Route based VPN on VyOS

How to configure a route-based VPN on VyOS

How to configure a route-based (VTI interface) VPN on VyOS with BGP enabled, in a hub-and-spoke topology.




Configuration

Shared configuration:

# IKE (phase 1) policy used by every router in this guide.
# No key-exchange is set, so the tunnels negotiate IKEv1 (the verification
# output below reports "Status of IKEv1 pluto daemon"); the ikev2-reauth
# settings on the peers therefore presumably have no effect — confirm.
# IKE SA lifetime in seconds (28800 = 8 h).
set vpn ipsec ike-group CENTRAL lifetime '28800'
# NOTE(review): dh-group 2 is 1024-bit MODP (shown as MODP_1024 in the
# verification output) and SHA-1 is deprecated by current guidance; prefer a
# 2048-bit or larger group (dh-group 14 or higher) and a SHA-2 hash such as
# sha256 once every peer supports them. Both ends must use the same proposal.
set vpn ipsec ike-group CENTRAL proposal 1 dh-group '2'
set vpn ipsec ike-group CENTRAL proposal 1 encryption 'aes128'
set vpn ipsec ike-group CENTRAL proposal 1 hash 'sha1'



# ESP (phase 2) policy used by every router in this guide.
# Compression is off; it adds CPU cost and has no benefit for already
# compressed traffic.
set vpn ipsec esp-group CENTRAL compression 'disable'
# IPsec SA lifetime in seconds (3600 = 1 h); the SA is re-keyed before expiry
# (the verification output shows EVENT_SA_REPLACE on the child SAs).
set vpn ipsec esp-group CENTRAL lifetime '3600'
# Tunnel mode is what the VTI binding below expects.
set vpn ipsec esp-group CENTRAL mode 'tunnel'
# Perfect forward secrecy: a fresh DH exchange per phase-2 re-key, presumably
# reusing the IKE group's dh-group — so the weak-group caveat on the
# ike-group applies here as well.
set vpn ipsec esp-group CENTRAL pfs 'enable'
# NOTE(review): SHA-1 integrity; prefer sha256 when all peers support it.
set vpn ipsec esp-group CENTRAL proposal 1 encryption 'aes128'
set vpn ipsec esp-group CENTRAL proposal 1 hash 'sha1'



# Dead peer detection: probe the peer every 15 s and, if it stays silent for
# 30 s, tear down and re-establish the tunnel ('restart'). With the VTI in
# place this lets the BGP session recover without manual intervention.
# timeout must be larger than interval.
set vpn ipsec ike-group CENTRAL dead-peer-detection action 'restart'
set vpn ipsec ike-group CENTRAL dead-peer-detection interval '15'
set vpn ipsec ike-group CENTRAL dead-peer-detection timeout '30'


# eth0 is the public (Internet-facing) interface on every router in this
# guide. IKE (UDP 500, and UDP 4500 when NAT-T is in play) plus ESP must be
# allowed in on this interface from the peer addresses if a local firewall
# policy is applied to it.
set vpn ipsec ipsec-interfaces interface 'eth0' # eth0 is public interface in all cases


Central firewall:


# Hub side: one peer entry per spoke. satelite_1_ip, satelite_2_ip and
# central_ip are placeholders for the public addresses.
# NOTE(review): 'test123tunnel1' is an example value and the same secret is
# reused for both spokes; use a long, randomly generated, per-peer secret so
# that compromise of one spoke does not expose the other tunnel. The secret
# is stored in plain text in the configuration.
set vpn ipsec site-to-site peer satelite_1_ip authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer satelite_1_ip authentication pre-shared-secret 'test123tunnel1'
# The hub actively initiates towards spoke 1 (spoke 1 also initiates).
set vpn ipsec site-to-site peer satelite_1_ip connection-type 'initiate'
set vpn ipsec site-to-site peer satelite_1_ip description 'Tunnel to Satelite 1'
set vpn ipsec site-to-site peer satelite_1_ip ike-group 'CENTRAL'
# Only meaningful for IKEv2; the ike-group above does not enable it.
set vpn ipsec site-to-site peer satelite_1_ip ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer satelite_1_ip local-address 'central_ip'
# Route-based: the peer is bound to a VTI instead of traffic selectors, so
# routing (BGP below) decides what enters the tunnel.
set vpn ipsec site-to-site peer satelite_1_ip vti bind 'vti0'
set vpn ipsec site-to-site peer satelite_1_ip vti esp-group 'CENTRAL'
# NOTE(review): unlike the spoke-1 entry, no connection-type or
# ikev2-reauth is set for spoke 2 — confirm the defaults are intended.
set vpn ipsec site-to-site peer satelite_2_ip authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer satelite_2_ip authentication pre-shared-secret 'test123tunnel1'
set vpn ipsec site-to-site peer satelite_2_ip description 'Tunnel to Satelite 2'
set vpn ipsec site-to-site peer satelite_2_ip ike-group 'CENTRAL'
set vpn ipsec site-to-site peer satelite_2_ip local-address 'central_ip'
set vpn ipsec site-to-site peer satelite_2_ip vti bind 'vti1'
set vpn ipsec site-to-site peer satelite_2_ip vti esp-group 'CENTRAL'


# Tunnel interfaces on the hub, one per spoke, each a /30 point-to-point
# link: 169.254.1.1 pairs with 169.254.1.2 on spoke 1, 169.254.1.5 with
# 169.254.1.6 on spoke 2. These addresses are the BGP neighbor addresses.
# MTU is reduced, presumably to leave room for the ESP/IP overhead on the
# outer interface and avoid fragmentation — confirm against the path MTU.
# NOTE(review): no firewall policy is attached to the VTIs here; traffic
# arriving from a spoke is otherwise unrestricted on the hub.
set interfaces vti vti0 address '169.254.1.1/30'
set interfaces vti vti0 description 'VPC tunnel 1'
set interfaces vti vti0 mtu '1436'
set interfaces vti vti1 address '169.254.1.5/30'
set interfaces vti vti1 description 'VPC tunnel 2'
set interfaces vti vti1 mtu '1436'


# Hub BGP: private AS 64601 peering with spoke 1 (AS 64602) and spoke 2
# (AS 64603) over the VTI addresses, so the sessions run inside IPsec.
# soft-reconfiguration inbound keeps a copy of received routes so policy
# changes can be applied without resetting the session.
# NOTE(review): keepalive equals holdtime (30/30), so a single delayed
# keepalive can drop the session; keepalive is normally about a third of
# holdtime (e.g. 10/30) — confirm the intent.
# NOTE(review): no import filtering (prefix-list/route-map) is applied, so the
# hub accepts any prefix a spoke advertises; restrict each neighbor to the
# prefixes it is expected to announce.
set protocols bgp 64601 neighbor 169.254.1.2 remote-as '64602'
set protocols bgp 64601 neighbor 169.254.1.2 soft-reconfiguration 'inbound'
set protocols bgp 64601 neighbor 169.254.1.2 timers holdtime '30'
set protocols bgp 64601 neighbor 169.254.1.2 timers keepalive '30'
set protocols bgp 64601 neighbor 169.254.1.6 remote-as '64603'
set protocols bgp 64601 neighbor 169.254.1.6 soft-reconfiguration 'inbound'
set protocols bgp 64601 neighbor 169.254.1.6 timers holdtime '30'
set protocols bgp 64601 neighbor 169.254.1.6 timers keepalive '30'
# Prefix advertised to the spokes (the hub's LAN); presumably must already
# be present in the routing table to be announced — confirm.
set protocols bgp 64601 network '10.0.0.0/24'


Satellite 1 firewall:


# Spoke 1 side of the tunnel: a single peer entry pointing at the hub.
# The pre-shared secret must match the hub's entry for satelite_1_ip.
# NOTE(review): 'test123tunnel1' is an example value; use a long, randomly
# generated secret unique to this spoke.
set vpn ipsec site-to-site peer central_ip authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer central_ip authentication pre-shared-secret 'test123tunnel1'
# Both ends initiate, so either side can bring the tunnel up.
set vpn ipsec site-to-site peer central_ip connection-type 'initiate'
set vpn ipsec site-to-site peer central_ip description 'Tunnel to Central FW'
set vpn ipsec site-to-site peer central_ip ike-group 'CENTRAL'
# Only meaningful for IKEv2; the ike-group above does not enable it.
set vpn ipsec site-to-site peer central_ip ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer central_ip local-address 'satelite_1_ip'
# Bound to vti0, which carries the 169.254.1.0/30 link to the hub.
set vpn ipsec site-to-site peer central_ip vti bind 'vti0'
set vpn ipsec site-to-site peer central_ip vti esp-group 'CENTRAL'


# Spoke 1 end of the point-to-point link; 169.254.1.1 is the hub.
# MTU matches the hub side, presumably to leave room for ESP overhead.
set interfaces vti vti0 address '169.254.1.2/30'
set interfaces vti vti0 description 'VPC tunnel 1'
set interfaces vti vti0 mtu '1436'


# Spoke 1 BGP: AS 64602 peering with the hub (AS 64601) over the VTI.
# Timers mirror the hub; keepalive equals holdtime (30/30) — see the
# review note on the hub configuration, the same caveat applies.
# NOTE(review): no import/export filtering is applied; restrict what this
# spoke announces to and accepts from the hub.
set protocols bgp 64602 neighbor 169.254.1.1 remote-as '64601'
set protocols bgp 64602 neighbor 169.254.1.1 soft-reconfiguration 'inbound'
set protocols bgp 64602 neighbor 169.254.1.1 timers holdtime '30'
set protocols bgp 64602 neighbor 169.254.1.1 timers keepalive '30'
# Spoke 1 LAN advertised to the hub.
set protocols bgp 64602 network '10.10.0.0/24'


Satellite 2 firewall:


# Spoke 2 side of the tunnel: a single peer entry pointing at the hub.
# The pre-shared secret must match the hub's entry for satelite_2_ip.
# NOTE(review): 'test123tunnel1' is an example value and is identical to
# spoke 1's secret; use a long, randomly generated secret unique to this spoke.
# NOTE(review): unlike spoke 1, no connection-type 'initiate' is set, so this
# spoke presumably relies on the default behaviour — confirm it is intended.
set vpn ipsec site-to-site peer central_ip authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer central_ip authentication pre-shared-secret 'test123tunnel1'
set vpn ipsec site-to-site peer central_ip description 'Tunnel to Central FW'
set vpn ipsec site-to-site peer central_ip ike-group 'CENTRAL'
set vpn ipsec site-to-site peer central_ip local-address 'satelite_2_ip'
# Bound to vti1, which carries the 169.254.1.4/30 link to the hub.
set vpn ipsec site-to-site peer central_ip vti bind 'vti1'
set vpn ipsec site-to-site peer central_ip vti esp-group 'CENTRAL'


# Spoke 2 end of the point-to-point link; 169.254.1.5 is the hub.
# MTU matches the hub side, presumably to leave room for ESP overhead.
set interfaces vti vti1 address '169.254.1.6/30'
set interfaces vti vti1 description 'VPC tunnel 2'
set interfaces vti vti1 mtu '1436'


# Spoke 2 BGP: AS 64603 peering with the hub (AS 64601) over the VTI.
# Timers mirror the hub; keepalive equals holdtime (30/30) — see the
# review note on the hub configuration, the same caveat applies.
# NOTE(review): no import/export filtering is applied; restrict what this
# spoke announces to and accepts from the hub.
set protocols bgp 64603 neighbor 169.254.1.5 remote-as '64601'
set protocols bgp 64603 neighbor 169.254.1.5 soft-reconfiguration 'inbound'
set protocols bgp 64603 neighbor 169.254.1.5 timers holdtime '30'
set protocols bgp 64603 neighbor 169.254.1.5 timers keepalive '30'
# Spoke 2 LAN advertised to the hub.
set protocols bgp 64603 network '10.20.0.0/24'


Verification


# Operational-mode checks, run on any of the routers.
# Phase-1/phase-2 SA summary per peer: confirm each expected peer is up.
show vpn ipsec sa


# VTI state and counters: the interface should be up and the RX/TX counters
# should move once BGP is exchanging keepalives.
show interfaces vti detail


# Routing table: the remote LAN prefixes should appear as BGP routes via
# the VTI addresses once the sessions are established.
show ip route



# Detailed IKE daemon status (example output follows). Look for
# "ISAKMP SA established" / "IPsec SA established" per peer and check the
# negotiated IKE and ESP proposals against the policy you intended. Note
# that this output includes peer addresses and SPIs; treat it as sensitive
# when sharing.
show vpn debug


000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 192.168.56.250:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "peer-192.168.56.151-tunnel-vti": 0.0.0.0/0===192.168.56.250[192.168.56.250]...192.168.56.151[192.168.56.151]===0.0.0.0/0; erouted; eroute owner: #12
000 "peer-192.168.56.151-tunnel-vti": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "peer-192.168.56.151-tunnel-vti": dpd_action: restart; dpd_delay: 15s; dpd_timeout: 30s;
000 "peer-192.168.56.151-tunnel-vti": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 0,0; interface: eth0;
000 "peer-192.168.56.151-tunnel-vti": newest ISAKMP SA: #1; newest IPsec SA: #12;
000 "peer-192.168.56.151-tunnel-vti": IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1024
000 "peer-192.168.56.151-tunnel-vti": ESP proposal: AES_CBC_128/HMAC_SHA1/
000 "peer-192.168.56.152-tunnel-vti": 0.0.0.0/0===192.168.56.250[192.168.56.250]...192.168.56.152[192.168.56.152]===0.0.0.0/0; erouted; eroute owner: #13
000 "peer-192.168.56.152-tunnel-vti": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "peer-192.168.56.152-tunnel-vti": dpd_action: restart; dpd_delay: 15s; dpd_timeout: 30s;
000 "peer-192.168.56.152-tunnel-vti": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 0,0; interface: eth0;
000 "peer-192.168.56.152-tunnel-vti": newest ISAKMP SA: #5; newest IPsec SA: #13;
000 "peer-192.168.56.152-tunnel-vti": IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1024
000 "peer-192.168.56.152-tunnel-vti": ESP proposal: AES_CBC_128/HMAC_SHA1/
000
000 #1: "peer-192.168.56.151-tunnel-vti" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 20459s; newest ISAKMP; DPD active
000 #12: "peer-192.168.56.151-tunnel-vti" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 584s; newest IPSEC; eroute owner
000 #12: "peer-192.168.56.151-tunnel-vti" esp.cef24225@192.168.56.151 (142848 bytes, 4s ago) esp.cd99e3e3@192.168.56.250 (151948 bytes, 4s ago); tunnel
000 #2: "peer-192.168.56.151-tunnel-vti" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 20912s; DPD active
000 #5: "peer-192.168.56.152-tunnel-vti" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 21914s; newest ISAKMP; DPD active
000 #13: "peer-192.168.56.152-tunnel-vti" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1693s; newest IPSEC; eroute owner
000 #13: "peer-192.168.56.152-tunnel-vti" esp.c2dd9395@192.168.56.152 (21948 bytes, 2s ago) esp.ceeeff82@192.168.56.250 (24392 bytes, 2s ago); tunnel
000 #11: "peer-192.168.56.152-tunnel-vti" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 6s
000 #11: "peer-192.168.56.152-tunnel-vti" esp.c2be6dc9@192.168.56.152 (253624 bytes) esp.ce7c1309@192.168.56.250 (259448 bytes); tunnel
000 #6: "peer-192.168.56.152-tunnel-vti" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 22253s; DPD active
000