Difference between revisions of "VyOS IPSEC AWS VPC"

From Michael's Information Zone

Latest revision as of 12:49, 5 April 2018

Purpose

To create an IPsec tunnel between a VyOS EC2 instance and remote hosts. In this example we connect to a pfSense box; two more tunnels will then be established to carry GRE.

Steps

  • Make sure to set your banner
set system login banner pre-login "\n\nTHIS SYSTEM IS PROPERTY OF <Company name here>,\nUNAUTHORIZED USE IS PROHIBITED!\n\n"
set system login banner post-login "\n\nYou are being monitored\n\n"
  • Create IPSEC profile
set vpn ipsec esp-group esp01 mode transport
set vpn ipsec esp-group esp01 pfs dh-group14
set vpn ipsec esp-group esp01 proposal 1 encryption aes256
set vpn ipsec esp-group esp01 proposal 1 hash sha256
set vpn ipsec ike-group ike01 dead-peer-detection action restart
set vpn ipsec ike-group ike01 proposal 1 dh-group 14
set vpn ipsec ike-group ike01 proposal 1 encryption aes256
set vpn ipsec ike-group ike01 proposal 1 hash sha256
set vpn ipsec ike-group ike01 key-exchange ikev2
set vpn ipsec site-to-site peer <peer IP or URL> authentication id <public IP>
set vpn ipsec site-to-site peer <peer IP or URL> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <peer IP or URL> authentication pre-shared-secret <enter secret here>
set vpn ipsec site-to-site peer <peer IP or URL> connection-type initiate
set vpn ipsec site-to-site peer <peer IP or URL> ike-group ike01
set vpn ipsec site-to-site peer <peer IP or URL> local-address <private IP>
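The command list above defines an ESP group, an IKE group and a peer, but nothing yet binds esp01 to a tunnel or VTI on that peer, and the secret is a placeholder. The following linter is an added example (not part of this wiki page and not a VyOS tool): it parses a block of "set vpn ipsec" commands, flags weak encryption, hash and DH choices against an assumed AES-256 / SHA-256 / DH group 14 baseline, checks that IKEv2 and PFS are actually set, reports dangling or unbound group references, and proposes a random pre-shared secret. The CONFIG text is the page's own commands with the placeholders filled in using RFC 5737 documentation addresses and a deliberately weak secret (constructed values); the thresholds and finding wording are assumptions.

```python
"""Lint VyOS 'set vpn ipsec ...' commands for weak crypto, missing settings
and dangling references. Added example, not VyOS or the wiki's own tooling."""
import secrets

# Constructed input: the page's IPsec command list with the placeholders
# filled in with RFC 5737 documentation addresses and a deliberately weak
# secret so the linter has something to flag.
CONFIG = """\
set vpn ipsec esp-group esp01 mode transport
set vpn ipsec esp-group esp01 pfs dh-group14
set vpn ipsec esp-group esp01 proposal 1 encryption aes256
set vpn ipsec esp-group esp01 proposal 1 hash sha256
set vpn ipsec ike-group ike01 dead-peer-detection action restart
set vpn ipsec ike-group ike01 proposal 1 dh-group 14
set vpn ipsec ike-group ike01 proposal 1 encryption aes256
set vpn ipsec ike-group ike01 proposal 1 hash sha256
set vpn ipsec ike-group ike01 key-exchange ikev2
set vpn ipsec site-to-site peer 203.0.113.10 authentication id 198.51.100.5
set vpn ipsec site-to-site peer 203.0.113.10 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.10 authentication pre-shared-secret changeme
set vpn ipsec site-to-site peer 203.0.113.10 connection-type initiate
set vpn ipsec site-to-site peer 203.0.113.10 ike-group ike01
set vpn ipsec site-to-site peer 203.0.113.10 local-address 10.0.1.20
"""

# Assumed baseline: anything below AES-256 / SHA-256 / DH group 14 is flagged.
WEAK_ENCRYPTION = {"des", "3des", "blowfish", "aes128"}
WEAK_HASH = {"md5", "sha1"}
WEAK_DH = {"1", "2", "5", "dh-group1", "dh-group2", "dh-group5"}
MIN_PSK_LEN = 20  # assumed minimum length for a pre-shared secret


def parse(text):
    """Split each 'set vpn ipsec ...' line into the tokens after 'ipsec'."""
    rows = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[:3] != ["set", "vpn", "ipsec"]:
            raise ValueError("not a 'set vpn ipsec' command: " + line)
        rows.append(toks[3:])
    return rows


def lint(rows):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    defined = {"esp-group": set(), "ike-group": set()}
    used = {"esp-group": set(), "ike-group": set()}
    pfs_set, ikev2_set = set(), set()

    for t in rows:
        kind = t[0]
        if kind in defined:
            name, rest = t[1], t[2:]
            defined[kind].add(name)
            # proposal N encryption|hash|dh-group VALUE
            if rest[:1] == ["proposal"] and len(rest) == 4:
                attr, val = rest[2], rest[3]
                weak = {"encryption": WEAK_ENCRYPTION, "hash": WEAK_HASH,
                        "dh-group": WEAK_DH}.get(attr, set())
                if val in weak:
                    findings.append(f"{kind} {name}: weak {attr} {val}")
            if kind == "esp-group" and rest[:1] == ["pfs"] and len(rest) == 2:
                pfs_set.add(name)
                if rest[1] in WEAK_DH | {"disable"}:
                    findings.append(f"esp-group {name}: weak or disabled pfs {rest[1]}")
            if kind == "ike-group" and rest == ["key-exchange", "ikev2"]:
                ikev2_set.add(name)
        elif kind == "site-to-site" and t[1] == "peer":
            peer, rest = t[2], t[3:]
            # group references appear at peer, tunnel or vti level
            for ref in ("ike-group", "esp-group"):
                if ref in rest:
                    used[ref].add(rest[rest.index(ref) + 1])
            if rest[:2] == ["authentication", "pre-shared-secret"]:
                secret = rest[2]
                if secret.startswith("<") or len(secret) < MIN_PSK_LEN:
                    findings.append(f"peer {peer}: pre-shared secret is a placeholder "
                                    f"or shorter than {MIN_PSK_LEN} characters")

    for name in sorted(defined["ike-group"] - ikev2_set):
        findings.append(f"ike-group {name}: key-exchange is not ikev2 (VyOS defaults to IKEv1)")
    for name in sorted(defined["esp-group"] - pfs_set):
        findings.append(f"esp-group {name}: pfs not set")
    for kind in ("ike-group", "esp-group"):
        for name in sorted(used[kind] - defined[kind]):
            findings.append(f"{kind} {name}: referenced by a peer but never defined")
        for name in sorted(defined[kind] - used[kind]):
            findings.append(f"{kind} {name}: defined but not bound to any peer, tunnel or vti")
    return findings


def new_psk():
    """A 256-bit random pre-shared secret rendered as 64 hex characters."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    for finding in lint(parse(CONFIG)):
        print("FINDING:", finding)
    print("suggested pre-shared secret:", new_psk())
```

Run against the page's commands it reports exactly two findings: the placeholder secret and esp01 being defined but never bound, which is the missing tunnel or VTI step that the later GRE tunnels would supply. Paste the output of `new_psk()` in place of `<enter secret here>` on both ends of the tunnel rather than choosing a memorable phrase.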