtain your server certificate you can import it from a file on the
local filesystem, or paste it into the CLI. Please note that when entering the
certificate manually you need to strip the ``-----BEGIN KEY-----`` and
``-----END KEY-----`` tags. Also, the certificate or key needs to be presented
in a single line without line breaks (``\n``).
To import it from the filesystem use:
.. code-block::
import pki certificate <name> file /path/to/cert.pem
In our example the certificate name is called vyos:
.. code-block::
set pki certificate vyos certificate 'MIIE45s...'
set pki certificate vyos private key 'MIIEvgI...'
After the PKI certs are all set up we can start configuring our IPSec/IKE
proposals used for key-exchange end data encryption. The used encryption
ciphers and integrity algorithms vary from operating system to operating
system. The ones used in this post are validated to work on both Windows 10
and iOS/iPadOS 14 to 17.
.. code-block::
set vpn ipsec esp-group ESP-RW compression 'disable'
set vpn ipsec esp-group ESP-RW lifetime '3600'
set vpn ipsec esp-group ESP-RW pfs 'disable'
set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128'
set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE-RW key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RW lifetime '7200'
set vpn ipsec ike-group IKE-RW mobike 'enable'
set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128'
set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256'
Every connection/remote-access pool we configure also needs a pool where
we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool.
Authorized clients will receive an IPv4 address from the 192.0.2.128/25 prefix
and an IPv6 address from the 2001:db8:2000::/64 prefix. We can also send some
DNS nameservers down for our clients to use with their connection.
.. code-block::
set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1'
set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25'
set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1'
set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64'
VyOS supports multiple IKEv2 remote-access connections. Every connection can
have its own dedicated IKE/ESP ciphers, certificates or local listen address
for e.g. inbound load balancing.
We configure a new connection named ``rw`` for road-warrior, that identifies
itself as ``192.0.2.1`` to the clients and uses the ``vyos`` certificate
signed by the `CAcert_Class3_Root`` intermediate CA. We select our previously
specified IKE/ESP groups and also link the IP address pool to draw addresses
from.
.. code-block::
set vpn ipsec remote-access connection rw authentication id '192.0.2.1'
set vpn ipsec remote-access connection rw authentication server-mode 'x509'
set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CAcert_Class_3_Root'
set vpn ipsec remote-access connection rw authentication x509 certificate 'vyos'
set vpn ipsec remote-access connection rw esp-group 'ESP-RW'
set vpn ipsec remote-access connection rw ike-group 'IKE-RW'
set vpn ipsec remote-access connection rw local-address '192.0.2.1'
set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4'
set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6'
VyOS also supports (currently) two different modes of authentication, local and
RADIUS. To create a new local user named ``vyos`` with password ``vyos`` use the
following commands.
.. code-block::
set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2'
set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos'
If you feel better forwarding all authentication requests to your enterprises
RADIUS server, use the commands below.
.. code-block::
set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius'
set vpn ipsec remote-access radius server 192.0.2.2 key 'secret'
Client Configuration
====================
Configuring VyOS to act as your IPSec access concentrator is one thing, but
you probably need to setup your client connecting to the server so they can
talk to the IPSec gateway.
Microsoft Windows (10+)
-----------------------
Windows 10 does not allow a user to choose the integrity and encryption ciphers
using the GUI and it uses some older proposals by default. A user can only
change the proposals on the client side by configuring the IPSec connection
profile via PowerShell.
We generate a connection profile used by Windows clients that will connect to
the "rw" connection on our VyOS server on the VPN servers IP address/fqdn
`vpn.vyos.net`.
.. note:: Microsoft Windows expects the server name to be also used in the
server's certificate common name, so it's best to use this DNS name for
your VPN connection.
.. code-block::
vyos@vyos:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net
==== <snip> ====
Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "vpn.vyos.net" -TunnelType "Ikev2"
Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256128 -PfsGroup None -DHGroup "Group14" -PassThru -Force
==== </snip> ====
As both Microsoft Windows and Apple iOS/iPadOS only support a certain set of
encryption ciphers and integrity algorithms we will validate the configured
IKE/ESP proposals and only list the compatible ones to the user — if multiple
are defined. If there are no matching proposals found — we can not generate a
profile for you.
When first connecting to the new VPN the user is prompted to enter proper
credentials.
Apple iOS/iPadOS (14.2+)
------------------------
Like on Microsoft Windows, Apple iOS/iPadOS out of the box does not expose
all available VPN options via the device GUI.
If you want, need, and should use more advanced encryption ciphers (default
is still 3DES) you need to provision your device using a so-called "Device
Profile". A profile is a simple text file containing XML nodes with a
``.mobileconfig`` file extension that can be sent and opened on any device
from an E-Mail.
Profile generation happens from the operational level and is as simple as
issuing the following command to create a profile to connect to the IKEv2
access server at ``vpn.vyos.net`` with the configuration for the ``rw``
remote-access connection group.
.. note:: Apple iOS/iPadOS expects the server name to be also used in the
server's certificate common name, so it's best to use this DNS name for
your VPN connection.
.. code-block::
vyos@vyos:~$ generate ipsec profile ios-remote-access rw remote vpn.vyos.net
==== <snip> ====
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
...
</plist>
==== </snip> ====
In the end, an XML structure is generated which can be saved as
``vyos.mobileconfig`` and sent to the device by E-Mail where it later can
be imported.
During profile import, the user is asked to enter its IPSec credentials
(username and password) which is stored on the mobile.
Operation Mode
==============
.. opcmd:: show vpn ike sa
Show all currently active IKE Security Associations.
.. opcmd:: show vpn ike sa nat-traversal
Show all currently active IKE Security Associations (SA) that are using
NAT Traversal.
.. opcmd:: show vpn ike sa peer <peer_name>
Show all currently active IKE Security Associations (SA) for a specific
peer.
.. opcmd:: show vpn ike secrets
Show all the configured pre-shared secret keys.
.. opcmd:: show vpn ike status
Show the detailed status information of IKE charon process.
.. opcmd:: show vpn ipsec connections
Show details of all available VPN connections
.. opcmd:: show vpn ipsec policy
Print out the list of existing crypto policies
.. opcmd:: show vpn ipsec sa
Show all active IPsec Security Associations (SA)
.. opcmd:: show vpn ipsec sa detail
Show a detailed information of all active IPsec Security Associations (SA)
in verbose format.
.. opcmd:: show vpn ipsec state
Print out the list of existing in-kernel crypto state
.. opcmd:: show vpn ipsec status
Show the status of running IPsec process and process ID.
.. opcmd:: restart ipsec
Restart the IPsec VPN process and re-establishes the connection.
.. opcmd:: reset vpn ipsec site-to-site all
Reset all site-to-site IPSec VPN sessions. It terminates all active
child_sa and reinitiates the connection.
.. opcmd:: reset vpn ipsec site-to-site peer <name>
Reset all tunnels for a given peer, can specify tunnel or vti interface.
It terminates a specific child_sa and reinitiates the connection.
.. opcmd:: show log ipsec
Show logs for IPsec

20
docs/configuration/vpn/ipsec/index.rst Normal file
View File

@ -0,0 +1,20 @@
#####
IPsec
#####
.. toctree::
:maxdepth: 1
:includehidden:
ipsec_general
site2site_ipsec
troubleshooting_ipsec
pages to sort
.. toctree::
:maxdepth: 1
:includehidden:

308
docs/configuration/vpn/ipsec/ipsec_general.rst Normal file
View File

@ -0,0 +1,308 @@
.. _ipsec_general:
#########################
IPsec General Information
#########################
***********************
Information about IPsec
***********************
IPsec is the framework used to secure data.
IPsec accomplishes these goals by providing authentication,
encryption of IP network packets, key exchange, and key management.
VyOS uses strongSwan for its IPsec implementation.
**Authentication Header (AH)** is defined in :rfc:`4302`. It creates
a hash using the IP header and data payload, and prepends it to the
packet. This hash is used to validate that the data has not been
changed during transfer over the network.
**Encapsulating Security Payload (ESP)** is defined in :rfc:`4303`.
It provides encryption and authentication of the data.
There are two IPsec modes:
**IPsec Transport Mode**:
In transport mode, an IPSec header (AH or ESP) is inserted
between the IP header and the upper layer protocol header.
**IPsec Tunnel Mode:**
In tunnel mode, the original IP packet is encapsulated in
another IP datagram, and an IPsec header (AH or ESP) is
inserted between the outer and inner headers.
.. figure:: /_static/images/ESP_AH.png
:scale: 80 %
:alt: AH and ESP in Transport Mode and Tunnel Mode
***************************
IKE (Internet Key Exchange)
***************************
The default IPsec method for secure key negotiation is the Internet Key
Exchange (IKE) protocol. IKE is designed to provide mutual authentication
of systems, as well as to establish a shared secret key to create IPsec
security associations. A security association (SA) includes all relevant
attributes of the connection, including the cryptographic algorithm used,
the IPsec mode, the encryption key, and other parameters related to the
transmission of data over the VPN connection.
IKEv1
=====
IKEv1 is the older version and is still used today. Nowadays, most
manufacturers recommend using IKEv2 protocol.
IKEv1 is described in the next RFCs: :rfc:`2409` (IKE), :rfc:`3407`
(IPsec DOI), :rfc:`3947` (NAT-T), :rfc:`3948` (UDP Encapsulation
of ESP Packets), :rfc:`3706` (DPD)
IKEv1 operates in two phases to establish these IKE and IPsec SAs:
* **Phase 1** provides mutual authentication of the IKE peers and
establishment of the session key. This phase creates an IKE SA (a
security association for IKE) using a DH exchange, cookies, and an
ID exchange. Once an IKE SA is established, all IKE communication
between the initiator and responder is protected with encryption
and an integrity check that is authenticated. The purpose of IKE
phase 1 is to facilitate a secure channel between the peers so that
phase 2 negotiations can occur securely. IKE phase 1 offers two modes:
Main and Aggressive.
* **Main Mode** is used for site-to-site VPN connections.
* **Aggressive Mode** is used for remote access VPN connections.
* **Phase 2** provides for the negotiation and establishment of the
IPsec SAs using ESP or AH to protect IP data traffic.
IKEv2
=====
IKEv2 is described in :rfc:`7296`. The biggest difference between IKEv1 and
IKEv2 is that IKEv2 is much simpler and more reliable than IKEv1 because
fewer messages are exchanged during the establishment of the VPN and
additional security capabilities are available.
IKE Authentication
==================
VyOS supports 3 authentication methods.
* **Pre-shared keys**: In this method, both peers of the IPsec
tunnel must have the same preshared keys.
* **Digital certificates**: PKI is used in this method.
* **RSA-keys**: If the RSA-keys method is used in your IKE policy,
you need to make sure each peer has the other peers public keys.
*************************
DPD (Dead Peer Detection)
*************************
This is a mechanism used to detect when a VPN peer is no longer active.
This mechanism has different algorithms in IKEv1 and IKEv2 in VyOS.
DPD Requests are sent as ISAKMP R-U-THERE messages and DPD Responses
are sent as ISAKMP R-U-THERE-ACK messages. In IKEv1, DPD sends messages
every configured interval. The remote peer is considered unreachable
if no response to these packets is received within the DPD timeout.
In IKEv2, DPD sends messages every configured interval. If one request
does not receive a response, strongSwan executes its retransmission algorithm with
its timers. https://docs.strongswan.org/docs/5.9/config/retransmission.html
*****************
Configuration IKE
*****************
IKE (Internet Key Exchange) Attributes
======================================
VyOS IKE group has the next options:
.. cfgcmd:: set vpn ipsec ike-group <name> close-action <action>
Defines the action to take if the remote peer unexpectedly
closes a CHILD_SA:
* **none** - Set action to none (default),
* **trap** - Installs a trap policy (IPsec policy without Security
Association) for the CHILD_SA and traffic matching these policies
will trigger acquire events that cause the daemon to establish the
required IKE/IPsec SAs.
* **start** - Tries to immediately re-create the CHILD_SA.
.. cfgcmd:: set vpn ipsec ike-group <name> ikev2-reauth
Whether rekeying of an IKE_SA should also reauthenticate
the peer. In IKEv1, reauthentication is always done.
Setting this parameter enables remote host re-authentication
during an IKE rekey.
.. cfgcmd:: set vpn ipsec ike-group <name> key-exchange
Which protocol should be used to initialize the connection
If not set both protocols are handled and connections will
use IKEv2 when initiating, but accept any protocol version
when responding:
* **ikev1** - Use IKEv1 for Key Exchange.
* **ikev2** - Use IKEv2 for Key Exchange.
.. cfgcmd:: set vpn ipsec ike-group <name> lifetime
IKE lifetime in seconds <0-86400> (default 28800).
.. cfgcmd:: set vpn ipsec ike-group <name> mode
IKEv1 Phase 1 Mode Selection:
* **main** - Use Main mode for Key Exchanges in the IKEv1 Protocol
(Recommended Default).
* **aggressive** - Use Aggressive mode for Key Exchanges in the IKEv1
protocol aggressive mode is much more insecure compared to Main mode.
.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> dh-group <dh-group number>
Diffie-Hellman algorithm group. Default value is **2**.
.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> encryption <encryption>
Encryption algorithm. Default value is **aes128**.
.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> hash <hash>
Hash algorithm. Default value is **sha1**.
.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> prf <prf>
Pseudo-random function.
DPD (Dead Peer Detection) Configuration
=======================================
.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection action <action>
Action to perform for this CHILD_SA on DPD timeout.
* **trap** - Installs a trap policy (IPsec policy without Security
Association), which will catch matching traffic and tries to
re-negotiate the tunnel on-demand.
* **clear** - Closes the CHILD_SA and does not take further action
(default).
* **restart** - Immediately tries to re-negotiate the CHILD_SA
under a fresh IKE_SA.
.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection interval <interval>
Keep-alive interval in seconds <2-86400> (default 30).
.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection timeout <timeout>
Keep-alive timeout in seconds <2-86400> (default 120) **IKEv1 only**
ESP (Encapsulating Security Payload) Attributes
===============================================
In VyOS, ESP attributes are specified through ESP groups.
Multiple proposals can be specified in a single group.
VyOS ESP group has the next options:
.. cfgcmd:: set vpn ipsec esp-group <name> compression
Enables the IPComp(IP Payload Compression) protocol which allows
compressing the content of IP packets.
.. cfgcmd:: set vpn ipsec esp-group <name> disable-rekey
Do not locally initiate a re-key of the SA, remote peer must
re-key before expiration.
.. cfgcmd:: set vpn ipsec esp-group <name> life-bytes <bytes>
ESP life in bytes <1024-26843545600000>. Number of bytes
transmitted over an IPsec SA before it expires.
.. cfgcmd:: set vpn ipsec esp-group <name> life-packets <packets>
ESP life in packets <1000-26843545600000>.
Number of packets transmitted over an IPsec SA before it expires.
.. cfgcmd:: set vpn ipsec esp-group <name> lifetime <timeout>
ESP lifetime in seconds <30-86400> (default 3600).
How long a particular instance of a connection (a set of
encryption/authentication keys for user packets) should last,
from successful negotiation to expiry.
.. cfgcmd:: set vpn ipsec esp-group <name> mode <mode>
The type of the connection:
* **tunnel** - Tunnel mode (default).
* **transport** - Transport mode.
.. cfgcmd:: set vpn ipsec esp-group <name> pfs < dh-group>
Whether Perfect Forward Secrecy of keys is desired on the
connection's keying channel and defines a Diffie-Hellman group for
PFS:
* **enable** - Inherit Diffie-Hellman group from IKE group (default).
* **disable** - Disable PFS.
* **<dh-group>** - Defines a Diffie-Hellman group for PFS.
.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> encryption <encryption>
Encryption algorithm. Default value is **aes128**.
.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> hash <hash>
Hash algorithm. Default value is **sha1**.
Global IPsec Settings
=====================
.. cfgcmd:: set vpn ipsec interface <name>
Interface name to restrict outbound IPsec policies. There is a possibility
to specify multiple interfaces. If an interfaces are not specified, IPsec
policies apply to all interfaces.
.. cfgcmd:: set vpn ipsec log level <number>
Level of logging. Default value is **0**.
.. cfgcmd:: set vpn ipsec log subsystem <name>
Subsystem of the daemon.
Options
=======
.. cfgcmd:: set vpn ipsec options disable-route-autoinstall
Do not automatically install routes to remote
networks.
.. cfgcmd:: set vpn ipsec options flexvpn
Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco
FlexVPN vendor ID payload (IKEv2 only), which is required in order to make
Cisco brand devices allow negotiating a local traffic selector (from
strongSwan's point of view) that is not the assigned virtual IP address if
such an address is requested by strongSwan. Sending the Cisco FlexVPN
vendor ID prevents the peer from narrowing the initiator's local traffic
selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0
instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco
template but should also work for GRE encapsulation.
.. cfgcmd:: set vpn ipsec options interface <name>
Interface Name to use. The name of the interface on which
virtual IP addresses should be installed. If not specified the addresses
will be installed on the outbound interface.
.. cfgcmd:: set vpn ipsec options virtual-ip
Allows the installation of virtual-ip addresses.

729
docs/configuration/vpn/ipsec/site2site_ipsec.rst Normal file
View File

@ -0,0 +1,729 @@
.. _size2site_ipsec:
######################
IPsec Site-to-Site VPN
######################
****************************
IPsec Site-to-Site VPN Types
****************************
VyOS supports two types of IPsec VPN: Policy-based IPsec VPN and Route-based
IPsec VPN.
Policy-based VPN
================
Policy-based VPN is based on static configured policies. Each policy creates
individual IPSec SA. Traffic matches these SAs encrypted and directed to the
remote peer.
Route-Based VPN
===============
Route-based VPN is based on secure traffic passing over Virtual Tunnel
Interfaces (VTIs). This type of IPsec VPNs allows using routing protocols.
******************************
Configuration Site-to-Site VPN
******************************
Requirements and Prerequisites for Site-to-Site VPN
===================================================
**Negotiated parameters that need to match**
Phase 1
* IKE version
* Authentication
* Encryption
* Hashing
* PRF
* Lifetime
.. note:: Strongswan recommends to use the same lifetime value on both peers
Phase 2
* Encryption
* Hashing
* PFS
* Mode (tunnel or transport)
* Lifetime
.. note:: Strongswan recommends to use the same lifetime value on both peers
* Remote and Local networks in SA must be compatible on both peers
Configuration Steps for Site-to-Site VPN
========================================
The next example shows the configuration one of the router participating in
IPsec VPN.
Tunnel information:
* Phase 1:
* encryption: AES256
* hash: SHA256
* PRF: SHA256
* DH: 14
* lifetime: 28800
* Phase 2:
* IPsec mode: tunnel
* encryption: AES256
* hash: SHA256
* PFS: inherited from DH Phase 1
* lifetime: 3600
* If Policy based VPN is used
* Remote network is 192.168.50.0/24. Local network is 192.168.10.0/24
* If Route based VPN is used
* IP of the VTI interface is 10.0.0.1/30
.. note:: We do not recommend using policy-based vpn and route-based vpn configurations to the same peer.
**1. Configure ike-group (IKE Phase 1)**
.. code-block:: none
set vpn ipsec ike-group IKE close-action 'start'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE lifetime '28800'
set vpn ipsec ike-group IKE proposal 10 dh-group '14'
set vpn ipsec ike-group IKE proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE proposal 10 prf 'prfsha256'
**2. Configure ESP-group (IKE Phase 2)**
.. code-block:: none
set vpn ipsec esp-group ESP lifetime '3600'
set vpn ipsec esp-group ESP mode 'tunnel'
set vpn ipsec esp-group ESP pfs 'enable'
set vpn ipsec esp-group ESP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 10 hash 'sha256'
**3. Specify interface facing to the protected destination.**
.. code-block:: none
set vpn ipsec interface eth0
**4. Configure PSK keys and authentication ids for this key if authentication type is PSK**
.. code-block:: none
set vpn ipsec authentication psk PSK-KEY id '192.168.0.2'
set vpn ipsec authentication psk PSK-KEY id '192.168.5.2'
set vpn ipsec authentication psk PSK-KEY secret 'vyos'
To set base64 secret encode plaintext password to base64 and set secret-type
.. code-block:: none
echo -n "vyos" | base64
dnlvcw==
.. code-block:: none
set vpn ipsec authentication psk PSK-KEY secret 'dnlvcw=='
set vpn ipsec authentication psk PSK-KEY secret-type base64
**5. Configure peer and apply IKE-group and esp-group to peer.**
.. code-block:: none
set vpn ipsec site-to-site peer PEER1 authentication local-id '192.168.0.2'
set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer PEER1 authentication remote-id '192.168.5.2'
set vpn ipsec site-to-site peer PEER1 connection-type 'initiate'
set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP'
set vpn ipsec site-to-site peer PEER1 ike-group 'IKE'
set vpn ipsec site-to-site peer PEER1 local-address '192.168.0.2'
set vpn ipsec site-to-site peer PEER1 remote-address '192.168.5.2'
Peer selects the key from step 4 according to local-id/remote-id pair.
**6. Depends to vpn type (route-based vpn or policy-based vpn).**
**6.1 For Policy-based VPN configure SAs using tunnel command specifying remote and local networks.**
.. code-block:: none
set vpn ipsec site-to-site peer PEER1 tunnel 1 local prefix '192.168.10.0/24'
set vpn ipsec site-to-site peer PEER1 tunnel 1 remote prefix '192.168.50.0/24'
**6.2 For Route-based VPN create VTI interface, set IP address to this interface and bind this interface to the vpn peer.**
.. code-block:: none
set interfaces vti vti1 address 10.0.0.1/30
set vpn ipsec site-to-site peer PEER1 vti bind vti1
set vpn ipsec options disable-route-autoinstall
Create routing between local networks via VTI interface using dynamic or
static routing.
.. code-block:: none
set protocol static route 192.168.50.0/24 next-hop 10.0.0.2
Initiator and Responder Connection Types
========================================
In Site-to-Site IPsec VPN it is recommended that one peer should be an
initiator and the other - the responder. The initiator actively establishes
the VPN tunnel. The responder passively waits for the remote peer to
establish the VPN tunnel. Depends on selected role it is recommended
select proper values for close-action and DPD action.
The result of wrong value selection can be unstable work of the VPN.
* Duplicate CHILD SA creation.
* None of the VPN sides initiates the tunnel establishment.
Below flow-chart could be a quick reference for the close-action
combination depending on how the peer is configured.
.. figure:: /_static/images/IPSec_close_action_settings.png
Similar combinations are applicable for the dead-peer-detection.
Detailed Configuration Commands
===============================
PSK Key Authentication
----------------------
.. cfgcmd:: set vpn ipsec authentication psk <name> dhcp-interface
ID for authentication generated from DHCP address
dynamically.
.. cfgcmd:: set vpn ipsec authentication psk id <id>
static ID's for authentication. In general local and remote
address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``.
.. cfgcmd:: set vpn ipsec authentication psk secret <secret>
A predefined shared secret used in configured mode
``pre-shared-secret``. Base64-encoded secrets are allowed if
`secret-type base64` is configured.
.. cfgcmd:: set vpn ipsec authentication psk secret-type <type>
Specifies the secret type:
* **plaintext** - Plain text type (default value).
* **base64** - Base64 type.
Peer Configuration
------------------
Peer Authentication Commands
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication mode <mode>
Mode for authentication between VyOS and remote peer:
* **pre-shared-secret** - Use predefined shared secret phrase.
* **rsa** - Use simple shared RSA key.
* **x509** - Use certificates infrastructure for authentication.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication local-id <id>
ID for the local VyOS router. If defined, during the authentication
it will be send to remote peer.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication remote-id <id>
ID for remote peer, instead of using peer name or
address. Useful in case if the remote peer is behind NAT
or if ``mode x509`` is used.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa local-key <key>
Name of PKI key-pair with local private key.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa remote-key <key>
Name of PKI key-pair with remote public key.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa passphrase <passphrase>
Local private key passphrase.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication use-x509-id <id>
Use local ID from x509 certificate. Cannot be used when
``id`` is defined.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication x509 ca-certificate <name>
Name of CA certificate in PKI configuration. Using for authenticating
remote peer in x509 mode.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication x509 certificate <name>
Name of certificate in PKI configuration, which will be used
for authenticating local router on remote peer.
.. cfgcmd:: set vpn ipsec authentication x509 passphrase <passphrase>
Private key passphrase, if needed.
Global Peer Configuration Commands
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. cfgcmd:: set vpn ipsec site-to-site peer <name> connection-type <type>
Operational mode defines how to handle this connection process.
* **initiate** - does initial connection to remote peer immediately
after configuring and after boot. In this mode the connection will
not be restarted in case of disconnection, therefore should be used
only together with DPD or another session tracking methods.
* **respond** - does not try to initiate a connection to a remote
peer. In this mode, the IPsec session will be established only
after initiation from a remote peer. Could be useful when there
is no direct connectivity to the peer due to firewall or NAT in
the middle of the local and remote side.
* **none** - loads the connection only, which then can be manually
initiated or used as a responder configuration.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> default-esp-group <name>
Name of ESP group to use by default for traffic encryption.
Might be overwritten by individual settings for tunnel or VTI
interface binding.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> description <description>
Description for this peer.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> dhcp-interface <interface>
Specify the interface which IP address, received from DHCP for IPSec
connection with this peer, will be used as ``local-address``.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> force-udp-encapsulation
Force encapsulation of ESP into UDP datagrams. Useful in case if
between local and remote side is firewall or NAT, which not
allows passing plain ESP packets between them.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> ike-group <name>
Name of IKE group to use for key exchanges.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> local-address <address>
Local IP address for IPsec connection with this peer.
If defined ``any``, then an IP address which configured on interface with
default route will be used.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> remote-address <address>
Remote IP address or hostname for IPsec connection. IPv4 or IPv6
address is used when a peer has a public static IP address. Hostname
is a DNS name which could be used when a peer has a public IP
address and DNS name, but an IP address could be changed from time
to time.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> replay-window <size>
IPsec replay window to configure for CHILD_SAs
(default: 32), a value of 0 disables IPsec replay protection.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> virtual-address <address>
Defines a virtual IP address which is requested by the initiator and
one or several IPv4 and/or IPv6 addresses are assigned from multiple
pools by the responder. The wildcard addresses 0.0.0.0 and ::
request an arbitrary address, specific addresses may be defined.
CHILD SAs Configuration Commands
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Policy-Based CHILD SAs Configuration Commands
"""""""""""""""""""""""""""""""""""""""""""""
Every configured tunnel under peer configuration is a new CHILD SA.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> disable
Disable this tunnel.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> esp-group <name>
Specify ESP group for this CHILD SA.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> priority <number>
Priority for policy-based IPsec VPN tunnels (lowest value more
preferable).
.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> protocol <name>
Define the protocol for match traffic, which should be encrypted and
send to this peer.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> local prefix <network>
IP network at the local side.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> local port <number>
Local port number. Have effect only when used together with
``prefix``.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> remote prefix <network>
IP network at the remote side.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> remote port <number>
Remote port number. Have effect only when used together with
``prefix``.
Route-Based CHILD SAs Configuration Commands
"""""""""""""""""""""""""""""""""""""""""""""
To configure route-based VPN it is enough to create vti interface and
bind it to the peer. Any traffic, which will be send to VTI interface
will be encrypted and send to this peer. Using VTI makes IPsec
configuration much flexible and easier in complex situation, and
allows to dynamically add/delete remote networks, reachable via a
peer, as in this mode router don't need to create additional SA/policy
for each remote network.
.. warning:: When using site-to-site IPsec with VTI interfaces,
be sure to disable route autoinstall.
.. code-block:: none
set vpn ipsec options disable-route-autoinstall
.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti bind <interface>
VTI interface to bind to this peer.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti esp-group <name>
ESP group for encrypt traffic, passed this VTI interface.
Traffic-selectors parameters for traffic that should pass via vti
interface.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti traffic-selector local prefix <network>
Local prefix for interesting traffic.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti traffic-selector remote prefix <network>
Remote prefix for interesting traffic.
IPsec Op-mode Commands
======================
.. opcmd:: show vpn ike sa
Shows active IKE SAs information.
.. opcmd:: show vpn ike secrets
Shows configured authentication keys.
.. opcmd:: show vpn ike status
Shows Strongswan daemon status.
.. opcmd:: show vpn ipsec connections
Shows summary status of all configured IKE and IPsec SAs.
.. opcmd:: show vpn ipsec sa [detail]
Shows active IPsec SAs information.
.. opcmd:: show vpn ipsec status
Shows status of IPsec process.
.. opcmd:: show vpn ipsec policy
Shows the in-kernel crypto policies.
.. opcmd:: show vpn ipsec state
Shows the in-kernel crypto state.
.. opcmd:: show log ipsec
Shows IPsec logs.
.. opcmd:: reset vpn ipsec site-to-site all
Clear all ipsec connection and reinitiate them if VyOS is configured
as initiator.
.. opcmd:: reset vpn ipsec site-to-site peer <name>
Clear all peer IKE SAs with IPsec SAs and reinitiate them if VyOS is
configured as initiator.
.. opcmd:: reset vpn ipsec site-to-site peer <name> tunnel <number>
Clear scpecific IPsec SA and reinitiate it if VyOS is configured as
initiator.
.. opcmd:: reset vpn ipsec site-to-site peer <name> vti <number>
Clear IPsec SA which is map to vti interface of this peer and
reinitiate it if VyOS is configured as initiator.
.. opcmd:: restart ipsec
Restart Strongswan daemon.
*********
Examples:
*********
Policy-Based VPN Example
========================
**PEER1:**
* WAN interface on `eth0`
* `eth0` interface IP: `10.0.1.2/30`
* `dum0` interface IP: `192.168.0.1/24` (for testing purposes)
* Initiator
**PEER2:**
* WAN interface on `eth0`
* `eth0` interface IP: `10.0.2.2/30`
* `dum0` interface IP: `192.168.1.0/24` (for testing purposes)
* Responder
.. code-block:: none
# PEER1
set interfaces dummy dum0 address '192.168.0.1/32'
set interfaces ethernet eth0 address '10.0.1.2/30'
set protocols static route 0.0.0.0/0 next-hop 10.0.1.1
set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
set vpn ipsec authentication psk AUTH-PSK secret 'test'
set vpn ipsec esp-group ESP-GRPOUP lifetime '3600'
set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1'
set vpn ipsec ike-group IKE-GROUP close-action 'start'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120'
set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GROUP lifetime '28800'
set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer PEER2 authentication local-id '10.0.1.2'
set vpn ipsec site-to-site peer PEER2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer PEER2 authentication remote-id '10.0.2.2'
set vpn ipsec site-to-site peer PEER2 connection-type 'initiate'
set vpn ipsec site-to-site peer PEER2 default-esp-group 'ESP-GRPOUP'
set vpn ipsec site-to-site peer PEER2 ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer PEER2 local-address '10.0.1.2'
set vpn ipsec site-to-site peer PEER2 remote-address '10.0.2.2'
set vpn ipsec site-to-site peer PEER2 tunnel 0 local prefix '192.168.0.0/24'
set vpn ipsec site-to-site peer PEER2 tunnel 0 remote prefix '192.168.1.0/24'
# PEER2
set interfaces dummy dum0 address '192.168.1.1/32'
set interfaces ethernet eth0 address '10.0.2.2/30'
set protocols static route 0.0.0.0/0 next-hop 10.0.2.1
set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
set vpn ipsec authentication psk AUTH-PSK secret 'test'
set vpn ipsec esp-group ESP-GRPOUP lifetime '3600'
set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1'
set vpn ipsec ike-group IKE-GROUP close-action 'none'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120'
set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GROUP lifetime '28800'
set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2'
set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2'
set vpn ipsec site-to-site peer PEER1 connection-type 'respond'
set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP'
set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2'
set vpn ipsec site-to-site peer PEER1 remote-address '10.0.1.2'
set vpn ipsec site-to-site peer PEER1 tunnel 0 local prefix '192.168.1.0/24'
set vpn ipsec site-to-site peer PEER1 tunnel 0 remote prefix '192.168.0.0/24'
Show status of policy-based IPsec VPN setup:
.. code-block:: none
vyos@PEER2:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
10.0.1.2 10.0.1.2 10.0.2.2 10.0.2.2
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv1 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 1254 25633
vyos@srv-gw0:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
-------------- ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------------
PEER1-tunnel-0 up 20m42s 0B/0B 0/0 10.0.1.2 10.0.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_2048
vyos@PEER2:~$ show vpn ipsec connections
Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal
-------------- ------- ------ ---------------- -------------- -------------- ---------- ----------- ----------------------------------
PEER1 up IKEv1 10.0.1.2 - - 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048
PEER1-tunnel-0 up IPsec 10.0.1.2 192.168.1.0/24 192.168.0.0/24 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048
If there is SNAT rules on eth0, need to add exclude rule
.. code-block:: none
# PEER1 side
set nat source rule 10 destination address '192.168.1.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface name 'eth0'
set nat source rule 10 source address '192.168.0.0/24'
# PEER2 side
set nat source rule 10 destination address '192.168.0.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface name 'eth0'
set nat source rule 10 source address '192.168.1.0/24'
Route-Based VPN Example
=======================
**PEER1:**
* WAN interface on `eth0`
* `eth0` interface IP: `10.0.1.2/30`
* 'vti0' interface IP: `10.100.100.1/30`
* `dum0` interface IP: `192.168.0.1/24` (for testing purposes)
* Role: Initiator
**PEER2:**
* WAN interface on `eth0`
* `eth0` interface IP: `10.0.2.2/30`
* 'vti0' interface IP: `10.100.100.2/30`
* `dum0` interface IP: `192.168.1.0/24` (for testing purposes)
* Role: Responder
.. code-block:: none
# PEER1
set interfaces dummy dum0 address '192.168.0.1/32'
set interfaces ethernet eth0 address '10.0.1.2/30'
set interfaces vti vti0 address '10.100.100.1/30'
set protocols static route 0.0.0.0/0 next-hop 10.0.1.1
set protocols static route 192.168.1.0/24 next-hop 10.100.100.2
set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
set vpn ipsec authentication psk AUTH-PSK secret 'test'
set vpn ipsec esp-group ESP-GRPOUP lifetime '3600'
set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1'
set vpn ipsec ike-group IKE-GROUP close-action 'start'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GROUP lifetime '28800'
set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer PEER2 authentication local-id '10.0.1.2'
set vpn ipsec site-to-site peer PEER2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer PEER2 authentication remote-id '10.0.2.2'
set vpn ipsec site-to-site peer PEER2 connection-type 'initiate'
set vpn ipsec site-to-site peer PEER2 default-esp-group 'ESP-GRPOUP'
set vpn ipsec site-to-site peer PEER2 ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer PEER2 local-address '10.0.1.2'
set vpn ipsec site-to-site peer PEER2 remote-address '10.0.2.2'
set vpn ipsec site-to-site peer PEER2 vti bind 'vti0'
# PEER2
set interfaces dummy dum0 address '192.168.1.1/32'
set interfaces ethernet eth0 address '10.0.2.2/30'
set interfaces vti vti0 address '10.100.100.2/30'
set protocols static route 0.0.0.0/0 next-hop 10.0.2.1
set protocols static route 192.168.0.0/24 next-hop 10.100.100.1
set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
set vpn ipsec authentication psk AUTH-PSK secret 'test'
set vpn ipsec esp-group ESP-GRPOUP lifetime '3600'
set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1'
set vpn ipsec ike-group IKE-GROUP close-action 'none'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GROUP lifetime '28800'
set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2'
set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2'
set vpn ipsec site-to-site peer PEER1 connection-type 'respond'
set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP'
set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2'
set vpn ipsec site-to-site peer PEER1 remote-address '10.0.1.2'
set vpn ipsec site-to-site peer PEER1 vti bind 'vti0'
Show status of route-based IPsec VPN setup:
.. code-block:: none
vyos@PEER2:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
10.0.1.2 10.0.1.2 10.0.2.2 10.0.2.2
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv2 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 404 27650
vyos@PEER2:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
------------ ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------------
PEER1-vti up 3m28s 0B/0B 0/0 10.0.1.2 10.0.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_2048
vyos@PEER2:~$ show vpn ipsec connections
Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal
------------ ------- ------ ---------------- ---------- ----------- ---------- ----------- ----------------------------------
PEER1 up IKEv2 10.0.1.2 - - 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048
PEER1-vti up IPsec 10.0.1.2 0.0.0.0/0 0.0.0.0/0 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048
::/0 ::/0

323
docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst Normal file
View File

@ -0,0 +1,323 @@
.. _troubleshooting_ipsec:
######################################
Troubleshooting Site-to-Site VPN IPsec
######################################
************
Introduction
************
This document describes the methodology to monitor and troubleshoot
Site-to-Site VPN IPsec.
Steps for troubleshooting problems with Site-to-Site VPN IPsec:
1. Ping the remote site through the tunnel using the source and
destination IPs included in the policy.
2. Check connectivity between the routers using the ping command
(if ICMP traffic is allowed).
3. Check the IKE SAs' statuses.
4. Check the IPsec SAs' statuses.
5. Check logs to view debug messages.
**********************
Checking IKE SA Status
**********************
The next command shows IKE SAs' statuses.
.. code-block:: none
vyos@vyos:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 162 27023
This command shows the next information:
- IKE SA status.
- Selected IKE version.
- Selected Encryption, Hash and Diffie-Hellman Group.
- NAT-T.
- ID and IP of both peers.
- A-Time: established time, L-Time: time for next rekeying.
**************************
IPsec SA (CHILD SA) Status
**************************
The next commands show IPsec SAs' statuses.
.. code-block:: none
vyos@vyos:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
------------- ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------------
PEER-tunnel-1 up 16m30s 168B/168B 2/2 192.168.1.2 192.168.1.2 AES_CBC_128/HMAC_SHA1_96/MODP_2048
.. code-block:: none
vyos@vyos:~$ show vpn ipsec sa detail
PEER: #1, ESTABLISHED, IKEv2, 101275ac719d5a1b_i* 68ea4ec3bed3bf0c_r
local '192.168.0.1' @ 192.168.0.1[4500]
remote '192.168.1.2' @ 192.168.1.2[4500]
AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
established 4054s ago, rekeying in 23131s
PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
installed 1065s ago, rekeying in 1998s, expires in 2535s
in c5821882, 168 bytes, 2 packets, 81s ago
out c433406a, 168 bytes, 2 packets, 81s ago
local 10.0.0.0/24
remote 10.0.1.0/24
These commands show the next information:
- IPsec SA status.
- Uptime and time for the next rekeing.
- Amount of transferred data.
- Remote and local ID and IP.
- Selected Encryption, Hash and Diffie-Hellman Group.
- Mode (tunnel or transport).
- Remote and local prefixes which are use for policy.
There is a possibility to view the summarized information of SAs' status
.. code-block:: none
vyos@vyos:~$ show vpn ipsec connections
Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal
------------- ------- ------ ---------------- ----------- ----------- ----------- ----------- ----------------------------------
PEER up IKEv2 192.168.1.2 - - 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048
PEER-tunnel-1 up IPsec 192.168.1.2 10.0.0.0/24 10.0.1.0/24 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048
**************************
Viewing Logs for Debugging
**************************
If IKE SAs or IPsec SAs are down, need to debug IPsec connectivity
using logs ``show log ipsec``
The next example of the successful IPsec connection initialization.
.. code-block:: none
vyos@vyos:~$ show log ipsec
Jun 20 14:29:47 charon[2428]: 02[NET] <PEER|1> received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes)
Jun 20 14:29:47 charon[2428]: 02[ENC] <PEER|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes)
Jun 20 14:29:47 charon[2428]: 02[CFG] <PEER|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 20 14:29:47 charon-systemd[2428]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jun 20 14:29:47 charon[2428]: 02[IKE] <PEER|1> authentication of '192.168.0.1' (myself) with pre-shared key
Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.0.1' (myself) with pre-shared key
Jun 20 14:29:47 charon[2428]: 02[IKE] <PEER|1> establishing CHILD_SA PEER-tunnel-1{1}
Jun 20 14:29:47 charon-systemd[2428]: establishing CHILD_SA PEER-tunnel-1{1}
Jun 20 14:29:47 charon[2428]: 02[ENC] <PEER|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jun 20 14:29:47 charon-systemd[2428]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jun 20 14:29:47 charon[2428]: 02[NET] <PEER|1> sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes)
Jun 20 14:29:47 charon-systemd[2428]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes)
Jun 20 14:29:47 charon[2428]: 13[NET] <PEER|1> received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes)
Jun 20 14:29:47 charon[2428]: 13[ENC] <PEER|1> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes)
Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> authentication of '192.168.1.2' with pre-shared key successful
Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> peer supports MOBIKE
Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.1.2' with pre-shared key successful
Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2]
Jun 20 14:29:47 charon-systemd[2428]: peer supports MOBIKE
Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> scheduling rekeying in 27703s
Jun 20 14:29:47 charon-systemd[2428]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2]
Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> maximum IKE_SA lifetime 30583s
Jun 20 14:29:47 charon-systemd[2428]: scheduling rekeying in 27703s
Jun 20 14:29:47 charon[2428]: 13[CFG] <PEER|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Jun 20 14:29:47 charon-systemd[2428]: maximum IKE_SA lifetime 30583s
Jun 20 14:29:47 charon-systemd[2428]: selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24
Jun 20 14:29:47 charon-systemd[2428]: CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24
************************
Troubleshooting Examples
************************
IKE PROPOSAL are Different
==========================
In this situation, IKE SAs can be down or not active.
.. code-block:: none
vyos@vyos:~$ show vpn ike sa
The problem is in IKE phase (Phase 1). The next step is checking debug logs.
Responder Side:
.. code-block:: none
Jun 23 07:36:33 charon[2440]: 01[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jun 23 07:36:33 charon-systemd[2440]: received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jun 23 07:36:33 charon[2440]: 01[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jun 23 07:36:33 charon-systemd[2440]: configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jun 23 07:36:33 charon[2440]: 01[IKE] <1> received proposals unacceptable
Jun 23 07:36:33 charon-systemd[2440]: received proposals unacceptable
Jun 23 07:36:33 charon[2440]: 01[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Initiator side:
.. code-block:: none
Jun 23 07:36:32 charon-systemd[2444]: parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jun 23 07:36:32 charon[2444]: 14[IKE] <PEER|1> received NO_PROPOSAL_CHOSEN notify error
Jun 23 07:36:32 charon-systemd[2444]: received NO_PROPOSAL_CHOSEN notify error
The notification **NO_PROPOSAL_CHOSEN** means that the proposal mismatch.
On the Responder side there is concrete information where is mismatch.
Encryption **AES_CBC_128** is configured in IKE policy on the responder
but **AES_CBC_256** is configured on the initiator side.
PSK Secret Mismatch
===================
In this situation, IKE SAs can be down or not active.
.. code-block:: none
vyos@vyos:~$ show vpn ike sa
The problem is in IKE phase (Phase 1). The next step is checking debug logs.
Responder:
.. code-block:: none
Jun 23 08:07:26 charon-systemd[2440]: tried 1 shared key for '192.168.1.2' - '192.168.0.1', but MAC mismatched
Jun 23 08:07:26 charon[2440]: 13[ENC] <PEER|3> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Initiator side:
.. code-block:: none
Jun 23 08:07:24 charon[2436]: 12[ENC] <PEER|1> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jun 23 08:07:24 charon-systemd[2436]: parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jun 23 08:07:24 charon[2436]: 12[IKE] <PEER|1> received AUTHENTICATION_FAILED notify error
Jun 23 08:07:24 charon-systemd[2436]: received AUTHENTICATION_FAILED notify error
The notification **AUTHENTICATION_FAILED** means that the authentication
is failed. There is a reason to check PSK on both side.
ESP Proposal Mismatch
=====================
The output of **show** commands shows us that IKE SA is established but
IPSec SA is not.
.. code-block:: none
vyos@vyos:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 158 26817
.. code-block:: none
vyos@vyos:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
------------ ------- -------- -------------- ---------------- ---------------- ----------- ----------
The next step is checking debug logs.
Initiator side:
.. code-block:: none
Jun 23 08:16:10 charon[3789]: 13[NET] <PEER|1> received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes)
Jun 23 08:16:10 charon[3789]: 13[ENC] <PEER|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 23 08:16:10 charon-systemd[3789]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes)
Jun 23 08:16:10 charon[3789]: 13[CFG] <PEER|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 23 08:16:10 charon-systemd[3789]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jun 23 08:16:10 charon[3789]: 13[IKE] <PEER|1> authentication of '192.168.0.1' (myself) with pre-shared key
Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.0.1' (myself) with pre-shared key
Jun 23 08:16:10 charon[3789]: 13[IKE] <PEER|1> establishing CHILD_SA PEER-tunnel-1{1}
Jun 23 08:16:10 charon-systemd[3789]: establishing CHILD_SA PEER-tunnel-1{1}
Jun 23 08:16:10 charon[3789]: 13[ENC] <PEER|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jun 23 08:16:10 charon-systemd[3789]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jun 23 08:16:10 charon[3789]: 13[NET] <PEER|1> sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes)
Jun 23 08:16:10 charon-systemd[3789]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes)
Jun 23 08:16:10 charon[3789]: 09[NET] <PEER|1> received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes)
Jun 23 08:16:10 charon-systemd[3789]: received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes)
Jun 23 08:16:10 charon[3789]: 09[ENC] <PEER|1> parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> authentication of '192.168.1.2' with pre-shared key successful
Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.1.2' with pre-shared key successful
Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> peer supports MOBIKE
Jun 23 08:16:10 charon-systemd[3789]: peer supports MOBIKE
Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2]
Jun 23 08:16:10 charon-systemd[3789]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2]
Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> scheduling rekeying in 26975s
Jun 23 08:16:10 charon-systemd[3789]: scheduling rekeying in 26975s
Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> maximum IKE_SA lifetime 29855s
Jun 23 08:16:10 charon-systemd[3789]: maximum IKE_SA lifetime 29855s
Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jun 23 08:16:10 charon-systemd[3789]: received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> failed to establish CHILD_SA, keeping IKE_SA
Jun 23 08:16:10 charon-systemd[3789]: failed to establish CHILD_SA, keeping IKE_SA
There are messages: **NO_PROPOSAL_CHOSEN** and
**failed to establish CHILD_SA** which refers that the problem is in
the IPsec(ESP) proposal mismatch.
The reason of this problem is showed on the responder side.
.. code-block:: none
Jun 23 08:16:12 charon[2440]: 01[CFG] <PEER|5> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 23 08:16:12 charon-systemd[2440]: received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 23 08:16:12 charon[2440]: 01[CFG] <PEER|5> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
Jun 23 08:16:12 charon-systemd[2440]: configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
Jun 23 08:16:12 charon[2440]: 01[IKE] <PEER|5> no acceptable proposal found
Jun 23 08:16:12 charon-systemd[2440]: no acceptable proposal found
Jun 23 08:16:12 charon[2440]: 01[IKE] <PEER|5> failed to establish CHILD_SA, keeping IKE_SA
Encryption **AES_CBC_128** is configured in IKE policy on the responder but **AES_CBC_256**
is configured on the initiator side.
Prefixes in Policies Mismatch
=============================
As in previous situation, IKE SA is in up state but IPsec SA is not up.
According to logs we can see **TS_UNACCEPTABLE** notification. It means
that prefixes (traffic selectors) mismatch on both sides
Initiator:
.. code-block:: none
Jun 23 14:13:17 charon[4996]: 11[IKE] <PEER|1> received TS_UNACCEPTABLE notify, no CHILD_SA built
Jun 23 14:13:17 charon-systemd[4996]: maximum IKE_SA lifetime 29437s
Jun 23 14:13:17 charon[4996]: 11[IKE] <PEER|1> failed to establish CHILD_SA, keeping IKE_SA
Jun 23 14:13:17 charon-systemd[4996]: received TS_UNACCEPTABLE notify, no CHILD_SA built
Jun 23 14:13:17 charon-systemd[4996]: failed to establish CHILD_SA, keeping IKE_SA
The reason of this problem is showed on the responder side.
.. code-block:: none
Jun 23 14:13:19 charon[2440]: 01[IKE] <PEER|7> traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable
Jun 23 14:13:19 charon-systemd[2440]: traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable
Jun 23 14:13:19 charon[2440]: 01[IKE] <PEER|7> failed to establish CHILD_SA, keeping IKE_SA
Jun 23 14:13:19 charon-systemd[2440]: failed to establish CHILD_SA, keeping IKE_SA
Jun 23 14:13:19 charon[2440]: 01[ENC] <PEER|7> generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
Jun 23 14:13:19 charon-systemd[2440]: generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
Traffic selectors **10.0.2.0/24 === 10.0.0.0/24** are unacceptable on the
responder side.

427
docs/configuration/vpn/site2site_ipsec.rst
View File

@ -1,427 +0,0 @@
.. _size2site_ipsec:
Site-to-Site
============
Site-to-site mode provides a way to add remote peers, which could be configured
to exchange encrypted information between them and VyOS itself or
connected/routed networks.
To configure site-to-site connection you need to add peers with the
``set vpn ipsec site-to-site peer <name>`` command.
The peer name must be an alphanumeric and can have hypen or underscore as
special characters. It is purely informational.
Each site-to-site peer has the next options:
* ``authentication`` - configure authentication between VyOS and a remote peer.
Suboptions:
* ``psk`` - Preshared secret key name:
* ``dhcp-interface`` - ID for authentication generated from DHCP address
dynamically;
* ``id`` - static ID's for authentication. In general local and remote
address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``;
* ``secret`` - predefined shared secret. Used if configured mode
``pre-shared-secret``;
* ``local-id`` - ID for the local VyOS router. If defined, during the
authentication
it will be send to remote peer;
* ``mode`` - mode for authentication between VyOS and remote peer:
* ``pre-shared-secret`` - use predefined shared secret phrase;
* ``rsa`` - use simple shared RSA key. The key must be defined in the
``set vpn rsa-keys`` section;
* ``x509`` - use certificates infrastructure for authentication.
* ``remote-id`` - define an ID for remote peer, instead of using peer name or
address. Useful in case if the remote peer is behind NAT or if ``mode x509``
is used;
* ``rsa-key-name`` - shared RSA key for authentication. The key must be defined
in the ``set vpn rsa-keys`` section;
* ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when
``id`` is defined;
* ``x509`` - options for x509 authentication mode:
* ``ca-cert-file`` - CA certificate file. Using for authenticating
remote peer;
* ``cert-file`` - certificate file, which will be used for authenticating
local router on remote peer;
* ``crl-file`` - file with the Certificate Revocation List. Using to check if
a certificate for the remote peer is valid or revoked;
* ``key`` - a private key, which will be used for authenticating local router
on remote peer:
* ``file`` - path to the key file;
* ``password`` - passphrase private key, if needed.
* ``connection-type`` - how to handle this connection process. Possible
variants:
* ``initiate`` - does initial connection to remote peer immediately after
configuring and after boot. In this mode the connection will not be restarted
in case of disconnection, therefore should be used only together with DPD or
another session tracking methods;
* ``respond`` - does not try to initiate a connection to a remote peer. In this
mode, the IPSec session will be established only after initiation from a
remote peer. Could be useful when there is no direct connectivity to the
peer due to firewall or NAT in the middle of the local and remote side.
* ``none`` - loads the connection only, which then can be manually initiated or
used as a responder configuration.
* ``default-esp-group`` - ESP group to use by default for traffic encryption.
Might be overwritten by individual settings for tunnel or VTI interface
binding;
* ``description`` - description for this peer;
* ``dhcp-interface`` - use an IP address, received from DHCP for IPSec
connection with this peer, instead of ``local-address``;
* ``force-udp-encapsulation`` - force encapsulation of ESP into UDP datagrams.
Useful in case if between local and remote side is firewall or NAT, which not
allows passing plain ESP packets between them;
* ``ike-group`` - IKE group to use for key exchanges;
* ``ikev2-reauth`` - reauthenticate remote peer during the rekeying process.
Can be used only with IKEv2.
Create a new IKE_SA from the scratch and try to recreate all IPsec SAs;
* ``local-address`` - local IP address for IPSec connection with this peer.
If defined ``any``, then an IP address which configured on interface with
default route will be used;
* ``remote-address`` - remote IP address or hostname for IPSec connection.
IPv4 or IPv6 address is used when a peer has a public static IP address.
Hostname is a DNS name which could be used when a peer has a public IP
address and DNS name, but an IP address could be changed from time to time.
* ``tunnel`` - define criteria for traffic to be matched for encrypting and send
it to a peer:
* ``disable`` - disable this tunnel;
* ``esp-group`` - define ESP group for encrypt traffic, defined by this tunnel;
* ``local`` - define a local source for match traffic, which should be
encrypted and send to this peer:
* ``port`` - define port. Have effect only when used together with ``prefix``;
* ``prefix`` - IP network at local side.
* ``protocol`` - define the protocol for match traffic, which should be
encrypted and send to this peer;
* ``remote`` - define the remote destination for match traffic, which should be
encrypted and send to this peer:
* ``port`` - define port. Have effect only when used together with ``prefix``;
* ``prefix`` - IP network at remote side.
* ``vti`` - use a VTI interface for traffic encryption. Any traffic, which will
be send to VTI interface will be encrypted and send to this peer. Using VTI
makes IPSec configuration much flexible and easier in complex situation, and
allows to dynamically add/delete remote networks, reachable via a peer, as in
this mode router don't need to create additional SA/policy for each remote
network:
* ``bind`` - select a VTI interface to bind to this peer;
* ``esp-group`` - define ESP group for encrypt traffic, passed this VTI
interface.
* ``virtual-address`` - Defines a virtual IP address which is requested by the
initiator and one or several IPv4 and/or IPv6 addresses are assigned from
multiple pools by the responder.
Examples:
------------------
IKEv1
^^^^^
Example:
* WAN interface on `eth1`
* left subnet: `192.168.0.0/24` site1, server side (i.e. locality, actually
there is no client or server roles)
* left local_ip: `198.51.100.3` # server side WAN IP
* right subnet: `10.0.0.0/24` site2,remote office side
* right local_ip: `203.0.113.2` # remote office side WAN IP
.. code-block:: none
# server config
set vpn ipsec authentication psk OFFICE-B id '198.51.100.3'
set vpn ipsec authentication psk OFFICE-B id '203.0.113.2'
set vpn ipsec authentication psk OFFICE-B secret 'SomePreSharedKey'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer OFFICE-B authentication local-id '198.51.100.3'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer OFFICE-B local-address '198.51.100.3'
set vpn ipsec site-to-site peer OFFICE-B remote-address '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '192.168.0.0/24'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21'
# remote office config
set vpn ipsec authentication psk OFFICE-A id '198.51.100.3'
set vpn ipsec authentication psk OFFICE-A id '203.0.113.2'
set vpn ipsec authentication psk OFFICE-A secret 'SomePreSharedKey'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer OFFICE-A authentication local-id '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '198.51.100.3'
set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer OFFICE-A local-address '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-A remote-address '198.51.100.3'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 local prefix '10.0.0.0/21'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 remote prefix '192.168.0.0/24'
Show status of new setup:
.. code-block:: none
vyos@srv-gw0:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
203.0.113.2 198.51.100.3
State Encrypt Hash D-H Grp NAT-T A-Time L-Time
----- ------- ---- ------- ----- ------ ------
up aes256 sha1 5 no 734 3600
vyos@srv-gw0:~$ show vpn ipsec sa
Peer ID / IP Local ID / IP
------------ -------------
203.0.113.2 198.51.100.3
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
0 up 7.5M/230.6K aes256 sha1 no 567 1800 all
If there is SNAT rules on eth1, need to add exclude rule
.. code-block:: none
# server side
set nat source rule 10 destination address '10.0.0.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface name 'eth1'
set nat source rule 10 source address '192.168.0.0/24'
# remote office side
set nat source rule 10 destination address '192.168.0.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface name 'eth1'
set nat source rule 10 source address '10.0.0.0/24'
To allow traffic to pass through to clients, you need to add the following
rules. (if you used the default configuration at the top of this page)
.. code-block:: none
# server side
set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
set firewall name OUTSIDE-LOCAL rule 32 source address '10.0.0.0/24'
# remote office side
set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
set firewall name OUTSIDE-LOCAL rule 32 source address '192.168.0.0/24'
IKEv2
^^^^^
Example:
* left local_ip: 192.168.0.10 # VPN Gateway, behind NAT device
* left public_ip:172.18.201.10
* right local_ip: 172.18.202.10 # right side WAN IP
Imagine the following topology
.. figure:: /_static/images/vpn_s2s_ikev2_c.png
:scale: 50 %
:alt: IPSec IKEv2 site2site VPN
IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio)
**LEFT:**
* WAN interface on `eth0.201`
* `eth0.201` interface IP: `172.18.201.10/24`
* `vti10` interface IP: `10.0.0.2/31`
* `dum0` interface IP: `10.0.11.1/24` (for testing purposes)
**RIGHT:**
* WAN interface on `eth0.202`
* `eth0.201` interface IP: `172.18.202.10/24`
* `vti10` interface IP: `10.0.0.3/31`
* `dum0` interface IP: `10.0.12.1/24` (for testing purposes)
.. note:: Don't get confused about the used /31 tunnel subnet. :rfc:`3021`
gives you additional information for using /31 subnets on point-to-point
links.
**LEFT**
.. code-block:: none
set interfaces ethernet eth0 vif 201 address '172.18.201.10/24'
set interfaces dummy dum0 address '10.0.11.1/24'
set interfaces vti vti10 address '10.0.0.2/31'
set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.201.10'
set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.202.10'
set vpn ipsec authentication psk peer_172-18-202-10 secret 'secretkey'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0.201'
set vpn ipsec site-to-site peer peer_172-18-202-10 authentication local-id '172.18.201.10'
set vpn ipsec site-to-site peer peer_172-18-202-10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_172-18-202-10 authentication remote-id '172.18.202.10'
set vpn ipsec site-to-site peer peer_172-18-202-10 connection-type 'initiate'
set vpn ipsec site-to-site peer peer_172-18-202-10 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer peer_172-18-202-10 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_172-18-202-10 local-address '172.18.201.10'
set vpn ipsec site-to-site peer peer_172-18-202-10 remote-address '172.18.202.10'
set vpn ipsec site-to-site peer peer_172-18-202-10 vti bind 'vti10'
set vpn ipsec site-to-site peer peer_172-18-202-10 vti esp-group 'ESP_DEFAULT'
set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10
**RIGHT**
.. code-block:: none
set interfaces ethernet eth0 vif 202 address '172.18.202.10/24'
set interfaces dummy dum0 address '10.0.12.1/24'
set interfaces vti vti10 address '10.0.0.3/31'
set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.202.10'
set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.201.10'
set vpn ipsec authentication psk peer_172-18-201-10 secret 'secretkey'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0.202'
set vpn ipsec site-to-site peer peer_172-18-201-10 authentication local-id '172.18.202.10'
set vpn ipsec site-to-site peer peer_172-18-201-10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_172-18-201-10 authentication remote-id '172.18.201.10'
set vpn ipsec site-to-site peer peer_172-18-201-10 connection-type 'initiate'
set vpn ipsec site-to-site peer peer_172-18-201-10 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer peer_172-18-201-10 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_172-18-201-10 local-address '172.18.202.10'
set vpn ipsec site-to-site peer peer_172-18-201-10 remote-address '172.18.201.10'
set vpn ipsec site-to-site peer peer_172-18-201-10 vti bind 'vti10'
set vpn ipsec site-to-site peer peer_172-18-201-10 vti esp-group 'ESP_DEFAULT'
set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10
Key Parameters:
* ``authentication local-id/remote-id`` - IKE identification is used for
validation of VPN peer devices during IKE negotiation. If you do not configure
local/remote-identity, the device uses the IPv4 or IPv6 address that
corresponds to the local/remote peer by default.
In certain network setups (like ipsec interface with dynamic address, or
behind the NAT ), the IKE ID received from the peer does not match the IKE
gateway configured on the device. This can lead to a Phase 1 validation
failure.
So, make sure to configure the local/remote id explicitly and ensure that the
IKE ID is the same as the remote-identity configured on the peer device.
* ``disable-route-autoinstall`` - This option when configured disables the
routes installed in the default table 220 for site-to-site ipsec.
It is mostly used with VTI configuration.
* ``dead-peer-detection action = clear | trap | restart`` - R_U_THERE
notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2)
are periodically sent in order to check the liveliness of the IPsec peer. The
values clear, trap, and restart all activate DPD and determine the action to
perform on a timeout.
With ``clear`` the connection is closed with no further actions taken.
``trap`` installs a trap policy, which will catch matching traffic and tries
to re-negotiate the connection on demand.
``restart`` will immediately trigger an attempt to re-negotiate the
connection.
* ``close-action = none | clear | trap | start`` - defines the action to take
if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of
values). A closeaction should not be used if the peer uses reauthentication or
uniqueids.
When the close-action option is set on the peers, the connection-type
of each peer has to considered carefully. For example, if the option is set
on both peers, then both would attempt to initiate and hold open multiple
copies of each child SA. This might lead to instability of the device or
cpu/memory utilization.
Below flow-chart could be a quick reference for the close-action
combination depending on how the peer is configured.
.. figure:: /_static/images/IPSec_close_action_settings.jpg
Similar combinations are applicable for the dead-peer-detection.

154
docs/installation/cloud/aws-ha.rst Executable file
View File

@ -0,0 +1,154 @@
##########
VyOS High Availability (HA) Deployment on AWS
##########
This document describes how to deploy VyOS in a High Availability (HA) configuration on AWS using Terraform and a VPC Route Server to provide sub-second failover.
Why Use HA on AWS?
------------------
This solution helps organizations achieve **high availability** routing with dynamic connectivity to multiple AWS VPCs or hybrid environments.
Key Advantages:
- Utilizes **AWS VPC Route Server** to manage BGP routes dynamically.
- Deploys two VyOS EC2 instances as BGP peers connected to the Route Server. Although both participate, one is typically preferred as the next-hop.
- Employs **Bidirectional Forwarding Detection (BFD)** for rapid failure detection.
- On failure:
- Withdraws the failed peers routes from the RIB.
- Recomputes the optimal path in the FIB.
- Updates VPC route tables to point to the active instance.
- Enables **sub-second failover** (< 1 s), outperforming AWS API-based route table failover.
This architecture supports:
- Cloud edge routing with failover.
- Hybrid cloud resiliency.
- Rapid recovery during instance crashes, upgrades, or network disruptions.
- Continuity for mission-critical operations.
HA Architecture Diagram
------------------------
.. figure:: /_static/images/cloud-aws-ha-architecture.png
:alt: VyOS HA topology diagram
Terraform Automation
--------------------
To streamline and standardize the process, we developed a Terraform project that automates the deployment of VyOS in High Availability (HA) mode on AWS.
This Terraform project automates the deployment of:
- Two VyOS instances in HA mode.
- VPC Route Server.
- Transit Gateway.
- A Transit VPC and a Data VPC containing a test Amazon Linux EC2 instance for connectivity validation.
To integrate with existing AWS infrastructure:
- Remove the Data VPC, its subnets, and EC2 test instance.
- Update `main.tf`, `network.tf`, `transit_gateway.tf`, `variables.tf`, and `outputs.tf` accordingly.
Prerequisites
-------------
AWS Environment:
- Active AWS account with permissions for EC2, VPC, Transit Gateway, Route Server, and IAM (for keypair and role management).
Local Environment:
- AWS CLI installed: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
- Terraform installed: https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli
Set AWS credentials in your shell:
.. code-block:: none
export AWS_ACCESS_KEY_ID="<AWS_ACCESS_KEY_ID>"
export AWS_SECRET_ACCESS_KEY="<AWS_SECRET_ACCESS_KEY>"
export AWS_SESSION_TOKEN="<AWS_SESSION_TOKEN>"
export AWS_DEFAULT_REGION="<AWS_REGION>" # e.g., us-east-1
Obtain VyOS AMI ID and Owner ID:
Subscribe to VyOS via AWS Marketplace. Then run:
.. code-block:: none
aws ec2 describe-images \
--owners aws-marketplace \
--filters "Name=product-code,Values=8wqdkv3u2b9sa0y73xob2yl90" \
--query 'Images[*].[ImageId,OwnerId,Name]' \
--output table
Alternatively, set the `vyos_ami_id` variable directly in `variables.tf`.
Generate an SSH keypair (or use the included demo key):
.. code-block:: none
ssh-keygen -b 2048 -t rsa -m PEM -f keys/vyos_custom_key.pem
chmod 400 keys/vyos_custom_key.pem
Usage
-----
Configure variables in `variables.tf`, including instance type, region, and `vyos_ami_id`.
Terraform Workflow:
.. code-block:: none
terraform init
terraform fmt
terraform validate
terraform plan
terraform apply
On completion, run:
.. code-block:: none
terraform output
This displays the management IP and connectivity test results.
To clean up:
.. code-block:: none
terraform destroy
Management
----------
SSH into VyOS:
.. code-block:: none
ssh vyos@<vyos_public_ip> -i keys/vyos_custom_key.pem
GitHub Repository
-----------------
You can clone or download the Terraform project and use them in your environment:
https://github.com/vyos/vyos-automation/tree/main/Terraform/AWS/ha-instances-with-configs

21
docs/installation/cloud/aws.rst
View File

@ -1,5 +1,5 @@
##########
Amazon AWS
VyOS Deployment on AWS
##########
@ -601,6 +601,8 @@ Connect to the VyOS instance
.. code-block:: none
ssh -i vyos-keypair.pem vyos@35.152.131.62
Deployment of VyOS Instance and Required Resources via CloudFormation Template
@ -621,6 +623,23 @@ https://github.com/vyos/vyos-automation/tree/main/CloudFormation
Deployment of VyOS Instance and Required Resources via Terraform
========
These Terraform projects automate the deployment of a VyOS instance on AWS, configuring essential components such as:
- VPC
- Public and private subnets
- Internet Gateway
- Route Tables
- Elastic IPs
- Security Groups
You can download or clone these templates from the GitHub repository and use them in your environment:
https://github.com/vyos/vyos-automation/tree/main/Terraform/AWS/
Amazon CloudWatch Agent Usage
-----------------------------

152
docs/installation/cloud/azure-ha.rst Executable file
View File

@ -0,0 +1,152 @@
##########
VyOS High Availability (HA) Deployment on Azure
##########
This document describes how to deploy VyOS in a High Availability (HA) configuration on Azure using Terraform and Azure Route Server to provide sub-second failover.
Why Use HA on Azure?
--------------------
This module provides a robust, repeatable foundation for building **resilient network architectures** in Azure. By combining VyOS routing features with Terraform and Azure-native services, it enables:
- Rapid deployment of cloud edge routers.
- Full control over BGP route advertisement and filtering.
- Realistic HA and disaster recovery simulations.
- Seamless integration with hybrid or multi-cloud infrastructure.
The architecture includes:
- Two VyOS routers in a Transit VNet, configured with BGP.
- Azure Route Server for dynamic route distribution.
- Site-to-Site VPN connections to a simulated on-premises VyOS router.
- An Ubuntu VM for connectivity and routing validation.
- A Data VNet for testing and diagnostics.
Key Features
------------
- **High Availability**: Dual VyOS routers for redundancy and failover.
- **Dynamic Routing**: BGP-based routing via Azure Route Server.
- **Hybrid Connectivity**: Site-to-Site VPN integration with a simulated on-prem VyOS.
- **Testing Environment**: Includes Ubuntu VM for verification and diagnostics.
- **Modular & Flexible**: Easily configurable via variables.
HA Architecture Diagram
-----------------------
.. figure:: /_static/images/cloud-azure-ha-architecture.png
:alt: VyOS HA topology diagram
This deployment architecture simulates a real-world enterprise network scenario for testing and validation purposes.
Terraform Automation
--------------------
To streamline and standardize the process, we developed a Terraform project that automates the deployment of VyOS in High Availability (HA) mode on Azure.
This Terraform project automates the deployment of:
- Two VyOS instances in HA mode.
- Azure Route Server.
- A Transit VNet and a Data VNet containing a test Ubuntu VM for connectivity validation.
Prerequisites
-------------
Ensure you have:
- Active Azure subscription:
.. code-block:: none
az account set --subscription "<subscription ID or name>"
- Azure CLI installed:
https://learn.microsoft.com/en-us/cli/azure/install-azure-cli
- Logged in with Azure credentials:
.. code-block:: none
az version
az login
- Azure Resource Group (RG) created:
.. code-block:: none
az group create --name demoResourceGroup --location westus
az group list
az group show --name demoResourceGroup
- Terraform installed:
https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli
- SSH key generated:
.. code-block:: none
ssh-keygen -t rsa -b 4096 -f keys/vyos_custom_key.pem
chmod 400 keys/vyos_custom_key.pem
Usage
-----
All variables are defined in ``variables.tf``. Adjust them to match your environment.
Terraform Workflow:
.. code-block:: none
terraform init
terraform fmt
terraform validate
terraform plan
terraform apply
On completion, run:
.. code-block:: none
terraform output
This displays the management IP and connectivity test results.
To clean up:
.. code-block:: none
terraform destroy
Management
----------
SSH into VyOS:
.. code-block:: none
ssh adminuser@<vyos_public_ip> -i keys/vyos_custom_key.pem
GitHub Repository
-----------------
You can clone or download the Terraform project and use them in your environment:
https://github.com/vyos/vyos-automation/tree/main/Terraform/Azure/azure-ha-deployment-with-configs

2
docs/installation/cloud/azure.rst
View File

@ -1,5 +1,5 @@
##########
Microsoft Azure
VyOS Deployment on Azure
##########

8
docs/installation/cloud/gcp.rst
View File

@ -1,5 +1,5 @@
#####################
Google Cloud Platform
VyOS Deployment on Google Cloud Platform
#####################
This guide provides step-by-step instructions for deploying a VyOS instance with two NICs and the required resources on Google Cloud Platform (GCP).
@ -126,8 +126,8 @@ Step 3: Create VPC Networks and Subnets
.. figure:: /_static/images/cloud-gcp-vpc-03.png
.. figure:: /_static/images/cloud-gcp-vpc-04.png
4. Add firewall rules to allow specific network traffic from the Internet. By default all incoming traffic from outside a network is blocked.
4. Add firewall rules to allow specific network traffic from the Internet if needed. By default, all incoming traffic from outside the network is blocked. Typically, a VyOS deployment from the GCP Marketplace configures this automatically, ensuring that SSH access is enabled after deployment.
.. figure:: /_static/images/cloud-gcp-vpc-05.png
@ -224,7 +224,7 @@ Step 4: Deploy VyOS instance from Marketplace
- set interfaces ethernet eth1 address 'dhcp'
- set interfaces ethernet eth1 dhcp-options no-default-route
For more information, please visit the official VyOS documentation:
For more information, please visit the documentation:
https://docs.vyos.io/en/stable/automation/cloud-init.html#module-vyos-userdata

4
docs/installation/cloud/index.rst
View File

@ -8,6 +8,8 @@ Running VyOS in Cloud Environments
:caption: Content
aws
aws-ha
azure
azure-ha
gcp
oracel
oracle