Site2Site VPN Configuration

This document describes how to configure a Site2Site VPN connection between an external router and an instance on EXOSCALE.

Steps:

  • Align on security parameters with provider of external router
  • Create Private Network on EXOSCALE portal
  • Start new instance using “VyOS” template
  • Configure VyOS and test connection
  • Setup and test connection on target instance

Configuration on EXOSCALE:

Prerequisites:

  • Pre-Shared-Secret: shared password for authentication
  • VyOS 1.3 template
  • Instance: Tiny with 10 GB
  • SSH-Key
  • Private Network - unmanaged

During the setup you have to use the following IP addresses:

  • WAN-IP router – public address of the external router (the IPsec peer)
  • Local IP router – address of the router in the remote private network
  • WAN-IP Exoscale – public address of the VyOS instance
  • Local IP Exoscale – address of the VyOS instance in the EXOSCALE Private Network (eth1)

Ports needed on Firewall settings:

  • Either use the “Default” Security group or create a new group
  • Add the following FW rules:


  • 22 TCP – SSH
  • 3389 TCP – RDP (if Windows server is used)
  • 500 UDP – IPSec (IKE)
  • 4500 UDP – IPSec ESP (NAT-T)

Create a Private Network

  • Click on “Add Private Network” and select “manual”


Connecting to VyOS

  • Use “PuTTYgen” to create an SSH keypair (public + private)
  • Import the public key to EXOSCALE
  • Create the instance in the target zone (e.g. VIE) including the SSH key and the Security Group
  • Connect to VyOS with PuTTY using the private SSH key

Configuration VyOS

  • Enter “vyos” as user
  • Enter “configure” to go to configuration (“Edit”) mode
  • Enter the commands below; each block can be copied and pasted as a whole. Replace the *placeholders* and the 'xxx' values (agreed with the provider of the external router, see the examples in brackets) before pasting, and leave the bracketed examples out
set system host-name 'vpn-endpoint'
set interfaces ethernet eth1 address '*Local IP Exoscale/Subnet*'

IPSEC base config

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-level '1'
set vpn ipsec logging log-modes 'any'

IPSEC Phase 1

set vpn ipsec ike-group ike-local-remote close-action 'none'
set vpn ipsec ike-group ike-local-remote dead-peer-detection action 'clear'
set vpn ipsec ike-group ike-local-remote dead-peer-detection interval '30'
set vpn ipsec ike-group ike-local-remote dead-peer-detection timeout '90'
set vpn ipsec ike-group ike-local-remote ikev2-reauth 'no'
set vpn ipsec ike-group ike-local-remote key-exchange 'xxx' (e.g. ikev2)
set vpn ipsec ike-group ike-local-remote lifetime 'xxx' (e.g. 86400)
set vpn ipsec ike-group ike-local-remote proposal 1 dh-group 'XX' (e.g. 21)
set vpn ipsec ike-group ike-local-remote proposal 1 encryption 'xxx' (e.g. aes256gcm128)
set vpn ipsec ike-group ike-local-remote proposal 1 hash 'xxx' (e.g. sha512)

IPSEC Phase 2

set vpn ipsec esp-group esp-local-remote compression 'disable'
set vpn ipsec esp-group esp-local-remote lifetime 'xxx' (e.g. 3600)
set vpn ipsec esp-group esp-local-remote mode 'tunnel'
set vpn ipsec esp-group esp-local-remote pfs 'xxx' (e.g. dh-group21)
set vpn ipsec esp-group esp-local-remote proposal 1 encryption 'xxx' (e.g. aes256gcm128)
set vpn ipsec esp-group esp-local-remote proposal 1 hash 'xxx' (e.g. sha1)

IPSEC site-to-site config

set vpn ipsec site-to-site peer *WAN-IP router* authentication id '*WAN-IP Exoscale*'
set vpn ipsec site-to-site peer *WAN-IP router* authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer *WAN-IP router* authentication pre-shared-secret 'xxx'
set vpn ipsec site-to-site peer *WAN-IP router* connection-type 'initiate'
set vpn ipsec site-to-site peer *WAN-IP router* default-esp-group 'esp-local-remote'
set vpn ipsec site-to-site peer *WAN-IP router* ike-group 'ike-local-remote'
set vpn ipsec site-to-site peer *WAN-IP router* ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer *WAN-IP router* local-address '*WAN-IP Exoscale*'
set vpn ipsec site-to-site peer *WAN-IP router* tunnel 0 local prefix '*Local IP Exoscale/Subnet*'
set vpn ipsec site-to-site peer *WAN-IP router* tunnel 0 remote prefix '*Local IP router/Subnet*'
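The 'xxx' values above decide how strong the tunnel is. As an added example (not part of this guide and not VyOS code), the following POSIX shell script audits a `show configuration commands` dump for settings that are weak by current standards: IKEv1, MODP DH groups 1/2/5, DES/3DES or null ciphers, and MD5/SHA-1 integrity. For ESP proposals that use an AEAD cipher such as aes256gcm128 the cipher provides its own integrity protection, so the mandatory hash setting is not reported there; for IKE the hash also selects the PRF and is always checked. Both configuration dumps are constructed: the first is this guide's configuration with its bracketed example values filled in, the second a deliberately weak one. 203.0.113.1 is an RFC 5737 documentation address standing in for *WAN-IP router*; the `vyatta-op-cmd-wrapper` path in the comment is an assumption, not taken from the guide.

```shell
#!/bin/sh
# Added example, not part of the original guide or of VyOS.
# Audits the IKE/ESP settings in a "show configuration commands" dump.
# On the VyOS instance the dump can be produced with (assumed path):
#   /opt/vyatta/bin/vyatta-op-cmd-wrapper show configuration commands | grep 'vpn ipsec'

# audit_ipsec_config CONFIG_TEXT
# Prints one line per weak setting; exit status 0 when nothing was found, 1 otherwise.
audit_ipsec_config() {
    printf '%s\n' "$1" | tr -d "'" | awk '
        # field layout of a proposal line:
        # set vpn ipsec <group-type> <group-name> proposal <n> <option> <value>
        #  1   2   3        4            5           6       7     8       9
        { lines[NR] = $0 }
        # remember ESP proposals whose cipher is AEAD (GCM): integrity comes
        # from the cipher, so the mandatory hash setting is not the weak point
        $4 == "esp-group" && $6 == "proposal" && $8 == "encryption" && $9 ~ /gcm/ {
            aead[$5 " " $7] = 1
        }
        END {
            found = 0
            for (i = 1; i <= NR; i++) {
                split(lines[i], f, " ")
                if (f[6] == "key-exchange" && f[7] == "ikev1")
                    found += report("IKEv1 instead of IKEv2", lines[i])
                if (f[6] == "proposal" && f[8] == "dh-group" && f[9] ~ /^(1|2|5)$/)
                    found += report("MODP DH group of 1536 bits or less", lines[i])
                if (f[6] == "pfs" && f[7] ~ /^dh-group(1|2|5)$/)
                    found += report("PFS group of 1536 bits or less", lines[i])
                if (f[6] == "proposal" && f[8] == "encryption" && f[9] ~ /^(des|3des|null)$/)
                    found += report("weak or no cipher", lines[i])
                if (f[6] == "proposal" && f[8] == "hash" && f[9] ~ /^(md5|sha1)$/) {
                    key = f[5] " " f[7]
                    if (!(f[4] == "esp-group" && (key in aead)))
                        found += report("MD5/SHA-1 integrity", lines[i])
                }
            }
            exit (found > 0)
        }
        function report(why, line) { print "weak: " why ": " line; return 1 }
    '
}

# audit_count CONFIG_TEXT -> number of findings (handy for scripting)
audit_count() {
    audit_ipsec_config "$1" | awk 'END { print NR }'
}

# Constructed dump: the guide's configuration with its example values filled in.
GUIDE_CONFIG="set vpn ipsec ike-group ike-local-remote key-exchange 'ikev2'
set vpn ipsec ike-group ike-local-remote lifetime '86400'
set vpn ipsec ike-group ike-local-remote proposal 1 dh-group '21'
set vpn ipsec ike-group ike-local-remote proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group ike-local-remote proposal 1 hash 'sha512'
set vpn ipsec esp-group esp-local-remote lifetime '3600'
set vpn ipsec esp-group esp-local-remote pfs 'dh-group21'
set vpn ipsec esp-group esp-local-remote proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group esp-local-remote proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 203.0.113.1 ike-group 'ike-local-remote'"

# Constructed dump of a deliberately weak configuration.
WEAK_CONFIG="set vpn ipsec ike-group ike-weak key-exchange 'ikev1'
set vpn ipsec ike-group ike-weak proposal 1 dh-group '2'
set vpn ipsec ike-group ike-weak proposal 1 encryption '3des'
set vpn ipsec ike-group ike-weak proposal 1 hash 'md5'
set vpn ipsec esp-group esp-weak pfs 'dh-group2'
set vpn ipsec esp-group esp-weak proposal 1 encryption 'aes128'
set vpn ipsec esp-group esp-weak proposal 1 hash 'sha1'"

echo "== guide configuration =="
audit_ipsec_config "$GUIDE_CONFIG" && echo "no weak settings found"
echo "== weak configuration =="
audit_ipsec_config "$WEAK_CONFIG" || echo "review the settings above"
```

The guide's own configuration passes without findings; the weak dump yields six. The script only looks at what the dump states, so a proposal accepted by the peer but not written into the VyOS configuration is outside its view.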

Check status of VPN Tunnel

To check the status of the new VPN tunnel, type in operational mode (outside of configure):

show vpn ipsec sa
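Checking the tunnel once by hand is fine for the setup; afterwards it is worth knowing when it drops. The following POSIX shell script is an added example (not part of this guide or of VyOS) that turns the table printed by `show vpn ipsec sa` into a check that can run from cron or a monitoring agent. The sample table is constructed to approximate the VyOS 1.3 layout, so column positions must be verified against the running version; 203.0.113.1 and 203.0.113.2 are RFC 5737 documentation addresses standing in for *WAN-IP router*, and the `vyatta-op-cmd-wrapper` path is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original guide or of VyOS: turn the
# table printed by "show vpn ipsec sa" into a scriptable check.
# From a shell on the VyOS instance the live table can be obtained with
# (assumed path): /opt/vyatta/bin/vyatta-op-cmd-wrapper show vpn ipsec sa

# Constructed sample approximating the VyOS 1.3 table layout; the second
# peer exists only to show the "down" case.
SAMPLE_SA='Connection                 State  Uptime  Bytes In/Out  Packets In/Out  Remote address  Remote ID  Proposal
-------------------------  -----  ------  ------------  --------------  --------------  ---------  ----------------------------------------
peer-203.0.113.1-tunnel-0  up     3h12m   1.2M/834K     9.3K/6.1K       203.0.113.1     n/a        AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521
peer-203.0.113.2-tunnel-0  down   N/A     N/A           N/A             203.0.113.2     n/a        N/A'

# tunnel_states TABLE -> "<connection> <state>" per tunnel, header lines dropped
tunnel_states() {
    printf '%s\n' "$1" | awk 'NF >= 2 && $1 != "Connection" && $1 !~ /^-+$/ { print $1, $2 }'
}

# tunnels_down TABLE -> names of tunnels whose state is not "up";
# exit status 1 when at least one tunnel is down, 0 otherwise
tunnels_down() {
    tunnel_states "$1" | awk '$2 != "up" { print $1; n++ } END { exit (n > 0) }'
}

# expect_tunnel TABLE CONNECTION -> exit 0 only if CONNECTION is listed and up;
# a peer missing from the table entirely counts as down
expect_tunnel() {
    tunnel_states "$1" | awk -v want="$2" '$1 == want && $2 == "up" { ok = 1 } END { exit !ok }'
}

if down=$(tunnels_down "$SAMPLE_SA"); then
    echo "all tunnels up"
else
    echo "tunnels down: $down"
fi
```

`expect_tunnel` is the check to schedule: it names the peer from the configuration, so a tunnel that disappears from the table altogether is reported instead of being silently ignored.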


IPSEC static routes

To enable connections between devices in your local and remote networks, set a static route on VyOS:

set protocols static route *Local IP router/Subnet* next-hop *Local IP Exoscale*

Settings on Windows instance:

The Windows instances in the Private Network need a persistent route to the remote network as well (destination = remote network, MASK = its netmask in dotted-decimal form, gateway = the VyOS instance; -p keeps the route across reboots):

route add *Local IP router* MASK *Local Subnet* *Local IP Exoscale* -p
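The VyOS route takes the remote network as a CIDR prefix while the Windows route needs a dotted-decimal MASK, which is easy to get wrong by hand. As an added example (not part of this guide), the following POSIX shell script derives the VyOS, Windows and Linux route commands from one CIDR prefix and one gateway. The sample values are constructed RFC 1918 addresses: 192.168.10.0/24 stands for *Local IP router/Subnet*, 10.0.0.2 for *Local IP Exoscale*. The Linux `ip route add` line goes beyond the guide, which refers to the OS documentation for Linux.

```shell
#!/bin/sh
# Added example, not part of the original guide: derive the route commands
# for VyOS, Windows and Linux from one CIDR prefix so that the Windows MASK
# and the VyOS/Linux prefix cannot drift apart.

# prefix_to_mask LEN -> dotted-decimal netmask; exit 1 if LEN is not 0..32
prefix_to_mask() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    bits=$1
    mask=''
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then
            octet=255
            bits=$((bits - 8))
        elif [ "$bits" -le 0 ]; then
            octet=0
        else
            # partial octet: only the top $bits bits are set, e.g. 4 bits -> 240
            octet=$((256 - (1 << (8 - bits))))
            bits=0
        fi
        mask="$mask${mask:+.}$octet"
        i=$((i + 1))
    done
    printf '%s\n' "$mask"
}

# route_commands REMOTE_CIDR GATEWAY -> the three commands, one per line;
# exit 1 if REMOTE_CIDR has no "/len" or the length is out of range
route_commands() {
    net=${1%/*}
    len=${1#*/}
    [ "$net" != "$1" ] || return 1
    mask=$(prefix_to_mask "$len") || return 1
    # VyOS (configure mode), as in the guide
    printf 'set protocols static route %s next-hop %s\n' "$1" "$2"
    # Windows (administrative prompt); -p makes the route persistent
    printf 'route add %s MASK %s %s -p\n' "$net" "$mask" "$2"
    # Linux with iproute2; not persistent, use the distribution's network
    # configuration to keep it across reboots
    printf 'ip route add %s via %s\n' "$1" "$2"
}

# constructed sample values (RFC 1918)
route_commands 192.168.10.0/24 10.0.0.2
```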

Settings on Linux

Please refer to the documentation of your respective OS.

Ping a host in the remote network to check the tunnel

ping XX.XX.XX.XX

Documentation

• https://vyos.readthedocs.io/en/latest

Useful commands:

  • configure – enter configuration mode
  • commit – commit changes
  • save – save changes
  • exit discard – exit without saving changes
  • show configuration commands – show the configuration commands of the running config

Cloud-init

Beginning with version 1.2.4, cloud-init can be used to configure the instance.

Example:

set system host-name test01
set interfaces ethernet eth1 address '10.0.0.1/24'

Alternatively, the user-data can be a URL pointing to a file with the commands, e.g. http://192.0.2.1/vyos-commands.txt

More information:

• https://github.com/zdc/vyos-cloud-init-userdata