Configure site-to-site VPN on VyOS

Tech Stack

  • VyOS 1.4-rolling

Common Problems

Topology

Configure Interface

The first step is to assign an address to each interface. On eth0 we attach the droplet's public IP and on eth1 its private (VPC) IP; in both cases this is done by configuring DHCP on the interface, since DigitalOcean hands out both addresses that way.

vyos@vyos# set interfaces ethernet eth0 address dhcp
vyos@vyos# set interfaces ethernet eth1 address dhcp
vyos@vyos# commit
vyos@vyos# save

Interface on SGP1 region

vyos@vyos# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             159.223.59.74/20                  u/u
eth1             10.104.0.3/20                     u/u
lo               127.0.0.1/8                       u/u
                 ::1/128

Interface on NYC3 region

vyos@vyos# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             134.209.174.36/20                 u/u
eth1             10.108.0.2/20                     u/u
lo               127.0.0.1/8                       u/u
                 ::1/128

Set SSH services

Configure the SSH service so that VyOS can be reached from a local terminal.

vyos@vyos# set service ssh port 22

Configure site-to-site VPN on Right (SGP1 Region)

ipsec {
     esp-group to-nyc {
         lifetime 86400
         mode tunnel
         pfs enable
         proposal 1 {
             encryption aes256
             hash sha256
         }
     }
     ike-group to-nyc {
         key-exchange ikev2
         lifetime 86400
         proposal 1 {
             dh-group 14
             encryption aes256
             hash sha256
         }
     }
     interface eth0
     site-to-site {
         peer to-nyc {
             authentication {
                 local-id 159.223.59.74
                 mode pre-shared-secret
                 pre-shared-secret P@ssw0rd123!
                 remote-id 134.209.174.36
             }
             ike-group to-nyc
             local-address any
             remote-address 134.209.174.36
             tunnel 0 {
                 esp-group to-nyc
                 local {
                     prefix 10.104.0.0/20
                 }
                 remote {
                     prefix 10.108.0.0/20
                 }
             }
         }
     }
 }

Configure site-to-site VPN on Left (NYC3 Region)

ipsec {
     esp-group to-sgp {
         lifetime 86400
         mode tunnel
         pfs enable
         proposal 1 {
             encryption aes256
             hash sha256
         }
     }
     ike-group to-sgp {
         key-exchange ikev2
         lifetime 86400
         proposal 1 {
             dh-group 14
             encryption aes256
             hash sha256
         }
     }
     interface eth0
     site-to-site {
         peer to-sgp {
             authentication {
                 local-id 134.209.174.36
                 mode pre-shared-secret
                 pre-shared-secret P@ssw0rd123!
                 remote-id 159.223.59.74
             }
             ike-group to-sgp
             local-address any
             remote-address 159.223.59.74
             tunnel 0 {
                 esp-group to-sgp
                 local {
                     prefix 10.108.0.0/20
                 }
                 remote {
                     prefix 10.104.0.0/20
                 }
             }
         }
     }
 }
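The two peer stanzas above have to be exact mirror images of each other: local-id and remote-id swap, each side's remote-address is the other side's local-id, the pre-shared secret is identical, and the tunnel's local and remote prefixes swap. The following script is an added example, not VyOS code or part of the original page: it parses the brace-style configuration VyOS prints and checks those mirror properties, and it also estimates the strength of the pre-shared secret. The two embedded configurations are constructed from the stanzas above, trimmed to the nodes the check needs; the entropy estimate (character classes times length) is a crude heuristic chosen for this example.

```python
# Added example (not VyOS code): check that two site-to-site peers mirror each other.
import math
import re

# Constructed sample: the site-to-site stanzas from the SGP1 and NYC3 routers,
# trimmed to the nodes the check needs.
SGP_CFG = """
site-to-site {
    peer to-nyc {
        authentication {
            local-id 159.223.59.74
            mode pre-shared-secret
            pre-shared-secret P@ssw0rd123!
            remote-id 134.209.174.36
        }
        remote-address 134.209.174.36
        tunnel 0 {
            local {
                prefix 10.104.0.0/20
            }
            remote {
                prefix 10.108.0.0/20
            }
        }
    }
}
"""
NYC_CFG = """
site-to-site {
    peer to-sgp {
        authentication {
            local-id 134.209.174.36
            mode pre-shared-secret
            pre-shared-secret P@ssw0rd123!
            remote-id 159.223.59.74
        }
        remote-address 159.223.59.74
        tunnel 0 {
            local {
                prefix 10.108.0.0/20
            }
            remote {
                prefix 10.104.0.0/20
            }
        }
    }
}
"""

def parse_vyos(text):
    """Parse VyOS brace syntax into nested dicts: `peer to-nyc {` opens the
    node 'peer to-nyc'; `prefix 10.104.0.0/20` becomes {'prefix': '10.104.0.0/20'}."""
    root, stack = {}, []
    cur = root
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":
            cur = stack.pop()
        else:
            key, _, val = line.partition(" ")
            cur[key] = val
    return root

def peer(cfg):
    """Return the single `peer <name>` node under site-to-site."""
    s2s = cfg["site-to-site"]
    return next(v for k, v in s2s.items() if k.startswith("peer "))

def psk_entropy_bits(secret):
    """Crude strength estimate: length * log2(size of the character classes used)."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    size = sum(n for pat, n in classes if re.search(pat, secret))
    return len(secret) * math.log2(size) if size else 0.0

def check_mirror(a_text, b_text, min_psk_bits=128):
    """Return a list of problems; an empty list means the two sides agree."""
    a, b = peer(parse_vyos(a_text)), peer(parse_vyos(b_text))
    aa, ba = a["authentication"], b["authentication"]
    at, bt = a["tunnel 0"], b["tunnel 0"]
    problems = []
    if (aa["local-id"], aa["remote-id"]) != (ba["remote-id"], ba["local-id"]):
        problems.append("local-id/remote-id are not swapped between the sides")
    if a["remote-address"] != ba["local-id"] or b["remote-address"] != aa["local-id"]:
        problems.append("remote-address does not match the other side's local-id")
    if aa["pre-shared-secret"] != ba["pre-shared-secret"]:
        problems.append("pre-shared-secret differs between the sides")
    bits = psk_entropy_bits(aa["pre-shared-secret"])
    if bits < min_psk_bits:
        problems.append(f"pre-shared-secret is weak (~{bits:.0f} bits, want >= {min_psk_bits})")
    if (at["local"]["prefix"], at["remote"]["prefix"]) != (bt["remote"]["prefix"], bt["local"]["prefix"]):
        problems.append("tunnel 0 local/remote prefixes are not swapped between the sides")
    return problems

if __name__ == "__main__":
    for p in check_mirror(SGP_CFG, NYC_CFG) or ["OK: both sides mirror each other"]:
        print(p)
```

Run against the two stanzas from this page the mirror checks all pass, and the only finding is the pre-shared secret: a 12-character password scores roughly 79 bits on this estimate, well below the 128 bits a long random secret (for example 32 bytes from a CSPRNG, base64-encoded) would give. A typo in one prefix or a mismatched id on either side shows up as an extra line of output before the tunnel is ever committed.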

Show VPN Status

Show VPN status on SGP region (this output was captured with the peer named to-drc; with the configuration above the connection names are to-nyc and to-nyc-tunnel-0)

vyos@vyos# run show vpn ipsec connections
Connection       State    Type    Remote address    Local TS       Remote TS      Local id       Remote id       Proposal
---------------  -------  ------  ----------------  -------------  -------------  -------------  --------------  ---------------------------------------
to-drc           up       IKEv2   134.209.174.36    -              -              159.223.59.74  134.209.174.36  AES_CBC/256/HMAC_SHA2_256_128/MODP_2048
to-drc-tunnel-0  up       IPsec   134.209.174.36    10.104.0.0/20  10.108.0.0/20  159.223.59.74  134.209.174.36  AES_CBC/256/HMAC_SHA2_256_128/MODP_2048

Show VPN status on NYC region (this output was captured with the peer named to-ho; with the configuration above the connection names are to-sgp and to-sgp-tunnel-0)

vyos@vyos# run show vpn ipsec connections
Connection      State    Type    Remote address    Local TS       Remote TS      Local id        Remote id      Proposal
--------------  -------  ------  ----------------  -------------  -------------  --------------  -------------  ---------------------------------------
to-ho           up       IKEv2   159.223.59.74     -              -              134.209.174.36  159.223.59.74  AES_CBC/256/HMAC_SHA2_256_128/MODP_2048
to-ho-tunnel-0  up       IPsec   159.223.59.74     10.108.0.0/20  10.104.0.0/20  134.209.174.36  159.223.59.74  AES_CBC/256/HMAC_SHA2_256_128/MODP_2048
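A healthy tunnel shows two rows per peer: the IKEv2 SA and the IPsec child SA, both in state up, with the child SA carrying the expected traffic selectors and the proposal matching the esp and ike groups configured above. The script below is an added example, not VyOS code or part of the original page: it parses the `show vpn ipsec connections` table and returns a list of findings a monitoring job could alert on. The embedded sample is the SGP-side output shown above, copied verbatim; the expected proposal string is taken from that output.

```python
# Added example (not VyOS code): parse `show vpn ipsec connections` output and
# flag anything a monitoring check should alert on.
import re

# Constructed sample: the SGP-side output shown on this page.
SGP_STATUS = """\
Connection       State    Type    Remote address    Local TS       Remote TS      Local id       Remote id       Proposal
---------------  -------  ------  ----------------  -------------  -------------  -------------  --------------  ---------------------------------------
to-drc           up       IKEv2   134.209.174.36    -              -              159.223.59.74  134.209.174.36  AES_CBC/256/HMAC_SHA2_256_128/MODP_2048
to-drc-tunnel-0  up       IPsec   134.209.174.36    10.104.0.0/20  10.108.0.0/20  159.223.59.74  134.209.174.36  AES_CBC/256/HMAC_SHA2_256_128/MODP_2048
"""

# What the esp-group/ike-group above should negotiate (aes256, sha256, dh-group 14).
EXPECTED_PROPOSAL = "AES_CBC/256/HMAC_SHA2_256_128/MODP_2048"

def parse_connections(output):
    """Split the fixed-width table into one dict per row, keyed by header name.
    Column boundaries come from the dashed separator line, so the parser does
    not depend on how many spaces happen to separate the columns."""
    lines = [l for l in output.splitlines() if l.strip()]
    header, sep, rows = lines[0], lines[1], lines[2:]
    starts = [m.start() for m in re.finditer(r"-+", sep)]
    bounds = list(zip(starts, starts[1:] + [None]))  # last column runs to end of line
    names = [header[s:e].strip() for s, e in bounds]
    return [{n: row[s:e].strip() for n, (s, e) in zip(names, bounds)} for row in rows]

def tunnel_problems(output, expected_proposal=EXPECTED_PROPOSAL):
    """Return a list of problems; an empty list means the VPN is up as configured."""
    conns = parse_connections(output)
    problems = []
    if not any(c["Type"].startswith("IKE") for c in conns):
        problems.append("no IKE SA present")
    if not any(c["Type"] == "IPsec" for c in conns):
        problems.append("no IPsec child SA present")
    for c in conns:
        if c["State"] != "up":
            problems.append(f"{c['Connection']} is {c['State']}")
        if c["Proposal"] != expected_proposal:
            problems.append(f"{c['Connection']} negotiated {c['Proposal']}, expected {expected_proposal}")
        if c["Type"] == "IPsec" and "-" in (c["Local TS"], c["Remote TS"]):
            problems.append(f"{c['Connection']} has no traffic selectors")
    return problems

if __name__ == "__main__":
    for p in tunnel_problems(SGP_STATUS) or ["OK: IKE and IPsec SAs up with the expected proposal"]:
        print(p)
```

Feed it the output of `run show vpn ipsec connections` from each router (for example over the SSH service configured earlier) and alert on a non-empty result. A missing IKE row on both sides usually means the IKE traffic (UDP 500 and 4500) is not reaching eth0; an IKE row without a child SA points at the esp-group or the tunnel prefixes, and a proposal that differs from the expected one means the peers agreed on something other than what the groups above specify.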

Test VPN Connection

Ping to NYC region private IP from SGP region

vyos@vyos# ping 10.108.0.2
PING 10.108.0.2 (10.108.0.2) 56(84) bytes of data.
64 bytes from 10.108.0.2: icmp_seq=1 ttl=64 time=239 ms
64 bytes from 10.108.0.2: icmp_seq=2 ttl=64 time=236 ms
64 bytes from 10.108.0.2: icmp_seq=3 ttl=64 time=237 ms
64 bytes from 10.108.0.2: icmp_seq=4 ttl=64 time=237 ms
^C
--- 10.108.0.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 236.405/237.125/238.856/1.003 ms

Ping to SGP region private IP from NYC region

vyos@vyos# ping 10.104.0.3
PING 10.104.0.3 (10.104.0.3) 56(84) bytes of data.
64 bytes from 10.104.0.3: icmp_seq=1 ttl=64 time=236 ms
64 bytes from 10.104.0.3: icmp_seq=2 ttl=64 time=237 ms
64 bytes from 10.104.0.3: icmp_seq=3 ttl=64 time=236 ms
64 bytes from 10.104.0.3: icmp_seq=4 ttl=64 time=236 ms
^C
--- 10.104.0.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 236.169/236.409/236.606/0.156 ms