IPsec Site-to-Site VPN

Created by Yuriy Andamasov, Modified on Tue, 16 Jan at 4:04 PM by Srividya Anantapatnaikuni

Article review date
2024-01-15
Validated for VyOS versions
1.2.5, 1.3.5

Introduction

In addition to being used with other protocols (such as L2TP) in a server-client VPN setup, another common use for IPsec is the creation of site-to-site VPNs. 

Basic Configuration

For this example, we'll be using the following two network topologies:

For central-office-net: 

  • Public address of 203.0.113.2 on interface eth1 
  • Local private network of 10.1.1.0/24 
  • A VyOS router called central-office-rtr 

For remote-office-net

  • Public address of 192.51.100.2 on interface eth1 
  • Local private network of 10.2.2.0/24  
  • A VyOS router called remote-office-rtr  

For simplicity, we will be using pre-shared secret authentication for IPsec, although one may also use an RSA key or X.509 certificates, depending on existing infrastructure. The pre-shared key will be not-so-secret.

Note: These configurations are run from the vpn ipsec  tree. The edit vpn ipsec is issued in the first line to change the current configuration path. It is displayed as [edit vpn ipsec] in the command line, and as a comment here (prefixed by # ).

Configuration of central-office-rtr: 

edit vpn ipsec
#[edit vpn ipsec]

set esp-group central-rtr-esp compression 'disable'
set esp-group central-rtr-esp lifetime '1800'
set esp-group central-rtr-esp mode 'tunnel'
set esp-group central-rtr-esp pfs 'enable'
set esp-group central-rtr-esp proposal 1 encryption 'aes256'
set esp-group central-rtr-esp proposal 1 hash 'sha256'
set ike-group central-rtr-ike ikev2-reauth 'no'
set ike-group central-rtr-ike key-exchange 'ikev1'
set ike-group central-rtr-ike lifetime '3600'
set ike-group central-rtr-ike proposal 1 encryption 'aes256'
set ike-group central-rtr-ike proposal 1 hash 'sha256'
set ipsec-interfaces interface 'eth1'
set site-to-site peer 192.51.100.2 authentication mode 'pre-shared-secret'
set site-to-site peer 192.51.100.2 authentication pre-shared-secret 'not-so-secret'
set site-to-site peer 192.51.100.2 ike-group 'central-rtr-ike'
set site-to-site peer 192.51.100.2 local-address '203.0.113.2'
set site-to-site peer 192.51.100.2 tunnel 0 allow-nat-networks 'disable'
set site-to-site peer 192.51.100.2 tunnel 0 allow-public-networks 'disable'
set site-to-site peer 192.15.100.2 tunnel 0 esp-group 'central-rtr-esp'
set site-to-site peer 192.51.100.2 tunnel 0 local prefix '10.1.1.0/24'
set site-to-site peer 192.51.100.2 tunnel 0 remote prefix '10.2.2.0/24'

Configuration of remote-office-rtr: 

edit vpn ipsec
#[edit vpn ipsec]
set esp-group remote-rtr-esp compression 'disable'
set esp-group remote-rtr-esp lifetime '1800'
set esp-group remote-rtr-esp mode 'tunnel'
set esp-group remote-rtr-esp pfs 'enable'
set esp-group remote-rtr-esp proposal 1 encryption 'aes256'
set esp-group remote-rtr-esp proposal 1 hash 'sha256'
set ike-group remote-rtr-ike ikev2-reauth 'no'
set ike-group remote-rtr-ike key-exchange 'ikev1'
set ike-group remote-rtr-ike lifetime '3600'
set ike-group remote-rtr-ike proposal 1 encryption 'aes256'
set ike-group remote-rtr-ike proposal 1 hash 'sha256'
set ipsec-interfaces interface 'eth1'
set site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
set site-to-site peer 203.0.113.2 authentication pre-shared-secret 'not-so-secret'
set site-to-site peer 203.0.113.2 ike-group 'remote-rtr-ike'
set site-to-site peer 203.0.113.2 local-address '192.51.100.2'
set site-to-site peer 203.0.113.2 tunnel 0 allow-nat-networks 'disable'
set site-to-site peer 203.0.113.2 tunnel 0 allow-public-networks 'disable'
set site-to-site peer 203.0.113.2 tunnel 0 esp-group 'remote-rtr-esp'
set site-to-site peer 203.0.113.2 tunnel 0 local prefix '10.2.2.0/24'
set site-to-site peer 203.0.113.2 tunnel 0 remote prefix '10.1.1.0/24'

At this point, there should be a working tunnel between central-office-net  and remote-office-net. This can be verified on each router:

vyos@central-office-rtr:~$ show vpn ipsec sa #show security associations
Peer ID / IP Local ID / IP
------------ -------------
192.51.100.2 203.0.113.2

Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
0 up 0.0/0.0 aes256 sha256 no 1145 1800 all

vyos@central-office-rtr:~$ show vpn ipsec status #show status of IPsec tunnels/process
IPSec Process Running PID: 4058

1 Active IPsec Tunnels

IPsec Interfaces :
eth1 (203.0.113.2)

vyos@central-office-rtr:~$ show vpn ipsec state #not displayed, but shows the in-kernel crypto state.

The same commands may be performed on remote-office-rtr as well.


Additional Configuration

SNAT

If you have source NAT rules on the outbound interface, exceptions need to be added on each router:

edit nat source rule 10
# [edit nat source rule 10]
set destination address 10.2.2.0/24
set exclude
set outbound-interface eth1
set source address 10.1.1.0/24

And similarly for remote-office-rtr:

edit nat source rule 10
# [edit nat source rule 10]
set destination address 10.1.1.0/24
set exclude
set outbound-interface eth1
set source address 10.2.2.0/24

Firewall Rules

If either or both router has existing firewall rules that prevent non-local LAN traffic from being sent/accepted, the appropriate firewall exceptions need to be made on each router for the other network, for example:

 For central-office-rtr:

set firewall name REMOTE-LOCAL rule 32 action accept
set firewall name REMOTE-LOCAL rule 32 source address 10.2.2.0/24

and remote-office-rtr:

set firewall name CENTRAL-LOCAL rule 32 action accept
set firewall name CENTRAL-LOCAL rule 32 source address 10.1.1.0/24

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article