Difference between revisions of "VyOS IPSEC AWS VPC"
Revision history: Michael.mast (talk | contribs) created the page ("==Purpose== To create an IPSEC tunnel between a VyOS EC2 instance and remote hosts. In this example we will be connecting to a PFSense box. Then two more tunnels will be estab..."); Michael.mast (talk | contribs) later edited →Steps (one intermediate revision by the same user not shown).
Line 9: | Line 9: | ||
*Create IPSEC profile | *Create IPSEC profile | ||
<pre> | <pre> | ||
− | + | set vpn ipsec esp-group esp01 mode transport | |
+ | set vpn ipsec esp-group esp01 pfs dh-group14 | ||
+ | set vpn ipsec esp-group esp01 proposal 1 encryption aes256 | ||
+ | set vpn ipsec esp-group esp01 proposal 1 hash sha256 | ||
+ | set vpn ipsec ike-group ike01 dead-peer-detection action restart | ||
+ | set vpn ipsec ike-group ike01 proposal 1 dh-group 14 | ||
+ | set vpn ipsec ike-group ike01 proposal 1 encryption aes256 | ||
+ | set vpn ipsec ike-group ike01 proposal 1 hash sha256 | ||
+ | set vpn ipsec ike-group ike01 key-exchange ikev2 | ||
+ | set vpn ipsec site-to-site peer <peer IP or URL> authentication id <public IP> | ||
+ | set vpn ipsec site-to-site peer <peer IP or URL> authentication mode pre-shared-secret | ||
+ | set vpn ipsec site-to-site peer <peer IP or URL> authentication pre-shared-secret <enter secret here> | ||
+ | set vpn ipsec site-to-site peer <peer IP or URL> connection-type initiate | ||
+ | set vpn ipsec site-to-site peer <peer IP or URL> ike-group ike01 | ||
+ | set vpn ipsec site-to-site peer <peer IP or URL> local-address <private IP> | ||
</pre> | </pre> |
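Review bot: esp-group esp01 is defined in this hunk but never attached to the peer, and there is no `ipsec-interfaces interface <name>` line, so the peer has nothing to negotiate an ESP SA for; a VyOS site-to-site peer needs at least one `tunnel N esp-group esp01` (or a `vti`) stanza and the interface binding before this revision yields a usable tunnel. The `<enter secret here>` placeholder should be replaced with a long random pre-shared secret before commit. The pairing of `authentication id <public IP>` with `local-address <private IP>` is correct for EC2, where the instance only sees its private address and the public address is NATed, and deserves a sentence of explanation on the page.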
Latest revision as of 12:49, 5 April 2018
Purpose
To create an IPSEC tunnel between a VyOS EC2 instance and remote hosts. In this example we will be connecting to a PFSense box. Then two more tunnels will be established for GRE use.
Steps
- Make sure to set your banner
<pre>
set system login banner pre-login "\n\nTHIS SYSTEM IS PROPERTY OF <Company name here>,\nUNAUTHORIZED USE IS PROHIBITED!\n\n"
set system login banner post-login "\n\nYou are being monitored\n\n"
</pre>
- Create IPSEC profile
<pre>
set vpn ipsec esp-group esp01 mode transport
set vpn ipsec esp-group esp01 pfs dh-group14
set vpn ipsec esp-group esp01 proposal 1 encryption aes256
set vpn ipsec esp-group esp01 proposal 1 hash sha256
set vpn ipsec ike-group ike01 dead-peer-detection action restart
set vpn ipsec ike-group ike01 proposal 1 dh-group 14
set vpn ipsec ike-group ike01 proposal 1 encryption aes256
set vpn ipsec ike-group ike01 proposal 1 hash sha256
set vpn ipsec ike-group ike01 key-exchange ikev2
set vpn ipsec site-to-site peer <peer IP or URL> authentication id <public IP>
set vpn ipsec site-to-site peer <peer IP or URL> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <peer IP or URL> authentication pre-shared-secret <enter secret here>
set vpn ipsec site-to-site peer <peer IP or URL> connection-type initiate
set vpn ipsec site-to-site peer <peer IP or URL> ike-group ike01
set vpn ipsec site-to-site peer <peer IP or URL> local-address <private IP>
</pre>
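As an added example (not part of the original wiki page, and not VyOS code): a small Python lint pass over the "Create IPSEC profile" snippet above, read as VyOS 1.1/1.2 `set` syntax. It flags what a reviewer checks before `commit`: placeholders still in angle brackets, weak IKE/ESP algorithms, an esp-group or ike-group that is defined but never attached to a peer, a peer with no `tunnel`/`vti`, a short pre-shared secret, and a missing `ipsec-interfaces` binding. The second sample is a constructed completed version of the same peer; its addresses (RFC 5737 documentation ranges), the interface name `eth0`, the secret, and the `tunnel 0 esp-group esp01` line are assumptions for the example, not values from the page.

```python
import re

# Constructed sample: the page's peer configuration with its placeholders untouched.
PAGE_SNIPPET = """
set vpn ipsec esp-group esp01 mode transport
set vpn ipsec esp-group esp01 pfs dh-group14
set vpn ipsec esp-group esp01 proposal 1 encryption aes256
set vpn ipsec esp-group esp01 proposal 1 hash sha256
set vpn ipsec ike-group ike01 dead-peer-detection action restart
set vpn ipsec ike-group ike01 proposal 1 dh-group 14
set vpn ipsec ike-group ike01 proposal 1 encryption aes256
set vpn ipsec ike-group ike01 proposal 1 hash sha256
set vpn ipsec ike-group ike01 key-exchange ikev2
set vpn ipsec site-to-site peer <peer IP or URL> authentication id <public IP>
set vpn ipsec site-to-site peer <peer IP or URL> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <peer IP or URL> authentication pre-shared-secret <enter secret here>
set vpn ipsec site-to-site peer <peer IP or URL> connection-type initiate
set vpn ipsec site-to-site peer <peer IP or URL> ike-group ike01
set vpn ipsec site-to-site peer <peer IP or URL> local-address <private IP>
"""

# Constructed completed version (assumed values: documentation-range addresses,
# eth0, a throwaway secret, and a tunnel stanza that attaches esp01 to the peer).
COMPLETED_SNIPPET = """
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec esp-group esp01 mode transport
set vpn ipsec esp-group esp01 pfs dh-group14
set vpn ipsec esp-group esp01 proposal 1 encryption aes256
set vpn ipsec esp-group esp01 proposal 1 hash sha256
set vpn ipsec ike-group ike01 dead-peer-detection action restart
set vpn ipsec ike-group ike01 proposal 1 dh-group 14
set vpn ipsec ike-group ike01 proposal 1 encryption aes256
set vpn ipsec ike-group ike01 proposal 1 hash sha256
set vpn ipsec ike-group ike01 key-exchange ikev2
set vpn ipsec site-to-site peer 203.0.113.10 authentication id 198.51.100.5
set vpn ipsec site-to-site peer 203.0.113.10 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.10 authentication pre-shared-secret example-only-replace-me-a8f3d2c1
set vpn ipsec site-to-site peer 203.0.113.10 connection-type initiate
set vpn ipsec site-to-site peer 203.0.113.10 ike-group ike01
set vpn ipsec site-to-site peer 203.0.113.10 local-address 10.0.1.20
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 0 esp-group esp01
"""

PLACEHOLDER = re.compile(r"<[^>]*>")
WEAK_HASH = {"md5", "sha1"}
WEAK_ENC = {"des", "3des"}
WEAK_DH = {"1", "2", "5"}        # MODP-768/1024/1536 are too small today
MIN_PSK_LEN = 16


def _tokens(line):
    """Split one 'set ...' line into tokens, keeping each <placeholder> as a single token."""
    line = PLACEHOLDER.sub(lambda m: m.group(0).replace(" ", "_"), line.strip())
    parts = line.split()
    return parts[1:] if parts and parts[0] == "set" else parts


def lint(config_text):
    """Return a list of findings for a VyOS IPsec snippet; an empty list means it passed."""
    findings = []
    defined = {"esp-group": set(), "ike-group": set()}
    referenced = {"esp-group": set(), "ike-group": set()}
    peers, peers_with_sa = set(), set()
    has_iface = False
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        if PLACEHOLDER.search(raw):
            findings.append(f"placeholder not replaced: {raw.strip()}")
        t = _tokens(raw)
        if len(t) < 3 or t[:2] != ["vpn", "ipsec"]:
            continue
        if t[2] == "ipsec-interfaces":
            has_iface = True
        # A group name right after 'vpn ipsec' is a definition; anywhere deeper it is a reference.
        for kind in ("esp-group", "ike-group"):
            if kind in t:
                i = t.index(kind)
                (defined if i == 2 else referenced)[kind].add(t[i + 1])
        if "peer" in t:
            peer = t[t.index("peer") + 1]
            peers.add(peer)
            if "tunnel" in t or "vti" in t:
                peers_with_sa.add(peer)
            if t[-2] == "pre-shared-secret" and len(t[-1]) < MIN_PSK_LEN:
                findings.append(f"pre-shared-secret for peer {peer} is shorter than {MIN_PSK_LEN} characters")
        if "hash" in t and t[t.index("hash") + 1] in WEAK_HASH:
            findings.append(f"weak hash: {raw.strip()}")
        if "encryption" in t and t[t.index("encryption") + 1] in WEAK_ENC:
            findings.append(f"weak encryption: {raw.strip()}")
        for i, tok in enumerate(t):          # handles both 'dh-group 14' and 'pfs dh-group14'
            if tok.startswith("dh-group"):
                grp = tok[len("dh-group"):] or (t[i + 1] if i + 1 < len(t) else "")
                if grp in WEAK_DH:
                    findings.append(f"weak DH group: {raw.strip()}")
    for kind in ("esp-group", "ike-group"):
        for name in sorted(defined[kind] - referenced[kind]):
            findings.append(f"{kind} {name} is defined but never attached to a peer")
    for peer in sorted(peers - peers_with_sa):
        findings.append(f"peer {peer} has no tunnel or vti, so no ESP SA would be negotiated")
    if not has_iface:
        findings.append("no 'vpn ipsec ipsec-interfaces interface ...' line; IPsec is not bound to an interface")
    return findings


if __name__ == "__main__":
    for label, snippet in (("page snippet", PAGE_SNIPPET), ("completed snippet", COMPLETED_SNIPPET)):
        print(f"== {label} ==")
        for finding in lint(snippet) or ["no findings"]:
            print(" -", finding)
```

Run against the page's own snippet the pass reports the six placeholder lines, the unattached esp01, the peer without a tunnel, and the missing interface binding; the completed snippet comes back clean. The check is deliberately syntactic (it never contacts a VyOS box), so it belongs in whatever review step happens before the commands are pasted into `configure`.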